Encryption is probably a net negative
I see a trend of people encrypting their data and then losing their encryption key
for whatever reason.
With modern encryption, like the algorithms used in ZFS, the data is then just gone.
While the examples come from ZFS and TrueNAS,
there are plenty of stories about BitLocker and other encryption systems.
Take a look at this one: unable to unlock a dataset with the correct passphrase.
People often ask for improvements to encryption without understanding what the goal of the system is;
see this example from the TrueNAS forums.
Personally, I am of the opinion that an encryption scheme where both the encrypted data and the keys
to access that data are on the same system isn’t encryption, but rather security theater.
The goal of the current (as of April 2025) key-encrypted TrueNAS system
is to allow safe and quick repurposing, recycling, or RMA of the drives,
should the need arise.
If you want to prevent unauthorized access to a stolen physical server, use passphrases.
There is no way to have the encryption key on the server itself and still be protected
if someone steals the server.
You then have to enter these passphrases after a reboot.
You can automate the process somewhat.
For example, have TrueNAS fetch the passphrase from some network location.
This separates the secret from the physical server, so if someone steals the server,
the data is (probably [1]) locked upon reboot.
The risk-reward tradeoff for using encryption seems to be off.
The likelihood of the server being stolen seems to be less than the likelihood
of some kind of encryption failure.
One specific failure mode is:
- The TrueNAS boot drive fails, taking the encryption key with it.
- There is no backup of the key.
- The entire pool is now inaccessible.
What was a very simple case of "put in a new boot drive, reinstall, reconfigure, all good" is now a mess.
One must attempt recovery on a boot drive, which is troublesome even if successful.
If unsuccessful, the pool is gone.
Considering that people often use some kind of throwaway/less reliable single SSD for the TrueNAS OS,
this is happening more and more often.
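One check a practitioner would want before relying on the "fetch the passphrase from the network" setup above, or before discovering the boot-drive failure mode the hard way: which encryption roots actually depend on a key file stored on this same system? This is an added example, not from the post, for plain OpenZFS; it parses the output of `zfs get -H -o name,property,value encryption,keylocation` and the sample input is constructed. TrueNAS manages keys through its own middleware, which this does not inspect.

```shell
#!/bin/sh
# Added example: audit which OpenZFS encryption roots keep their key on the local
# system (the "boot drive dies, key dies with it" failure mode).
# Input is what `zfs get -H -o name,property,value encryption,keylocation` prints
# (tab-separated; awk's default whitespace splitting also accepts the spaces below).
# SAMPLE_ZFS_GET is a constructed sample, not output from a real host.
SAMPLE_ZFS_GET='tank encryption aes-256-gcm
tank keylocation file:///etc/zfs/keys/tank.key
tank/media encryption aes-256-gcm
tank/media keylocation none
tank/docs encryption aes-256-gcm
tank/docs keylocation prompt
vault encryption aes-256-gcm
vault keylocation https://keys.example.internal/vault.key
backup encryption off
backup keylocation none'

# Reads `zfs get` lines on stdin; prints "<dataset> <verdict> [<keylocation>]" for each
# encryption root. Children with keylocation=none inherit their root's key and are skipped.
audit_keylocations() {
    awk '
        $2 == "encryption"  { enc[$1] = $3 }
        $2 == "keylocation" { loc[$1] = $3 }
        END {
            for (ds in enc) {
                if (enc[ds] == "off" || loc[ds] == "none") continue
                if (loc[ds] ~ /^file:\/\//)
                    print ds, "LOCAL_KEY_FILE", loc[ds]   # lost together with this system
                else if (loc[ds] == "prompt")
                    print ds, "PASSPHRASE_OR_MANAGED"     # typed at unlock, or loaded by middleware
                else
                    print ds, "REMOTE_KEY", loc[ds]       # fetched from elsewhere at unlock
            }
        }' | LC_ALL=C sort
}

# Number of encryption roots whose only key copy (as far as ZFS knows) is a local file.
local_key_count() {
    audit_keylocations | grep -c 'LOCAL_KEY_FILE' || true
}

# Stand-alone run over the constructed sample; on a real host pipe `zfs get ...` in instead.
printf '%s\n' "$SAMPLE_ZFS_GET" | audit_keylocations
```

Anything reported as LOCAL_KEY_FILE needs a copy of that key file kept off the boot drive, or the dataset is only as durable as the single SSD the post describes.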
So, if you are in an environment requiring security, use passphrases and have a proper backup.
If you are at home, do not use any kind of encryption, and also have a proper backup.
In any case, do not use encryption for the sake of encryption.
You will have one less failure mode to worry about.
[1] Probably - unless the passphrase somehow ends up in the swap files.
Filed under: Encryption, NAS, ZFS.
Created Thursday, April 17, 2025