I think you’d realistically have bigger problems than this if it’s a nation state after your data.
I also hope you know that while you have your right to encrypt and secure data as you want, refusal will have its own consequences no matter what. And I don’t know what country you’re in.
All that said, I don’t really have a conclusive answer for you as I know little about TrueNAS. But it’s a good question so I’m curious to know as well.
Hope someone else can help out. I just wanted to provide that context and nuance to your supposed concern.
That depends entirely on your threat model here. Using your Macbook or phone as a cloud-only device to circumvent potential checks could work, especially when traveling. The issue becomes whether your NAS is safe or not.
For most cases, your TrueNAS is turned on 24/7 or a duration close to that time frame. Any competent forensic investigator would clone its hard drive while it is still on instead of unplugging it. Remember that full-disk encryption only works when your device is in a Before-First-Unlock (BFU) state. Afterwards, you are reliant on the strength of your account password.
You should structure your threat model this way:
Am I worried about a government search on my property more than a search of my personal devices?
How important is the data I am storing? Would it lead to potential legal trouble?
If you answer yes to both questions, store all of your data offline in a device with full-disk encryption. Although not perfect, you can also use an encrypted hidden volume feature present in something like Veracrypt.
Alternatively, you can store your data in an alternative jurisdiction. It could be a NAS/homelab at a friend’s house that can be connected through a Tailscale VPN connection. Not ideal in terms of usability, but it gets the job done.
I have an older TrueNAS instance that I upgraded from FreeNAS. BSD’s GELI encryption has worked well for me. With that being said, I have no experience with what TrueNAS is doing lately with the conversion from BSD to Linux. That is a future project for me.
Comparing ZFS Native Encryption to LUKS, LUKS encrypts everything. ZFS Native Encryption encrypts everything except ZFS metadata, for example, ZFS pool name, ZFS dataset names, ZFS snapshot names, etcetera. If your ZFS metadata naming does not have anything incriminating (a pool name of "money laundering" or something), I would use whichever one you feel more comfortable with. The encryption quality should be comparable.
My Linux boxes use LUKS for root volumes (LVM + EXT4), and I use ZoL (ZFS on Linux) with Native Encryption for data volumes.
I have not researched this for a few years, but there were some significant bugs with ZFS Native Encryption when used with ZFS snapshots and therefore ZFS send/receive. TrueNAS does automatically create ZFS snapshots. You may want to look into that part before committing to ZFS Native Encryption on TrueNAS. That is something else on my list for next year when I rebuild multiple Linux boxes when the LTS support ends.
I think the console is basically running as root. Unchecking the checkbox would provide a small layer of protection from cats walking across the keyboard, curious children, etcetera.
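An added example of the metadata point made above (my own script, not code from this poster, TrueNAS or the OpenZFS project): it builds a throwaway file-backed pool with one natively encrypted dataset and a snapshot, unloads the key, and then shows that `zfs list` still prints the pool, dataset and snapshot names and that the snapshot name sits in plaintext on the backing image. The pool name `zfsdemo`, the image path, the snapshot name and the passphrase are all made up for the demo; it needs the OpenZFS userland and root, and skips itself otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): demonstrate that ZFS native encryption
# leaves pool, dataset and snapshot names readable even with the key unloaded.
# Assumes OpenZFS tools (zpool/zfs) and root. Pool name, image path, snapshot
# name and passphrase are constructed for this demo.

POOL=zfsdemo
IMG=/tmp/${POOL}.img
SNAP=tax-returns-2023                 # deliberately "interesting" snapshot name
PASS='correct horse battery staple'   # constructed demo passphrase (>= 8 chars)

cleanup() {
    zpool list "$POOL" >/dev/null 2>&1 && zpool destroy "$POOL"
    rm -f "$IMG"
}

# Returns 0 when the demo ran and the snapshot name was found on the raw image,
# 0 with a "skipped" message when the host cannot run it, and 1 on failure.
zfs_metadata_demo() {
    if ! command -v zpool >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "skipped: needs OpenZFS tools and root"
        return 0
    fi
    cleanup
    truncate -s 256M "$IMG"
    # -m none: nothing gets mounted, so unload-key works without an unmount.
    zpool create -m none "$POOL" "$IMG" || return 1
    # Natively encrypted child dataset; keylocation=prompt reads the passphrase
    # from stdin, so it can be piped in for the demo.
    printf '%s\n' "$PASS" | zfs create -o encryption=aes-256-gcm \
        -o keyformat=passphrase -o keylocation=prompt "$POOL/secret" || return 1
    zfs snapshot "$POOL/secret@$SNAP" || return 1
    # Lock it: key leaves memory, file data is unreadable from here on...
    zfs unload-key "$POOL/secret" || return 1
    # ...yet every name is still listed (keystatus shows "unavailable"):
    zfs list -t all -o name,encryption,keystatus
    # ...and the names are on the disk in the clear, no key needed to read them.
    zpool export "$POOL" || return 1
    if grep -a -q "$SNAP" "$IMG"; then
        echo "found '$SNAP' in plaintext on $IMG"
        rc=0
    else
        echo "snapshot name not found in image (unexpected)"
        rc=1
    fi
    rm -f "$IMG"
    return $rc
}

zfs_metadata_demo
```

Running the same `grep -a` against a LUKS container finds only the LUKS header fields (cipher names, keyslot parameters, an optional label); the filesystem inside, including its own label and every file name, is ciphertext. That asymmetry is exactly the naming caveat the post describes, and the script is a quick way to check what your own dataset and snapshot names give away before committing to native encryption.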
A word of advice based on my experience: Disconnect everything you want to protect from the Internet and encrypt it with a strong password and robust encryption. Anything connected to the Internet is susceptible to interception.
I didn’t know that BFU was also relevant to hard drives.
I thought it was a GOS specific thing. TIL, thanks!
And yes, offline offsite + Veracrypt would also be my recommendation in general.
Can also put it into a safe + cameras + pay a body guard on-site to keep an eye on it.
That would be destruction of evidence. Pretty much an instant criminal charge for most jurisdictions. Even in places like the U.S. where you are not required to give up passwords.
The difference between BFU and AFU is a rather common concept when referring to smartphones and encrypted devices (i.e. storage drives). Not just GOS!