Unlocks a dataset in your TrueNAS SCALE server, via ssh, whenever the server boots.
You run this script from a computer that you actively keep physically secure, for example your laptop.
- Unlocks a dataset in your TrueNAS SCALE server, via ssh, whenever the server boots.
- Does not store the passphrase on disk.
- Prompts you for the passphrase at the start of the script.
- You may pipe the passphrase from a command, instead.
- Unlocks the dataset only once after each server boot.
- If you manually lock the dataset, you probably did it on purpose, so it won't auto-unlock until reboot.
- If you reboot the server, it will unlock it again.
- Runs any executable
.unlockrcfile in the unlocked dataset's root directory, if present. You should make that script idempotent, so it's OK to run it many times. To be precise, it will run.unlockrcif this script starts and finds the dataset already unlocked from the get-go. - Afterwards, waits for the next reboot, and runs again.
/bin/shunzipcurlsshclient
- Version 24.04 or later,
- SSH service enabled,
- SSH configured with public key-based passwordless login for an admin account,
- The admin account has access to the
clicommand.
# create and enter a directory for the script
mkdir -p truenas-unlock-dataset-once-after-each-boot
cd truenas-unlock-dataset-once-after-each-boot
# download+extract the script, into current directory
curl -fsSL https://github.com/hugojosefson/truenas-unlock-dataset-once-after-each-boot/tarball/main \
| tar -xzv --strip-components=1Examples below assume:
- Server IP is
10.20.30.40, - Account that can run
cliin the server, is namedadmin. - Dataset to unlock is named
tank.
To type the passphrase manually at the start of the script:
./src/cli.ts tank [email protected]If you have a command that outputs the passphrase, for example pass:
pass my-zfs-encryption | head -n1 | ./src/cli.ts tank [email protected]