
Support TPM (Trusted Platform Module) 2.0 on the host as an additional security layer

Description

TPMs have been available on all mainstream desktop and server platforms for a while, and they have been proven to successfully address a lot of physical security issues (but not all of them). As there are no existing tickets about this, I think it is time to have one 🙂

Here are some use cases where a user would like to use a TPM, in both enterprise and serious SOHO environments:

1. Unlock an encrypted dataset automatically if the NAS hardware has not been changed. If the case of the NAS has not been removed, the disks have not been moved to another (even identical) computer, and the BIOS configuration is the same, then you don't need to go through the complicated process of manually unlocking all the datasets. If anything looks wrong, the TPM would have locked itself down and the user would have to manually unlock the datasets.

2. Use a key stored in the TPM as a protector to encrypt Cloud Credentials. Even if a malicious user removed the system drive, they could not retrieve the clear-text credentials.

3. Use a physical TPM to encrypt the content of a virtual TPM, so VMs can also be protected. There are already requests to add virtual TPM devices for VMs ( https://jira.ixsystems.com/browse/NAS-112845 and https://jira.ixsystems.com/browse/NAS-111251 ), but if the data of a virtual TPM is stored as clear text on the host, then the virtual TPM can still be easily attacked.

4. Enable remote attestation for large deployments (datacenter and connected edge environments). With remote attestation enabled, we can see from TrueCommand whether the software of a TrueNAS system has been modified, so the system administrator can act quickly.
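Use cases 1, 2 and 4 all rest on the same two TPM 2.0 mechanics: boot components are measured into PCRs by an extend chain, and a secret is sealed so that it only unwraps when the selected PCRs (and the chip itself) match the state at sealing time; remote attestation quotes that same PCR state to an outside verifier. The following is an added software model of those mechanics written for this ticket, not TrueNAS code and not a real TPM interface: hashlib and hmac stand in for the chip, the HMAC "quote" stands in for the attestation-key signature a real verifier would check with the AK public key, and every seed, key and measured component string is a constructed sample value.

```python
"""Software model of the TPM 2.0 mechanics behind the use cases above.

Constructed example: nothing here talks to a real TPM. hashlib/hmac stand in
for the chip; the HMAC "quote" stands in for an attestation-key signature.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

PCR_ZERO = bytes(32)  # SHA-256 bank: every PCR starts as 32 zero bytes


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend rule: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay a boot chain: each (PCR index, component bytes) extends its PCR.
    Order matters: swapping two components on one PCR changes its final value."""
    pcrs = {i: PCR_ZERO for i in range(8)}
    for idx, blob in components:
        pcrs[idx] = pcr_extend(pcrs[idx], blob)
    return pcrs


def pcr_composite(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Digest over the selected PCRs; this is what a PCR policy binds to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


class TpmModel:
    """Stand-in for one physical chip: its seed never leaves this object."""

    def __init__(self, seed: bytes) -> None:
        self._seed = seed  # hypothetical storage-root / attestation seed

    def _keys(self, pcrs: Dict[int, bytes], selection: List[int]) -> Tuple[bytes, bytes]:
        # Wrapping keys depend on BOTH the chip seed and the PCR state, so a
        # different chip or a different boot chain yields different keys.
        kek = hmac.new(self._seed, b"seal|" + pcr_composite(pcrs, selection), hashlib.sha256).digest()
        enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
        mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
        return enc, mac

    def seal(self, secret: bytes, pcrs: Dict[int, bytes], selection: List[int]) -> Tuple[bytes, bytes]:
        """Wrap a 32-byte secret so it only unwraps under the same PCR state."""
        assert len(secret) == 32, "model pads exactly 32 bytes"
        enc, mac = self._keys(pcrs, selection)
        ct = bytes(a ^ b for a, b in zip(secret, enc))  # one-time pad with a 32-byte key
        return ct, hmac.new(mac, ct, hashlib.sha256).digest()

    def unseal(self, blob: Tuple[bytes, bytes], pcrs: Dict[int, bytes], selection: List[int]) -> Optional[bytes]:
        """Return the secret, or None when the PCR policy does not match."""
        ct, tag = blob
        enc, mac = self._keys(pcrs, selection)
        if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
            return None  # wrong chip or changed boot chain: refuse, force manual unlock
        return bytes(a ^ b for a, b in zip(ct, enc))

    def quote(self, pcrs: Dict[int, bytes], selection: List[int], nonce: bytes) -> bytes:
        """Model of TPM2_Quote: attest the PCR state together with a verifier nonce."""
        return hmac.new(self._seed, b"quote|" + nonce + pcr_composite(pcrs, selection), hashlib.sha256).digest()


# Constructed sample boot chain: (PCR index, measured component).
GOLDEN_BOOT = [
    (0, b"platform firmware image"),
    (1, b"firmware configuration"),
    (4, b"boot loader image"),
    (4, b"kernel image"),
    (7, b"secure boot policy: enabled"),
]
TAMPERED_BOOT = [(i, b"modified boot loader image" if b == b"boot loader image" else b) for i, b in GOLDEN_BOOT]
UNSELECTED_CHANGE = GOLDEN_BOOT + [(2, b"option rom")]  # PCR 2 is not in the policy
SELECTION = [0, 1, 4, 7]  # firmware, firmware config, boot chain, secure boot state

DATASET_KEY = hashlib.sha256(b"constructed dataset key").digest()
HOST_TPM = TpmModel(hashlib.sha256(b"constructed host tpm seed").digest())
FOREIGN_TPM = TpmModel(hashlib.sha256(b"constructed seed of an identical spare chassis").digest())
SEALED = HOST_TPM.seal(DATASET_KEY, measured_boot(GOLDEN_BOOT), SELECTION)


def unlock_after_boot(boot: List[Tuple[int, bytes]], tpm: TpmModel = HOST_TPM) -> bool:
    """Use case 1: does the dataset key come back without a manual unlock?"""
    return tpm.unseal(SEALED, measured_boot(boot), SELECTION) == DATASET_KEY


def remote_attestation(boot: List[Tuple[int, bytes]], nonce: bytes, tpm: TpmModel = HOST_TPM) -> bool:
    """Use case 4: the host quotes its live PCRs; the verifier recomputes the
    quote over its golden PCR values with the nonce it chose and compares."""
    live = tpm.quote(measured_boot(boot), SELECTION, nonce)
    golden = tpm.quote(measured_boot(GOLDEN_BOOT), SELECTION, nonce)
    return hmac.compare_digest(live, golden)


if __name__ == "__main__":
    print("same host, same boot     ->", unlock_after_boot(GOLDEN_BOOT))
    print("modified boot loader     ->", unlock_after_boot(TAMPERED_BOOT))
    print("disks moved to spare box ->", unlock_after_boot(GOLDEN_BOOT, FOREIGN_TPM))
    print("attestation, tampered    ->", remote_attestation(TAMPERED_BOOT, b"nonce-1"))
```

The PCR selection is the policy decision that use case 1 describes in prose: a change measured into a PCR outside the selection (the `UNSELECTED_CHANGE` chain) still unlocks, so the set of PCRs an implementation binds to decides which hardware or configuration changes force a manual unlock. Cloud credentials (use case 2) would be sealed with the same call as the dataset key.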

Activity


Kris Moore July 18, 2024 at 5:57 PM

Thank you for submitting this feature request! To better accommodate and gauge community interest for future versions of TrueNAS we have moved the submission process to our TrueNAS Community Forums. If this feature is still important and relevant for consideration, please refer to the links below on how to submit it for community voting and TrueNAS roadmap review.

Feature Requests Forum:
https://forums.truenas.com/c/features/12

Feature Requests FAQ:
https://forums.truenas.com/t/about-the-feature-requests-category-readme-first/8802

Filene Taylor April 20, 2024 at 4:27 AM

Hi there, because of the danger rootkits pose to every user, from casual hobbyist to power user, and to small corporations before becoming megacorps, we all need TPMs implemented as described.

The level of customization that is possible to circumvent monitoring of boot files, system images, and network traffic must be recognized. SecureBoot, TPM, and Measured Boot are not just "a" way to prevent this, they are THE way to prevent this.

Without SecureBoot, casual users might boot a VM without knowing the bootloader was compromised. Without TPM, power users might monitor their VM boot loaders, but think any edit to their VM can't compromise their core TrueNAS system. Without Measured Boot, any TrueNAS enterprise customer might confuse a network-wide infection as merely a change in the status quo.

+1, and not just so I can feel safer using Windows in a VM. I would like to feel safe outside of the virtual as well. 🙂

Thank you, from a four-year-plus user of TrueNAS recovering from their first home network security incident.

John Cooper July 5, 2023 at 8:54 PM

+1 For adding support for this functionality.

Unresolved


Created January 25, 2022 at 7:08 AM
Updated July 18, 2024 at 6:04 PM
