
Unlock encrypted ZFS datasets on TrueNAS via the API

Project description

TrueNAS Unlock


Unlock encrypted ZFS datasets on TrueNAS via the API.

Demo video: https://github.com/user-attachments/assets/172c8fd7-5b66-4c5b-bae0-32e378e9305a

Why?

TrueNAS supports encrypted ZFS datasets, but:

  1. Storing keys on the NAS defeats the purpose—if it's stolen, the thief has both the encrypted data and the keys
  2. Manual unlocking is tedious—after every reboot, you need to manually decrypt each dataset through the UI

This tool solves both problems with a "poor-man's second-factor" setup:

  1. Run truenas-unlock on a separate device (Raspberry Pi, home server, etc.)
  2. Store encryption keys only on that device
  3. Datasets auto-unlock when both devices are on the network
  4. If the NAS is stolen, data remains encrypted and inaccessible

Think of it as a hardware security key for your storage—hidden somewhere in your house, it automatically unlocks your datasets whenever your TrueNAS boots. No manual intervention required.


Docker

Run once:

docker run --rm -it \
  -v ~/.config/truenas-unlock/config.yaml:/app/config.yaml \
  ghcr.io/basnijholt/truenas-unlock -c /app/config.yaml

Run as daemon (recommended for auto-unlock on boot):

docker run -d --restart=unless-stopped \
  --name truenas-unlock \
  -v ~/.config/truenas-unlock/config.yaml:/app/config.yaml \
  ghcr.io/basnijholt/truenas-unlock -c /app/config.yaml --daemon

Shell Alias

Add to your ~/.bashrc or ~/.zshrc:

alias truenas-unlock='docker run --rm -it \
  -v ~/.config/truenas-unlock/config.yaml:/app/config.yaml \
  ghcr.io/basnijholt/truenas-unlock -c /app/config.yaml'

Install

# With uv (recommended)
uv tool install truenas-unlock

# With pip
pip install truenas-unlock

Setup

Create an API key at http://truenas.local/ui/credentials/users/api-keys (replace with your TrueNAS hostname).

Then create ~/.config/truenas-unlock/config.yaml:

host: 192.168.1.214:443
api_key: ~/.secrets/truenas-api-key  # file path or literal
skip_cert_verify: true  # disables TLS certificate verification for the API connection

# secrets: auto  # auto (default) | files | inline
# truenas_version: "25.04"  # optional: skip version detection API call

datasets:
  tank/syncthing: ~/.secrets/syncthing-key  # reads from file
  tank/photos: my-literal-passphrase        # used as-is (no such file)

The truenas_version field is optional. When specified (e.g., "25.04" or "24.10"), it skips the automatic version detection API call. This is useful if you know your TrueNAS version and want to reduce API calls. TrueNAS 25.04+ uses a different unlock API than older versions.

The secrets mode controls how values are interpreted:

  • auto (default): if file exists, read from it; otherwise use as literal
  • files: always treat values as file paths
  • inline: always treat values as literal secrets
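The three modes above, written out as an added example that is not the project's own code: `resolve_secret`, `resolve_config` and `demo` are hypothetical names, and the config dict inside `demo` is constructed to mirror the config.yaml shown in Setup (it is what a YAML loader would return).

```python
"""Resolve `api_key` and per-dataset values of a truenas-unlock style config
according to the documented `secrets` mode (auto | files | inline).

Added example, not code from the truenas-unlock project; helper names are
hypothetical and the config in demo() is constructed.
"""
import tempfile
from pathlib import Path

MODES = ("auto", "files", "inline")


def resolve_secret(value, mode: str = "auto") -> str:
    """Turn one config value into the secret it denotes.

    auto   : read the file if `value` names an existing file, else use it literally
    files  : `value` must name an existing file
    inline : `value` is the secret itself and is never treated as a path
    """
    if mode not in MODES:
        raise ValueError(f"unknown secrets mode {mode!r}, expected one of {MODES}")
    value = str(value)  # YAML loads an all-digit passphrase as an int
    if mode == "inline":
        return value
    path = Path(value).expanduser()
    if path.is_file():
        # Drop the trailing newline editors add; keep interior whitespace.
        return path.read_text(encoding="utf-8").rstrip("\r\n")
    if mode == "files":
        raise FileNotFoundError(f"secrets: files is set but {value!r} is not a file")
    return value  # auto mode falls back to the literal


def resolve_config(config: dict) -> dict:
    """Return a copy of `config` with api_key and every dataset value resolved."""
    mode = config.get("secrets", "auto")
    resolved = dict(config)
    resolved["api_key"] = resolve_secret(config["api_key"], mode)
    resolved["datasets"] = {
        name: resolve_secret(secret, mode)
        for name, secret in config.get("datasets", {}).items()
    }
    return resolved


def demo() -> dict:
    """Write one key file into a temp dir and resolve a constructed config."""
    with tempfile.TemporaryDirectory() as d:
        key_file = Path(d) / "syncthing-key"
        key_file.write_text("0123456789abcdef\n", encoding="utf-8")
        config = {  # constructed: mirrors the README's config.yaml, mode left at auto
            "host": "192.168.1.214:443",
            "api_key": "constructed-literal-api-key",
            "datasets": {
                "tank/syncthing": str(key_file),         # exists -> read from file
                "tank/photos": "my-literal-passphrase",  # no such file -> used as-is
            },
        }
        return resolve_config(config)


if __name__ == "__main__":
    for dataset, secret in demo()["datasets"].items():
        print(f"{dataset}: {len(secret)} characters resolved")
```

In auto mode a mistyped key path (or, under Docker, a key directory that was never mounted into the container) is silently taken as the passphrase itself, and the unlock just fails; `files` mode turns the same mistake into an immediate FileNotFoundError, which is the safer setting when every secret lives in a file.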

Usage

# Run once
truenas-unlock

# Run as daemon
# (Checks every 1s if TrueNAS is unreachable, otherwise every 30s)
truenas-unlock --daemon

# Custom interval (for the "relaxed" state)
truenas-unlock --daemon --interval 60

# Dry run
truenas-unlock --dry-run
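The daemon's two-speed polling described above, as an added example rather than the project's own loop: probe every second while the NAS does not answer so datasets unlock promptly after a boot, relax to the configured interval once it does, and only send a key to a dataset that is still locked. `probe`, `locked_datasets` and `unlock` are hypothetical injected callables standing in for the TrueNAS API calls, and `simulate_boot` drives the loop with a constructed scenario.

```python
"""Two-speed polling loop in the spirit of `truenas-unlock --daemon`.

Added example, not the project's code. The API calls are injected as
hypothetical callables so the loop can be exercised without a NAS.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

FAST_INTERVAL = 1  # seconds between probes while the NAS is unreachable


@dataclass
class Daemon:
    probe: Callable[[], bool]                 # True when the API answers
    locked_datasets: Callable[[], list[str]]  # datasets that are still locked
    unlock: Callable[[str], bool]             # True when the unlock succeeded
    interval: int = 30                        # the "relaxed" interval
    dry_run: bool = False
    log: list[str] = field(default_factory=list)

    def tick(self) -> int:
        """Run one iteration and return the seconds to wait before the next."""
        if not self.probe():
            self.log.append("unreachable; retrying in 1s")
            return FAST_INTERVAL
        # Keys are only transmitted for datasets that actually need them.
        for name in self.locked_datasets():
            if self.dry_run:
                self.log.append(f"would unlock {name}")
                continue
            ok = self.unlock(name)
            self.log.append(f"unlock {name}: {'ok' if ok else 'FAILED'}")
        return self.interval

    def run(self, sleep: Callable[[int], None], max_ticks: Optional[int] = None) -> None:
        """Loop forever (or for `max_ticks` iterations when testing)."""
        ticks = 0
        while max_ticks is None or ticks < max_ticks:
            sleep(self.tick())
            ticks += 1


def simulate_boot(interval: int = 30) -> tuple[list[int], list[str]]:
    """Constructed scenario: the NAS is down for three probes, then comes up
    with two locked datasets, one of which keeps rejecting its key."""
    answers = iter([False, False, False, True, True])
    locked = ["tank/syncthing", "tank/photos"]

    def unlock(name: str) -> bool:
        if name == "tank/photos":
            return False  # stands in for a wrong passphrase
        locked.remove(name)
        return True

    sleeps: list[int] = []
    daemon = Daemon(lambda: next(answers), lambda: list(locked), unlock, interval=interval)
    daemon.run(sleeps.append, max_ticks=5)  # real use would pass time.sleep
    return sleeps, daemon.log


if __name__ == "__main__":
    waits, events = simulate_boot()
    print("waits between ticks:", waits)
    print("\n".join(events))
```

Checking lock status before sending a key is the design choice worth copying: the relaxed 30 s tick then costs one status query, and passphrases only cross the network when a dataset is actually locked.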

CLI

truenas-unlock --help
 Usage: truenas-unlock [OPTIONS] COMMAND [ARGS]...

 Unlock TrueNAS ZFS datasets

╭─ Options ────────────────────────────────────────────────────────────────────╮
│ --config    -c      PATH     Config file path                                │
│ --dry-run   -n               Show what would be done                         │
│ --daemon    -d               Run continuously                                │
│ --interval  -i      INTEGER  Seconds between checks (1s if unreachable)      │
│                              [default: 30]                                   │
│ --dataset   -D      TEXT     Filter by dataset path                          │
│ --version   -v               Show version and exit                           │
│ --help      -h               Show this message and exit.                     │
╰──────────────────────────────────────────────────────────────────────────────╯
╭─ Commands ───────────────────────────────────────────────────────────────────╮
│ lock      Lock configured datasets.                                          │
│ status    Show lock status of configured datasets.                           │
│ service   Manage system service                                              │
╰──────────────────────────────────────────────────────────────────────────────╯

Running as a Service

Requires uv to be installed. Auto-detects Linux (systemd) or macOS (launchd):

# Install and start
truenas-unlock service install

# Check status
truenas-unlock service status

# View logs (follows by default)
truenas-unlock service logs

# Uninstall
truenas-unlock service uninstall

Development

# Clone and install
git clone https://github.com/basnijholt/truenas-unlock
cd truenas-unlock
uv sync --dev

# Run tests
uv run pytest

# Run lints
uv run ruff check .
uv run mypy truenas_unlock.py

Credits

Inspired by ThorpeJosh/truenas-zfs-unlock.

License

MIT

Download files


Source Distribution

truenas_unlock-1.7.0.tar.gz (67.9 kB)

Built Distribution

truenas_unlock-1.7.0-py3-none-any.whl (11.8 kB)

File details

Details for the file truenas_unlock-1.7.0.tar.gz.

File metadata

  • Download URL: truenas_unlock-1.7.0.tar.gz
  • Size: 67.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for truenas_unlock-1.7.0.tar.gz:

  • SHA256: 1f9380dc9af88be1cc925ca8f3549d44e1dde9e12c07e8ff78bee09d7eb49286
  • MD5: 496992f0a369c18cf2c176984417bb73
  • BLAKE2b-256: 183d6d0c71e7fc59a7baa149b5fdc37a79c63d292e85c929839de7a700476c1c
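How to use these digests before installing, as an added example that is not part of the truenas-unlock project: `EXPECTED` holds the SHA256 and BLAKE2b-256 values listed on this page for truenas_unlock-1.7.0.tar.gz, `digests`, `verify` and `demo` are hypothetical names, and the file `demo` writes is constructed, so it is expected not to match the published digests.

```python
"""Check a downloaded release file against the digests PyPI publishes, as a
supply-chain step before `pip install`.

Added example, not the project's code. EXPECTED is copied from this page;
the sample file in demo() is constructed and will not match it.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Copied from this page's "File hashes" for truenas_unlock-1.7.0.tar.gz.
EXPECTED = {
    "sha256": "1f9380dc9af88be1cc925ca8f3549d44e1dde9e12c07e8ff78bee09d7eb49286",
    "blake2b_256": "183d6d0c71e7fc59a7baa149b5fdc37a79c63d292e85c929839de7a700476c1c",
}


def digests(path: Path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks with the two collision-resistant algorithms PyPI
    lists; MD5 is published as well but is not used to gate anything here."""
    sha256 = hashlib.sha256()
    blake2b = hashlib.blake2b(digest_size=32)  # PyPI's "BLAKE2b-256"
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            sha256.update(chunk)
            blake2b.update(chunk)
    return {"sha256": sha256.hexdigest(), "blake2b_256": blake2b.hexdigest()}


def verify(path: Path, expected: dict) -> dict:
    """Return {algorithm: matched} for every published digest. The comparison
    is constant-time so timing reveals nothing about a partial match."""
    actual = digests(path)
    result = {}
    for alg, wanted in expected.items():
        if alg not in actual:
            raise ValueError(f"no digest computed for {alg!r}")
        result[alg] = hmac.compare_digest(actual[alg], wanted.lower())
    return result


def demo() -> dict:
    """Write a constructed file, check it against the page's digests (must
    fail) and against its own freshly computed ones (must pass)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "not-the-real-sdist.tar.gz"
        sample.write_bytes(b"abc")  # constructed content, not the archive
        return {
            "against_published": verify(sample, EXPECTED),
            "against_self": verify(sample, digests(sample)),
            "sha256": digests(sample)["sha256"],
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Once the digest of the real download matches, pin it for installs too: pip's hash-checking mode (`pip install --require-hashes -r requirements.txt`, with a line such as `truenas-unlock==1.7.0 --hash=sha256:<digest from this page>` in the file) refuses any artifact whose digest differs.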


Provenance

The following attestation bundles were made for truenas_unlock-1.7.0.tar.gz:

Publisher: release.yml on basnijholt/truenas-unlock


File details

Details for the file truenas_unlock-1.7.0-py3-none-any.whl.

File metadata

  • Download URL: truenas_unlock-1.7.0-py3-none-any.whl
  • Size: 11.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for truenas_unlock-1.7.0-py3-none-any.whl:

  • SHA256: 9f066b28479187d97ac958af8382685af07da9bb66c407c2f485a67fb6807e13
  • MD5: 5e300fe966c173612ddab1ce520a090d
  • BLAKE2b-256: 5e012e68603c40c93fc21e7c9a94b37510cca027149f1fce9088b830c8b8fc04


Provenance

The following attestation bundles were made for truenas_unlock-1.7.0-py3-none-any.whl:

Publisher: release.yml on basnijholt/truenas-unlock

