    TrueNAS Setup Guide: Enterprise Security for Your Homelab

    Last month I rebuilt my TrueNAS server from scratch after a drive failure. What started as a simple disk replacement turned into a full security audit — and I realized my homelab storage had been running with basically no access controls, no encryption, and SSH root login enabled. Not great.

    Here’s how I set up TrueNAS SCALE with actual security practices borrowed from enterprise environments — without the enterprise complexity.

    Why TrueNAS for Homelab Storage

    TrueNAS runs on ZFS, which handles data integrity better than anything else I’ve used at home. The killer features for me:

    • ZFS snapshots — I accidentally deleted an entire media folder last year. Restored it in 30 seconds from a snapshot. That alone justified the setup.
    • Built-in checksumming — ZFS detects and repairs silent data corruption (bit rot). Your photos from 2015 will still be intact in 2035.
    • Replication — automated offsite backups over encrypted channels.

    I went with TrueNAS SCALE over Core because I wanted Linux underneath — it lets me run Docker containers (Plex, Home Assistant, Nextcloud) alongside the storage. If you don’t need containers, Core on FreeBSD works fine too.

    Hardware: What Actually Matters

    You don’t need server-grade hardware, but a few things are non-negotiable:

    • ECC RAM — ZFS benefits enormously from error-correcting memory. I run 32GB of ECC. If your board supports it, use it. 16GB is the minimum for ZFS caching to work well.
    • CPU with AES-NI — any modern AMD Ryzen or Intel chip has this. You need it for dataset encryption without tanking performance.
    • NAS-rated drives — I run WD Red Plus 8TB drives in RAID-Z1. Consumer drives aren’t designed for 24/7 operation and will fail faster. CMR (not SMR) matters here.
    • A UPS — ZFS hates unexpected power loss. An APC 1500VA UPS with NUT integration gives you automatic clean shutdowns. I wrote about setting up NUT on TrueNAS separately.

    My current build: AMD Ryzen 5 5600G, 32GB Crucial ECC SODIMM, three 8TB WD Reds in RAID-Z1, and a 500GB NVMe as SLOG cache. Total cost around $800 — not cheap, but cheaper than losing irreplaceable data.

    Network Isolation First

    Before you even install TrueNAS, get your network right. Your NAS has all your data on it — it shouldn’t sit on the same flat network as your kids’ tablets and smart bulbs.

    I use OPNsense with VLANs to isolate my homelab. The NAS lives on VLAN 10, IoT devices on VLAN 30, and my workstation has cross-VLAN access via firewall rules. If an IoT device gets compromised (and they will eventually), it can’t reach my storage.

    The firewall rule is simple — only allow specific subnets to hit the TrueNAS web UI on port 443:

    # OPNsense/pfSense rule example
    pass in on vlan10 proto tcp from 192.168.10.0/24 to 192.168.10.100 port 443

    If you’re running a Protectli Vault or similar appliance for your firewall, this takes maybe 20 minutes to set up. No excuses.

    Installation and Initial Lockdown

    The install itself is straightforward — download the ISO, flash a USB with Etcher, boot, follow the wizard. Use a separate SSD or USB for the boot device; don’t waste pool drives on the OS.

    Once you’re in the web UI, immediately:

    1. Change the admin password to something generated by your password manager. Not “admin123”.
    2. Enable 2FA — TrueNAS supports TOTP. Set it up before you do anything else.
    3. Disable SSH root login:
    # In /etc/ssh/sshd_config
    PermitRootLogin no

    Create a non-root user for SSH access instead. I use key-based auth only — password SSH is disabled entirely.
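Here is an added example (not part of the original post) that checks whether an sshd configuration actually carries the lockdown just described: root login off, password and keyboard-interactive logins off, public keys on. The file paths and the sample configuration in its self-check are constructed; nothing here is TrueNAS's own tooling.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd configuration for
# the lockdown described above (no root login, no password logins, keys only).
# File paths and the sample config used by the self-check are constructed.

sshd_directive() {
    # $1 = config file, $2 = keyword. OpenSSH honours the FIRST occurrence of
    # a keyword, so a hardening line appended below an earlier
    # "PermitRootLogin yes" does nothing; the audit must read the file the
    # same way sshd does.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

sshd_audit() {
    # $1 = config file. Prints OK/FAIL per directive; returns 0 only when every
    # expected value is set explicitly. An unset directive counts as FAIL on
    # purpose: defaults (PasswordAuthentication defaults to yes) are not hardening.
    cfg="$1"; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes KbdInteractiveAuthentication=no; do
        key="${pair%%=*}"; want="${pair#*=}"
        got="$(sshd_directive "$cfg" "$key" | tr 'A-Z' 'a-z')"
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (as root): sshd -T > /tmp/effective.conf && sshd_audit /tmp/effective.conf
# sshd -T prints the resolved configuration (Include files applied) in
# lowercase, which sshd_directive handles.
if [ $# -gt 0 ]; then
    sshd_audit "$1"
fi
```

Feed it the output of `sshd -T` rather than the raw file when you can: that is what the daemon will actually enforce. TrueNAS SCALE regenerates sshd_config from the SSH service settings in its UI, so a hand edit can be silently overwritten on the next service restart; the audit is a check of the effective result, however you set it.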

    Create Your Storage Pool

    # RAID-Z1 with three drives
    # Prefer stable /dev/disk/by-id/... names over /dev/sdX, which can be renumbered between boots
    zpool create mypool raidz1 /dev/sda /dev/sdb /dev/sdc

    RAID-Z1 gives you one drive of redundancy. For more critical data, RAID-Z2 (two-drive redundancy) is worth the capacity trade-off. I run Z1 because I replicate offsite daily — the real backup is the replication, not the RAID.

    Enterprise Security Practices, Scaled Down

    Access Controls That Actually Work

    Don’t give everyone admin access. Create separate users with specific dataset permissions:

    # Create a limited user for media access
    adduser --home /mnt/mypool/media --shell /bin/bash mediauser
    chmod 750 /mnt/mypool/media

    My wife has read-only access to the photo datasets. The kids’ Plex account can only read the media dataset. Nobody except my admin account can touch the backup datasets. This takes 10 minutes to set up and prevents the “oops I deleted everything” scenario.

    Encrypt Sensitive Datasets

    TrueNAS makes encryption easy — you enable it during dataset creation. I encrypt anything with personal documents, financial records, or credentials. The performance hit with AES-NI hardware is negligible (under 5% in my benchmarks).

    For offsite backups, I use rsync over SSH (encrypted in transit) with a dedicated backup key:

    # Encrypted backup to remote server
    rsync -avz --progress -e "ssh -i ~/.ssh/backup_key" \
      /mnt/mypool/critical/ backup@remote:/mnt/backup/

    VPN for Remote Access

    Never expose your TrueNAS web UI to the internet. I use WireGuard through OPNsense — when I need to check on things remotely, I VPN in first. The firewall blocks everything else. I covered secure remote access patterns in detail before.

    Ongoing Maintenance

    Setup is maybe 20% of the work. The rest is keeping it running reliably:

    • ZFS scrubs — I run weekly scrubs on Sunday nights. They catch silent corruption before it becomes a problem. Schedule this in the TrueNAS UI under Tasks → Scrub Tasks.
    • Updates — check for TrueNAS updates monthly. Don’t auto-update a NAS; read the release notes first.
    • Monitoring — I pipe TrueNAS metrics into Grafana via Prometheus. SMART data, pool health, CPU/RAM usage. When a drive starts showing pre-failure indicators, I know before it dies.
    • Snapshot rotation — keep hourly snapshots for 48 hours, daily for 30 days, weekly for 6 months. Automate this in the TrueNAS snapshot policies.
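The monitoring item above is easy to wire up once `zpool status` is reduced to a pass/fail signal. This is an added example, not from the original post: it reads `zpool status` output and flags a pool state other than ONLINE, a last scrub that reported errors, and any vdev with non-zero READ/WRITE/CKSUM counters. The status text in the self-check is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original post: turn `zpool status` output into a
# pass/fail check you can run from cron or feed to a metrics exporter.
# The sample status text used by the self-check is constructed, not captured.

zpool_health() {
    # $1 = file holding `zpool status <pool>` output; reads stdin if omitted.
    # Prints one line per finding. Returns 0 when healthy, 1 otherwise.
    awk '
        /^[[:space:]]*state:/ {
            if ($2 != "ONLINE") { print "FAIL pool state is " $2; bad = 1 }
            next
        }
        /^[[:space:]]*scan:/ {
            if ($0 ~ /in progress/)           { print "INFO scrub or resilver in progress" }
            else if ($0 ~ /none requested/)   { print "WARN pool has never been scrubbed"; bad = 1 }
            else if ($0 !~ / with 0 errors /) { print "FAIL last scan reported errors: " $0; bad = 1 }
            next
        }
        /^errors:/ {
            inconfig = 0
            if ($0 !~ /No known data errors/) { print "FAIL " $0; bad = 1 }
            next
        }
        /^config:/ { inconfig = 1; next }
        inconfig && NF >= 5 && $1 != "NAME" {
            # vdev rows look like: NAME STATE READ WRITE CKSUM
            if ($2 != "ONLINE") { print "FAIL vdev " $1 " is " $2; bad = 1 }
            if ($3 + $4 + $5 > 0) {
                print "WARN vdev " $1 " counters read/write/cksum = " $3 "/" $4 "/" $5
                bad = 1
            }
        }
        END {
            if (!bad) print "OK pool is ONLINE, last scan clean, no vdev errors"
            exit (bad ? 1 : 0)
        }
    ' "${1:-/dev/stdin}"
}

# Usage: zpool status mypool | zpool_health      or      zpool_health status.txt
if [ $# -gt 0 ]; then
    zpool_health "$1"
fi
```

Non-zero counters on a vdev that is still ONLINE are deliberately a WARN that fails the check: that is exactly the pre-failure signal worth acting on before the drive drops out, and it is the condition a plain "is the pool ONLINE" test misses.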

    Test your backups. Seriously. I do a full restore test every quarter — pull a snapshot, restore it to a test dataset, verify the files are intact. An untested backup is not a backup.
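The restore test described above, as an added example that is not part of the original post: it sends a snapshot into a scratch dataset and checks the restored files against a SHA-256 manifest of the snapshot itself, so "restore worked" means byte-identical content rather than merely a dataset that mounted. The dataset and snapshot names, the /mnt/<dataset> mountpoint layout and access to snapshots through .zfs/snapshot are assumptions; the manifest functions need only GNU coreutils and work on any directory tree.

```shell
#!/bin/sh
# Added example, not from the original post: a quarterly restore test that
# proves a snapshot restores byte-for-byte. Dataset names, /mnt mountpoints
# and .zfs/snapshot access are assumptions about a TrueNAS SCALE layout.

make_manifest() {
    # $1 = directory to fingerprint, $2 = absolute path for the manifest.
    # Paths are recorded relative to $1 so the manifest checks a copy mounted
    # anywhere.
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

verify_restore() {
    # $1 = restored directory, $2 = absolute manifest path.
    # Succeeds only if every listed file exists with identical content AND no
    # unlisted files appeared (sha256sum -c alone ignores extras).
    ( cd "$1" && sha256sum --quiet -c "$2" ) || return 1
    expected=$(wc -l < "$2" | tr -d ' ')
    actual=$(cd "$1" && find . -type f | wc -l | tr -d ' ')
    [ "$expected" -eq "$actual" ]
}

restore_test() {
    # $1 = dataset, e.g. mypool/critical; $2 = snapshot name, e.g. auto-2024-03-10_02-00
    ds="$1"; snap="$2"; scratch="${ds}-restoretest"
    manifest="$(mktemp)"; rc=1
    # Fingerprint the snapshot's own view of the data, not the live dataset,
    # which may have changed since the snapshot was taken.
    if make_manifest "/mnt/$ds/.zfs/snapshot/$snap" "$manifest" &&
       zfs send "$ds@$snap" | zfs recv "$scratch"; then
        if verify_restore "/mnt/$scratch" "$manifest"; then
            echo "PASS $ds@$snap restores byte-for-byte"; rc=0
        else
            echo "FAIL $ds@$snap: restored content differs from snapshot"
        fi
        zfs destroy -r "$scratch"   # the scratch dataset only, never the source
    fi
    rm -f "$manifest"
    return "$rc"
}

# Usage: sh restore_test.sh mypool/critical auto-2024-03-10_02-00
if [ $# -eq 2 ]; then
    restore_test "$1" "$2"
fi
```

The file-count check in verify_restore matters: `sha256sum -c` only looks at paths named in the manifest, so without it a restore that added stray files would still pass. For the encrypted datasets recommended earlier, a non-raw `zfs send` like this one needs the source key loaded and decrypts on the sending side; the scratch dataset is created beside the source and inherits the parent's encryption settings.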

    Where to Go From Here

    Once your TrueNAS box is running securely, you can start adding services. I run Plex, Nextcloud, Home Assistant, and a Gitea instance all on the same SCALE box using Docker. Each service gets its own dataset with isolated permissions.

    If you want to go deeper on the networking side, I’d start with full network segmentation with OPNsense. For monitoring, check out my post on open-source security monitoring.

    📋 Disclosure: Some links in this article are affiliate links. If you purchase through them, I earn a small commission at no extra cost to you. I only recommend gear I actually run in my own homelab.