SOLVED Another "recovery key lost" thread

Status
Not open for further replies.

ndr3k

Cadet
Joined
Oct 12, 2015
Messages
6
Hey there,

Confirmation required on a classic dumb-user problem:

After 1 year of successfully running a cool feature as seen in many movies, called volume encryption, on a highly experimental and non-supported config, without any real requirement for it, I finally got what I deserved. My freenas running 9.2.1.9, with lots of data with emotional value on it, had experienced a series of errors which I failed to act on, and now, after the final and fatal "ex-factor" driven physical failure of the usb stick it was running on, I have reached the painful understanding that I failed to properly back up my recovery key. I still have the passphrase, but according to all FreeNAS documentation, this is not enough to decrypt a volume. I am almost willing to move on to the next phase of grief - acceptance - but there are some vague hints on the web which keep me awake on those lonely nights. For example this one: https://www.reddit.com/r/freenas/comments/2h6efv/scared_to_try_freenas_what_happens_if_my_usb/

"If you have either the GELI password or the recovery key, you can completely restore your encrypted NAS on any system that supports GELI and ZFS, even one that isn't a FreeNAS system."

Could someone please confirm that this guy has no idea what he is on about, and that the volume cannot be decrypted with only the passphrase and without the recovery key, so I can just wrap up the disk and store it in a cool and dry place for better days of future generations and quantum computing brute-force possibilities to come.

Thanks in advance.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I was under the impression that the keys are stored on disk and are unlocked by the GELI password. However, I've primarily worked with the framework under FreeBSD and don't know a lot about what is going on with FreeNAS for encryption. There may yet be hope, and what you quote from reddit is consistent with my understanding of things.
 

ndr3k

Cadet
Joined
Oct 12, 2015
Messages
6
Ok, this led me back to the initial despair. :)

Any ideas, if and how something could be done here? Anyone?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I'd try carefully poking at it with a FreeBSD LiveCD. Then try "geli attach da0" or whatever your device name is, see if it takes your password and unlocks the disk. If so, stop there and don't do anything that you would later discover to be stupid! :smile:
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
No, not avoid stupid, avoid doing anything that you would LATER discover to be stupid! Heheheh. No but seriously give that a shot and see what happens. I'm trying to avoid having to do any Real Work here to help you figure this out because I've already got a lot going on, but if we get stuck in the back-and-forth here I may find some time to look in more detail.
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
You must recover your key from your usb stick. If I remember correctly, it resides in /data/geli. If you cannot recover it, your data is gone for good.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The question is whether or not the key is stored in the last sector of the provider, which is where geli stores metadata. I'm unclear on what's actually been designed into the FreeNAS implementation.
 

ndr3k

Cadet
Joined
Oct 12, 2015
Messages
6
This pretty much seems to sum it up. I'm doomed:

https://forums.freenas.org/index.php?threads/recover-encryption-key.16593/#post-85497

How GELI works (what made me hope in the first place):

An user key can be created from two components -- a passphrase and/or a key file -- you can use one, the other, or both.

But here's the Freenas implementation:

FreeNAS uses the user keys as follows:
  • user key 0 (the "main" key) always has the key file component which is stored in /data/geli. It optionally can also have the passphrase component. If the passphrase is set then both the key file and the passphrase are needed to unlock the pool (decrypt the master key).
So without the recovery key or /data/geli.... I will probably remember this passphrase till the day I die, but it will not help me retrieve any data :D
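The two-component user key quoted above (key file from /data/geli plus an optional passphrase, together unlocking the encrypted master key) can be modelled in a few lines. The block below is an added illustration and not GELI's or FreeNAS's own code: it is a simplified model that uses HMAC-SHA512 as a key stream and an HMAC tag in place of GELI's AES-wrapped master key in the provider's last sector, with a PBKDF2 iteration count, salt, key file and master key that are all constructed here. What it shows is the point of the thread: with the same passphrase but no key file, the derived user key is a different value, the integrity check on the wrapped master key fails, and the master key never comes out.

```python
"""Toy model of a GELI-style two-component user key.

Added example, not GELI's real on-disk format, KDF or cipher. Real GELI
encrypts the master key with AES and keeps it in the provider's last
sector; this model uses only the Python standard library.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 10_000  # assumption; real GELI chooses its own count at init time
TAG_LEN = 32


def derive_user_key(keyfile: Optional[bytes], passphrase: Optional[str],
                    salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """User key = HMAC-SHA512 over the key file bytes followed by the
    PBKDF2-stretched passphrase. Either component may be absent, but at
    least one is required."""
    if keyfile is None and passphrase is None:
        raise ValueError("at least one of keyfile or passphrase is required")
    mac = hmac.new(b"", digestmod=hashlib.sha512)
    if keyfile is not None:
        mac.update(keyfile)
    if passphrase is not None:
        stretched = hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"),
                                        salt, iterations)
        mac.update(stretched)
    return mac.digest()


def _keystream(user_key: bytes, length: int) -> bytes:
    # Deterministic pad derived from the user key (model only; not AES).
    return hmac.new(user_key, b"wrap", hashlib.sha512).digest()[:length]


def wrap_master_key(master_key: bytes, user_key: bytes) -> bytes:
    """Encrypt-then-MAC the master key under the user key."""
    assert len(master_key) <= 64, "model supports master keys up to 64 bytes"
    pad = _keystream(user_key, len(master_key))
    ciphertext = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(user_key, ciphertext, hashlib.sha512).digest()[:TAG_LEN]
    return ciphertext + tag


def unwrap_master_key(blob: bytes, user_key: bytes) -> Optional[bytes]:
    """Return the master key, or None when the user key is wrong (the
    model's equivalent of 'geli attach' refusing the credentials)."""
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(user_key, ciphertext, hashlib.sha512).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    pad = _keystream(user_key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def attach_outcomes() -> Dict[str, bool]:
    """Set up a pool whose user key 0 has both components, then try to
    unlock it with each combination of credentials. All values below are
    constructed for the demonstration."""
    keyfile = secrets.token_bytes(64)      # stands in for /data/geli/<pool>.key
    passphrase = "data with emotional value"
    salt = secrets.token_bytes(32)
    master_key = secrets.token_bytes(32)

    pool_user_key = derive_user_key(keyfile, passphrase, salt)
    wrapped = wrap_master_key(master_key, pool_user_key)

    attempts = {
        "keyfile and passphrase": derive_user_key(keyfile, passphrase, salt),
        "passphrase only": derive_user_key(None, passphrase, salt),
        "keyfile only": derive_user_key(keyfile, None, salt),
        "keyfile and wrong passphrase": derive_user_key(keyfile, "wrong", salt),
    }
    return {name: unwrap_master_key(wrapped, uk) == master_key
            for name, uk in attempts.items()}


if __name__ == "__main__":
    for name, ok in attach_outcomes().items():
        print(f"{name:30s} -> {'unlocked' if ok else 'refused'}")
```

Only the first combination unlocks the pool; the passphrase-only attempt fails at the integrity check rather than decrypting to garbage, which is why keeping a copy of the key file (or the recovery key) is the thing that actually matters.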
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, is the USB stick totally toast, or is it maybe possible that it isn't a total loss? I'm happy to walk you through poking at it. It isn't that hard to check.
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
The question is whether or not the key is stored in the last sector of the provider, which is where geli stores metadata. I'm unclear on what's actually been designed into the FreeNAS implementation.

There is a key there. It is the key that decrypts the data on the disk. However, that key is encrypted. It is encrypted with the key that freenas creates and stores in /data/geli. If he can't recover his key, his data is gone.
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
An user key can be created from two components -- a passphrase and/or a key file -- you can use one, the other, or both.

This is incorrect. There is always a key file involved. This is not a freenas requirement. It's a geli requirement.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah, if you don't have a key backed up from before the USB key failure, and you can't recover the key from /data/geli, there are no recovery options that are realistically going to crack the encryption in any of our lifetimes.
 

ndr3k

Cadet
Joined
Oct 12, 2015
Messages
6
Well, is the USB stick totally toast, or is it maybe possible that it isn't a total loss? I'm happy to walk you through poking at it. It isn't that hard to check.

I appreciate it, but that is a total loss. No joy there. None whatsoever.

Some key takeaways:

1. RTFM
2. When thinking about encryption (without the real need for it), think again and go back to point 1. Do while ....
3. Backup your keys. And again. Really!
4. Do not ignore "database malformed" nor any other errors
5. Do not plug your freenas into a power outlet where your gf might feel an unexpected urge to unplug it in order to plug in a friggin vacuum cleaner. Especially when you have seen big fat warnings about the fragile state of your setup.

I don't have the heart to click on the button to destroy data and re-use that specific disk myself so I will just call my ex :D
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
So, just so we're clear here, you've actually installed a different USB key, and then you've verified that there is no way to access the contents on the original USB stick? Just because the original USB stick won't boot doesn't make it a total loss. The data might still be right there waiting for you. The method to check and recover it is not horribly difficult.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
If the USB can be recognized, I would try to grab that data directory, then dd an image of the USB just to be sure. 9.2 was ufs so it should mount under other OSes.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I would not try to mount it on another OS. A very careful inspection is warranted in order to make sure you don't inadvertently damage it further.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
How are you going to inspect it without mounting it?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The problem with mounting it on some other OS is that you're not really guaranteed as to what is going to happen. Using FreeBSD or FreeNAS, we know exactly what will happen when you follow a certain set of steps.
 

ndr3k

Cadet
Joined
Oct 12, 2015
Messages
6
Thanks for the concern, but here's the deal with the usb:

LEDs on the stick not lighting up as they should when plugging in.
BIOS doesn't see the device.
Installed another FreeNAS, disk not seen.
Tried with a FreeBSD liveCD - no joy.

Low-cost no-name piece of shhh provided by employer. I have now asked around and several from that batch have malfunctioned quite quickly.
 