API 2.0: Unlock pool with password from file?

Dunuin

Hi,

I've got 2 FreeNAS 11.3 servers. One is the main NAS, that is always running and the other one is my backup NAS where I replicate everything once a week.
Right now I'm writing a bash script so my main NAS can once a week power up the backup NAS, unlock the encrypted pools, start the replication tasks, wait for it to finish and shut it down afterwards.
Using IPMI to power it up and FreeNAS API to check which pools aren't already unlocked works fine. I can use passwords stored in files on encrypted pools for API and IPMI authentication. But I don't see how I could send the passphrase for unlocking the pool using the API without writing that passphrase in clear text as a JSON object.
I don't like to write passwords directly into my commands because they could end up in the logs.

In the API 2.0 documentation it's written:
Unlock encrypted pool id.
passphrase is required if a recovery key is not provided.
If recoverykey is true this method expects the recovery key file to be uploaded using the /_upload/ endpoint.
services_restart is a list of services to be restarted when the pool gets unlocked. Said list can be retrieved using pool.unlock_services_restart_choices.
A file can be uploaded to this end point. This end point is special, please refer to Jobs section in Websocket API documentation for details.
And in the API 1.0 documentation for uploads:
This example uses curl,
Request:
curl -X POST -u root:freenas -H "Content-Type: multipart/form-data" -F 'data={"method": "config.upload", "params": []}' -F "file=@/home/user/Desktop/config" http://system_ip/_upload/
Response:
{"job_id": 20}

So is it only possible to upload a recovery key file or could I also upload a file containing my passphrase?
And there is no info about how to name it or how to tell the API which file to use as passphrase.

If not, is there a way to somehow pipe the passphrase from a file into my JSON text so it won't show up?

This is what my unlock line would look like:
curl -s -k --netrc-file "/path/to/netrc" -X POST "http://111.222.333.444/api/v2.0/pool/id/12345/unlock" -H "accept: */*" -H "Content-Type: application/json" -d "{\"passphrase\":\"myPassphrase\",\"recoverykey\":false,\"services_restart\":[null]}"

Would be great if someone got an idea how to do this more securely.
 
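One way to do what the post asks, as an added example that is not part of the original post or the FreeNAS documentation: read the passphrase from a file, JSON-escape it, and hand the request body to curl on stdin so it never appears in a command line. The function names and the empty `services_restart` list are assumptions; the endpoint path and the curl options are the ones used in the post.

```shell
#!/bin/sh
# Added example. Function names and the empty services_restart list are
# assumptions; the endpoint path and curl options come from the post.

# Escape a string read on stdin for use inside a JSON string literal.
json_escape() {
    # Backslashes first, then double quotes.
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# build_unlock_payload FILE
# Print the JSON body for pool unlock, using the first line of FILE as
# the passphrase. printf is a shell builtin, so the value never appears
# in another process's argument list.
build_unlock_payload() {
    bup_file=$1
    [ -r "$bup_file" ] || { echo "cannot read passphrase file" >&2; return 1; }
    bup_raw=$(head -n 1 "$bup_file" | tr -d '\r')
    [ -n "$bup_raw" ] || { echo "passphrase file is empty" >&2; return 1; }
    # Control characters would need \uXXXX escapes; refuse them instead.
    if printf '%s' "$bup_raw" | LC_ALL=C grep -q '[[:cntrl:]]'; then
        echo "passphrase contains control characters" >&2
        return 1
    fi
    bup_esc=$(printf '%s' "$bup_raw" | json_escape)
    printf '{"passphrase":"%s","recoverykey":false,"services_restart":[]}\n' "$bup_esc"
}

# unlock_pool BASE_URL POOL_ID PASSPHRASE_FILE NETRC_FILE
# Send the body to curl on stdin (--data-binary @-), so the passphrase
# is not part of curl's command line.
unlock_pool() {
    up_body=$(build_unlock_payload "$3") || return 1
    printf '%s' "$up_body" |
        curl -s -k --netrc-file "$4" -X POST \
            -H "Content-Type: application/json" \
            --data-binary @- "$1/api/v2.0/pool/id/$2/unlock"
}

# Usage (placeholder values):
# unlock_pool "http://nas.example" 12345 /path/to/passphrase /path/to/netrc
```

Running the script with `set -x` would print the expanded passphrase in the shell trace, so keep tracing off around these functions.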