Backup encryption geli keys/Passphrase not working

BBishop (Cadet, joined Aug 15, 2019, 2 messages)
I'm not sure where to start, but I have been using FreeNAS for 3 years without any issue until today. Currently, the issue is that my USB boot volume has been marked as DEGRADED for the last 3 months (finally found time to fix the issue...) and I didn't create a mirror... I know, lesson learnt. Previously, when having this issue, I would:
  1. Back up config (System --> General) and pool encrypted keys
  2. Re-install Freenas on new USB
  3. Upload config
  4. Unencrypt Pools with geli keys or passphrase
Unfortunately, when I try that now, my config restores perfectly fine, but when I upload the decryption key for the storage pools or enter my passphrase (saved in a password manager) I get the following error:
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/tastypie/resources.py", line 219, in wrapper
    response = callback(request, *args, **kwargs)
  File "./freenasUI/api/resources.py", line 949, in unlock
    form.done(obj)
  File "./freenasUI/storage/forms.py", line 2847, in done
    raise MiddlewareError(msg)
freenasUI.middleware.exceptions.MiddlewareError: [MiddlewareError: Volume could not be imported: 8 devices failed to decrypt]


From the log files, it states that the decryption key is incorrect, as well as my passphrase. If I remove the new USB, then boot off the DEGRADED USB and use the same decryption key and passphrase, the pools unencrypt fine, which doesn't make sense. Not sure what I am doing wrong; please see my configuration below:

Build: FreeNAS-11.2-U5
CPU: Intel Xeon E3-1230 v6
Motherboard: SuperMicro X11SSH-F
Memory: 48GB (Micron 2133Mhz DDR4 ECC)
Storage: 8x4TB Seagate IronWolf

I did try to add a mirror to the boot environment that is DEGRADED and boot off the mirror USB, but this didn't work (I used a USB with the same GiB as the original DEGRADED USB), as I received the following error:

Code:
EFAULT] 'newfs_msdos -F 16 /dev/da1p1' failed: newfs_msdos: /dev/da1p1: Operation not permitted

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 167, in call_method
    result = await self.middleware.call_method(self, message)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1098, in call_method
    return await self._call(message['method'], serviceobj, methodobj, params, app=app, io_thread=False)
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1046, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 664, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/boot.py", line 221, in replace
    boottype = await self.format(dev, format_opts)
  File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 664, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/boot.py", line 113, in format
    raise CallError('%r failed:\n%s%s' % (" ".join(command), p.stdout.decode("utf-8"), p.stderr.decode("utf-8")))
middlewared.service_exception.CallError: [EFAULT] 'newfs_msdos -F 16 /dev/da1p1' failed:
newfs_msdos: /dev/da1p1: Operation not permitted


Not sure what else to try... Failure to access the encrypted pools with the new USB would mean losing 6.34 TiB of data, which would not be the best day of my life. I have thought about backing up to cloud storage, but then that means backing up the Plex config, Sonar config, etc., which is work that I don't really want to do. Any help would be greatly appreciated.

BBishop (Cadet, joined Aug 15, 2019, 2 messages)
Well, after spending the whole night researching what the issue may be, I stumbled upon the answer at 4 am thanks to this post: "Encryption key storage after reinstallation and importing pools".

In summary, the issue is that when FreeNAS restores a config on 11.2-U5, it doesn't restore the geli keys within /data/geli/. This means that when you try to unencrypt your drives, FreeNAS can't, because it has no file to verify whether the key uploaded or passphrase entered is correct. If anyone is having this issue, you need to do the following:
  1. Copy your geli directory with keys from /data/geli to another machine (scp -r -v /data/geli NAME@IPADDRESS:/Documents/).
  2. Install FreeNAS on a new USB boot environment and import your config.
  3. Check within /data/ and you will see that the geli directory is missing.
  4. Copy the geli directory to /data/ on the new USB boot environment.
  5. Reboot.
  6. Once back within the WebGUI, you should be able to decrypt your pools.
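A scripted version of the copy-out and copy-back steps above, added here as an example (it is not from the post or from FreeNAS): it copies the key directory together with a SHA-256 manifest, and after the reinstall and config restore checks that every key file is back in place with the same content before you attempt to unlock the pools. The source and destination paths are arguments; /data/geli is the directory the post names, and the directory layout inside it is assumed to be flat files.

```shell
#!/bin/sh
# Back up a geli key directory with a SHA-256 manifest, and verify that the
# keys are back in place (e.g. under /data/geli) after a reinstall + config
# restore, before attempting to unlock the pools.
set -eu

# Portable SHA-256 of one file: Linux ships sha256sum(1), FreeBSD sha256(1).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Print "<sha256>  <relative path>" for every regular file under directory $1.
make_manifest() {
    (cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(file_sha256 "$f")" "${f#./}"
    done)
}

# backup_geli SRC DEST: copy SRC to DEST and write DEST.sha256 as the manifest.
backup_geli() {
    src=$1; dest=$2
    mkdir -p "$dest"
    cp -Rp "$src/." "$dest/"
    make_manifest "$src" > "$dest.sha256"
    # Key files are secrets: make the copy owner-readable only.
    find "$dest" -type f -exec chmod 600 {} +
    chmod 600 "$dest.sha256"
}

# verify_geli MANIFEST DIR: return 0 only if every key listed in MANIFEST is
# present in DIR with a matching hash; report what is missing or changed.
verify_geli() {
    manifest=$1; dir=$2; status=0
    [ -d "$dir" ] || { echo "missing key directory: $dir" >&2; return 1; }
    while read -r sum rel; do
        if [ ! -f "$dir/$rel" ]; then
            echo "missing key file: $rel" >&2; status=1
        elif [ "$(file_sha256 "$dir/$rel")" != "$sum" ]; then
            echo "checksum mismatch: $rel" >&2; status=1
        fi
    done < "$manifest"
    return "$status"
}
```

Run `backup_geli /data/geli /path/to/backup/geli` on the old boot device, and after copying the directory back run `verify_geli /path/to/backup/geli.sha256 /data/geli` on the new one; a non-zero exit tells you which key is missing or changed before the WebGUI reports "devices failed to decrypt".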

toadman (Guru, joined Jun 4, 2013, 619 messages)
Thanks for posting. Seems like an oversight in the FreeNAS backup/restore config workflow.