Bug using encryption with expanded volume!

Status
Not open for further replies.

brandonpoc (Dabbler; joined Mar 26, 2013; messages: 17)

I believe I have identified a bug with the way encrypted volumes are handled when that volume has been expanded.
Please see http://forums.freenas.org/showthread.php?12063-Encrypted-Volume-Will-Not-Decrypt! for a little more information and background, but to refresh:

I created an encrypted volume called "SSD", made from one 60GB SSD (/dev/ada0[p1]), and used it for a week without problems. I saved the key and the recovery key, as well as set a passphrase to the key. I then proceeded to add a second 60GB SSD (/dev/ada5[p1]) to the volume (default, striped). Everything worked fine until I rebooted and attempted to use my passphrase to decrypt the volume and import it and bring it online; I couldn't! Not only did it not recognize my passphrase but it also did not decrypt with the recovery key. I checked the key in /data/geli/ for the volume and the size was 0! Somehow the key got nuked. I detached it and went to auto-import it, and chose both disks ada0p1 and ada5p1. It successfully attached it via GELI, but didn't import it via ZFS as I couldn't find any mount point and the web UI bailed on me. The /dev/gptid/ .eli was present for the FIRST disk of the volume, the long ID name of /dev/ada0, but NOT the second. I manually was able to geli detach and then geli attach the first disk but NOT the second. When I try on the second, geli suggests I use the -p option indicating that there is no passphrase and thus no key present (even though I present one to geli via the -k option). This leads me to believe that something is wrong with the way FreeNAS is expanding encrypted volumes.

Now, when I choose just the first disk /dev/ad0[p1] to auto-import, I enter my passphrase for the key and FreeNAS UI presents me with the volume name ("SSD"), and I select it but then I get this error:

Mar 26 21:27:24 cabinet manage.py: [middleware.exceptions:38] [MiddlewareError: The volume "SSD" failed to import, for futher details check pool status]

I'm thinking it needs both disks, but only the first disk actually contains the GELI data and the second disk doesn't? I tried providing to the second disk (ada5[p1]) the key with no pass-phrase, and I tried providing the recovery key as well, and neither works. It's as if none of the geli encryption was initialized for the second disk during expansion.

So, as it stands right now, I have no way to import my data. This is important data. I have a backup (thank God!) because I had my suspicions that things might go awry, and they did. I am going to re-create my volumes and datasets/pools with both disks from the get-go, and not try to expand it which is really a shame. This should be noted in the FAQ and errata so that others don't attempt this lest they lose their access.

Please keep me updated!

Thanks,
Brandon Edward
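
A pre-reboot check for the failure described in the post above, added here as an example (not part of the original post and not FreeNAS code): it flags empty key files in the key directory and pool members that carry no GELI metadata. The function names and arguments are assumptions, as is the reliance on `geli dump` exiting non-zero when a provider has no valid GELI metadata.

```shell
#!/bin/sh
# Added example, not FreeNAS code. Run as root before rebooting a box whose
# encrypted pool was just expanded, e.g.:
#   sh geli_precheck.sh /data/geli /dev/ada0p1 /dev/ada5p1
# (script name is hypothetical; paths and devices are the ones from the post)

# Print each empty key file in directory $1. Returns 1 if any key file is
# empty or if the directory holds no files at all, 0 otherwise.
empty_keys() {
    dir=$1 seen=0 rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        if [ ! -s "$f" ]; then        # -s is true only for size > 0
            echo "EMPTY KEY: $f"
            rc=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "NO KEY FILES: $dir"
        rc=1
    fi
    return "$rc"
}

# Print each provider given as an argument that has no readable GELI
# metadata. Assumption: `geli dump` fails on such a provider.
unencrypted_members() {
    rc=0
    for p in "$@"; do
        if ! geli dump "$p" >/dev/null 2>&1; then
            echo "NO GELI METADATA: $p"
            rc=1
        fi
    done
    return "$rc"
}

# Only act when called with a key directory and at least one provider.
if [ "$#" -ge 2 ]; then
    keydir=$1; shift
    status=0
    empty_keys "$keydir" || status=1
    unencrypted_members "$@" || status=1
    [ "$status" -eq 0 ] && echo "OK: keys non-empty, all members have GELI metadata"
    exit "$status"
fi
```

A non-zero exit means the pool should not be rebooted or detached until the key and the per-disk metadata have been backed up or repaired.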
 