
Cannot import encrypted volume in 11.2-beta

#1
I'm seeing issues with a brand new 11.2-beta installation.
They are related to this ticket, https://redmine.ixsystems.com/issues/41688 which has been "closed as a transient error".

However, before I post a bug report, can anyone confirm my observations? I tried this several times.
  1. install FreeNAS-11.2-BETA2 (f14b2ed0e)
  2. use legacy UI (new UI has the same result, but you don't see the errors)
  3. create a volume of 4 disks zfs2, ENCRYPTED!
  4. download the key
  5. reboot
  6. detach the volume
  7. reboot
  8. Import volume. use downloaded key, no passphrase
  9. RESULT: nothing seems to have happened. Refresh the browser to be sure. Expected result: volume should have been brought back
  10. try again to import volume
  11. RESULT: error (see attachment)
 

#2
UPDATE

I decided to test this on 11.1 also.
I can reproduce the same problem there! You cannot import encrypted volumes?!
Strange, because this video clearly shows it works: https://www.youtube.com/watch?v=tMaOK8TnvQo
The only difference is, in the video the key-file has a passphrase.
So I tried again, this time WITH passphrase. And indeed, success!

So it still looks like I stumbled upon an important FreeNAS bug:
It looks like you cannot import encrypted volumes with key-files that DO NOT have a passphrase.

Still, it would be nice if someone else could reproduce this.
Who wants to have a go?
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
#3
The regular key requires a password to be complete. The recovery key is capable of decrypting the disks on its own. Are you sure you used the correct one?
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
#5
If that is not what you mean, then please elaborate.
GELI has two key slots. The first supports a key and a password, which are combined to obtain the key used to decrypt the disks. The second only supports keys - FreeNAS calls it the recovery key.

Naturally, these two keys are different and not interchangeable (although the recovery key is interchangeable with the regular key+password combination).
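
A simplified model of the two key slots described in this post, added here as an illustration (it is not code from GELI, FreeNAS or the poster): the volume's master key is stored once per slot, each copy wrapped under a user key built from that slot's components, so the key file of a key-plus-passphrase slot opens nothing on its own. The derivation, the XOR wrapping and all key material are constructed stand-ins.

```python
import hashlib
import hmac

def user_key(keyfile, passphrase=b"", salt=b"", iters=10_000):
    """Fold key file and optional passphrase into one user key (model KDF)."""
    mac = hmac.new(b"model-user-key", keyfile, hashlib.sha512)
    if passphrase:
        # Stretch the passphrase before mixing it in.
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase, salt, iters))
    return mac.digest()

def _stream(ukey, n):
    return hashlib.sha512(b"wrap" + ukey).digest()[:n]

def wrap(mkey, ukey):
    """Encrypt the master key under a user key; XOR stands in for a real cipher."""
    ct = bytes(a ^ b for a, b in zip(mkey, _stream(ukey, len(mkey))))
    return ct, hmac.new(ukey, ct, hashlib.sha512).digest()

def unwrap(slot, ukey):
    """Return the master key, or None if the user key does not fit this slot."""
    ct, tag = slot
    if not hmac.compare_digest(tag, hmac.new(ukey, ct, hashlib.sha512).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ukey, len(ct))))

def attach(slots, salt, keyfile, passphrase=b""):
    """Try the supplied components against every slot, as an import would."""
    ukey = user_key(keyfile, passphrase, salt)
    for number, slot in enumerate(slots):
        mkey = unwrap(slot, ukey)
        if mkey is not None:
            return number, mkey
    return None

# Constructed sample material, not real keys.
SALT = b"constructed-salt"
MKEY = bytes(range(32))
GELI_KEY = b"K" * 64
RECOVERY_KEY = b"R" * 64
PASSPHRASE = b"constructed passphrase"
SLOTS = [
    wrap(MKEY, user_key(GELI_KEY, PASSPHRASE, SALT)),  # slot 0: key + passphrase
    wrap(MKEY, user_key(RECOVERY_KEY, salt=SALT)),     # slot 1: recovery key only
]

if __name__ == "__main__":
    print("key file alone:       ", attach(SLOTS, SALT, GELI_KEY))
    print("key file + passphrase:", attach(SLOTS, SALT, GELI_KEY, PASSPHRASE)[0])
    print("recovery key alone:   ", attach(SLOTS, SALT, RECOVERY_KEY)[0])
```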
 
#6
Ok, so, do I understand correctly that,

a) you can download the Key, but then you MUST Add/Change Passphrase, as key will not work otherwise. (you even need to create the passphrase before the download)

or

b) Or you can Add a recovery key and use that (new/other) key. This key does not need a passphrase, but as such it is less secure, and therefore it is best used only if you forgot the passphrase of the other Key (hence the name 'recovery key')
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
#7
> a) you can download the Key, but then you MUST Add/Change Passphrase, as key will not work otherwise. (you even need to create the passphrase before the download)
Other way around. If you set the password (I'm not sure you absolutely have to, GELI doesn't mandate it), you then have to download the new key.

> but as such it is less secure
Not necessarily. It's more different than less secure.
 
#8
> Other way around. If you set the password (I'm not sure you absolutely have to, GELI doesn't mandate it), you then have to download the new key.
Sure, if you set the passphrase you have to download the Key again. That is clear.

But my point is, if you download a Key which has no passphrase set on it, then you cannot import a volume successfully with that passphraseless-Key. I tried it on 11.1 and 11.2-beta.

Maybe someone can try to confirm this in a test environment?
 
#9
I'm actually trying to import a volume right now on 11.2-RELEASE-U1 and am having the same issue importing the encrypted volume (same error as attached by OP).

All I have is the geli.key which I downloaded just before detaching the volume... did I download the wrong key? Am I SOL (I do have backups...)?
 