Can't decrypt zpool

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
Hi.

This morning I found that my RAIDZ2 pool (2x6 disks) was encrypted. That is weird 'cause it's been running like this since forever. Last week, I upgraded to FreeNAS-11.1-U7.

I have the geli.key file (it's also stored in /data/geli).

Haven't been able to decrypt it. Following some advice here, I've detached the pool and I'm now attempting to re-attach it.
But when doing so via the GUI I get the error:

The following disks failed to attach: gptid/54947601-607a-11e3-8f33-002590875a70, gptid/53b13956-607a-11e3-8f33-002590875a70, gptid/507267cf-607a-11e3-8f33-002590875a70, gptid/52d81628-607a-11e3-8f33-002590875a70, gptid/5209e34b-607a-11e3-8f33-002590875a70, gptid/e92ed4b4-1e07-11e4-938d-002590875a70, gptid/563c9435-1d64-11e4-938d-002590875a70, gptid/572f2aa8-1d64-11e4-938d-002590875a70, gptid/52d188d3-1d64-11e4-938d-002590875a70, gptid/53a96071-1d64-11e4-938d-002590875a70, gptid/547ef411-1d64-11e4-938d-002590875a70, gptid/5554750d-1d64-11e4-938d-002590875a70

If I attempt to just decrypt a single disk like:
# geli attach -k /tmp/geli.key /dev/gptid/54947601-607a-11e3-8f33-002590875a70
Enter passphrase:
geli: Wrong key for gptid/54947601-607a-11e3-8f33-002590875a70.

Any ideas?
Is it that my geli.key file is wrong, or the passphrase?

Thanks
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
There is a change in encryption behavior I think, at least for the key.

Best to reattach it from the previous version of FreeNAS you were on.
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
There is a change in encryption behavior I think, at least for the key.

Best to reattach it from the previous version of FreeNAS you were on.

I did upgrade the pool when I updated to 11.1, will that be a problem?
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
Went back to the earlier FreeNAS-9.10.2-U6 (561f0d7a1), still can't decrypt my drive. WTF !???
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
I have detached the pool, neither geli.key nor passphrase allows me to decrypt the disks.

How can I use the recovery key with a detached pool?

Thank you
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
Recovery key works when the drives are not attached. Select the recovery key and select all the drives as part of the encrypted pool. They should be imported and attached accordingly if everything is fine.
The procedure should be as follows:
- Select and upload the recovery key.
- Select the various drives from the encrypted pool.
If the key is a match, the name of the pool should appear in the list. If you see the name of your encrypted pool you should be fine, proceed with the import until completion. It will take some time, but let it complete. It can easily take hours depending on the number of snapshots present on the pool and the amount of data.
If you don't see it, no need to go further with the import with this method.

What I don't understand is how did you upgrade the pool if you didn't decrypt it?
It is possible with 11.1 that the passphrase was removed. Normally when the passphrase is used, the pool will remain locked on reboot until it is unlocked by entering the passphrase.
So it is possible there is no passphrase and importing the encrypted pool with the Geli key or recovery key should be enough.
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
Recovery key works when the drives are not attached. Select the recovery key and select all the drives as part of the encrypted pool. They should be imported and attached accordingly if everything is fine.
The procedure should be as follows:
- Select and upload the recovery key.
- Select the various drives from the encrypted pool.
If the key is a match, the name of the pool should appear in the list. If you see the name of your encrypted pool you should be fine, proceed with the import until completion. It will take some time, but let it complete. It can easily take hours depending on the number of snapshots present on the pool and the amount of data.
If you don't see it, no need to go further with the import with this method.

I've now upgraded to 11.2 just in case.
Where do I select and upload the recovery key? In the import volume screen?

When I go into storage, it is now fully blank.
The option I have is to import, where I can select all 12 disks, enter the geli.key and type the passphrase

This is what is showing after I detached the volume.

When I enter the geli.key it takes about 30s for the web interface to become responsive again, with the error listed in my first post.
If I upload the geli_recovery.key it immediately fails with the same error message:



When I go back to an earlier 9.10-2, I see the zpool, it shows as unencrypted. When I click on the button to unlock it after about 5s I get a message that unlocking failed.

Following the upgrade to 11.2, I now get SSL certificate error. Need to find out what's going on here first.

What I don't understand is how did you upgrade the pool if you didn't decrypt it?

You tell me ! :)

I've never had issues decrypting this zpool before, it just no longer accepts my key / passphrase (which I know). I do have a recovery key.
The upgrade worked well. The NAS unit rebooted later following an online update and it failed to decrypt after that.

I followed the upgrade instruction. While running 9.10.2, I locked the zpool, upgraded to 11.10, unlocked the zpool and performed the pool upgrade.

It is possible with 11.1 that the passphrase was removed. Normally when the passphrase is used, the pool will remain locked on reboot until it is unlocked by entering the passphrase.
So it is possible there is no passphrase and importing the encrypted pool with the Geli key or recovery key should be enough.

How do I remove the passphrase? Just leave it blank in the field? I've attempted that earlier and I get the message that it's the wrong key.

Thank you for your help, very much appreciated.

Edit: With no passphrase provided and back on 11.1-U6, I no longer get an error, just at the top:
"An error occurred"

Starting to get pessimistic about it all :(
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
I see that there's a self-update that occurred on January 26th to 11.2 from 11.1, that's where all the problems started.
 

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,458
I've now upgraded to 11.2 just in case.
Where do I select and upload the recovery key? In the import volume screen?
Correct
When I go into storage, it is now fully blank.
The option I have is to import, where I can select all 12 disks, enter the geli.key and type the passphrase

This is what is showing after I detached the volume.

When I enter the geli.key it takes about 30s for the web interface to become responsive again, with the error listed in my first post.
Error is meaningless.
I have noticed FreeNAS would crap out if previously present pool was previously attached, but removed when powered down with being detached.

If I upload the geli_recovery.key it immediately fails with the same error message:


When I go back to an earlier 9.10-2, I see the zpool, it shows as unencrypted. When I click on the button to unlock it after about 5s I get a message that unlocking failed.
You have to show me as I am confused as to what you are trying to say.
Are you saying the pool is "Locked"?

Following the upgrade to 11.2, I now get SSL certificate error. Need to find out what's going on here first.
Not an issue, but annoying. Normally clearing the SSL permission from the browser will help.

You tell me ! :)

I've never had issues decrypting this zpool before, it just no longer accepts my key / passphrase (which I know). I do have a recovery key.
The upgrade worked well. The NAS unit rebooted later following an online update and it failed to decrypt after that.
Still lost. Is volume encrypted and locked?


I followed the upgrade instruction. While running 9.10.2, I locked the zpool, upgraded to 11.10, unlocked the zpool and performed the pool upgrade.



How do I remove the passphrase? Just leave it blank in the field? I've attempted that earlier and I get the message that it's the wrong key.

Thank you for your help, very much appreciated.

Edit: With no passphrase provided and back on 11.1-U6, I no longer get an error, just at the top:
"An error occurred"

Starting to get pessimistic about it all :(
If GUI has crapped out, you can figure out the status of the pool via CLI, maybe it is attached but not available.
Under shell, do:

zpool status
If the pool is attached it will show.

I hope you have a backup of your pool, just in case.
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
The drives aren't mounted, they are encrypted.

The zfs volume itself isn't encrypted, the underlying disks are (with geli). AFAIK that's the standard FreeNAS design.

With the GUI, trying to import the volume with the recovery disk fails instantly; using the geli.key it takes longer to fail, but it will.

As it is now, the volume got detached, and all 12 disks aren't mounted anymore nor used for zfs. They are waiting to be decrypted, which I can no longer do.

When I attempt to do:
geli attach -p -k /tmp/geli.key /dev/gptid/DISK_GID
I get the error:
geli: Wrong key for DISK_GID

If I run geli attach with the passphrase, same thing.

I'll try for another day or so, after that I'm afraid I'll have to give up on that data.

That box *is* my backup :)
 

jyavenard

Patron
Joined
Oct 16, 2013
Messages
361
Well, 2 weeks on, still haven't been able to de-encrypt my disks.
Thank you FreeNAS for destroying all my data with your !$@#$! automatic update.
 

braintcket

Cadet
Joined
Oct 25, 2019
Messages
3
Hi, now I have the same problem.

First I had two HDDs via USB3 integrated as a mirror. I thought that was OK by now.

Then a hard drive had a bug and my pool has lost both hard drives and has encrypted itself.

To integrate the disks as an extension failed. Then I exported the pool and wanted to reintegrate it. I have geli.key and pw.

Nevertheless, I can neither find the pool nor decrypt nor what. It seems to be gone???

And yes, that was my backup with software licenses etc etc.

The system has been well maintained for about a year in this configuration.
 

braintcket

Cadet
Joined
Oct 25, 2019
Messages
3
Error decrypting disks
[EFAULT] The following devices failed to attach: gptid/15b5cf16-c744-11e9-b993-f80f416eb31d, gptid/4b27a888-c78f-11e9-8029-f80f416eb31d

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 333, in run
    await self.future
  File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 366, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1004, in run_in_thread
    return await self.loop.run_in_executor(executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.6/concurrent/futures/thread.py", line 56, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 668, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/disk.py", line 253, in decrypt
    raise CallError(f'The following devices failed to attach: {", ".join(failed)}')
middlewared.service_exception.CallError: [EFAULT] The following devices failed to attach: gptid/15b5cf16-c744-11e9-b993-f80f416eb31d, gptid/4b27a888-c78f-11e9-8029-f80f416eb31d
 
Joined
Feb 24, 2013
Messages
8
I had this exact problem. The solution was not entering a passphrase - I mistakenly believed I had used one during encryption. All I needed was my key file.
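
The fix reported in the last post (key file only, no passphrase) and the `geli attach -p -k` attempt earlier in the thread can be checked disk by disk from the shell instead of through the GUI. The following is an added example, not code from the thread or from FreeNAS; the function names, the passphrase file and the `GELI` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find out which user-key combination opens each GELI provider.
# GELI can be pointed at a stub to exercise the logic without real disks;
# on the NAS itself leave it unset so the real geli(8) is used.
GELI="${GELI:-geli}"

# try_attach KEYFILE DEVICE [PASSFILE]
# Prints "key-only", "key+passphrase" or "none". Every attempt uses -r
# (read-only attach), so a successful probe cannot write to the disk.
try_attach() {
    keyfile=$1 dev=$2 passfile=${3:-}
    # 1. Key file alone: -p tells geli not to use a passphrase component.
    if $GELI attach -r -p -k "$keyfile" "$dev" 2>/dev/null; then
        echo key-only
        return 0
    fi
    # 2. Key file plus passphrase, read from a file (-j) instead of a prompt.
    #    Keep that file mode 0600 on a memory-backed path and delete it after.
    if [ -n "$passfile" ] &&
       $GELI attach -r -k "$keyfile" -j "$passfile" "$dev" 2>/dev/null; then
        echo key+passphrase
        return 0
    fi
    echo none
    return 1
}

# probe_pool KEYFILE PASSFILE DEVICE...
# Prints one "device<TAB>result" line per disk; succeeds only if every disk
# opened. Pass "" as PASSFILE to test the key file alone.
probe_pool() {
    keyfile=$1 passfile=$2
    shift 2
    failed=0
    for dev in "$@"; do
        mode=$(try_attach "$keyfile" "$dev" "$passfile") || failed=$((failed + 1))
        printf '%s\t%s\n' "$dev" "$mode"
    done
    [ "$failed" -eq 0 ]
}

# Usage on the NAS (device name is a placeholder):
#   probe_pool /data/geli/<pool>.key "" /dev/gptid/<disk-1> /dev/gptid/<disk-2>
```

A provider that opens stays attached read-only as `<device>.eli`; release it with `geli detach` before retrying the import through the GUI.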
 