Clarification on Encrypted Pool and Resilvering

Status: Not open for further replies.

chuggs (Dabbler; joined Jan 5, 2016; 10 messages)
Forgive me if I missed something here. I have read through the documentation at the following:

https://doc.freenas.org/11/storage.html#replacing-an-encrypted-drive
https://forums.freenas.org/index.php?threads/recover-encryption-key.16593/#post-85497

The documentation states that after resilvering is complete, the pool must be re-keyed "before the next reboot, [or] access to the pool might be permanently lost." I am a little unclear here, as "might" is a strange word for a warning like this.
  1. Why does it need to be re-keyed? I am not super familiar with geli, but from what I have read it appears to use envelope encryption, with a generated key encrypted with the user's key and stored in the drive metadata. When the new disk is resilvered, my assumption would be that FreeNAS would use the existing pool's key to encrypt the new disk's key.
  2. What happens if a reboot occurs before re-keying? Why is there uncertainty in this scenario?
  3. Given that large disks can take hours to resilver, this seems... risky. Am I misunderstanding something here, or do operators just sit at their machine for the duration of the resilver while praying for no power failures?
Many thanks for any insight you can offer.
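The question above hinges on how "envelope" disk encryption behaves when the members of a pool end up wrapped under different user keys. The following is an added toy model written for this thread; it is not geli's on-disk format, not FreeNAS's rekey code, and it makes no claim about which key FreeNAS actually uses for a resilvered member. The wrap construction (HMAC keystream plus MAC tag), the `Disk` fields and the `replace_scenario` failure case are all constructed for the illustration. What it does show is the mechanism behind "inconsistencies lock you out": if even one member's master key is wrapped under a key the operator no longer has, that member cannot be unlocked at the next attach, while a rekey of every member at once re-wraps all master keys under one current key without touching the data keys themselves.

```python
"""Toy model of envelope ("wrapped master key") disk encryption.

Added illustration for the forum question; NOT geli's metadata format and
NOT FreeNAS's rekey logic. Field names and the wrap construction are
assumptions made for the example. Standard library only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


def derive_user_key(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte user key from a passphrase (PBKDF2, as most disk crypto does)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=32)


def wrap(master_key: bytes, user_key: bytes) -> bytes:
    """Wrap a 32-byte master key under the user key: keystream XOR plus a MAC tag.
    (Toy construction for the model, not a standard key-wrap algorithm.)"""
    stream = hmac.new(user_key, b"wrap", hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(user_key, body, hashlib.sha256).digest()
    return body + tag


def unwrap(blob: bytes, user_key: bytes) -> Optional[bytes]:
    """Return the master key, or None if this user key does not match the wrap."""
    body, tag = blob[:32], blob[32:]
    expected = hmac.new(user_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(user_key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))


@dataclass
class Disk:
    name: str
    salt: bytes            # per-disk salt, stored in metadata (assumed layout)
    wrapped_master: bytes  # master key wrapped under the current user key
    master_key: bytes      # in a real system this lives only in kernel memory


def init_disk(name: str, passphrase: str) -> Disk:
    """'geli init'-style: fresh random master key, wrapped under the user's key."""
    salt, master = os.urandom(16), os.urandom(32)
    return Disk(name, salt, wrap(master, derive_user_key(passphrase, salt)), master)


def rekey_pool(disks: List[Disk], new_passphrase: str) -> None:
    """'geli setkey'-style rekey: re-wrap EVERY member's master key under a new
    user key. The master keys, and therefore the data, are untouched."""
    for d in disks:
        d.wrapped_master = wrap(d.master_key, derive_user_key(new_passphrase, d.salt))


def attach_pool(disks: List[Disk], passphrase: str) -> List[str]:
    """Simulate unlocking at boot; returns the names of members that FAIL to unlock.
    A non-empty result is the 'locked out' condition the thread warns about."""
    return [d.name for d in disks
            if unwrap(d.wrapped_master, derive_user_key(passphrase, d.salt)) is None]


def replace_scenario(rekey_after_replace: bool) -> List[str]:
    """Constructed failure mode: a pool keyed with 'poolkey' has one member
    replaced by a disk that was initialised under a different key. Returns the
    members that cannot be unlocked with the key the operator uses at reboot."""
    pool = [init_disk("da0", "poolkey"), init_disk("da1", "poolkey")]
    pool[1] = init_disk("da2", "replacement-key")  # resilvered under another key
    if rekey_after_replace:
        rekey_pool(pool, "poolkey-v2")          # one rekey covers all members
        return attach_pool(pool, "poolkey-v2")
    return attach_pool(pool, "poolkey")


if __name__ == "__main__":
    print("no rekey, reboot ->", replace_scenario(False))  # ['da2'] cannot unlock
    print("rekey, reboot    ->", replace_scenario(True))   # [] all members unlock
```

Running it shows the asymmetry the thread describes: without a rekey, the member wrapped under the other key is unrecoverable with the key in hand, and in a real pool that is a missing vdev member at boot; after a rekey of all members, every wrap matches the single current key, which is why "rekey and be sure the key is known" is the safe procedure regardless of what state the replaced member was in.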

Chris Moore (Hall of Famer; joined May 2, 2015; 10,080 messages)
You probably need to find a developer to get the answers to your question. This is one of the reasons that people hesitate to use encryption. There have been whole pools lost because the encryption key was in an undefined state. It is better to rekey and be sure that the key is known because not knowing will be catastrophic.

Sent from my SAMSUNG-SGH-I537 using Tapatalk
 

Chris Moore (Hall of Famer; joined May 2, 2015; 10,080 messages)
PS. The encryption security default is to deny access, so if there are any inconsistencies, it would lock you out.
People have lost their pool by replacing a drive, not rekeying, and then rebooting. Don't make assumptions.

Sent from my SAMSUNG-SGH-I537 using Tapatalk