Hi, I have a freenas box with 4 pools. All of the pools are encrypted. They were originally created with an installation on crappy USB stick, which I've replaced since and reinstalled the OS. The original installation was with version 11.2 R2, which got upgraded to R3 before getting replaced. I have all the encryption keys backed up, and reinstalled the same version on another set of sticks in a mirror, and imported the pools using the backed up keys, and it worked just fine.
However since then, whenever I reboot the box, the pools don't come up, they stay locked and I have to manually import the correct keys for all pools, which is a hassle and a bit error prone. I've checked what's in `/data/geli` and it was empty. I've since recreated one of the pools, and the key for that one is sitting in `/data/geli`.
My main issues with this situation:
However since then, whenever I reboot the box, the pools don't come up, they stay locked and I have to manually import the correct keys for all pools, which is a hassle and a bit error prone. I've checked what's in `/data/geli` and it was empty. I've since recreated one of the pools, and the key for that one is sitting in `/data/geli`.
My main issues with this situation:
- It's inconvenient having to hunt down the backed up keys on every reboot and match up the correct key to the pool - though at lest i know that the backup is good...
- When clicking the download key for one of these pools in the UI, it downloads a 0 byte geli.key file, which is horrible UX in my opinion. I've actually thought those keys were going to be the correct ones, didn't check the file size and scratched my head for a while when after the next reboot i tried to unlock the pool with those keys. This can literally cause someone who's not careful enough to overwrite their backup keys and loose all their data on the next reboot.
- I had another issue where I tried to expand once of the pools with 2 more disks to have a stripe consisting of 3 disks (I am aware of the risks with this setup, the data stored on this volume is data that I can recover from other sources if one of the disks die). This created a new encryption key, which I backed up also, let's call this key B, while the original key A. This basically resulted in a setup, where I had a volume consisting of 2 disks, that used encryption key B, and another device that used encryption key A. After the next reboot it was a huge PITA to decrypt this pool and was completely unintuitive. I'm guessing this was made worse by key A not being stored on the box because of the above issue.