FreeNAS firmware upgrade

Status
Not open for further replies.

Nick Townsend

Dabbler
Joined
May 14, 2015
Messages
17
Hello,

So I will be upgrading our company's FreeNAS firmware from 8.3.1 to 9.3 for various reasons. I just want to make sure that I will not run into any issues unlocking the ZFS volume that stores all of our backups.

I have tested this with a virtual machine with FreeNAS installed on it, and it worked just fine.

My only issue is that when I uploaded the config from our actual FreeNAS server, then tried to unlock our ZFS volume, it asked for a key. We have only had to use a passphrase to unlock this volume previously, and it is not working.

When I upgrade our actual FreeNAS from 8.3.1 to 9.3, will I have to provide a key along with the passphrase? If so, where can I find this key, because when I downloaded the key from the GUI and uploaded it to the test machine along with the passphrase, that did not work either.

Thanks
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
I don't know enough about 8.3 to answer your question, but I would highly recommend reading up on dealing with encrypted drives in FreeNAS. There is a way to save the keys and properly unlock them and the pool.
 

Nick Townsend

Dabbler
Joined
May 14, 2015
Messages
17
I don't know enough about 8.3 to answer your question, but I would highly recommend reading up on dealing with encrypted drives in FreeNAS. There is a way to save the keys and properly unlock them and the pool.

I have read the FreeNAS manual thoroughly and the manual is not very clear with how the keys work. I downloaded the key that corresponds to the pass phrase configured with the key, and uploaded the key to the test machine with the pass phrase and get an error that the ZFS volume cannot be mounted. I backed up my key like the manual says to do and I know my passphrase so I'm lost.
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Well, the key is associated with the disk drive and/or the pool, so it wouldn't be relevant in a test machine.

You could try installing a new USB stick (and pull out the 8.x USB just in case) in your machine and installing 9.3 on that and using the keys to access your pool (don't allow a pool upgrade if it asks, or your 8.x version won't be able to access it).
 

mjws00

Guru
Joined
Jul 25, 2014
Messages
798
You should be incredibly concerned about this procedure. As soon as there are issues with pass phrases, keys, and a lack of understanding, you are in a very dangerous spot. I wouldn't touch this without a full and separate, unencrypted, tested backup of the pool. In fact in your shoes I would create a new unencrypted pool on 9.2.1.9 and copy the data.

The challenge is that all glitches and screw-ups result in lack of access to your data. Of course I am likely a little paranoid, and things could go smoothly... But I'd tread lightly and make sure you have a well tested fallback position.
 

Robert Trevellyan

Pony Wrangler
Joined
May 16, 2014
Messages
3,778
I downloaded the key that corresponds to the pass phrase configured with the key, and uploaded the key to the test machine with the pass phrase and get an error that the ZFS volume cannot be mounted.
I'm not sure that your test was helpful, it's a bit unclear what you did.

I suggest practicing the entire process with a test system (could be a VM):
  1. Create test system using version 8.3.1.
  2. Set up encryption on test system.
  3. Copy/download/backup encryption information for test system as you have with live system.
  4. Upgrade test system (step-wise is probably better than trying to go directly from 8.3.1 to 9.3).
  5. See if you can access data on test system.
This way you may discover that you have everything you need, or that there's something missing, without risking your live data.

And I would still make sure I had an unencrypted backup per @mjws00 's suggestion.

EDITED for typos.
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
I think I know what his issue is, I just read up on this forum about encryption.
I'll try and summarize but will include the link where I found it:

On an existing system, the key is kept on the boot medium so you only need to supply the passphrase to use that key to unlock. (Backing up the config doesn't back up the key.)
After upgrading, that key might not get copied over; hence, your passphrase wasn't enough. You need to also copy your key into the right place on the boot medium OR supply the passphrase + the recovery key in the GUI.

Check these links in case you haven't already:
https://forums.freenas.org/index.php?threads/recover-encryption-key.16593/#post-85497
https://forums.freenas.org/index.ph...ks-from-single-freenas-primary-storage.17316/
 

Nick Townsend

Dabbler
Joined
May 14, 2015
Messages
17
I think I know what his issue is, I just read up on this forum about encryption.
I'll try and summarize but will include the link where I found it:

On an existing system, the key is kept on the boot medium so you only need to supply the passphrase to use that key to unlock. (Backing up the config doesn't back up the key.)
After upgrading, that key might not get copied over; hence, your passphrase wasn't enough. You need to also copy your key into the right place on the boot medium OR supply the passphrase + the recovery key in the GUI.

Check these links in case you haven't already:
https://forums.freenas.org/index.php?threads/recover-encryption-key.16593/#post-85497
https://forums.freenas.org/index.ph...ks-from-single-freenas-primary-storage.17316/

So instead of upgrading the firmware, I just installed 9.3 on another USB drive. I imported the config file from the 8.3.1 FreeNAS, and when I use the passcode that I used to unlock it on 8.3.1 it says error: cannot decrypt disks or something like that.

Since you are saying the keys are not transferred over in the config file, where can I find the keys to back up my ZFS pool? I downloaded the key from the GUI of 8.3.1 and imported it along with the passphrase but it gives me the same error.
 

ovizii

Patron
Joined
Jun 30, 2014
Messages
435
Keep in mind I'm quite new at this and only quoting what made sense to me as I read it :smile:

Quoting from the link I gave you:

Yes, the key file you get when you click the Download Key button is always stored in /data/geli (4th partition on the USB stick). This means you do not need to provide the file when you reboot the server and want to unlock your pool -- the passphrase is enough. You do need to upload the key file when you change/overwrite the USB stick.

The recovery key is not on the stick. The "main" key is on the fourth partition in the geli directory. If possible, you should copy the content of that directory into /data/geli in the new installation.

Have you tried supplying the downloaded recovery key + passphrase in the GUI?
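
A pre-unlock check for the situation discussed in this thread, added here as an example and not part of any poster's reply: it compares key files copied off the old boot medium's /data/geli with the copies on the new installation. The function name, the directory arguments and the `.key` file suffix are assumptions.

```sh
#!/bin/sh
# Added example: confirm that every GELI key file saved from the old boot
# medium is present and byte-identical on the new install before unlocking.
# The directory arguments and the *.key suffix are assumptions; the thread
# itself names only /data/geli.

# check_geli_keys OLD_DIR NEW_DIR
# Prints one status line per key file found in OLD_DIR. Returns the number
# of key files that are missing, empty or different in NEW_DIR (0 = all
# present), or 255 if a directory is missing or OLD_DIR holds no key files.
check_geli_keys() {
    old_dir=$1
    new_dir=$2
    problems=0
    found=0

    [ -d "$old_dir" ] || { echo "ERROR: no such directory: $old_dir" >&2; return 255; }
    [ -d "$new_dir" ] || { echo "ERROR: no such directory: $new_dir" >&2; return 255; }

    for key in "$old_dir"/*.key; do
        [ -f "$key" ] || continue          # glob matched nothing
        found=$((found + 1))
        name=${key##*/}
        if [ ! -s "$new_dir/$name" ]; then
            # absent or zero-length: the passphrase alone cannot unlock
            echo "MISSING  $name"
            problems=$((problems + 1))
        elif ! cmp -s "$key" "$new_dir/$name"; then
            echo "DIFFERS  $name"
            problems=$((problems + 1))
        else
            echo "OK       $name"
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "ERROR: no *.key files in $old_dir" >&2
        return 255
    fi
    return "$problems"
}

# Run directly as: sh check_geli_keys.sh /path/to/saved/geli /data/geli
if [ "$#" -eq 2 ]; then
    check_geli_keys "$1" "$2"
fi
```
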
 