How to have a backup boot USB with Encryption?

Status
Not open for further replies.

MartynW

Dabbler
Joined
Feb 23, 2014
Messages
39
Hi,

I'm a little lost on how Passphrase, the key and recovery key all work with the USB boot device?

I set up my box with one USB device, all encrypted and all good, so take a backup of the config and keys.
I take a second USB stick, swap it with the original, then reinstall the FreeNAS OS on it using the same version as the original.
On booting up restore the config, and reboot.
On the system coming up, the passphrase no longer works and I have to use the recovery key to unlock the volume?

How should I be doing this? Ideally I'd like both USBs to be using the same Passphrase and Keys?

Just when do you use the Geli Key?

Thanks in advance,
 
D

dlavigne

Guest
Note that the passphrase, the encryption key, and the recovery key are not stored in the config database stored on the USB stick. This is why it is important to download these manually.

If the passphrase is not working, either the passphrase is being typed in incorrectly or it does not match the key stored on the hard drive's metadata. This not-matching will occur if you change the password and forget to create a new recovery key.
 

MartynW

Dabbler
Joined
Feb 23, 2014
Messages
39
Thanks dlavigne,

Sorry my question wasn't clear.

I HAVE backed up all the Keys and the passphrase is being cut and paste from a password repo.

My question is

How can I have 2 USB boot devices use the same Geli key, passphrase and recovery key?

On my backup USB boot device, the passphrase doesn't work but the recovery key does. On my active USB Device the passphrase does work.

Is there any good documentation as to how this works? I've not found any?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well, your USB boot device doesn't use the keys or anything. The keys are tied to your zpool. If you are using the same zpool in both situations(which it sounds like you are) then your keys and passphrases should work. If they aren't, I'm a little stumped. I've got an encrypted pool and I have done reinstalls of FreeNAS and had to restore the config file and I didn't have a problem. At least, I don't remember having a problem.
 
D

dlavigne

Guest
How are you trying to encrypt the USB drive? I.e., since this is not supported, are you trying to encrypt this drive manually? Or are you confusing the encryption of the storage drives with the USB drive?
 

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
Before restoring your config, you should auto-import your pool as this will allow you to specify the encryption key (not recovery key) + passphrase. Once imported, your USB stick will have the normal encryption key which works with the passphrase. Then restore your config and at each boot the passphrase should work without the recovery key.

If you import your config first, it already lists your pool but the USB drive is missing the encryption keys so you have to use the recovery key each time.
 

MartynW

Dabbler
Joined
Feb 23, 2014
Messages
39
Thanks ser_rhaegar, that sounds like the step I missed. I'll give that a go tonight and report back.
 

MartynW

Dabbler
Joined
Feb 23, 2014
Messages
39
Hmm, so I followed the steps ser_rhaegar mentioned; it asked for the Key and the Passphrase and this unlocked the disks fine. I then uploaded the config. Once again the passphrase failed:

May 14 17:19:03 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/286b4986-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/28dc22d1-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/2952be34-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/29cab7bc-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/2a40ada7-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/2ab65d61-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:3285] Importing vol0 [12104170456948444124] failed with: cannot import '12104170456948444124': no such pool available
May 14 17:19:04 freenas manage.py: [middleware.exceptions:38] [MiddlewareError: Volume could not be imported: 6 devices failed to decrypt]

But the recovery key works, so that got me thinking, and I thought, argh, the config I uploaded was saved from the not-working backup USB; there must be something stored in this.

So I took a leap of faith based on ser_rhaegar's post. I detached the volume and auto-imported it over the top of the uploaded config, and voila! It worked, and now the passphrase works.

So auto-importing with the geli key is the key, and you can do this after the upload and a detach as well as before.

Hope this helps someone
 
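The log MartynW posted shows what the failure actually looks like on the boot device: every provider is refused because one keyfile under /data/geli/ is absent, and the pool import then fails as a whole. The script below is an added example, not code from the thread or from FreeNAS. It reads such middleware log lines, reports each missing keyfile once together with the number of providers it blocks, and checks whether the admin's saved key directory holds a copy under the same file name (the naming convention is an assumption; the sample log is constructed after the pattern above, with a second made-up keyfile so the output shows more than one key).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeNAS: triage the
# "Cannot open keyfile" failures the middleware logs when the boot
# device lacks the geli key file that the restored config points at.

# Constructed sample log, following the pattern of the lines in the thread.
# The 1111... keyfile and the aaaa... gptids are made up for the example.
SAMPLE_LOG=$(cat <<'EOF'
May 14 17:19:03 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/286b4986-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/28dc22d1-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/2952be34-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/28a83243-e997-479f-acbd-53aad24c8eb1.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/aaaa0001-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/11111111-2222-3333-4444-555555555555.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:1272] Failed to geli attach gptid/aaaa0002-d257-11e3-afc5-002590f0662c: geli: Cannot open keyfile /data/geli/11111111-2222-3333-4444-555555555555.key: No such file or directory.
May 14 17:19:04 freenas manage.py: [middleware.notifier:3285] Importing vol0 [12104170456948444124] failed with: cannot import '12104170456948444124': no such pool available
May 14 17:19:04 freenas manage.py: [middleware.exceptions:38] [MiddlewareError: Volume could not be imported: 5 devices failed to decrypt]
EOF
)

# missing_keyfiles LOGFILE
# Prints one "<keyfile> <providers>" line per distinct missing keyfile,
# sorted by path. Lines that are not keyfile failures are ignored.
missing_keyfiles() {
    sed -n 's/.*Cannot open keyfile \([^:]*\): No such file or directory.*/\1/p' "$1" \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# check_backup LOGFILE BACKUPDIR
# For each missing keyfile, look for a copy with the same basename in the
# directory where the admin saved the downloaded geli key (assumed naming),
# and print RECOVERABLE or BLOCKED so the admin knows before rebooting.
check_backup() {
    missing_keyfiles "$1" | while read -r path count; do
        name=$(basename "$path")
        if [ -f "$2/$name" ]; then
            printf 'RECOVERABLE %s (%s providers) backup copy present\n' "$path" "$count"
        else
            printf 'BLOCKED %s (%s providers) no backup copy\n' "$path" "$count"
        fi
    done
}

# Stand-alone demo: write the sample to a temp file and pretend the backup
# directory holds only the key from the thread, not the made-up one.
demo() {
    log=$(mktemp); bdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$log"
    : > "$bdir/28a83243-e997-479f-acbd-53aad24c8eb1.key"
    check_backup "$log" "$bdir"
    rm -rf "$log" "$bdir"
}
demo
```

Run it against /var/log/messages (or the middleware log) and the directory holding the downloaded keys; a BLOCKED line means the only way in is the recovery key, which is exactly the situation the thread describes until the volume is detached and auto-imported with the encryption key.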

ser_rhaegar

Patron
Joined
Feb 2, 2014
Messages
358
Great! Glad you worked it out!
 

panz

Guru
Joined
May 24, 2013
Messages
556
I recently reinstalled FreeNAS to a brand new USB stick. This is the procedure:

1) export the config file and save it on your desktop;

2) double check that you have the correct passphrase, the GELI Recovery key and the Volume key (a.k.a. Encryption key);

3) reinstall FreeNAS on the new USB stick;

4) restore the configuration file and the SSH and replication keys (these are not automatically saved to your config file!);

5) after the config file is restored, I can decrypt my pool only with the recovery key; the password doesn't work;

6) detach the volume without marking the disks as new or deleting all shares related to this volume;

7) auto-import volume using the passphrase AND the encryption key (this IS NOT the Recovery key, so BE SURE to save it as recommended in step #2);

8) now test the passphrase and the recovery key to check if they work.
 