mgd
Problem
I am going to replace my current boot device (a mirror of two USB pen drives) with two SATA SSD drives.
I have an encrypted pool (mirror of two WD RED drives) with no passphrase set, which allows the pool to be unlocked and mounted automatically when the NAS server boots. (I am aware of the dangers of having an encrypted pool and chose to have one in order to be able to RMA a faulty drive without worrying about someone being able to read my data.)
I am currently running FreeNAS 11.2-U7.
The question is how to correctly do the reinstall. I imagine this is equivalent to a situation where my USB pen drives had both crashed and the only things I had were:
- An export of the current FreeNAS configuration.
- The GELI key for the encrypted pool.
These are the steps I believe are necessary to do the migration to the new mirrored SSD boot device.
1. Boot the system using the existing USB Pen drives:
   1. Export the configuration using “System > General > Save Config”
      - Tick the checkbox “Export Password Secret Seed” if you have any passwords stored in the configuration (that could be for outgoing mail to an SMTP server).
   2. [Optional]: Take a backup of the SSH host keys in `/usr/local/etc/ssh/ssh_host_*`
   3. Take a backup of the GELI key used for encrypting the encrypted pool
      - either by going to “Storage > Pools”, selecting the pool, clicking the padlock icon and selecting: “Download Encrypt Key”
      - or by copying the key file directly from the boot filesystem `/data/geli/<uuid>.key`
      - or both – just to be sure
2. Shut down the system, unplug the storage disks (for safety so you don't accidentally install to them) and remove the old USB pen drives and store them in a safe location.
3. Do a fresh installation to the new SATA SSD boot drives.
4. Reconnect the storage disks to the system.
5. Boot the system using the new SATA SSD drives:
   1. Import the configuration that was exported. (This will reboot the system.)
   2. [Optional]: Put the SSH host keys in place on the new system
   3. Go to “Storage > Pools” where the encrypted pool should be present but locked. (We could unlock the pool here, but the key will not persist on the system.)
      1. Expand the locked pool, click the gear icon and select “Export/Disconnect”.
      2. Make sure to uncheck everything except “Confirm export/disconnect” and click “Export/Disconnect”.
      3. Click “Add”, select “Import an existing pool” and click “Next”.
      4. Select “Yes, decrypt the disks”
      5. Be careful to select both disks in the mirror,
      6. Select the previously downloaded GELI encryption key file and click “Upload”
      7. Click “Next”.
      8. Select the pool from the dropdown and click “Next”.
      9. Finally, click “Import” and the pool will be imported and the encryption key stored on the boot device.
Is this right?
I have tried the procedure out in a VM and it seems to work.
I also tried to simply unlock the pool in step 5.3 and it works, but the GELI key is not stored on the boot device and after the next reboot the pool is locked again. The only way I could find out to put the encryption key on the boot device is by exporting and reimporting the pool so that is the reason for all the steps under 5.3.
I would be too sad to discover that I have overlooked something and that I have lost all my data after the reinstall, so I would be really grateful if someone more knowledgeable than me could confirm whether these are the right steps.
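
A check for step 1 of the procedure above, as an added example that is not part of the original post: before the old boot device is retired, confirm that every GELI key (and optionally every SSH host key) has a non-empty, byte-identical copy in the backup location. The function name `verify_backup` and the backup directory in the usage comment are hypothetical; the source paths are the ones named in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify key backups taken in step 1.
#
# Hypothetical usage on the old boot device, with the backup mounted at
# /mnt/backup (assumed path; keep the real copy off the NAS):
#   verify_backup /data/geli         /mnt/backup/geli '*.key'
#   verify_backup /usr/local/etc/ssh /mnt/backup/ssh  'ssh_host_*'

# verify_backup SRC_DIR BACKUP_DIR PATTERN
# Returns 0 only if every file in SRC_DIR matching PATTERN has a non-empty,
# byte-identical copy with the same name in BACKUP_DIR.
# Returns 1 if any copy is missing, empty or different.
# Returns 2 if nothing in SRC_DIR matched PATTERN (nothing was verified).
verify_backup() {
    src_dir=$1
    backup_dir=$2
    pattern=$3
    found=0
    bad=0
    for src in "$src_dir"/$pattern; do
        [ -f "$src" ] || continue      # an unmatched glob stays literal; skip it
        found=$((found + 1))
        name=${src##*/}
        copy=$backup_dir/$name
        if [ ! -s "$copy" ]; then
            # A truncated (zero-byte) download is as useless as no backup.
            echo "MISSING  $name" >&2
            bad=$((bad + 1))
        elif ! cmp -s "$src" "$copy"; then
            echo "MISMATCH $name" >&2
            bad=$((bad + 1))
        else
            echo "OK       $name"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no files matching $pattern in $src_dir" >&2
        return 2
    fi
    [ "$bad" -eq 0 ]
}
```

A key downloaded through “Download Encrypt Key” may be saved under a different file name than `<uuid>.key`; rename the copy to match, or compare the two files directly with `cmp`.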