How to restore encryption key when creating new boot disk?

Status
Not open for further replies.

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
I asked this in another thread but it was missed. Reading the FreeNAS FAQ, it says don't worry about cloning the boot disk, just create a new one and upload a copy of your config file. OK, but I don't see the option to upload my encryption key? The 5 buttons under the Storage > Volumes section don't seem to be related, only about changing/updating the key or passphrase.

P.S. I did think about removing the encryption but I saw the only way of doing it seemed to be rewriting each drive individually without encryption (or something). I didn't really finish reading it, it seemed dangerous/a lot of work.

Thanks
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
This topic is covered several times in these forums. Do a Google search for "freenas encryption key save" or something similar. I haven't read much about removing encryption, I thought you had to back up your data, destroy your pool and recreate it without encryption but maybe something changed.
 

EvanVanVan

Patron
Joined
Feb 1, 2014
Messages
211
I always search first. But FreeNAS encryption key save seems to be backing up the key file. I've downloaded it and saved it, I'm wondering how to get it back on the drive? Which from what I've found, is not covered. I even searched FreeNAS encryption restore key.

And as I mentioned in my first post, I searched, found the instructions (http://forums.freenas.org/index.php...om-a-zfs-volume-while-keeping-the-data.16467/) and gave up on the idea of removing encryption.

Edit: I looked harder after searching and I supposedly found instructions in the last few posts in this thread: http://forums.freenas.org/index.php?threads/how-to-have-a-backup-boot-usb-with-encryption.20857/

Thanks
 

Knowltey

Patron
Joined
Jul 21, 2013
Messages
430
If you have an encrypted pool the geli.key **should** be included in the config backup. But you should be better safe than sorry and also download the geli.key on its own and store it in a safe place not on the encrypted pool.

How to get it back in is as simple as putting the geli.key file in the appropriate field when you are doing the pool auto-import.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You guys are confused as all hell.

The config file has no geli key. And it shouldn't include a geli key. If it did anyone with your config file would have access to your pool.

The config file only has one thing in it relating to the pool, the name of the pool and the disks in the pool.

The disks in the pool have their part of the encryption/decryption process and the key you download from the WebGUI is the other 1/2 of that encryption/decryption process.

So no, the config doesn't have your key, never has had your key, and shouldn't have your key.
 

Knowltey

Patron
Joined
Jul 21, 2013
Messages
430
> You guys are confused as all hell.
>
> The config file has no geli key. And it shouldn't include a geli key. If it did anyone with your config file would have access to your pool.
>
> The config file only has one thing in it relating to the pool, the name of the pool and the disks in the pool.
>
> The disks in the pool have their part of the encryption/decryption process and the key you download from the WebGUI is the other 1/2 of that encryption/decryption process.
>
> So no, the config doesn't have your key, never has had your key, and shouldn't have your key.

Mine did earlier tonight. I did a fresh reinstall on my USB. Booted, restored config, and then all I had to do was put in my passphrase to unlock my pool which means that the geli.key file was already in the config.

Recent change perhaps?


EDIT: I be the village idiot.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
> Mine did earlier tonight. I did a fresh reinstall on my USB. Booted, restored config, and then all I had to do was put in my passphrase to unlock my pool which means that the geli.key file was already in the config.
>
> Recent change perhaps?

Can't wait to hear the response to that one. Was that with 9.2.1.7?
 

Knowltey

Patron
Joined
Jul 21, 2013
Messages
430
> Can't wait to hear the response to that one. Was that with 9.2.1.7?

Yeah, but the config file was saved out of 9.2.1.6.

EDIT: I'm an idiot, just got home and checked, apparently didn't actually start the stick reimage, so basically all I did was just reupload the config to the old stick, so that would make sense as to why the geli key would still be there.
 