SOLVED How to unlock volume?? have key, recovery_key, and know passphrase

[cher]

Today, I did something like this - volume passphrased, added recovery key and downloaded key as FreeNAS user manual says. So, I have geli.key and deli_recovery.key. Here is the the problem:
when FreeNAS machine rebooted, volume status says LOCKED, can't access it.

"View disks" shows all the disks correctly: da0,da1....da5. Searched online, suggested geli attach unlock each hdd using key, but in my case it shows error:
I did:

Code:

root@freenas:/ # geli attach -k /data/geli/dfa79a0b-c67e-451d-a150-d7329231c2a1.key /dev/da0p2
geli: Cannot read metadata from /dev/da0p2: Invalid argument.
root@freenas:/ #

What are the steps to follow? Like this:
1. geli attach each to unlock
May be the key in my /data/geli/ is not correct. How do I upload the correct key(I have downloaded today when passphrased into my desktop) to FreeNAS so I can use it to unlock drives with command line. Is that correct command line?

2. Import volume

Could you please help? Appreciated.
My system:

Build FreeNAS-11.0-U4 (54848d13b)
Platform Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz
Memory 32618MB
Thanks

 

[Chris Moore]

Did you already have data on this storage pool?

 

[cher]

Yes I have, everything running fine until this afternoon. All I did was encrypted with passphrase the volume.
Do you know how should I proceed?
Thank you in advance

 

[rs225]

Did you receive a script error at any point?

 

[cher]

Did you receive a script error at any point?

If you are asking during passphrase.. No.
If you are asking while unlocking, e.g. with command.YES, says
Invalid argument
geli attach -k /data/geli/dfa79a0b-c67e-451d-a150-d7329231c2a1.key /dev/da0p2

 

[rs225]

I am asking about farther back, around the time of the passphrase addition, and key downloads. I would like to get as many of the steps as possible to see if this can be reproduced.

 

[cher]

I am asking about farther back, around the time of the passphrase addition, and key downloads. I would like to get as many of the steps as possible to see if this can be reproduced.

No. There was no problem at the time of passphrase addition and key downloads. Btw, does this question applies in my case, very similar?: I tried it and got error
https://forums.freenas.org/index.php?threads/how-to-import-encrypted-pool.51532/

Code:

geli attach -k keyfile.key -p /dev/<raw uuid of disk>

 

[rs225]

I think the problem is different. The metadata error could be serious. Unfortunately, I will have to put more time on this tomorrow. Anyone else is free to followup from here.

 

[cher]

I think the problem is different. The metadata error could be serious. Unfortunately, I will have to put more time on this tomorrow. Anyone else is free to followup from here.

Oh No, sounds serious. Is there a way to save/recover data? Its raidz2, currently, on FN 11-0-U4. previously was on 9.10.2-U6.

 

[Chris Moore]

From the image you posted, it looks like the volume is still asking for you to 'Create Passphrase'.

Oh No, sounds serious. Is there a way to save/recover data? Its raidz2, currently, on FN 11-0-U4. previously was on 9.10.2-U6.

Did you save the, "geli_recovery.key"?

 

[cher]

From the image you posted, it looks like the volume is still asking for you to 'Create Passphrase'.
No, that image is "Change passphrase"
Did you save the, "geli_recovery.key"?

Yes. I have both geli.key and geli_recovery.key.

 

[Chris Moore]

Yes. I have both geli.key and geli_recovery.key.

Exactly what did you do when you rebooted the system to regain access to the storage poool? Because there is no portion of that process that should have required any command line access.

 

[cher]

Exactly what did you do when you rebooted the system to regain access to the storage poool? Because there is no portion of that process that should have required any command line access.

That is sort of the question I posted in OP, what I should do to regain the access to volume. Here is what I did-> I passphrased, downloaded/saved key and recovery key and rebooted the machine. Once rebooted, saw alert red light "CRITICAL: Dec. 9, 2017, 8:42 p.m. - The volume OrgVol state is UNKNOWN:". storage shows info as in in OP. Searched online, found forum posts on geli. Tried as in OP.

Code:

root@freenas:/ # geli attach -k /data/geli/dfa79a0b-c67e-451d-a150-d7329231c2a1.key /dev/da0p2
geli: Cannot read metadata from /dev/da0p2: Invalid argument.
root@freenas:/ #

What commands/stuff can I try to debug it? do you know?
Or How do I use geli.key and recovery_geli.key that I downloaded to my desktop machine to recover the volume?
Thanks,

 

[Chris Moore]

Or How do I use geli.key and recovery_geli.key that I downloaded to my desktop machine to recover the volume ?

There is absolutely nothing in the documentation about using the command line. Why did you do that?

Export your pool and DO NOT clear the disks. Then follow these directions to import the disks.
http://doc.freenas.org/11/storage.html?highlight=encrypt#importing-an-encrypted-pool

Once the disks are unlocked, you import the pool the same way you would if it were not encrypted.

 

[cher]

Sorry, just wanted to ask:If I do this, will my volume/datasets/jails and installed plugins remain intact?
So steps are:
1. Detach Volume(red symbol)>export pool?

2. Import disks one at at time


File system type: Non checked?
destination:/mnt from export pool?
3. Import Volume

Thanks

 

[Chris Moore]

If I do this, will my volume/datasets/jails and installed plugins remain intact?

No guarantees. I don't understand how you got where you are. I did it with my system to test and everything should remain intact, but something already didn't work right and we are doing this to try and fix it. Your data could be irrevocably lost already.

1. Detach Volume(red symbol)>export pool?

Yes, that is where you detach the volume.

2. Import disks one at at time

No! That is not what I pointed you at. Your disks should already be there. You just import the volume.

 

[Chris Moore]

It is late where I am. I am going to bed. I hope this works for you or that someone else can assist you.

 

[cher]

Great. Dettached and Imported Volume Worked. Thanks a lot for your help.

 

[Chris Moore]

Happy that I could help.

Sent from my SAMSUNG-SGH-I537 using Tapatalk

 

[trinity-it]

Hi everybody,
I'm working on freenas solution (11.1u6) for one customer and now I have this question:
because I want to encrypt a volume with key and passphrase (only way to secure privacy data in case of stolen) but I don't want leave the root password to my customer (can destroy the configuration...), there is a method to mount and typing the passphrase on cli (I can use a script in restricted non interactive shell with a specific user) when the nas reboot ?

thanks
Stefano