NAS failure scenario - mount encrypted disk on another machine

lorchi

Dabbler
Joined
Jun 20, 2016
Messages
25
Dear people,
I have a small NAS that currently contains 1 pool with 2 HDDs in a mirror. The pool is encrypted.
My aim is to simulate a failure of the NAS. I would like to know whether data from a mirror could be rescued, and consider that in my backup plans.

I shut down the NAS (without exporting), took out one drive and connected it to a Debian 10 machine with ZFS installed.
Doing "zpool list" was unsuccessful in locating the pool.

Is there a way or procedure to import a foreign disk with an encrypted pool?

Thanks in advance, Henning
 
Joined
Oct 18, 2018
Messages
969
Hi. I am not 100% sure I understand your scenario but I have these two things to add straight off.

First, doing tests like this with live data can be dangerous. If you make a mistake you can lose your data. If you have a backup that will certainly suffice. When you say "whether data from a mirror" can be rescued, the answer is likely yes.

The key to encrypted pools is maintaining reliable access to the encryption keys. I wrote a lot about encryption in the Resources section under advanced; you might find useful information there. In short though, if you have your key(s) and passphrase (if used), you're likely all set. If you do not have those you are very likely in trouble in terms of recovering data.

I will say though that testing recovery procedures when using encryption is smart! Make sure you know how to do it properly for when the time comes. My own approach with encryption has been to do all I can to understand how it works, to keep three full copies of my data (one is off site) in the event something goes wrong, and to keep backups of both keys for each pool, the "primary" and "backup" keys. If you read through the resources section I wrote you'll note that I did a LOT of work understanding encryption with the help of a lot of great posts on these forums.

WRT recovery, I suggest you stick with a FreeBSD system for recovery. The reason is that in order to unlock the devices you need geli, which is the encryption tool used to encrypt your disks in FreeNAS. Without unlocking your devices I wouldn't expect any system to recognize the disks as part of a ZFS pool.

Anyway, I hope this helps get things started for you. I am happy to help answer other questions as they come up but I do suggest you check the resources section re encryption, read the User Guide re encryption, and probably do a bit of research on geli.
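
Why the Debian machine could not see the pool, as an added example that is not part of the thread: geli keeps its metadata in the last sector of the encrypted provider, and everything before it, ZFS labels included, is ciphertext. The sketch below checks a partition or image for that metadata without needing geli; the sample image is constructed, and it assumes the provider is the data partition with 512- or 4096-byte sectors.

```python
import struct

GELI_MAGIC = b"GEOM::ELI"      # md_magic field, NUL-padded to 16 bytes
SECTOR_SIZES = (512, 4096)     # assumption: try both common sector sizes


def parse_geli_sector(sector):
    """Return the geli metadata version if the sector starts with the magic."""
    if len(sector) < 20 or sector[:16].rstrip(b"\0") != GELI_MAGIC:
        return None
    return struct.unpack_from("<I", sector, 16)[0]   # md_version, little-endian


def find_geli_metadata(path):
    """Check the last sector of a partition device or image for geli metadata."""
    with open(path, "rb") as dev:
        size = dev.seek(0, 2)                        # works for files and block devices
        for sector_size in SECTOR_SIZES:
            if size < sector_size:
                continue
            dev.seek(size - sector_size)
            version = parse_geli_sector(dev.read(sector_size))
            if version is not None:
                return {"version": version, "sector_size": sector_size}
    return None


def make_constructed_image(sectors=8, version=7):
    """Constructed sample: opaque 'ciphertext' sectors plus a geli-style last sector."""
    body = bytes((i * 37 + 11) % 256 for i in range(512 * (sectors - 1)))
    meta = GELI_MAGIC.ljust(16, b"\0") + struct.pack("<I", version)
    return body + meta.ljust(512, b"\0")


if __name__ == "__main__":
    import sys, tempfile
    if len(sys.argv) > 1:
        target = sys.argv[1]          # e.g. a partition device node, read as root
    else:
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(make_constructed_image())
        target = tmp.name
    found = find_geli_metadata(target)
    print(target, "->", found or "no geli metadata in last sector")
```

A hit means the partition has to be unlocked with geli and its key before any ZFS tool can read the pool labels.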
 

lorchi

Dabbler
Joined
Jun 20, 2016
Messages
25
Hi there,

thank you very much for your elaborate answer and advice. You have well understood my question.

Concerning the prerequisites: Yes, I have a backup while doing these tests, and I have a copy of the encryption key (I know more than one would be better) on other machines.

Thanks for pointing me again to Geli. I had one misunderstanding: I thought an encrypted pool would encrypt its contents, while the opposite seems to be true that the disk is encrypted on which the pool resides. So it makes sense that I couldn't see the pool.

Other than that I found that geli is FreeBSD-only and cannot be read by LUKS (Linux Unified Key Setup) or other tools.

Unfortunately, BSD is no system that I normally work with. That means that acquiring and maintaining the knowledge and recovery resources would be an extra cost.

I wanted the NAS to serve as a backup. I am aware of the frequent warnings that a NAS is not a backup, however I thought this to be based on the regular use case that people work on mounted NAS resources. In my case I use it to sync my data to, so the data on the NAS is a duplication.
Now I see that it is indeed not intended to be a backup solution, even in my case of duplication.

I can see 4 options now:
1. acquire and maintain the knowledge and recovery resources,
2. change the use case, or enhance the use case by inserting an automated backup machine,
3. not use encryption,
4. switch to a different system (Linux-based).

The simplest options are 3 and 4, and I like simple.
So thanks to you again, but I might not continue on this path.
 

Spearfoot

He of the long foot
Moderator
Joined
May 13, 2015
Messages
2,478
> I wanted the NAS to serve as a backup. I am aware of the frequent warnings that a NAS is not a backup, however I thought this to be based on the regular use case that people work on mounted NAS resources. In my case I use it to sync my data to, so the data on the NAS is a duplication.
> Now I see that it is indeed not intended to be a backup solution, even in my case of duplication.

I believe when people say "a NAS is not a backup", they mean that a single copy of your data stored on a NAS shouldn't be considered a "backup" just because it has redundancy. And they are right about that.

But having a separate copy of your data stored on a NAS is indeed a backup. I back up the data from my primary NAS system to a secondary NAS; I consider the data on my secondary NAS to be a 'hot' backup. I also back up my data to a pair of 12TB single-disk striped pools, which alternate between my safe and a hot-swap bay on my primary NAS. The disk in my safe serves as a 'cold' backup.
 
Joined
Oct 18, 2018
Messages
969
I do my backup almost exactly as Spearfoot does. Sorry if I was not clear above. There is the 3-2-1 rule for backups; you want 3 copies of your data stored on 2 different mediums and at least 1 copy should be in another location. I don't follow this exactly, all of my data lives on HDDs, but I follow it pretty closely. The point about a NAS not being a backup is more to say that a single copy of your data on 1 NAS, even with redundancy at the vdev level, is not a backup. If that NAS catches fire, falls victim to ransomware, etc., you'll have lost everything. Hopefully that makes it more clear.

Regarding Linux vs. BSD, can you clarify what your reasoning is for trying to import the pools in a non-FreeNAS system? If the reasoning is just to test if you can unlock and import the pool, you can do that through FreeNAS. My resources about encryption should provide you with all of the commands to understand what is going on in the CLI but should only be used for educational purposes. The User Guide should outline quite clearly how to import an encrypted pool.

> 1. acquire and maintain the knowledge and recovery resources,

You should do this whether or not you use encryption. If you have an issue with one of your drives you'll need to know how to replace it whether it is encrypted or not. If you lose your primary copy of the data you'll need to know how to recover from a backup.

> 2. change the use case, or enhance the use case by inserting an automated backup machine,

I went this route. Other than the cost for HDDs the backup system was pretty cheap; I bought used on ebay.

> 3. not use encryption,
> 4. switch to a different system (Linux-based).

Whether you use encryption or not depends on your data and where you keep the drives. Whether you use a Linux-based system or not is somewhat up to personal preference. In my opinion ZFS is exceptionally well suited to keeping your bits safe, if properly managed. FreeNAS makes it a bit easier to properly manage your pools etc. and offers easy-to-configure sharing etc. It is worth saying though that poorly managed pools can introduce risk to your data, especially encrypted pools.

If you plan to use encryption I think you should commit to the following.
1. Have a basic understanding of geli. Understand the User Keys and Master Key geli uses.
2. Understand how FreeNAS uses geli.
3. Practice importing/exporting encrypted pools.
4. Practice replacing a disk in an encrypted pool and then importing/exporting that pool after disk replacement.
5. Commit yourself to keeping quality backups of your encryption keys and passphrase (if you use one). Failure to do this could result in you losing all of your data.

If you opt to go with encryption feel free to ask more specific questions as you learn, I'm happy to save you some time by sharing pointers I learned along the way.
 