Problems with Encryption while Upgrading from 9.10.2 to 11.0

[Dylan Tully]

Hello Everyone,

I've had an encrypted zfs pool on my freenas server that I initially created in November 2016. I copied the Geli key, created a passkey, and I copied the config file then. I haven't had any problems with decrypting the pool simply by giving it my password after updating or rebooting. I've also been able to import the pool to a new install of Freenas with the key and passphrase.

My current problem is that I'm trying to upgrade to a fresh install of 11.0 on a new USB. I was able to import the config file just fine but when I go to view volumes to try and decrypt the pool, I feed it the Geli key (the most recent copy I have of the Geli key is from March) and the passkey and it tells me that the pool fails to decrypt.

Should I unmount the pool and try to re-import it?

Can someone clarify what events might re-key the pool?
I haven't added or replaced any drives from the pool since I originally made it.

 

[Dylan Tully]

Alright,

After 10 minutes of panic that I'd failed to properly backup my keys, I detached the volume and remounted it using the backed up key and it decrypted just fine using the key.

However now when I reboot the server, I have to detach and re-import the pool every time instead of just being able to go to View Volumes and punching in the passkey. My suspicion is that this is because I do not have the correct master key in the /data/geli folder. I still have the previous freenas install to import things from (though for some reason it won't boot). Does anyone have a good example/guide of the geli backup and geli restore commands being used?

 

[SweetAndLow]

Alright,

After 10 minutes of panic that I'd failed to properly backup my keys, I detached the volume and remounted it using the backed up key and it decrypted just fine using the key.

However now when I reboot the server, I have to detach and re-import the pool every time instead of just being able to go to View Volumes and punching in the passkey. My suspicion is that this is because I do not have the correct master key in the /data/geli folder. I still have the previous freenas install to import things from (though for some reason it won't boot). Does anyone have a good example/guide of the geli backup and geli restore commands being used?

Are you using the cli? You should stop that and use the GUI, this would cause the reboot import issues.

Sent from my Nexus 5X using Tapatalk

 

[Dylan Tully]

I've been using the GUI for everything so far. Right now the situation I'm in is that if I reboot the server and then go into view volumes, it throws a failed to decrypt error if I try to unlock the encrypted volume by providing the password. It throws the same failed to decrypt error if I give it the password and geli recovery key. But I can unmount the pool and import it with the geli recovery key and passphrase and it decrypts just fine.

 

[dlavigne]

Sounds like a bug. Please create a report at bugs.freenas.org that indicates that this was an upgrade, and post the issue number here.

 

[Dylan Tully]

I'll write up when I get home from work so I can get the exact error message.

One question I do have is that I this was a clean install on a new usb stick and then I restored my previous settings by uploading the config and recovery keys through the GUI. This wasn't an upgrade in place onto the same USB drive. Could that explain why it won't decrypt from the view volumes panel with just the passphrase now?

 

[dlavigne]

Not sure, but definitely worth mentioning in the bug report.

 

[pro lamer]

@Dylan Tully have you created the bug? Or is your issue solved?

 

[Dylan Tully]

I didn't end up creating the bug as I was able to resolve the problem without much more headache last July.

It's been a while so I don't remember exactly what I did to fix it but it was some variation on "huh, something weird happened, try it again and see if it works". I'm pretty sure I made a clean install of 9.10.2, imported the config file from the previous 9.10.2 install and then did an upgrade to 11.0 and it worked fine. I haven't had any issues since.