Reinstalled FreeNAS 9.3 on new USB, can't unlock/import encrypted zpool volume :-(

Status
Not open for further replies.

Zensig

Dabbler
Joined
May 2, 2014
Messages
31
Hi !

I was running FreeNAS 9.3 when the USB stick developed errors. I swapped it for a new 8GB one (old was 4GB) and did a new installation of FreeNAS 9.3. I then imported the database from the GUI.

Problem: I can't unlock the zpool (Volume1), which is visible in the GUI. Usually I just click the unlock button and enter the password, but that doesn't work. So since it's a new installation I thought I needed to import the zpool, which I tried.

Problem is on part 3 of 3, where you are supposed to select the volume: the dropdown box is empty, nothing to select (see picture). Console output seems to indicate the disks are decrypted, but is it the import of the database, which already has a reference to Volume1, that makes the import not work? Do I need to detach Volume1 (no check boxes ticked, i.e. keep data & configuration) & then import it?

Getting a tad nervous :-(

upload_2014-12-31_17-41-24.png


Running FreeNAS-9.3-STABLE-201412301712
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
"Usually I just click the unlock button and enter the password but that doesn't work."

If you didn't have to upload your key then you might be screwed. If your old key can be retrieved from the old USB stick then you might be okay. If not, your data is gone for good. Per the manual after you create an encrypted pool there's a fat warning:

"A pop-up message will remind you that it is extremely important to set a passphrase on the key, make a backup of the key, and create a recovery key. Refer to Managing Encrypted Volumes for instructions on how to perform those tasks."

Seems that you might not have backed up your keys. If you did you'd have to click the unlock button, then provide the keyfile and password.
 

Zensig

Dabbler
Joined
May 2, 2014
Messages
31
I got ALL the keys, even the individual disk keys in case of corruption (see picture). Decryption doesn't seem to be the problem, since the console window shows the usual message when hard disks are unlocked after step 2 of Import. The problem is the 3 of 3 step with a blank volume selection (top picture). That's why I thought it might be because the config database was restored/uploaded with info about zpool Volume1, and that's somehow tripping up the import? But I'm a bit scared about detaching Volume1 to try an import again, since I'm a bit out of my depth here.
upload_2014-12-31_20-30-48.png
 

Zensig

Dabbler
Joined
May 2, 2014
Messages
31
Can I copy the encryption key files/other files from the old USB to the new USB & be back at only needing the passphrase to unlock the volume like before, i.e. no import? If so, what files/from where do I need to copy?

Hardware for my FreeNAS:
2 X Kingston Technology KVR16E11/8 8GB DDR3 1600Mhz ECC DIMM Memory with Thermal Sensor (note ECC, so ZFS scrub won't corrupt entire volume if you have bad RAM)
6 X Seagate ST4000VN000 3.5 inch 4TB SATA III Network Attached Storage Internal Hard Disk Drive (slightly cheaper than WD RED & spin slightly faster at 5900rpm, in an encrypted ZRAID2 for 14.3TB usable)
Seasonic G-360 GOLD 80Plus - 360W (GOLD rated for low energy bill, 360W is fine for this setup)
ASROCK MK E3C226D2I_ 6xSATA3_ Dual LAN_ mITX_ Socket 1150 (E3C226D2I) (6 SATA3 ports, ECC CPU/RAM support, USB2 port on mbo so no FreeNAS USB stick on the outside, IPMI for remote power on/control, 2 Intel Gigabit ports
Con: only VGA video out since this is the business version; they are working on a consumer version which should have HDMI, not needed ATM but would be nice to have had available if need be)
FRACTAL DESIGN Node 304 - mini ITX (small (ITX), fits 6x3,5' drives, 2 fans that blow air directly over the 6 drives, one big fan at the back, 3 settings fan switch on the outside of the chassis, solid build quality)
INTEL Core i3-4130 3,4 GHz - socket 1150 (ECC & AES support so no slowdown using encrypted disks)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yes. From the old USB stick the files are something like geli_key (the name will make it obvious) and they will be under /data.
 

Zensig

Dabbler
Joined
May 2, 2014
Messages
31
Ok, stuck the old USB stick into the FreeNAS box (only thing I got that can read ZFS) to get the geli_key from the /data directory (could I use the geli_key I made as backup? Does the file have to have a specific filename, i.e. pool id nr or something?).

USB stick turns up alright as
[root@znas /mnt]# ls -l /dev/da1*
crw-r----- 1 root operator 0xc8 Jan 1 16:26 /dev/da1
crw-r----- 1 root operator 0xc9 Jan 1 16:26 /dev/da1p1
crw-r----- 1 root operator 0xca Jan 1 16:26 /dev/da1p2

I tried mounting it with
[root@znas /mnt]# mount -t zfs /dev/da1p1 /mnt/usbbad/
mount: /dev/da1p1: No such file or directory

with no luck. I'm thinking instead of /dev/da1p1 I need the zpool name. How do I get that?

Is there an easier way to get access to/copy the geli_key off the old USB stick?
 

Zensig

Dabbler
Joined
May 2, 2014
Messages
31
Did another try unlocking volume. I noticed the filename of the key in the error message below:
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a09a5a42-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a0eb1082-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a13a6187-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a18804c7-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a1e31ae6-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a235e95c-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:3523] Importing Volume1 [2770707360228359120] failed with: cannot import '2770707360228359120': no such pool available
Jan 1 17:23:56 znas manage.py: [middleware.exceptions:38] [MiddlewareError: Volume could not be imported: 6 devices failed to decrypt]

So I'm guessing if I take my backup geli.key file (not the geli_recovery.key?) and rename it to f0237bf4-17da-45b1-8dd7-0332a940d79b.key and put it in /data/geli/ I should be able to do passphrase unlock?
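
An added example, not part of the original thread: a small parser for middleware log lines in the format quoted in the post above, which groups the devices that failed to attach by the keyfile path geli expected and picks out the failed pool import. The sample log is an excerpt of the lines from the post; `keyfile_status` and its owner-only permission check are this example's own assumptions about handling key material, not something FreeNAS is stated to enforce.

```python
import os
import re
from collections import defaultdict

# Excerpt of the log lines quoted in the post above (two of the six devices).
SAMPLE_LOG = """\
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a09a5a42-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:1344] Failed to geli attach gptid/a0eb1082-bfb8-11e3-9e47-d050990a649e: geli: Cannot open keyfile /data/geli/f0237bf4-17da-45b1-8dd7-0332a940d79b.key: No such file or directory.
Jan 1 17:23:56 znas manage.py: [middleware.notifier:3523] Importing Volume1 [2770707360228359120] failed with: cannot import '2770707360228359120': no such pool available
"""

ATTACH_RE = re.compile(
    r"Failed to geli attach (?P<dev>\S+): geli: "
    r"Cannot open keyfile (?P<key>\S+): (?P<reason>.+?)\.?$"
)
IMPORT_RE = re.compile(r"Importing (?P<pool>\S+) \[(?P<guid>\d+)\] failed")


def summarize(log_text):
    """Return the expected keyfile paths with their failed devices, and failed pools."""
    missing = defaultdict(list)   # keyfile path -> devices that could not attach
    pools = []                    # (pool name, pool GUID) for each failed import
    for line in log_text.splitlines():
        m = ATTACH_RE.search(line)
        if m:
            missing[m.group("key")].append(m.group("dev"))
            continue
        m = IMPORT_RE.search(line)
        if m:
            pools.append((m.group("pool"), m.group("guid")))
    return {"missing": dict(missing), "pools": pools}


def keyfile_status(path):
    """Classify a keyfile: 'missing', 'too-permissive' (group/other bits set) or 'ok'."""
    if not os.path.isfile(path):
        return "missing"
    if os.stat(path).st_mode & 0o077:   # assumption: key should be owner-only
        return "too-permissive"
    return "ok"


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key, devs in report["missing"].items():
        print(f"{key}: {keyfile_status(key)}, needed by {len(devs)} device(s)")
    for pool, guid in report["pools"]:
        print(f"import failed: {pool} (GUID {guid})")
```
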
 