
SOLVED Replaced drive in encrypted pool, how to verify keys before reboot?

#1
Have a bit of a language barrier issue. I followed the documentation for replacing a failed drive in my encrypted pool; after the resilvering the pool status shows as healthy, but I get stuck at this part in the documentation:

Wait until resilvering is complete before restoring the encryption keys to the pool. Restore the encryption keys before the next reboot or access to the pool will be permanently lost.

But since the only options I got are the following:
  • Create passphrase
  • Add recovery key
  • Delete recovery key
  • Encryption Rekey
  • Download Encrypt Key
I'm kinda stuck on what to do. Would it be enough to press Add recovery key?

The pool was created a while ago, and I added a passphrase and downloaded both the recovery and encryption keys at that time,

And I downloaded the encrypt key before doing the disk swap.

Is there any way I can verify that everything is in order before rebooting? It's not the most valued data, and the server is just for my personal home use, but it will take a while to rip all my Blu-rays and DVDs again...
 
#2
Hi @3nm1. You want to take the following steps.

  1. Add recovery key - downloads a backup key (User Key 2)
  2. Encryption Rekey - regenerates the main key (User Key 1)
  3. Create passphrase - adds passphrase to User Key 1
  4. Download Encrypt Key - downloads User Key 1

Make sure you keep the 2 downloaded files in a safe place.

Then, lock/unlock your pool using the recovery key (User Key 2) to verify that it works.

To verify that User Key 1 works you can take the following steps, assuming you're using FreeNAS-11.2-U5 as your signature indicates. I assume you have only a single encrypted pool. If not, there are a few additional steps.

  1. $ mv /data/geli/<key_name>.geli /data/geli/<key_name>_back.geli
  2. Reboot your computer
  3. Attempt to unlock the pool using your passphrase. It should fail
  4. Using SCP or some other tool, upload User Key 1 to your FreeNAS box and put it in /data/geli/<key_name>.geli. Use the same name as the original file name from step 1.
  5. Try to unlock the pool with your passphrase. It should work. If so, you now know your key worked! You can remove the extra copy $ rm /data/geli/<key_name>_back.geli

If it failed to unlock:
  1. Post the exact error messages and steps you took here
  2. Regain access to your pool by $ mv /data/geli/<key_name>_back.geli /data/geli/<key_name>.geli
  3. Unlock your pool with your passphrase
  4. Repeat the steps to generate User Key 1 and add the passphrase
  5. Try to repeat these steps to verify
Note: I've done the above steps on my machine to learn about and verify the encryption keys. It does work, but if you make a mistake you could possibly lock yourself out of your data forever if the mistake is serious enough.
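
A lower-risk check to run before the reboot described above, added here as an example and not part of the original post: compare the downloaded Encrypt Key byte-for-byte against the key files FreeNAS keeps in /data/geli/. It assumes the GUI download is an exact copy of /data/geli/<key_name>.geli (an assumption, not something the thread states), so a single identical match means the copy you hold is the one the pool will need after reboot.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the downloaded "Encrypt Key"
# is a byte-identical copy of /data/geli/<key_name>.geli on the FreeNAS box.
# Run as root on the box, or point the second argument at a test directory.

# verify_geli_key_copy <downloaded_key> [geli_dir]
# Returns 0 on exactly one matching key, 1 if the download is missing or
# empty, 2 if no key matches, 3 if several match (the multi-pool case,
# where the file name must be checked by hand).
verify_geli_key_copy() {
    download="$1"
    geli_dir="${2:-/data/geli}"
    if [ ! -s "$download" ]; then
        echo "download '$download' is missing or empty" >&2
        return 1
    fi
    matches=0
    matched=""
    for key in "$geli_dir"/*.geli; do
        [ -f "$key" ] || continue            # glob matched nothing
        if cmp -s "$download" "$key"; then
            matches=$((matches + 1))
            matched="$key"
            echo "match: $key ($(($(wc -c < "$key"))) bytes)"
        fi
    done
    case "$matches" in
        0) echo "no key in $geli_dir matches the download; do NOT reboot" >&2
           return 2 ;;
        1) echo "downloaded key matches $matched"
           return 0 ;;
        *) echo "$matches keys match the download; more than one pool?" >&2
           return 3 ;;
    esac
}
```

A non-zero result means the reboot-based test in the post above (or a fresh Download Encrypt Key) is still needed before rebooting.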
#3
Hi, thanks for the reply. I get the following error message when trying to create a passphrase:
Error creating passphrase for pool MediaStorage...


Think I will just buy a temporary backup drive, move my files to that, and delete and redo the pool from scratch..
 
#4
Did you try Encryption Rekey first?
 
#5
Yes, got a "Successfully re-keyed pool MediaStorage"
 
#6
#7
That helped. Doing a backup before reboot; will post my findings hopefully tomorrow. Thanks for the support.
 
#8
Server rebooted and verified, thanks for the support!
 