SOLVED Unable to attach GELI encrypted ZFS volume

Status
Not open for further replies.
Joined
Oct 30, 2013
Messages
5
Starting with FreeNAS 9.2.1.6 and above (including 9.3), it's no longer possible to attach a GELI encrypted zvol.
Code:
# cat /etc/version; uname -r
FreeNAS-9.2.1.6-RELEASE-x64 (ddd1e39)
9.2-RELEASE-p9

# zfs create -V 2G tank/crypto

# dd if=/dev/random of=/tmp/crypto.key bs=64 count=1

# geli init -s 4096 -K /tmp/crypto.key /dev/zvol/tank/crypto
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/zvol_tank_crypto.eli and
can be restored with the following command:

   # geli restore /var/backups/zvol_tank_crypto.eli /dev/zvol/tank/crypto

# geli dump /dev/zvol/tank/crypto
Metadata on /dev/zvol/tank/crypto:
  magic: GEOM::ELI
  version: 6
  flags: 0x0
  ealgo: AES-XTS
  keylen: 128
  provsize: 2147483648
sectorsize: 4096
  keys: 0x01
iterations: 805363
  Salt: ec70a8e2346b87bfe3bea763479cee8102a68d70e77b0a92553a25978a5142182c96f9cc1ba79972aa964fe43a928948e058de75070553c1f4b1c2d7417c75f2
Master Key: [elided]
  MD5 hash: 510be4eb9c9ef7c18fa98f342d246c54

# geli attach -k /tmp/crypto.key /dev/zvol/tank/crypto
Enter passphrase:
geli: Provider zvol/tank/crypto is invalid.


This used to work in 9.2.1.5 and below (including 8.3).

For information, the same thing happens with a GBDE encrypted volume:
Code:
# gbde init /dev/zvol/tank/secret -K /tmp/crypto.key
Enter new passphrase:
Reenter new passphrase:

# gbde attach /dev/zvol/tank/secret -k /tmp/crypto.key
Enter passphrase:
gbde: Attach to zvol/tank/secret failed: Provider not found: "zvol/tank/secret"
 
Joined
Oct 30, 2013
Messages
5
I can confirm that it's working in the latest nightly.
Code:
# cat /etc/version; uname -r
FreeNAS-9.3-Nightlies-201501080817
9.3-RELEASE-p6

# sysctl vfs.zfs.vol.mode
vfs.zfs.vol.mode: 2

# zfs create -o volmode=geom -V 2G tank/crypto

# geli init /dev/zvol/tank/crypto
Enter new passphrase:
Reenter new passphrase:

Metadata backup can be found in /var/backups/zvol_tank_crypto.eli and
can be restored with the following command:

    # geli restore /var/backups/zvol_tank_crypto.eli /dev/zvol/tank/crypto

# geli attach /dev/zvol/tank/crypto
Enter passphrase:

# ls -lh /dev/zvol/tank/crypto.eli
crw-r-----  1 root  operator   0x64 Jan  8 15:33 /dev/zvol/tank/crypto.eli
 
Joined
Oct 30, 2013
Messages
5
I can confirm that it's now working on the latest 9.3 Stable Update (FreeNAS-9.3-STABLE-201501090144).

Code:
# cat /etc/version; uname -r; sysctl vfs.zfs.vol.mode; zfs get volmode tank/crypto
FreeNAS-9.3-STABLE-201501090144
9.3-RELEASE-p5
vfs.zfs.vol.mode: 1
NAME         PROPERTY  VALUE    SOURCE
tank/crypto  volmode   geom     local

# geli attach /dev/zvol/tank/crypto
Enter passphrase:

# dmesg | tail -3
GEOM_ELI: Device zvol/tank/crypto.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: software
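
Both working sessions above show the zvol with volmode=geom. As an added example that is not part of the original posts, this sh pre-flight check resolves a zvol's effective volmode from the output of the two commands used in the thread. It assumes the FreeBSD zfs(8) rule that volmode=default defers to vfs.zfs.vol.mode (1=geom, 2=dev, 3=none); the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check before `geli attach` on a zvol.
# Assumption (FreeBSD zfs(8)): volmode=default defers to the sysctl
# vfs.zfs.vol.mode (1=geom, 2=dev, 3=none); GELI needs a GEOM provider.

# Print the VALUE column of `zfs get volmode <dataset>` output read on stdin.
parse_volmode() { awk '$2 == "volmode" { print $3; exit }'; }

# Print the number from `sysctl vfs.zfs.vol.mode` output read on stdin.
parse_sysctl() { sed -n 's/^vfs\.zfs\.vol\.mode: *\([0-9][0-9]*\) *$/\1/p'; }

# effective_volmode PROPERTY SYSCTL_VALUE -> geom | dev | none | unknown
effective_volmode() {
    case "$1" in
        geom|dev|none) echo "$1" ;;
        default)
            case "$2" in
                1) echo geom ;;
                2) echo dev ;;
                3) echo none ;;
                *) echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# geli_preflight ZFS_GET_OUTPUT SYSCTL_OUTPUT
# Prints the effective mode; returns 0 only for a GEOM-exposed zvol.
geli_preflight() {
    prop=$(printf '%s\n' "$1" | parse_volmode)
    sys=$(printf '%s\n' "$2" | parse_sysctl)
    mode=$(effective_volmode "${prop:-unknown}" "$sys")
    echo "$mode"
    [ "$mode" = geom ]
}

if [ -n "${1:-}" ] && command -v zfs >/dev/null 2>&1; then
    # Live use on the host (script name is hypothetical): sh preflight.sh tank/crypto
    geli_preflight "$(zfs get volmode "$1")" "$(sysctl vfs.zfs.vol.mode)" \
        || { echo "$1 is not exposed through GEOM" >&2; exit 1; }
else
    # Constructed sample: volmode left at default while the sysctl is 2 (dev).
    geli_preflight 'tank/crypto  volmode  default  default' \
        'vfs.zfs.vol.mode: 2' || echo "not exposed through GEOM"
fi
```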
 