Unlock geli-encrypted ZFS volume via Shell or remotely via SSH

Status
Not open for further replies.

AK8

Cadet
Joined
Mar 25, 2013
Messages
2
Hi,

I have created an encrypted zfs volume with FreeNAS 8.3.1. As intended, each time after reboot the volume needs to be unlocked manually with a passphrase. Via the GUI it works just fine.

Now I would like to set up a kind of replication script on another (remote) NAS which would do the following:
(1) wake-on-lan the FreeNAS according to a specified time schedule (with crontab and ipkg wakelan),
(2) unlock the encrypted volume on FreeNAS (via SSH),
(3) rsync a certain folder on the NAS to the FreeNAS rsync module, and
(4) shut down the FreeNAS remotely.

I've already made steps (1),(3),(4) working, and the question is how to cope with number (2)?

My guess is that it might be done with some command(s) like this:
geli attach -j [passphrase_file] -k [geli_key_file] [dev_to_unlock]
and then probably doing something with zfs pool.

If so, it would be possible to unlock from a remote machine via SSH:
ssh root@freenas geli attach -j [passphrase_file] -k [geli_key_file] [dev_to_unlock]

Thanks!
 

William Grzybowski

Wizard
iXsystems
Joined
May 27, 2011
Messages
1,754
Well, you have it all figured out, not sure what you're asking...

geli attach every device... then zpool import -R /mnt volumename
 

markmcb

Cadet
Joined
Apr 1, 2013
Messages
1
I've already made steps (1),(3),(4) working, and the question is how to cope with number (2)?

I would love to see your script. I'm planning to do the same thing myself and it'd be nice to build on your work.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Also noteworthy is that I just read in the manual that all the services are restarted after an encrypted volume is mounted.
 

AK8

Cadet
Joined
Mar 25, 2013
Messages
2
I would love to see your script. I'm planning to do the same thing myself and it'd be nice to build on your work.

Sure. Here is my script to rsync a certain folder from my Qnap NAS to the FreeNAS. The latter one is in a remote location, but accessible through OpenVPN as if it were on the same LAN (a TAP interface instead of TUN is needed to allow broadcast packets):

#!/bin/sh
# Stop at the first failing step: never import the pool with a disk still locked,
# and never power the FreeNAS off under a half-finished rsync.
set -eu

FREENAS="[FREENAS IP ADDRESS]"

# Wake-on-lan the FreeNAS using the ipkg's wakelan:
/opt/bin/wakelan -b [LAN'S BROADCAST IP ADDRESS] -m [FREENAS MAC ADDRESS]
# It takes c. 2 minutes for my FreeNAS to boot. Waiting for 3 mins just to be on the safe side:
sleep 180

# Decrypt the geli devices, one "geli attach" per encrypted HDD in the zfs pool you want to mount.
# The .key file is the same for each device while the device names vary.
# To make it more secure, you may want to copy the file with the passphrase to the FreeNAS at the
# beginning of the script and delete it after the HDDs are decrypted, instead of holding it on the FreeNAS.
for DEV in /dev/gptid/[SOME LONG DEVICE NAME] /dev/gptid/[ANOTHER LONG DEVICE NAME]; do
    /usr/bin/ssh root@"$FREENAS" geli attach -j ~[FILE WITH THE PASSPHRASE] -k /data/geli/[SOME LONG FILE NAME].key "$DEV"
done
# And, since the decryption takes some time:
sleep 30

# Import the zfs pool:
/usr/bin/ssh root@"$FREENAS" zpool import -R /mnt [ZFS VOLUME NAME]
sleep 30

# Now the ZFS pool is unlocked. Starting the rsync job. It runs in the foreground, so the
# script only continues once it has finished; no separate "wait" is needed:
/usr/bin/rsync -ahP --password-file=[PASSWORD FILE TO ACCESS THE RSYNC MODULE ON FREENAS] [FOLDER TO SYNC] [USER NAME TO ACCESS THE RSYNC MODULE ON FREENAS]@"$FREENAS"::[RSYNC MODULE NAME]

# Shut down the FreeNAS:
/usr/bin/ssh root@"$FREENAS" shutdown -p now
 
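The attach-then-import sequence from William Grzybowski's reply and from the script above, written out as an added example. It is not part of the original thread and not FreeNAS's own code. It changes two things a practitioner would want changed: the passphrase stays on the machine running the script and is fed to `geli attach -j -` through the SSH connection's stdin, so it is never written to the FreeNAS disk (geli's `-j -` reads the first line of standard input); and instead of a fixed `sleep 30` it polls `geli status` until every provider is listed as ACTIVE before importing the pool. The SSH target, pool name, key-file path and provider names are assumptions to be replaced; the `geli status` text used by the self-check is constructed. It does not restart FreeNAS services afterwards, which is what the GUI does and this does not.

```shell
#!/bin/sh
# Added example (not from the thread): unlock a geli-encrypted FreeNAS pool
# over SSH and import it. Every name below is an assumption; override via env.
FREENAS="${FREENAS:-root@freenas.example.org}"           # assumed SSH target
KEYFILE="${KEYFILE:-/data/geli/pool.key}"                 # assumed key path on the NAS
PASSFILE="${PASSFILE:-$HOME/.freenas-geli-pass}"          # passphrase file, kept on THIS host
POOL="${POOL:-tank}"                                      # assumed pool name
PROVIDERS="${PROVIDERS:-gptid/0001-aaaa gptid/0002-bbbb}" # assumed provider names

# Remote command for one provider. "-j -" makes geli read the passphrase from
# stdin, which ssh connects to the local PASSFILE, so nothing is stored remotely.
attach_cmd() {
  printf 'geli attach -j - -k %s /dev/%s' "$1" "$2"
}

# One ssh session per provider, each with the passphrase file as its stdin.
attach_all() {
  for p in $PROVIDERS; do
    ssh "$FREENAS" "$(attach_cmd "$KEYFILE" "$p")" < "$PASSFILE" || return 1
  done
}

# Read `geli status` text from stdin; succeed only if every provider named in
# the arguments appears as <provider>.eli with state ACTIVE.
all_active() {
  status=$(cat)
  for p in "$@"; do
    printf '%s\n' "$status" |
      awk -v n="$p.eli" '$1 == n && $2 == "ACTIVE" { found = 1 } END { exit !found }' ||
      return 1
  done
  return 0
}

# Poll the NAS instead of sleeping a fixed time; give up after $1 seconds.
wait_attached() {
  waited=0
  while [ "$waited" -lt "$1" ]; do
    if ssh "$FREENAS" geli status | all_active $PROVIDERS; then
      return 0
    fi
    sleep 5
    waited=$((waited + 5))
  done
  echo "providers not attached after $1 s" >&2
  return 1
}

# Import under /mnt (as the GUI does) and show the pool's health afterwards.
import_pool() {
  ssh "$FREENAS" zpool import -R /mnt "$POOL" &&
    ssh "$FREENAS" zpool list -H -o name,health "$POOL"
}

# Constructed sample of `geli status` output for the offline self-check.
SAMPLE_STATUS='               Name  Status  Components
gptid/0001-aaaa.eli  ACTIVE  gptid/0001-aaaa
gptid/0002-bbbb.eli  ACTIVE  gptid/0002-bbbb'

# Offline self-check: the parser accepts the sample and rejects a missing provider.
self_check() {
  printf '%s\n' "$SAMPLE_STATUS" | all_active $PROVIDERS || return 1
  if printf '%s\n' "$SAMPLE_STATUS" | all_active $PROVIDERS gptid/0003-cccc; then
    return 1
  fi
  return 0
}

main() {
  attach_all && wait_attached 120 && import_pool
}

# Only talk to the NAS when explicitly asked; otherwise just define the functions.
if [ "${RUN_UNLOCK:-0}" = 1 ]; then
  main
fi
```

Run it as `RUN_UNLOCK=1 FREENAS=root@10.0.0.5 POOL=tank PROVIDERS="gptid/... gptid/..." sh unlock.sh`; the passphrase file must hold the passphrase as its first line and should be readable only by the calling user. The attach commands and status check are separate functions so they can be exercised offline (`self_check`) without a NAS.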

Sonic1234

Cadet
Joined
Sep 11, 2014
Messages
4
I have a similar project I'm working on and got stuck after I boot the system and unlock with the script above.
For some reason the owncloud service won't start if I unlock through ssh... If I unlock through the GUI everything works fine.
Any ideas what's different between unlocking with ssh and the GUI?
Is there a way to restart the owncloud service via SSH?
Thanks
 