11.2 - Guide - Section 9.4.1.1. Replacing an Encrypted Disk

Status
Not open for further replies.

trinxie (Dabbler, joined Feb 7, 2013, 28 messages)
Upgraded from 11.1u6 to 11.2, so far all ok
The guide differs between 11.1u6 and 11.2 for section "Replacing an Encrypted Disk"

11.1u6:
8.1.10.1. Replacing an Encrypted Drive


If the ZFS pool is encrypted, additional steps are needed when replacing a failed drive.

First, make sure that a passphrase has been set using the instructions in Encryption before attempting to replace the failed drive. Then, follow steps 1 and 2 as described above. During step 3, a prompt will appear to input and confirm the passphrase for the pool. Enter this information, then click the Replace Disk button. Wait until the resilvering is complete.

Next, restore the encryption keys to the pool. If the following additional steps are not performed before the next reboot, access to the pool might be permanently lost.

  1. Highlight the pool that contains the recently replaced disk and click the Encryption Re-key button in the GUI. Entry of the root password will be required.
  2. Highlight the pool that contains the disk you just replaced and click Create Passphrase and enter the new passphrase. The old passphrase can be reused if desired.
  3. Highlight the pool that contains the recently replaced disk and click the Download Key button to save the new encryption key. Since the old key will no longer function, any old keys can be safely discarded.
  4. Highlight the pool that contains the disk that was just replaced and click the Add Recovery Key button to save the new recovery key. The old recovery key will no longer function, so it can be safely discarded.

11.2:
9.4.1.1. Replacing an Encrypted Disk


If the ZFS pool is encrypted, additional steps are needed when replacing a failed drive.

First, make sure that a passphrase has been set using the instructions in Managing Encrypted Pools before attempting to replace the failed drive. Then, follow steps 1 and 2 as described above. During step 3, there will be a prompt to enter and confirm the passphrase for the pool. Enter this information, then click REPLACE DISK. Wait until resilvering is complete.

Next, restore the encryption keys to the pool. If this additional step is not performed before the next reboot, access to the pool might be permanently lost.

  1. Highlight the pool that contains the recently replaced disk and click Add Recovery Key to save the new recovery key. The old recovery key will no longer function, so it can be safely discarded.

Is this correct for 11.2?
 

Warloxx (Cadet, joined Dec 10, 2018, 1 message)
Nothing official, but anecdotally I can say this: the now-shortened version of the described process already works in 11.1-U6 and earlier. It's more that the documentation was describing unnecessary steps than that changes were introduced in 11.2.

As per this post, you can see that it has already worked like this since at least 11.1-U4. And I myself did replace a drive successfully (using 11.1-U6) by only adding a new recovery key. The normal key and passphrase should be set up by FreeNAS once you replace a drive. But since FreeNAS can't know your latest recovery key, it cannot set that up for you, so this has to be done manually. If you were to reboot before adding a new recovery key, you should still be able to unlock the drive via the usual key+passphrase, but the old recovery key won't work since the new drive does not have one.

Also see this post for a nice explanation on the different keys and how they are used and what happens when changing keys.

The old way with extra steps might have been to make sure the data on the replaced drive is totally unreadable. By re-keying all current drives, the old key for the replaced drive effectively gets deleted. If there are no copies of that key anywhere (backups), the old drive is now irrecoverably encrypted. Otherwise the current key could still be used (with the additional passphrase) to decrypt the old replaced drive.

I guess it is an attempt at forward secrecy. So the extra steps might be technically unnecessary but might be good practice?
While we are at it, is it even necessary to have a passphrase set or is that also just good practice? Maybe the docs should differentiate between those two.
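Added illustration (not FreeNAS code, and not from the guide or from the posters in this thread): a small Python model of the GELI key slots that both the 11.2 procedure quoted earlier and the explanation above rely on. Assumptions: slot 0 holds the pool key file plus the optional passphrase and slot 1 holds the recovery key; the HMAC-keystream wrap, the tag check and the PBKDF2 settings are stand-ins for the real cipher; the key file path named in a comment is assumed; and "Encryption Re-key" is modelled as also clearing slot 1, matching the guide's statement that the old recovery key stops working after a re-key. The walkthrough replays the thread: replace a disk, try the old recovery key, add a new one, then re-key and test the removed disk.

```python
"""Key-slot model of a FreeNAS/GELI encrypted pool (added illustration, not FreeNAS code).

Each disk's data is encrypted under a per-disk master key. GELI keeps that master
key wrapped under up to two user keys: slot 0 (pool key file + passphrase) and
slot 1 (recovery key). The wrap below is an HMAC keystream plus tag standing in
for the real cipher; PBKDF2 settings are model values, not FreeNAS's.
"""
import hashlib
import hmac
import os
from typing import Optional

MASTER_LEN = 32        # bytes of per-disk master key (model size)
PBKDF2_ITERS = 2_000   # assumed; only affects derivation cost in this model


def user_key(keyfile: bytes, passphrase: bytes = b"") -> bytes:
    """Derive the user key for a slot from a key file and an optional passphrase."""
    return hashlib.pbkdf2_hmac("sha512", keyfile + passphrase,
                               b"geli-slot-model", PBKDF2_ITERS, MASTER_LEN)


def _keystream(ukey: bytes) -> bytes:
    return hmac.new(ukey, b"master-key-wrap", hashlib.sha256).digest()


class Disk:
    """One pool member: its master key plus one wrapped copy per key slot."""

    def __init__(self) -> None:
        self.master_key = os.urandom(MASTER_LEN)  # what the data is really encrypted with
        self.slots = {}  # slot number -> (wrapped master key, integrity tag)

    def setkey(self, slot: int, ukey: bytes) -> None:
        """Like 'geli setkey -n <slot>': (re)wrap the master key under a user key."""
        wrapped = bytes(a ^ b for a, b in zip(self.master_key, _keystream(ukey)))
        tag = hmac.new(ukey, wrapped, hashlib.sha256).digest()
        self.slots[slot] = (wrapped, tag)

    def delkey(self, slot: int) -> None:
        """Like 'geli delkey -n <slot>'."""
        self.slots.pop(slot, None)

    def attach(self, ukey: bytes) -> Optional[bytes]:
        """Return the master key if any slot opens with ukey, else None."""
        for wrapped, tag in self.slots.values():
            if hmac.compare_digest(tag, hmac.new(ukey, wrapped, hashlib.sha256).digest()):
                return bytes(a ^ b for a, b in zip(wrapped, _keystream(ukey)))
        return None


class Pool:
    """Encrypted pool as the FreeNAS GUI manages it (model of the documented steps)."""

    def __init__(self, ndisks: int, passphrase: bytes) -> None:
        self.keyfile = os.urandom(64)  # stands in for the pool key file (assumed: /data/geli/<uuid>.key)
        self.passphrase = passphrase
        self.disks = [Disk() for _ in range(ndisks)]
        for d in self.disks:
            d.setkey(0, user_key(self.keyfile, self.passphrase))

    def add_recovery_key(self) -> bytes:
        """GUI 'Add Recovery Key': a fresh key in slot 1 of every current disk."""
        rkey = os.urandom(64)
        for d in self.disks:
            d.setkey(1, user_key(rkey))
        return rkey

    def rekey(self) -> bytes:
        """GUI 'Encryption Re-key': new key file into slot 0 of every current disk.
        Slot 1 is cleared too (assumption modelling the guide's note that the old
        recovery key no longer works afterwards)."""
        self.keyfile = os.urandom(64)
        for d in self.disks:
            d.setkey(0, user_key(self.keyfile, self.passphrase))
            d.delkey(1)
        return self.keyfile

    def replace_disk(self, index: int) -> Disk:
        """Replace a member: the new disk gets the current key file + passphrase
        in slot 0 and nothing in slot 1. Returns the removed disk."""
        old = self.disks[index]
        new = Disk()
        new.setkey(0, user_key(self.keyfile, self.passphrase))
        self.disks[index] = new
        return old

    def unlocks_with(self, keyfile: bytes, passphrase: bytes = b"") -> bool:
        """True only if every member attaches with this key material."""
        ukey = user_key(keyfile, passphrase)
        return all(d.attach(ukey) is not None for d in self.disks)


def walkthrough() -> dict:
    """Replay the thread's sequence on a constructed 3-disk pool; record what unlocks."""
    pool = Pool(3, passphrase=b"example passphrase")  # constructed sample pool
    k1, p = pool.keyfile, pool.passphrase
    r1 = pool.add_recovery_key()
    out = {"initial: key+pass": pool.unlocks_with(k1, p),
           "initial: recovery": pool.unlocks_with(r1)}
    old = pool.replace_disk(1)                       # the failed drive comes out
    out["replaced: key+pass"] = pool.unlocks_with(k1, p)  # FreeNAS filled slot 0 on the new disk
    out["replaced: old recovery"] = pool.unlocks_with(r1)  # new disk has no slot 1
    r2 = pool.add_recovery_key()                     # the one step the 11.2 guide keeps
    out["new recovery: r2"] = pool.unlocks_with(r2)
    out["new recovery: r1"] = pool.unlocks_with(r1)
    out["old disk: k1+pass"] = old.attach(user_key(k1, p)) is not None
    k2 = pool.rekey()                                # the extra step from the 11.1 guide
    out["rekeyed: k2+pass"] = pool.unlocks_with(k2, p)
    out["rekeyed: k1+pass"] = pool.unlocks_with(k1, p)
    out["rekeyed: r2"] = pool.unlocks_with(r2)
    out["old disk: k2+pass"] = old.attach(user_key(k2, p)) is not None
    out["old disk: k1 backup copy"] = old.attach(user_key(k1, p)) is not None
    return out


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:26s} {'unlocks' if ok else 'FAILS'}")
```

Reading the walkthrough top to bottom: after the replacement the pool still opens with key file + passphrase, but the old recovery key fails because the new member has nothing in slot 1; adding a recovery key fixes that and retires the old one on every disk. Re-keying is what changes the story for the removed drive: it keeps opening with the old key file and passphrase for as long as any copy of that key file survives, and only a re-key plus destruction of old key backups makes it unreadable with current material.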
 

trinxie (Dabbler, joined Feb 7, 2013, 28 messages)
Nice summary and good links, thanks a lot! I will keep this link.

Good practice is always good. Use-cases as well.
How about this rule:
if the recovery key is saved in a safe place after replacing a disk, the pool can always be unlocked
 