9.3: geli key doesn't work on encrypted tank?

Status
Not open for further replies.

kooper2015

Dabbler
Joined
Feb 19, 2015
Messages
17
Hi,
just yesterday I couldn't remember my password for my encrypted tank.

Tried to use the geli-key, which I had saved a few weeks ago with 9.3-STABLE-201602031011. It didn't work with 9.3-STABLE-201604140556 (latest currently) either.

Then I remembered my key...

Now, with 9.3-STABLE-201602031011 and 9.3-STABLE-201604140556 I saved the geli.key (with the tank unlocked by password), locked it and tried to unlock the pool. It doesn't work:

Apr 15 20:17:55 freenas manage.py: [middleware.notifier:1338] [MiddlewareError: Unable to geli attach gptid/323db29e-ef8c-11e5-a495-38eaa7a60b04: geli: Wrong key for gptid/3blahh-ef8c-maehh-a495-3something.
]
Apr 15 20:17:55 freenas manage.py: [middleware.notifier:3518] Importing tank [875960291368668231] failed with: cannot import '875960291368668231': no such pool available
Apr 15 20:17:55 freenas manage.py: [middleware.exceptions:37] [MiddlewareError: Volume could not be imported: 4 devices failed to decrypt]

I know it has worked in earlier versions of FreeNAS. It is 4 HDDs, striped, various sizes. The pool is healthy.

The geli.key is an important possibility for emergency.

So, my question:
Can someone confirm this? And perhaps raise it to the devs? It should be also fixed in 9.3 series, and in 9.10, if this bug has made it that far.

Regards.
 

dlavigne

Guest
I'm not sure how many users are using encryption. But if it used to work for you and it isn't now, you should definitely create a bug report at bugs.freenas.org and post the issue number here.
 

kooper2015

Dabbler
Joined
Feb 19, 2015
Messages
17
Thanks, dlavigne.
It doesn't really matter how many users are encrypting their pools.

I'm absolutely not sure what's wrong here, I tried my actual geli key with all versions back to 9.3-STABLE-201510290351 (setting boot to that version, then rebooted). That's 5 versions, including the latest 9.3-STABLE-201604140556. No joy.

But I KNOW that the geli key has worked 1 month ago, on 9.3-STABLE-201602031011), when I extended my pool by 1 HDD. The pool couldn't be unlocked after adding the HDD - only the geli key worked then. I did change my passphrase at that time. But then I would have to conclude that the geli key becomes invalid if e.g. a HDD is added.

When I use my actual key with the OLD 9.3-STABLE-201510290351, it doesn't work either.
The gptids are different, but tank number is same. So this could probably be expected.

But still, why is my actual key not working with the configuration used for saving that geli key?
Hummm.

If nobody confirms this issue, it won't make sense at all to file this bug.

It always makes me feel like an idiot when I report a bug which is then never fixed. Be it important, a show-stopper or cosmetic. Here or at work.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
It always makes me feel like an idiot when I report a bug which is then never fixed. Be it important, a show-stopper or cosmetic. Here or at work.
Don't feel bad, it's an uphill battle for everyone. Just the other day, a serious regression caused FreeNAS to suggest that people upgrade their boot pools, rendering them unbootable.

The first reaction was to label it "not to be fixed". Fortunately, reason prevailed (quoting the original bug ticket helped) and the regression was fixed.

It doesn't really matter how many users are encrypting their pools.
Unfortunately, it means few people have experience in the matter, making it more difficult to find help.
 

kooper2015

Dabbler
Joined
Feb 19, 2015
Messages
17
Don't feel bad, it's an uphill battle for everyone. Just the other day, a serious regression caused FreeNAS to suggest that people upgrade their boot pools, rendering them unbootable.

The first reaction was to label it "not to be fixed". Fortunately, reason prevailed (quoting the original bug ticket helped) and the regression was fixed.


Unfortunately, it means few people have experience in the matter, making it more difficult to find help.

Thanks, Eric. Little hope, then. But probably easy to reproduce and very few conditions apply (compared to issues with user/group rights while across various file systems). That's why I asked for confirmations here.

Found these 2 related bugs for 9.3:
https://bugs.freenas.org/issues/8793
https://bugs.freenas.org/issues/7068

Both have been closed apparently without merge (?)...

So this could be an older bug - as I noticed something very similar, see:
https://bugs.freenas.org/issues/8793#note-3
I believe I used the geli.key 1 month ago, but not sure any more (because of my tests and these 2 reports above). And I can't reproduce what was happening 1 month ago, as adding a 4th HDD to an encrypted pool is not something I do every day.

The encryption is one of the reasons why I picked FreeNAS for my server... In case the documented use of geli.key fails and no other help is available (e.g. password lost), one would lose the pool forever. Which is a really bad thing. And clearly a bug.
 

kooper2015

Dabbler
Joined
Feb 19, 2015
Messages
17
When adding or removing a drive to an encrypted pool, you're required to re-key. Did you get a copy of the key after such time? If not, you're probably out of luck.

http://doc.freenas.org/9.10/freenas_storage.html#encryption
http://doc.freenas.org/9.10/freenas_storage.html#replacing-an-encrypted-drive

Hi m0nkey_,

I am able to access my pool, as noted in the first post...

I am not sure if I rekeyed after adding the 4th HDD. (note #1)

So today, I rekeyed the unlocked tank and generated a new passphrase. ADDED a recovery key (button 'Add recovery key'), which lets you download a geli key.

THAT recovery geli key works, it unlocks the tank without any issues.

However, if I download the geli key again (button with tooltip 'Download key'), that 2nd geli key does NOT unlock the tank! (Error: Volume could not be imported: 4 devices failed to decrypt.)

I also tried to find out, if it makes a difference downloading the geli key: unlocking by passphrase vs. unlocking by the working geli key. It doesn't matter: the downloaded geli key will NOT work in both cases.

I wonder how many geli keys on how many machines will not unlock the pool. Something definitively is wrong and fishy with that button 'Download key' as of FreeNAS-9.3-STABLE-201604150515.

Furthermore, as rekeying is required after adding another HDD to the pool, downloading the geli key shouldn't be possible. Also locking after rekeying shouldn't be possible WITHOUT changing passphrase (I did not try that, because I would probably lose access to the pool). (note #2)

Edit 16.05.16, just for the record:
After adding another disk to the encrypted tank today, I can confirm the following (as of 9.3-STABLE-201604150515):

note #1: I am now sure I did the re-keying after adding the other disk.
note #2: Locking the tank with a newly added disk is not possible without re-keying in the GUI, because the button to lock the tank isn't shown. Well done.
 

barny

Dabbler
Joined
Feb 4, 2015
Messages
15
I also am unable to unlock my encrypted z-pool after the last update on 9.10 (FreeNAS-9.10-STABLE-201606072003 (696eba7)) a couple days ago. I also tried to decrypt it according to the manual section 8.1g and import it thinking it needed to be done again. Now I have an error saying the state of the volume is "unknown". Looks like there are some bug reports filed on this issue. I saved a new geli key and passphrase after my *upgrade* to 9.10 a couple months back.
I used 9.3 for a few years with no trouble. I have a backup of the data so I'm not worried. I may go back to 9.3 as I never had an issue with unencrypting drives after a restart or how freenas functioned.

Update:
I was able to get the volume unlocked after some time. I rebooted the server for the third time and then the geli key worked. No idea why.
 

Arnis Juraga

Cadet
Joined
Oct 8, 2013
Messages
1
I have similar problem here:

- Old system was Freenas 9.2, I had 1 Encrypted volume (2 mirror disks). Previously - importing after reboot was working fine.
- Then - I updated 9.2 to 9.10 - and had a problem with import. I solved it by renaming the .key file in the geli folder (because of the debug.log messages it was obvious). But the disks imported correctly in the end. So - I had a 9.10 working system with the imported Encrypted volume.
- Now - I have another Freenas 9.10 system and I need to move these 2 drives to this system. The old Freenas has been shut down, disks disconnected and moved to another Freenas 9.10. Encrypted volumes are not importing.

My Encrypted volume is `Data01` - it does not appear in "zpool list", but the Volume disks are listed when importing from the GUI.

debug log:
Code:

[root@storage] /tmp# zpool list
NAME           SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
freenas-boot  7.25G  3.89G  3.36G         -      -    53%  1.00x  ONLINE  -
storage       3.62T  2.84T   802G         -    21%    78%  1.00x  ONLINE  /mnt


[root@storage] /tmp# tail -f /var/log/debug.log

Jul 14 19:23:39 storage manage.py: [middleware.notifier:215] Popen()ing: geli attach -j /tmp/tmpt9P5zD -k /var/tmp/firmware/tmpTFvGQj gptid/a1a4ccbb-7551-11e4-b191-001b21875d55
Jul 14 19:23:39 storage manage.py: [middleware.notifier:222] geli attach -j /tmp/tmpt9P5zD -k /var/tmp/firmware/tmpTFvGQj gptid/a1a4ccbb-7551-11e4-b191-001b21875d55 -> 1 (geli: Wrong key for gptid/a1a4ccbb-7551-11e4-b191-001b21875d55.
)
 
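A small log-triage helper for the middleware debug.log output quoted above and in the first post (an added example, not code from this thread or from FreeNAS; the sample lines, gptids and temp-file names are constructed): it maps each provider's `geli attach` result to a status and cross-checks it against the "devices failed to decrypt" total, so an admin can see exactly which providers rejected a key before concluding that the key file itself is bad.

```python
import re

# Constructed sample lines, modelled on the middleware debug.log excerpts quoted in this
# thread; the gptids and temp-file names are made up, not taken from a real system.
SAMPLE_LOG = """\
Jul 14 19:23:39 storage manage.py: [middleware.notifier:215] Popen()ing: geli attach -j /tmp/tmpPASS -k /var/tmp/firmware/tmpKEY gptid/aaaaaaaa-0000-1111-2222-333333333333
Jul 14 19:23:39 storage manage.py: [middleware.notifier:222] geli attach -j /tmp/tmpPASS -k /var/tmp/firmware/tmpKEY gptid/aaaaaaaa-0000-1111-2222-333333333333 -> 1 (geli: Wrong key for gptid/aaaaaaaa-0000-1111-2222-333333333333.
)
Jul 14 19:23:40 storage manage.py: [middleware.notifier:222] geli attach -j /tmp/tmpPASS -k /var/tmp/firmware/tmpKEY gptid/bbbbbbbb-0000-1111-2222-333333333333 -> 0
Jul 14 19:23:40 storage manage.py: [middleware.notifier:1338] [MiddlewareError: Unable to geli attach gptid/aaaaaaaa-0000-1111-2222-333333333333: geli: Wrong key for gptid/aaaaaaaa-0000-1111-2222-333333333333.
]
Jul 14 19:23:40 storage manage.py: [middleware.exceptions:37] [MiddlewareError: Volume could not be imported: 1 devices failed to decrypt]
"""

# "<cmd> -> <rc>" is how the notifier logs a finished geli attach; rc 0 means the provider attached.
ATTACH_RE = re.compile(r"geli attach .*?(gptid/[\w-]+) -> (\d+)")
WRONG_KEY_RE = re.compile(r"geli: Wrong key for (gptid/[\w-]+)")
SUMMARY_RE = re.compile(r"(\d+) devices failed to decrypt")


def parse_geli_attach(log_text):
    """Map each gptid seen in the log to 'attached', 'wrong key' or 'attach failed'."""
    status = {}
    for line in log_text.splitlines():
        m = ATTACH_RE.search(line)
        if m:
            gptid, rc = m.group(1), int(m.group(2))
            status[gptid] = "attached" if rc == 0 else "attach failed"
        m = WRONG_KEY_RE.search(line)
        if m:
            # geli's own message is more specific than the exit code, so it wins
            status[m.group(1)] = "wrong key"
    return status


def summarize(log_text):
    """Cross-check per-provider results against the middleware's final failure count."""
    status = parse_geli_attach(log_text)
    failed = sorted(g for g, s in status.items() if s != "attached")
    m = SUMMARY_RE.search(log_text)
    reported = int(m.group(1)) if m else None
    return {
        "attached": sorted(g for g, s in status.items() if s == "attached"),
        "failed": failed,
        "reported_failures": reported,
        # True when every failure the middleware counted is accounted for by a gptid above
        "consistent": reported is not None and reported == len(failed),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real `/var/log/debug.log` by replacing SAMPLE_LOG with the file's contents; a gptid listed as "wrong key" after a fresh rekey is the condition the thread describes.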