
After upgrade to 9.3 I can't decrypt my Volumes


pasco

Member
Joined
Dec 10, 2014
Messages
25
I updated the bug report in the meantime. Where can I specify the hw specs?
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
Some new info on my issue:

I've set up a brand new installation of FreeNAS 9.2.1.8, 32bit, mirror with 2x 160 GB HDDs and I've chosen "Encryption". OK.

Then I tried the following: I saved the "config.db" and the geli_recovery.key and geli.key. I shut down the machine and installed again a brand new installation of FreeNAS 9.2.1.8 on another USB stick for start-up.

I've started the brand new installed system, with the already configured HDDs as I mentioned above. I loaded the "config.db" and restarted the machine.

Now I have the same thing as with my productive server: the volume is locked. So far so good.

If I try to unlock the volume with the passphrase, I got the same error as mentioned in the very first post in this thread - it can't be unlocked. But if I choose the "geli.key", it works to decrypt/unlock.
If I detach the volume and auto-import it again, it works if I give the passphrase and the geli_recovery.key.

Obviously the unlocking works with only the geli.key or with passphrase AND geli_recovery.key, but NOT with the passphrase only (even if I loaded the config.db). This only happens if I have a fresh install on the USB start stick and load the config.db afterwards. If I reboot the system on the "original system", the passphrase alone, without providing the geli.key, works.

So I guess I don't have the latest geli.key nor the geli_recovery.key for my productive system :-(. Maybe I encrypted it again afterwards, though with the same passphrase, but I got new geli.keys of which I don't seem to have saved a copy.

Now my question: Is this a bug in FreeNAS? Is there hope that I can recover my data with only the passphrase and config.db, without geli.key or geli_recovery.key? Maybe it's not only a problem in FreeNAS 9.3, but also in the 9.2 branch, as it seems.

Thanks so much for your help in advance.
P@sco
 

solarisguy

Neophyte Sage
Joined
Apr 4, 2014
Messages
1,125
You can ignore the passphrase for a moment... It is geli that is responsible for the block device-layer disk encryption. Once you provide the geli key to FreeNAS for a particular volume, the system remembers it. So that is why you are seeing a request for the geli key only on import.

Take a break (like a long walk/stroll in a nice park, if it is not the middle of a harsh winter at your place...), and afterwards re-think where you could have possibly stored the geli keys.
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
Well I got the geli.key and the geli_recovery.key. But they don't work. The geli keys are only stored on the usb-start-media, right? I think yes, because otherwise it wouldn't be a real security mechanism...

Is there a way to find out if I got the latest, correct geli keys for my volume? I know that I've decrypted and encrypted it more than one time, so there were different geli keys and I don't know if I messed them up or if I even saved the latest geli keys. Can I somehow validate/verify that those are the correct geli keys for the actual decryption on my two mirrored drives?

BTW: Today is a good day for walking in the park at my place. I looked on every machine I own to see if I could find some more geli keys, but nothing. I was not aware HOW important the geli keys are :-(. Now I am, because I can't access pretty important data. This important, sensitive data is now very safe - actually way too safe, because I can't access it anymore, as it seems.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Well I got the geli.key and the geli_recovery.key. But they don't work. The geli keys are only stored on the usb-start-media, right? I think yes, because otherwise it wouldn't be a real security mechanism...
They are stored on the boot media until you make a set of them. Then they shouldn't be stored on the boot media anymore.

Is there a way to find out if I got the latest, correct geli keys for my volume? I know that I've decrypted and encrypted it more than one time, so there were different geli keys and I don't know if I messed them up or if I even saved the latest geli keys. Can I somehow validate/verify that those are the correct geli keys for the actual decryption on my two mirrored drives?
Nope. The key+passphrase or recovery key is a "works or doesn't work" as a package. In particular, for the key+passphrase, you must have both for it to decrypt properly. If it doesn't decrypt properly then at least one of them is incorrect. It is impossible to know which is incorrect (or if both are incorrect).

BTW: Today is a good day for walking in the park at my place. I looked on every machine I own to see if I could find some more geli keys, but nothing. I was not aware HOW important the geli keys are :-(. Now I am, because I can't access pretty important data. This important, sensitive data is now very safe - actually way too safe, because I can't access it anymore, as it seems.
If you can't decrypt with the keys you have (and/or with the passwords you have) then I think it's a fairly safe bet to say the data is gone. If you have the old USB stick you might be able to pull the old keys off the thumbdrive, assuming you haven't reformatted it or anything.
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
Nope. The key+passphrase or recovery key is a "works or doesn't work" as a package. In particular, for the key+passphrase, you must have both for it to decrypt properly. If it doesn't decrypt properly then at least one of them is incorrect. It is impossible to know which is incorrect (or if both are incorrect).
How do I see if the key is decrypted properly? I'm 99.9% sure I got the correct geli.key and geli_recovery.key. With the passphrase I'm 100% sure.
But decrypting still doesn't work.

If you can't decrypt with the keys you have (and/or with the passwords you have) then I think it's a fairly safe bet to say the data is gone. If you have the old USB stick you might be able to pull the old keys off the thumbdrive, assuming you haven't reformatted it or anything.
I've already reformatted the USB stick - too bad. I saved the keys, but they don't work anymore after the upgrade to 9.3.

Because my old machine couldn't handle the new GPT partition of 9.3 I had to switch to newer hw (Core 2 64bit system, meaning a new motherboard and 8 GB RAM). Perhaps that's why I can't decrypt it anymore? Is it possible that my problems result from changing the hardware?
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
Yes, I tried that already. But no luck. Then I upgraded my system again to 9.3, I did exactly the same steps. Imported my config.db first to my 9.2.1.8 installation and upgraded to 9.3. As a result of this, I couldn't start my (old) system up, because of that "old BIOS can't start the new GPT-Partition on the thumbdrive problem". So I had to switch to the newer hardware again. And I've tried both: Unlocking the volume with geli.key + passphrase and import the volume with the geli_recovery.key.

If I try to decrypt/unlock the volume, I still get this error (no matter if providing only the geli_recovery.key or geli_recovery.key AND the passphrase):

Code:
Error: Volume could not be imported: 2 devices failed to decrypt


If I try to import the volume, I still get this error:

Code:
The following disks failed to attach: gptid/a1a11b02-5e98-11e4-95e3-00300598d47b, gptid/a1fce450-5e98-11e4-95e3-00300598d47b
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
So I really must say goodbye to my data? Is there really no other chance?

What is the first partition on the data disks for? I mean I have the following partitions:

- HDD1: ada0p1 (2.1 GB) and ada0p2 (2 TB)
- HDD2: ada1p1 (2.1 GB) and ada1p2 (2 TB)

Could I get the master key from ada0p1 or ada1p1 perhaps?
 

pasco

Member
Joined
Dec 10, 2014
Messages
25
Further questions:

- After creating an encrypted volume there is a key file on the thumbdrive in /data/geli. Is this the geli.key or the geli_recovery.key from the web interface?
- Is it possible that it doesn't load my "geli_recovery.key" from the web interface correctly to the FreeNAS server?
- If I want to copy my "geli_recovery.key" or "geli.key" myself (manually) to the /data/geli directory, does the name of this file matter, as long as it ends with "key"? I'm asking this because I saw on a fresh install a file like "d3dbd9b0-71a8-4504-9e12-f1cdc6ead163.key" there and not "geli.key" or "geli_recovery.key" as it is named when I download it via the web interface.
- Is there another possibility to try to import the geli key to my FreeNAS server? Like with a terminal CLI command?

Thanks so much in advance.

Pasco
 
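Pasco's two questions above, whether a saved key can be checked against the volume and whether a key can be tried from the CLI, can both be answered from a FreeNAS shell with geli(8), which the web interface wraps. The script below is an added example, not from the thread or from FreeNAS itself; it assumes the saved key files sit in one directory, the passphrase is in a text file, and the recovery key is a passphrase-less key file (key slot 1), which is how FreeNAS 9.x configured it.

```shell
#!/bin/sh
# Added example (not from the thread): probe saved geli key files against the
# providers FreeNAS reported as failing, to learn which file (if any) still opens
# them. Assumes FreeBSD/FreeNAS with geli(8), keys in one directory, passphrase in
# a text file, and a passphrase-less recovery key (assumption about FreeNAS 9.x).
# Nothing on disk is modified: every successful attach is detached again at once.

# Extract the gptid provider names from a FreeNAS "failed to attach" error line.
# Reads the error text on stdin, prints one "gptid/<uuid>" per line.
parse_failed_disks() {
    sed -n 's/^The following disks failed to attach: //p' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# Try one key file on one provider.
# $1 = provider (gptid/...), $2 = key file, $3 = passphrase file, or "-" to
# attach without a passphrase (recovery-key mode). Returns 0 on success.
try_key() {
    prov=$1; key=$2; pass=$3
    if [ "$pass" = "-" ]; then
        geli attach -p -k "$key" "/dev/$prov" 2>/dev/null || return 1
    else
        geli attach -j "$pass" -k "$key" "/dev/$prov" 2>/dev/null || return 1
    fi
    geli detach "/dev/$prov.eli"   # only a test: release it immediately
    return 0
}

# For each failed provider, show the on-disk geli metadata (the "keys" bitmask
# tells you how many key slots were ever set) and then try every *.key file in
# $1 both as key+passphrase ($2) and as a passphrase-less recovery key.
# $3 = file holding the error line from the web interface.
probe_keys() {
    keydir=$1; passfile=$2; errfile=$3
    parse_failed_disks < "$errfile" | while read -r prov; do
        echo "== $prov"
        geli dump "/dev/$prov" | grep -E 'version|flags|ealgo|keylen|keys'
        for key in "$keydir"/*.key; do
            if try_key "$prov" "$key" "$passfile"; then
                echo "OK  key+passphrase:           $key"
            elif try_key "$prov" "$key" -; then
                echo "OK  passphrase-less/recovery: $key"
            else
                echo "no  $key"
            fi
        done
    done
}

# Usage: probe_keys /path/to/saved_keys /path/to/passphrase.txt /path/to/error.txt
```

If no file opens either provider in either mode, the key that matches the current metadata was never saved, which is the outcome cyberjock describes; a "keys" value of 0x01 in the dump also tells you that no recovery key slot was ever set on that disk.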