Auto decrypt after ZFS pool extension?

Status
Not open for further replies.

wtfuar

Dabbler
Joined
Jun 25, 2013
Messages
36
Code:
Nov 24 18:15:22 freenas kernel: FreeBSD 9.1-STABLE #0 r+16f6355: Tue Aug 27 00:38:40 PDT 2013


Code:
[root@freenas] ~# zpool status
  pool: zfs1
state: ONLINE
status: The pool is formatted using a legacy on-disk format.  The pool can
        still be used, but some features are unavailable.
action: Upgrade the pool using 'zpool upgrade'.  Once this is done, the
        pool will no longer be accessible on software that does not support feature
        flags.
  scan: resilvered 1.25T in 12h32m with 0 errors on Sat Aug 24 07:37:39 2013
config:
 
        NAME                                                STATE    READ WRITE CKSUM
        zfs1                                                ONLINE      0    0    0
          raidz1-0                                          ONLINE      0    0    0
            gptid/27c029db-0c16-11e3-b6f5-002215ab012f.eli  ONLINE      0    0    0
            gptid/622428ec-9d54-11e2-9312-000c29cec408.eli  ONLINE      0    0    0
            gptid/634a7ede-9d54-11e2-9312-000c29cec408.eli  ONLINE      0    0    0
            gptid/64712091-9d54-11e2-9312-000c29cec408.eli  ONLINE      0    0    0
            gptid/65977639-9d54-11e2-9312-000c29cec408.eli  ONLINE      0    0    0
            gptid/66bc5d54-9d54-11e2-9312-000c29cec408.eli  ONLINE      0    0    0
          raidz2-1                                          ONLINE      0    0    0
            gptid/c3f1ecf4-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
            gptid/c68231a2-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
            gptid/c9180ca3-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
            gptid/cbb5eb1e-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
            gptid/ce53bf90-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
            gptid/d0d662bc-52d1-11e3-90c3-002215ab012f.eli  ONLINE      0    0    0
 
errors: No known data errors


raidz2-1 was added last week. The zfs pool was encrypted.

After I restarted freenas the pool was already decrypted! ^^

What happened here? Did something go wrong? Is the volume permanently decrypted now that I have extended the pool?
How do I get the pool encrypted?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yes. It's called you didn't follow the manual. The encryption key was recreated when you added the vdev, and then you didn't go in and re-set up your keys. If you had done this with 8.3.x you'd have lost your pool right now. Lucky for you, with 9.x the key is stored on the USB stick unless you set up a password.

So go rekey your pool and re-set up your passwords and all will be fixed.
 

wtfuar

Dabbler
Joined
Jun 25, 2013
Messages
36
Damn you're fast man 0|0.

I thought I followed the manual. At least there was no information shown, although the manual states that there will be information when starting an extension on an encrypted volume.

What I did - after RTFM -:

1. started freenas
2. decrypted my existing zfs volume
3. started zfs volume manager
4. chose the volume to extend
5. chose all the drives to be added
6. hit 'Extend Volume'
- no information was shown here, which scared me a bit, because the manual said so -

after that was finished and all healthy and working I selected the volume and hit:
'Encryption Re-Key' 'Download Key' 'Add recovery key'. This created a new key and recovery-key.

So my question to your answer is:
What do you mean by: "So go rekey your pool and re-set up your passwords and all will be fixed." ?
I think I missed something here. Maybe I have to manually rekey my volume? That should be mentioned in the manual alongside the commands to do so.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You have to do "Encryption Rekey", then "Create Passphrase", then "Download Key", then "Add Recovery Key". In that order.
 

wtfuar

Dabbler
Joined
Jun 25, 2013
Messages
36
I'm doing that right now. That should be added as a tool tip in the ZFS Volume Manager at 'Extend Volume'.
Thank you for that.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526

wtfuar

Dabbler
Joined
Jun 25, 2013
Messages
36
Hi,

for a native English speaker it is possibly clear enough.
But from a noob's point of view I would ask myself why I should create a "new" passphrase when the process is just a Re-Key.
As this is a requirement for extending an encrypted volume, the process of extension must not end with just the extension.

After extension of an encrypted volume has "finished" there should be a dialogue for the Re-Key process, step by step, with information on why this is necessary. This seems to be a must, as it would result in a total data loss with just the previous release of FreeNAS.

Edit: And it leads me to another question. When the -old- Key is stored on the stick to prevent the total data loss, what happens to it when I set a new pair of keys? Is the old one deleted? Do you have some information on that where I can read through? I smell upcoming security concerns on my side.
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
Edit: And it leads me to another question. When the -old- Key is stored on the stick to prevent the total data loss, what happens to it when I set a new pair of keys? Is the old one deleted? Do you have some information on that where I can read through? I smell upcoming security concerns on my side.
An encrypted pool can have up to 2 user keys.
Key 2 is the recovery key and is not stored anywhere. You download it when it's created and that's it. If you lose it you have to create a new one.
Key 1 is a compound key consisting of a key file stored in /data/geli (you can download this key file anytime via the Download Key button). If you do not set a passphrase the pool will automount using the key file stored on the USB key. If you set the passphrase then both the key file and the passphrase are needed to unlock the pool.
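
The two-slot layout Dusan describes is easiest to see with a small model. The following is an added example, not FreeNAS or GELI code: it assumes one random master key that actually protects the data, wrapped separately under up to two "user keys" (slot 0 the compound key file/passphrase, slot 1 the recovery key). GELI really does keep its master key encrypted under each user key and derives the passphrase part with PKCS#5 PBKDF2; everything else here (the XOR-plus-HMAC stand-in for its AES key wrapping, the iteration count, the salt handling, the `EncryptedPool`, `derive_user_key` and `demo` names) is a simplification constructed for illustration and is not interoperable with a real `.eli` provider. The point it demonstrates is that a Re-Key overwrites a slot, so the old key file stops unlocking the pool whether or not a copy of that file still sits somewhere, and that a key-file-only slot is exactly what lets the pool automount from the USB stick.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed iteration count for the toy KDF; GELI tunes its own PKCS#5 iterations.
KDF_ITER = 50_000


def derive_user_key(keyfile: bytes, passphrase: Optional[bytes], salt: bytes) -> bytes:
    """Model of Dusan's 'key 1' compound key: the key file alone, or key file + passphrase."""
    material = keyfile
    if passphrase:
        material = keyfile + hashlib.pbkdf2_hmac("sha512", passphrase, salt, KDF_ITER)
    return hashlib.sha256(salt + material).digest()


def _wrap(master: bytes, user_key: bytes) -> Tuple[bytes, bytes]:
    """Toy key wrap: XOR the master key with a keystream derived from the user key,
    then authenticate the result with an HMAC tag. Stands in for GELI's AES wrapping."""
    stream = hashlib.sha256(b"wrap:" + user_key).digest()
    enc = bytes(m ^ s for m, s in zip(master, stream))
    tag = hmac.new(user_key, enc, "sha256").digest()
    return enc, tag


def _unwrap(enc: bytes, tag: bytes, user_key: bytes) -> Optional[bytes]:
    """Return the master key if user_key authenticates this slot, otherwise None."""
    if not hmac.compare_digest(hmac.new(user_key, enc, "sha256").digest(), tag):
        return None
    stream = hashlib.sha256(b"wrap:" + user_key).digest()
    return bytes(c ^ s for c, s in zip(enc, stream))


class EncryptedPool:
    """One master key protecting the data; two user-key slots that each wrap it."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.slots: List[Optional[Tuple[bytes, bytes]]] = [None, None]

    def set_slot(self, slot: int, user_key: bytes) -> None:
        """Overwrite one slot: the model of 'Encryption Re-Key' (slot 0) and 'Add Recovery Key' (slot 1)."""
        self.slots[slot] = _wrap(self.master, user_key)

    def unlock(self, user_key: bytes) -> bool:
        """True if user_key opens either slot. A key whose slot was overwritten no longer can."""
        return any(e is not None and _unwrap(e[0], e[1], user_key) == self.master
                   for e in self.slots)


def demo() -> Dict[str, bool]:
    """Walk through the thread's situation: key-file-only pool, then a proper Re-Key."""
    pool = EncryptedPool()
    old_keyfile = secrets.token_bytes(64)   # constructed stand-in for the file under /data/geli
    pool.set_slot(0, derive_user_key(old_keyfile, None, pool.salt))
    recovery_key = secrets.token_bytes(64)  # constructed 'key 2', only ever held by the admin
    pool.set_slot(1, derive_user_key(recovery_key, None, pool.salt))
    results = {
        # No passphrase: the key file on the stick is sufficient, hence the automount.
        "automount_with_keyfile_only": pool.unlock(derive_user_key(old_keyfile, None, pool.salt)),
    }

    # Re-Key with a passphrase: a new key file AND the passphrase replace slot 0.
    new_keyfile = secrets.token_bytes(64)
    passphrase = b"constructed example passphrase"
    pool.set_slot(0, derive_user_key(new_keyfile, passphrase, pool.salt))
    results["old_keyfile_after_rekey"] = pool.unlock(derive_user_key(old_keyfile, None, pool.salt))
    results["new_keyfile_without_passphrase"] = pool.unlock(derive_user_key(new_keyfile, None, pool.salt))
    results["new_keyfile_with_passphrase"] = pool.unlock(derive_user_key(new_keyfile, passphrase, pool.salt))
    # Slot 1 was untouched by the Re-Key, so the downloaded recovery key still opens the pool.
    results["recovery_key_still_works"] = pool.unlock(derive_user_key(recovery_key, None, pool.salt))

    # 'Add Recovery Key' overwrites slot 1: the previously downloaded recovery key is dead.
    new_recovery = secrets.token_bytes(64)
    pool.set_slot(1, derive_user_key(new_recovery, None, pool.salt))
    results["old_recovery_after_replace"] = pool.unlock(derive_user_key(recovery_key, None, pool.salt))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unlocks' if ok else 'does not unlock'}")
```

Running `demo()` shows why the order cyberjock gives matters: until slot 0 is re-keyed with a passphrase, whatever key file is on the stick opens the pool on its own, and once it is re-keyed the old file is no longer a key to anything, so a lingering copy is no longer the exposure to worry about. The recovery key behaves the same way in slot 1: it survives a Re-Key of slot 0, but adding a new recovery key replaces it, so the previously downloaded one should be treated as retired.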
 