Decryption of 3rd party ZFS pool using TrueNAS

firesyde424

I have some data on an 8 drive RAIDZ1 pool sent to us on a third party "secure" device. The pool itself is unencrypted but contains a dataset encrypted with a Yubikey and a passcode for the Yubikey. The problem is that the appliance's backplane appears to be junk and we're having issues getting the pool online. The customer who sent us the device didn't pay for support from the vendor who makes the device so when we called the vendor, we got a polite middle finger.

The vendor goes to great lengths to hide their use of Linux and ZFS behind buzz words and "magic" but underneath their custom UI, it's just Debian Linux and ZFS.


In a last-ditch attempt before asking the customer to resend the data, I moved the drives to a plain old Dell server with an LSI HBA, running TrueNAS Scale. I assumed this was the best option given the vendor's use of Linux in their appliance. I can see all 8 drives and successfully import the pool. When I do that, all 8 drives report healthy and the pool comes online with no problems. I performed some basic checks and all appears well. I was even able to replace one of the drives that the vendor's appliance said was bad (though my tests showed no problems) and successfully performed a resilver on the new drive.

However, I can't access the data because, of course, the dataset is encrypted. When I try to perform an unlock, it asks for a passphrase, so I assume the vendor is generating that passphrase on the appliance, with the Yubikey and the corresponding pin.

We do have the Yubikey and the pin, provided to us by the customer. Is it possible to generate the needed passphrase on a different system, or can this only be done on the system that was used to encrypt the dataset originally?
 
