Disk replacement procedure with legacy encryption?

Dwarf Cavendish

Contributor
I started out my NAS with FreeNAS 11.1, using legacy encryption. Due to having a busy life the last couple of years, I haven't gotten around to migrating away from it yet.

Now I was recently confronted with the possibility of having to replace a disk in my pool. And something that I burnt into my memory is: rekey after replacing a disk, otherwise I'll lose access to my pool. It's a procedure I even practiced on a VM years back. So I was just looking into how things now look in the TrueNAS Core UI and it looks like the terminology changed. I think that it's called "Reset Keys" now. So the procedure would then be:
  1. Hook up replacement disk.
  2. Boot up my server.
  3. Unlock the pool using my passphrase.
  4. Replace the faulty disk in the GUI.
  5. While resilvering, reset the keys in the GUI.
  6. Wait for resilvering to finish.
  7. Shut down server and remove faulty disk.
  8. Boot up my server.
  9. Unlock pool using my passphrase and live happily ever after.
Is there anything I'm overlooking here?

danb35

Hall of Famer
Somewhat orthogonal to your question, but if you're going to be replacing a disk anyway, maybe you should consider moving away from legacy encryption entirely:

Pinging @Patrick M. Hausen, since it's his guide.

Samuel Tai

Never underestimate your own stupidity
Moderator
@Dwarf Cavendish, IIRC, after replacing each disk in a GELI-encrypted pool, you'll need to both reset the pool encryption keys AND recreate your passphrase AND regenerate the pool recovery key after the resilver.


However, I'm not sure if TrueNAS 13.0-U4 continues to expose those options, and you may need to perform these operations via CLI. I was able to convert my GELI-encrypted pool to a non-encrypted pool using @Patrick M. Hausen's guide, as GELI has been deprecated and is no longer supported.

Samuel Tai

Never underestimate your own stupidity
Moderator
  1. First, run midclt call pool.query | jq to get the SQL index ID for your encrypted pool. This will be the value in the JSON key "id" corresponding to the name of your pool. Use this ID in the following API calls as the pool ID.
  2. Rekey pool: midclt call pool.rekey <pool ID> '{ "admin_password": "<password for root>" }'
  3. Download key: midclt call pool.download_encryption_key <pool ID> "geli.key"
  4. Reset passphrase: midclt call pool.passphrase <pool ID> '{ "passphrase": "<new passphrase>", "admin_password": "<password for root>" }'
  5. Regenerate and download recovery key: midclt call core.download "pool.recoverykey_add" '[ <pool ID>, { "admin_password": "<password for root>" } ]' "recovery.key". This will generate a download URL path good for about 10 minutes. Navigate to https://<your TrueNAS hostname>/<URL path from download job output> to download the recovery key.
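The five CLI steps above, wrapped into a script that looks the pool ID up by name, refuses to run against a pool that is not legacy-encrypted or is still locked, and issues the calls in the order given. This is an added example, not a script from the thread or from iXsystems: it assumes the midclt method names and argument shapes exactly as quoted above, that pool.query returns objects with "id", "name", "encrypt" and "is_decrypted" keys (as the FreeNAS 11 / TrueNAS 12 API did), and that core.download returns a [job_id, url_path] pair. The sample pool.query output used by the --demo mode is constructed.

```python
"""Rekey a GELI (legacy-encrypted) pool on TrueNAS CORE after a disk replacement.

Added example; not the forum poster's code. Assumptions (see lead-in):
midclt method names/arguments as quoted in the thread; pool.query entries carry
"id", "name", "encrypt" (0 = no GELI, 1 = key, 2 = key + passphrase) and
"is_decrypted"; core.download returns [job_id, url_path].
"""
import getpass
import json
import subprocess
import sys
from typing import Callable, List

# A "call" runs `midclt call <args...>` and returns stdout; injectable so the
# sequence can be exercised offline without a TrueNAS box.
Call = Callable[[List[str]], str]

# Constructed sample of what pool.query returns (not captured from a real system).
SAMPLE_POOL_QUERY = json.dumps([
    {"id": 1, "name": "tank", "encrypt": 2, "is_decrypted": True},
    {"id": 2, "name": "scratch", "encrypt": 0, "is_decrypted": True},
])


def midclt(args: List[str]) -> str:
    """Run midclt for real; a non-zero exit raises instead of silently continuing."""
    proc = subprocess.run(["midclt", "call", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def find_pool(pool_query_json: str, name: str) -> dict:
    """Step 1: pick the pool.query entry whose "name" matches, refusing ambiguity."""
    matches = [p for p in json.loads(pool_query_json) if p.get("name") == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one pool named {name!r}, found {len(matches)}")
    return matches[0]


def check_rekey_preconditions(pool: dict) -> None:
    """Rekeying only makes sense for a GELI pool that is currently unlocked."""
    if not pool.get("encrypt"):
        raise ValueError(f"pool {pool['name']!r} is not legacy-encrypted; nothing to rekey")
    if not pool.get("is_decrypted", False):
        raise ValueError(f"pool {pool['name']!r} is locked; unlock it with the passphrase first")


def rekey_pool(call: Call, pool_id: int, admin_password: str, passphrase: str,
               key_file: str = "geli.key", recovery_file: str = "recovery.key") -> str:
    """Steps 2-5 in the order the thread gives them. Returns the recovery-key URL path."""
    auth = {"admin_password": admin_password}
    # 2. New master key; the old geli.key stops working from here on.
    call(["pool.rekey", str(pool_id), json.dumps(auth)])
    # 3. Fetch the new key before touching anything else.
    call(["pool.download_encryption_key", str(pool_id), key_file])
    # 4. Passphrase must be set again after a rekey.
    call(["pool.passphrase", str(pool_id), json.dumps({"passphrase": passphrase, **auth})])
    # 5. Recovery key is regenerated and offered as a time-limited download (~10 min).
    out = call(["core.download", "pool.recoverykey_add", json.dumps([pool_id, auth]),
                recovery_file])
    _job_id, url_path = json.loads(out)  # assumed [job_id, "/_download/<id>?auth_token=..."] shape
    return url_path


def run(call: Call, pool_query_json: str, pool_name: str,
        admin_password: str, passphrase: str) -> str:
    """Whole procedure against an injected midclt; returns the recovery-key URL path."""
    pool = find_pool(pool_query_json, pool_name)
    check_rekey_preconditions(pool)
    return rekey_pool(call, pool["id"], admin_password, passphrase)


def demo_call(args: List[str]) -> str:
    """Offline stand-in for midclt: echoes calls and returns plausible, constructed output."""
    print("midclt call", " ".join(args))
    return '[7, "/_download/7?auth_token=constructed"]' if args[0] == "core.download" else "true"


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print("recovery key path:", run(demo_call, SAMPLE_POOL_QUERY, "tank", "x", "y"))
    elif len(sys.argv) == 2:
        # Secrets are read from the terminal, not from argv, so they stay out of `ps`.
        root_pw = getpass.getpass("root password: ")
        new_pp = getpass.getpass("new pool passphrase: ")
        path = run(midclt, midclt(["pool.query"]), sys.argv[1], root_pw, new_pp)
        print(f"download the recovery key within ~10 minutes from https://<your TrueNAS host>{path}")
    else:
        sys.exit(f"usage: {sys.argv[0]} <pool name> | --demo")
```

Run it as root on the TrueNAS shell with the pool name as the only argument; with --demo it exercises the same call sequence against the constructed sample so you can see the order of midclt invocations before doing it for real.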

Dwarf Cavendish

Contributor
I went through the procedure to remove geli encryption today. Turns out that I was more nervous about it than necessary; it was a breeze :smile: ! One thing I do want to check is whether the export and subsequent import have affected the periodic snapshot tasks that I had. And one thing that I didn't see mentioned is that TrueNAS Core 13 has a checkbox for removing sharing data (or something to that effect), which I disabled. Started SMB after the import and everything was back as usual.

I found it very impressive to actually see how everything remained operational throughout most of the procedure and have come to appreciate more the benefits that OpenZFS is getting me. And there is little reason for me to be nervous about having to actually replace a disk now :smile: .

Thanks, @Patrick M. Hausen , @danb35 !