SOLVED Export/Import Encrypted Pool

[scholztec]

I'm a long-time listener, first-time caller. I've spent most of the last year assembling and testing the system in my sig. Recently, I've been having some odd issues with jails and plugins, and before reaching out to the community for help, I figured I'd try reinstalling from scratch to rule out the possibility that I'd screwed them up somehow. These issues are briefly described below (for the curious), but are not relevant to this question, and will be posted separately if I am able to reproduce on the new install.

Show

Jails are issuing with duplicate MAC addresses. Once the MAC is fixed, jails are not automatically pulling IP addresses. The only fix has been to go into the shell and manually issue a dhclient <interface>.
Also, plugins are working only intermittently, often failing to start, and generating errors about being unable to locate JSON stuff.

I have 2 pools, one SSD and one disk (main).
My jails are on my SSD pool, which I would wipe/recreate for a new install.
My main pool is encrypted. I have saved the key and the recovery key.
If I reinstall FreeNAS, I'll need to import my main pool.

My googling on the subject has found only old bug reports, and link to FreeNAS docs. I have been unable to find anyone with this particular question/situation. According to the FreeNAS docs:

• Disks must be decrypted before import.
• Disks cannot be encrypted in-place. (point 10 in that link)

My take-away from the above links is that an encrypted pool

1. Can be exported, then imported,
2. Must be decrypted in the import process, and
3. Cannot be re-encrypted in place

I'm assuming that I've been an idiot, and am missing something obvious, as this seems like it couldn't be correct. I'm a fairly tech-savvy person, though I'm humble enough to admit that I've missed the obvious before.

All of the data currently on the system exists off of the system, so I could start over from the *very* beginning if I had to, but I'd rather not have to deal with re-transferring the 10TB of data I've already copied into the pool.

Someone please tell me that I'm wrong about the above limitations, and please let me know where I missed the correct answer.

 

[depasseg]

I never took "decrypt" to mean un-enecrypt. I thought it meant unlock. But I've never played with it.

If it were me, once I decided to take the plunge, I would pull out my existing USB FreeNAS install and put it in a safe place, and do the fresh install on a fresh USB stick. This way, I could revert or refer to the previous install.

 

[scholztec]

I never took "decrypt" to mean un-enecrypt. I thought it meant unlock.

That's an interesting point - I never thought about it that way. I assumed that since the UI uses the term "unlock" in volume management, it would be consistent. This may have been a foolish assumption.

If it were me, once I decided to take the plunge, I would pull out my existing USB FreeNAS install and put it in a safe place, and do the fresh install on a fresh USB stick. This way, I could revert or refer to the previous install.

I hadn't thought about that either. I installed my system to a SATA DOM, so I suppose I could remove the DOM and test re-installing on a USB stick. If it works, I can reinstall on the DOM.

Thanks for the suggestions! I'm interested to know if anyone else has knowledge of this. If this is just an issue of semantics, then it's not much of an issue at all.

 

[Ericloewe]

Must be decrypted in the import process, and

Opened, not converted into a non-encrypted pool.

 

[Ericloewe]

Opened, not converted into a non-encrypted pool.

huh, ninja'd by 20 minutes... That's a new low, XenForo.

 

[scholztec]

Happy to report that you *can* import a pool and keep encryption. This turns out just to be a semantics issue.

I'm considering filing a feature request to have consistency in the UI and documentation. In volume management, this process is referred to as "locking" or "unlocking" the drive. "Encryption" and "decryption" refer to altering the data physically on the disks.

Any thoughts about whether this would be a reasonable request?

 

[depasseg]

Makes sense to me. @dlavigne ?

 

[scholztec]

Thanks everyone for the help with this. Posted as a feature request to update UI and documentation https://bugs.pcbsd.org/issues/15088

Hopefully, I'm not the only idiot who was confused by this, but at least there's now info about it.