geli, zpool, mirror and upgrade from 9.2.1.8 to 9.3


pasco (Dabbler, joined Dec 10, 2014):
Hi 2gether

I have a serious problem: after an upgrade from 9.2.1.8 to 9.3 I can't decrypt my mirrored disks / my volume anymore.

I have the geli master keys from the two disks (ada0p2 and ada1p2), a user key (geli.key) with passphrase, and the recovery key (geli_recovery.key). I also have the config.db from my 9.2.1.8 installation. I can also dump the geli metadata (master key?) with the command "geli dump".

But I can't unlock my volume in the 9.3 web interface, no matter whether I try with geli.key & passphrase or with the recovery key.

I tried on the CLI with the geli command. I got the following error:

Code:
~# geli attach -k geli_recovery.key /dev/ada1p2
Enter passphrase:
geli: Wrong key for ada1p2.


Same on ada0p2. But the key is not wrong.

What am I doing wrong? Do I need to import the zpool first? Or is it a problem because of the mirror? Do I need to mount the encrypted mirror prior to trying to attach the volume?

Is there a possibility to recreate a new user key & passphrase just with the geli metadata (master keys?) from the mirrored drives and, for example, a former user key & passphrase or recovery key?

Thanks so much!

P@sco
 
pasco (Dabbler, joined Dec 10, 2014):
Perhaps my main problem is not the geli.key & passphrase or the geli_recovery.key but that there is no zpool?! My mirror is not listed if I do a "zpool list". So I can't decrypt it either, I guess...?
 

cyberjock (Inactive Account, joined Mar 25, 2012):
Your pool won't be listed if you do a zpool list because the pool won't be detected until you decrypt the partitions containing the zpool.

I don't know what you mean when you say you have the geli master keys from the two disks. Those don't help you decrypt your pool at all.

What you *should* have are either:

1. The geli key+passphrase from some time in the past when you created the pool and saved the keys from the WebGUI by clicking the button in the WebGUI to save the key.
2. The recovery key from some time in the past when you created the pool and saved the recovery key from the WebGUI.

Note that only one of those two parts is required to mount the pool, and you must have them from when the pool was mounted. If the pool wasn't mounted at the time you tried to get the key (which technically isn't possible from the WebGUI, but you are doing things from the CLI that scare me) then you are probably unable to decrypt your pool anymore.

Background:

When you first create a pool on FreeNAS, geli creates the keys and puts them on the USB stick. This is supposed to be temporary, as you should be following the manual for pool creation and you'd have downloaded the key and the recovery key like a good admin should. Once you've downloaded the key and recovery key, no keys are stored on the USB stick anymore. If you didn't download the two keys then all will appear to be fine until you upgrade. When you upgrade to 9.3 you will have a problem, as you'll find you not only have no keys on your boot device but you never saved them onto your desktop (or USB stick, whatever). This means that no copy of your keys exists anymore and your data is permanently encrypted... forever.

So you need to go find your keys that you had before you upgraded (assuming you have them somewhere) or be ready to restore from backup.
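The CLI procedure cyberjock describes (attach the geli providers with a saved key, and only then can the pool be imported) can be exercised outside the GUI so that a failure is pinned to a specific key, mode and disk rather than the GUI's generic decrypt/import error. The script below is an added example for this thread, not FreeNAS's or either poster's code. It assumes a FreeBSD/FreeNAS 9.x box run as root with geli(8) and zpool(8), the two mirror members named in the thread (/dev/ada0p2 and /dev/ada1p2, overridable via MEMBERS), that geli.key is the GUI key file that needs the passphrase, and, as an assumption to verify against your own setup, that geli_recovery.key is a key file used without a passphrase (geli attach -p). The -k, -p and -j flags are geli's own; the mode names and function names are this example's.

```shell
#!/bin/sh
# Added example (not FreeNAS's or the thread's code): try each saved key
# against every member of the encrypted mirror from the CLI, so "Wrong key"
# can be attributed to a specific key, mode and disk.
# Assumptions (verify against your own setup):
#   - FreeBSD/FreeNAS 9.x with geli(8) and zpool(8), run as root
#   - the mirror members are the devices in $MEMBERS
#   - geli.key is the GUI key file and needs the passphrase
#   - geli_recovery.key is assumed to be a passphrase-less key (geli attach -p)

MEMBERS="${MEMBERS:-/dev/ada0p2 /dev/ada1p2}"

# try_attach KEYFILE MODE DEV
#   pass          -> geli attach -k KEY DEV          (prompts for the passphrase)
#   nopass        -> geli attach -p -k KEY DEV       (key file only, no passphrase)
#   passfile:FILE -> geli attach -j FILE -k KEY DEV  (passphrase read from FILE)
try_attach() {
    key=$1; mode=$2; dev=$3
    case $mode in
        pass)       geli attach -k "$key" "$dev" ;;
        nopass)     geli attach -p -k "$key" "$dev" ;;
        passfile:*) geli attach -j "${mode#passfile:}" -k "$key" "$dev" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# attach_mirror KEYFILE MODE
# Attaches every member with the given key/mode and prints "attached: ..." on
# success (return 0). If any member fails, the members that did attach are
# detached again so the pool is never imported from a partial mirror (return 1).
attach_mirror() {
    key=$1; mode=$2; ok=""; total=0
    for dev in $MEMBERS; do
        total=$((total + 1))
        if try_attach "$key" "$mode" "$dev" 2>/dev/null; then
            ok="$ok $dev"
        else
            echo "FAIL key=$key mode=$mode dev=$dev" >&2
        fi
    done
    set -- $ok
    if [ "$#" -eq "$total" ]; then
        echo "attached:$ok"
        return 0
    fi
    for dev in $ok; do
        geli detach "$dev"   # geli accepts the plain device name for detach
    done
    return 1
}

# main: try the GUI key with its passphrase first, then the recovery key.
# The zpool only becomes visible to "zpool import" once the .eli providers exist.
main() {
    if attach_mirror geli.key pass || attach_mirror geli_recovery.key nopass; then
        geli status
        zpool import
    else
        echo "no saved key attached every member of the mirror" >&2
        return 1
    fi
}

# Usage on the NAS (as root), from the directory holding the key files:
#   sh try_keys.sh run
case ${1:-} in run) main ;; esac
```

In "pass" mode geli prompts once per member; to avoid retyping the passphrase, put it in a root-only file and use the "passfile:FILE" mode instead. The detach-on-partial-failure step matters: importing a pool with only one mirror member attached would look like a degraded pool rather than the key problem it actually is.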
 

pasco (Dabbler, joined Dec 10, 2014):
OK, thanks for that info. So that should be normal.

You can dump the geli metadata on the CLI with, for example, the command "geli dump /dev/ada0p2", I thought. At least it shows me a "geli master key" and "geli salt key". And it's not encrypted, as it looks. But what confuses me is the fact that each disk of the mirror has its own geli metadata; I thought there would be only one geli metadata for the mirror. I don't get it, and I'm far away from that. I really need an expert on that. The reason why I mentioned this "geli metadata" is because I've read somewhere that with the metadata you could generate a new (working) geli.key or geli_recovery.key, because the geli metadata doesn't change unless you create a new pool. This means you would have to create a new pool and restore data from a backup to this new pool.

I also have geli.key and geli_recovery.key, downloaded from the GUI. But after the upgrade from 9.2.1.8 to 9.3 and a fresh thumb drive installation with loading the config.db from 9.2.1.8, the encryption doesn't work. But I don't know why exactly. It says "wrong key", but it's not possible, it's the right key. I don't get it. Is there a specific log file somewhere showing what happens at this point, I mean when I try to decrypt the mirror/volume in the FreeNAS GUI? The error messages don't help to debug the error/find the real problem. It just says there is an error in decrypting or importing the volume, but I have no clue what kind of error that is.

I have saved my keys and still have them, but they don't work and I don't know why... How can I debug?

Have a nice New Years Eve everyone!

Cheers,
P@sco
 