How do I remotely decrypt volume via ssh when using private key?

Status
Not open for further replies.

Forrest

Cadet
Joined
Mar 10, 2017
Messages
3
I have my FreeNAS setup so I can remotely access it via ssh using a private key. I'm away from home for an extended trip, but when I received an email that a FreeNAS update is available, I opened an ssh tunnel as I typically do, and through SOCKS5 was able to use the WebUI to update the system. However, when I tried to ssh back in after the system reboot, my key is being rejected. Presumably, the problem is it's unable to compare the keys because my volumes are encrypted.

So the question is: is there a way I can remotely decrypt the volume when the only way I can usually get in is over ssh with a private key?

A similar question was asked a few years ago: https://forums.freenas.org/index.php?threads/how-do-i-decrypt-my-zfs-drive-via-ssh.17198/
but I don't see how the "solution" can be adapted to my situation. I tried the unlock API code posted there, but unsurprisingly Python requests returned a "bad handshake" "unknown protocol" error.

Any ideas? I'm open to a 'future solution' too, that I wouldn't be able to implement until I'm back home.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
So you make the ssh tunnel with freenas or another server on your network? Do you use the root user? How did you use the rest API? Is your server exposed to the internet?



 

Forrest

Cadet
Joined
Mar 10, 2017
Messages
3
I make the ssh tunnel with FreeNAS. I use a ddns service and forward a port through my router for ssh access through the internet.

The ssh key is assigned to my user account, which has sudo privileges and I have accessed the WebUI remotely this way before with no problems.

I tried this Python code
Code:
import json
import requests

# Values in <...> are placeholders to substitute before running.
r = requests.post(
    'https://localhost/api/v1.0/storage/volume/<volume_name>/unlock/',
    auth=('root', '<root_password>'),
    headers={'Content-Type': 'application/json'},
    verify=False,  # TLS certificate verification is disabled
    data=json.dumps({'passphrase': '<volume_passphrase>'})
)
print(r.text)

from the question I linked to above, where I made the necessary substitutions in bold. I also specified the port in the usual way (myurl.com : port) when specifying localhost (actually the web address of the FreeNAS). Of course this doesn't make use of the private key, and if I try to ssh into the server as root I get an error with "Server sent: public key".
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
In some ways you want an account, (personal or 2nd personal), home directory on the FreeNAS boot pool.
Not a good idea for un-mirrored boot pool, nor perhaps USB boot pool. But, if the only thing it does is allow
remote login when the main pool needs to have its encryption credentials installed, perhaps reasonable.

And of course, this could be lost after any update. Plus, certainly lost if you completely replace your boot pool
media devices.
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
Looks like you can't log in. And that Python code will never work. It uses http and port 80 not ssh/22.

Root has a home directory on the USB stick so you could log in using that user if you either have the private key or you allow password auth. Seems like you don't have either.

 

Forrest

Cadet
Joined
Mar 10, 2017
Messages
3
Yeah, I was confident the Python code wasn't going to work, I just wanted to say I'd at least looked at the solution to a similar question.

Sounds like next time I'm home I need to make an ssh key for root and that should solve this problem.
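
The lockout described in this thread, as an added example that is not part of any post or of FreeNAS itself: a small Python check that lists which login accounts keep their authorized_keys on a volume that stays unavailable until it is unlocked. The passwd entries, pool names and mount points are constructed, and sshd's default AuthorizedKeysFile location is assumed.

```python
import posixpath

# Constructed sample in 7-field passwd(5) format; the account names and the
# pool names "tank" and "tank2" are hypothetical.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
forrest:*:1001:1001:Forrest:/mnt/tank/home/forrest:/bin/sh
backup:*:1002:1002:Backup:/mnt/tank2/backup:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def is_under(path, mount):
    """True if path is the mount point itself or lies below it."""
    path, mount = posixpath.normpath(path), posixpath.normpath(mount)
    return path == mount or path.startswith(mount.rstrip("/") + "/")


def keys_on_locked_storage(passwd_text, locked_mounts):
    """Map each login account to its authorized_keys path when that path
    sits on a mount that is unavailable until the volume is unlocked.
    Assumes sshd's default AuthorizedKeysFile (~/.ssh/authorized_keys)."""
    at_risk = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7:
            continue  # comment, blank or malformed entry
        user, home, shell = fields[0], fields[5], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue  # account cannot log in interactively anyway
        if any(is_under(home, m) for m in locked_mounts):
            at_risk[user] = posixpath.join(
                posixpath.normpath(home), ".ssh", "authorized_keys")
    return at_risk


if __name__ == "__main__":
    # Only "tank" is treated as encrypted; "tank2" must not match by prefix.
    found = keys_on_locked_storage(SAMPLE_PASSWD, ["/mnt/tank"])
    for user, path in found.items():
        print(f"{user}: {path} is unreadable while the volume is locked")
```

Accounts it reports lose key-based login after a reboot until the volume is unlocked; accounts it does not report (here root, whose home is on the boot device) remain usable for that first login.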
 