SOLVED How to find and save the 'encryption keys'?

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Hi
This is a question that I've asked elsewhere without finding any answers, so I thought perhaps it's time to make its own thread.

I'm still finding my feet with TrueNAS and one thing I want is to be prepared for a drastic system failure. I had thought that snapshots were helpful there but now I gather that's not so. I'm told I need to export the system config (go to the GUI and System/General/"Save Config") which I believe I've done, but I'm also told I need to save the 'encryption keys'. This part is much less clear.

The "Save" dialogue I mentioned above includes a checkbox "Include secret seed". Is that what was elsewhere referred to as "encryption keys"?

If I save a config file with the secret seed included, am I pretty much good to go in the event of a hard disk crash?

A couple of questions there, really.

Thank you for your thoughts.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
In the other thread from this OP, it is mentioned that those options are missing...

My guess is either the pool is not encrypted or it's GELI.

Could the OP please share the output from zpool status -v on that pool?
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
As noted by sretalla, the options given in the lower part of this illustration are in fact missing:

screenshot.1.jpg

There is no "Export Dataset Keys" option. That would solve the problem if it was like the manual says it is.
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Could the OP please share the output from zpool status -v on that pool?

I hope this is the information you asked for: I'm a total noob when it comes to CLI work.

There are just two pools: NAS and system, relating to the HDDs and the SSD respectively.

screenshot.2.jpg

screenshot.3.jpg
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Your pool isn't encrypted with GELI, as none of the members have an .eli suffix. Does your pool exhibit a lock in the GUI?
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Yes. I encrypted a dataset in the NAS pool when I created it:

screenshot.4.jpg
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Did you select the encrypt with passphrase option? In that case I don't think you get an option to download keys as your passphrase is already effectively the key.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I had thought that snapshots were helpful there but now I gather that's not so
When the encryption keys topic above has been fully dealt with, would you care to expand on your snapshot observation?
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Did you select the encrypt with passphrase option? In that case I don't think you get an option to download keys as your passphrase is already effectively the key.
Oh really sretalla?
Gosh that is interesting. Yes, I DID select a passphrase. But my (partial) understanding is that passphrase + keys = decryption. Is that wrong? Could well be. This is not my strong suit, hence asking about it here.
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
When the encryption keys topic above has been fully dealt with, would you care to expand on your snapshot observation?
Hi Redcoat
My understanding is that snapshots are some kind of reflection of content. Perhaps an audit of some kind? I don't see how they can be useful in the event of data loss since, for example in my case, with 8Tb X 2 drives (mirrored), if you have 5Tb of data, if a snapshot takes up much less than 5Tb (as it certainly seems to in my case) then it simply cannot contain a copy of the 5Tb you have, therefore it cannot restore it if you lose it.

Unfortunately I don't have a second NAS or other resources to duplicate the data I have to, and my snapshots appear to be small enough to comfortably fit in the approximately 3Tb of storage I still have free. Hence my starting point is saying I don't think snapshots are helpful in the event of system failure. If I'm significantly wrong I would be delighted to learn how, but there are more things in heaven and earth so - please correct me if that's an option!
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
It appears possible to extract the keys via the API. I'm experimenting with the syntax currently.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Well, for sure, if the snapshots are on your NAS then they won't help you in the case of full system failure.

I can assure you that a set of replicated snapshots can be used to restore a complete system. Earlier this year I nuked a snapshotted 4 drive pool, added a couple more drives to the box for a 6-drive pool, and restored from the replicated snapshots on my backup NAS. The first replication of a snapshot, or a set of them, produces a file that contains everything in the snapshot(s) and will be about the same size as the dataset.
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
It appears possible to extract the keys via the API. I'm experimenting with the syntax currently.
Thank you Samuel. Let me know how you get on please!
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Well, for sure, if the snapshots are on your NAS then they won't help you in the case of full system failure.

I can assure you that a set of replicated snapshots can be used to restore a complete system. Earlier this year I nuked a snapshotted 4 drive pool, added a couple more drives to the box for a 6-drive pool, and restored from the replicated snapshots on my backup NAS. The first replication of a snapshot, or a set of them, produces a file that contains everything in the snapshot(s) and will be about the same size as the dataset.
So one inference from what you said is that one would need available external storage of equivalent size (at least) to the backed up dataset(s) in order to truly take full advantage of Snapshots. Is that a fair conclusion sir?
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Yes, that's a fair conclusion if you want to use snapshots as disaster recovery.
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Thank you Redcoat.

Still waiting for illumination on the fundamental question though: how do I find and save 'encryption keys' - together with the recently acquired question 'do I need encryption keys if I use password protection for my pools?'.

I live in hope :)
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Well, FWIW, the way I read the docs, you don't have keys if you use the passphrase (same reading as @sretalla it seems).
 

NumberSix

Contributor
Joined
Apr 9, 2021
Messages
188
Thank you Redcoat.
I'll take your identical reading as confirmation, stop worrying about this issue and move on!
Really, thank you though. I think I can mark this thread as solved now. Cheers all!
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Thank you Samuel. Let me know how you get on please!

Unfortunately, it appears the only time the keys can be exported is when the encrypted dataset is first created. I tried various API methods on my encrypted backup pool, and they all returned 405 Method not allowed, which makes sense, as the keys are stored within the pool itself, and not as a file.
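
Added example, not part of any post in this thread and not TrueNAS's own tooling: a shell helper that reads the tab-separated output of `zfs get -H -o name,property,value encryption,keyformat` and reports, per dataset, whether there is key material to back up or only a passphrase to remember. The dataset names, the sample output and the wording of the labels are constructed for illustration.

```shell
#!/bin/sh
# Classify ZFS datasets by what is needed to unlock them after a rebuild.
# Input (stdin): lines of "name<TAB>property<TAB>value", as printed by
#   zfs get -H -o name,property,value encryption,keyformat -r <pool>

classify_keys() {
    awk -F '\t' '
        !($1 in seen)      { seen[$1] = 1; order[++n] = $1 }
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "keyformat"  { fmt[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off" || enc[d] == "")
                    what = "unencrypted: nothing to save"
                else if (fmt[d] == "passphrase")
                    what = "passphrase: no key file, keep the passphrase safe"
                else
                    what = "key (" fmt[d] "): back up the key material"
                printf "%s\t%s\n", d, what
            }
        }'
}

# Constructed sample output (hypothetical pool layout, not from the thread).
sample_output() {
    printf 'NAS\tencryption\toff\n'
    printf 'NAS\tkeyformat\tnone\n'
    printf 'NAS/private\tencryption\taes-256-gcm\n'
    printf 'NAS/private\tkeyformat\tpassphrase\n'
    printf 'NAS/media\tencryption\taes-256-gcm\n'
    printf 'NAS/media\tkeyformat\thex\n'
}

# Stand-alone run on the sample; on a real system pipe the zfs command above
# into classify_keys instead.
sample_output | classify_keys
```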
 