SOLVED I can unlock an encrypted pool with my passphrase, but not with geli.key

oRAirwolf (Explorer, joined Dec 6, 2016, 55 messages)
I am running FreeNAS-11.1-U1. I created a new encrypted volume with 2 striped disks for testing purposes and have been toying with locking and unlocking them before doing this on my main disk array. If I put in my password, it unlocks the volume with no problems. The problem I am running into is that when I go to unlock the volume, if I choose my geli.key file, I get the following error in the UI:

Code:
Environment:

Software Version: FreeNAS-11.1-U1 (f7e246b8f)
Request Method: POST
Request URL: http://10.10.0.23/storage/volume/3/unlock/?X-Progress-ID=4b4ec991-6bae-405b-8cb3-46872ebcee53

Traceback:
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/exception.py" in inner
  42. response = get_response(request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _legacy_get_response
  249. response = self._get_response(request)
File "/usr/local/lib/python3.6/site-packages/django/core/handlers/base.py" in _get_response
  178. response = middleware_method(request, callback, callback_args, callback_kwargs)
File "./freenasUI/freeadmin/middleware.py" in process_view
  162. return login_required(view_func)(request, *view_args, **view_kwargs)
File "/usr/local/lib/python3.6/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  23. return view_func(request, *args, **kwargs)
File "./freenasUI/storage/views.py" in volume_unlock
  1005. form.done(volume=volume)
File "./freenasUI/storage/forms.py" in done
  2792. raise MiddlewareError(msg)

Exception Type: MiddlewareError at /storage/volume/3/unlock/
Exception Value: [MiddlewareError: Volume could not be imported: 2 devices failed to decrypt]

Here is what I see in the console:
Code:
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.exceptions:36] [MiddlewareError: Unable to geli attach gptid/1c77f259-135c-11e8-bf2e-a0369f1178a4: geli: Wrong key for gptid/1c77f259-135c-11e8-bf2e-a0369f1178a4.]
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.notifier:603] [MiddlewareError: Unable to geli attach gptid/1c77f259-135c-11e8-bf2e-a0369f1178a4: geli: Wrong key for gptid/1c77f259-135c-11e8-bf2e-a0369f1178a4.]
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.exceptions:36] [MiddlewareError: Unable to geli attach gptid/1d502a35-135c-11e8-bf2e-a0369f1178a4: geli: Wrong key for gptid/1d502a35-135c-11e8-bf2e-a0369f1178a4.]
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.notifier:603] [MiddlewareError: Unable to geli attach gptid/1d502a35-135c-11e8-bf2e-a0369f1178a4: geli: Wrong key for gptid/1d502a35-135c-11e8-bf2e-a0369f1178a4.]
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.notifier:2524] Importing EncryptedVolume [6177185692294345268] failed with: cannot import '6177185692294345268': no such pool available
Feb 18 11:31:09 epsilonshrike uwsgi: [middleware.exceptions:36] [MiddlewareError: Volume could not be imported: 2 devices failed to decrypt]

If I decrypt the volume using the password, this is what I see in the console. Does this look normal?
Code:
Feb 18 11:41:12 epsilonshrike GEOM_ELI: Device gptid/1c77f259-135c-11e8-bf2e-a0369f1178a4.eli created.
Feb 18 11:41:12 epsilonshrike GEOM_ELI: Encryption: AES-XTS 256
Feb 18 11:41:12 epsilonshrike GEOM_ELI:     Crypto: hardware
Feb 18 11:41:14 epsilonshrike GEOM_ELI: Device gptid/1d502a35-135c-11e8-bf2e-a0369f1178a4.eli created.
Feb 18 11:41:14 epsilonshrike GEOM_ELI: Encryption: AES-XTS 256
Feb 18 11:41:14 epsilonshrike GEOM_ELI:     Crypto: hardware
Feb 18 11:41:14 epsilonshrike ZFS: vdev state changed, pool_guid=6177185692294345268 vdev_guid=6522193428091623649
Feb 18 11:41:14 epsilonshrike ZFS: vdev state changed, pool_guid=6177185692294345268 vdev_guid=3126616867256274448
Feb 18 11:41:22 epsilonshrike smbd: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
Feb 18 11:41:35 epsilonshrike nfsd: can't register svc name
Feb 18 11:41:44 epsilonshrike syslog-ng[7320]: syslog-ng shutting down; version='3.7.3'
Feb 18 11:41:44 epsilonshrike syslog-ng[9964]: syslog-ng starting up; version='3.7.3'
Feb 18 11:41:51 epsilonshrike smbd: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
Feb 18 11:41:52 epsilonshrike savecore: /dev/da7p1: Operation not permitted
Feb 18 11:41:52 epsilonshrike savecore: /dev/da6p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da5p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da4p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da3p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da2p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da1p1: Operation not permitted
Feb 18 11:41:53 epsilonshrike savecore: /dev/da0p1: Operation not permitted

I have re-downloaded the key after unlocking the volume with the password and tried the new key. I still get the same results. Any ideas as to why this may be happening?

Here's a video of it happening:


rs225 (Guru, joined Jun 28, 2014, 878 messages)
If you have a password, then geli.key is going to require the password. All elements are required.

A recovery key can be used without a password.

oRAirwolf (Explorer, joined Dec 6, 2016, 55 messages)
> If you have a password, then geli.key is going to require the password. All elements are required.
>
> A recovery key can be used without a password.

I guess I am a little confused. What is the point of having the recovery key if you need the password? When is it used if you have a password protected volume?

rs225 (Guru, joined Jun 28, 2014, 878 messages)
The recovery key can be used without the password, or the working FreeNAS config. It should be kept somewhere safe. It would be used when SHTF.

warning for everyone: encryption is for people with backups and who know what they are doing.

oRAirwolf (Explorer, joined Dec 6, 2016, 55 messages)
> The recovery key can be used without the password, or the working FreeNAS config. It should be kept somewhere safe. It would be used when SHTF.
>
> warning for everyone: encryption is for people with backups and who know what they are doing.

I appreciate the warning. So if I only need to use a password to unlock my volume, what is the recovery key for? If I have to transfer the drives to a new host, is the recovery key needed, as well as the password, to decrypt the drives? Will the password itself not be sufficient in a new machine/install of FreeNAS?

gary_1 (Explorer, joined Sep 26, 2017, 78 messages)
With FreeNAS/geli there's always a key involved, even when you only appear to enter a password.

When you unlock a regular pool, FreeNAS has your encrypted user key stored on the data volume (see /data/geli/). You thus only need to provide the password to unlock it, as it already has the keys for those volumes.

If, however, that directory is lost or you wish to import your ZFS pool on another machine, that key will not be available.

At that point you'll need either the "recovery key" OR the "regular key" + password you downloaded from the UI when you created the pool.

The idea of the key + password and the recovery key with no password is that you can put the recovery key somewhere super safe and use it as a failsafe should you forget your regular key password (super safe, as anyone getting access to it can use it without a password). Your regular key, on the other hand, you don't need to keep as super safe; you can keep it in a more convenient location to use for unlocking as long as you're using a strong passphrase, since anyone gaining access to that key would need the corresponding passphrase too.
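As an added illustration of the two unlock paths gary_1 describes (this is example code, not from the thread or from FreeNAS itself): a small wrapper around geli attach that refuses the combination that produced the "Wrong key" error above, the regular key without its passphrase. The provider name, key paths and passphrase file are placeholders; set DRY_RUN=1 to only print the command that would run.

```shell
#!/bin/sh
# Added example, not FreeNAS code. Builds and (unless DRY_RUN=1) runs the
# geli attach invocation for the two unlock paths described in the thread:
#   regular  : geli.key + passphrase          -> geli attach -k KEY -j PASSFILE
#   recovery : recovery key, no passphrase    -> geli attach -p -k KEY
# Provider names such as gptid/... and all file paths are placeholders.

# geli_unlock MODE PROVIDER KEYFILE [PASSFILE]
# Prints the exact command line on stdout; returns non-zero on misuse.
geli_unlock() {
    mode=$1; provider=$2; keyfile=$3; passfile=$4
    if [ -z "$mode" ] || [ -z "$provider" ] || [ -z "$keyfile" ]; then
        echo "usage: geli_unlock regular|recovery PROVIDER KEYFILE [PASSFILE]" >&2
        return 2
    fi
    case "$mode" in
    regular)
        # The regular key is only one of the two elements; without the
        # passphrase geli derives the wrong key and reports "Wrong key".
        if [ -z "$passfile" ]; then
            echo "regular key requires its passphrase (-j PASSFILE)" >&2
            return 1
        fi
        # -j reads the passphrase from a file so it never appears in ps output.
        cmd="geli attach -k $keyfile -j $passfile $provider"
        ;;
    recovery)
        # The recovery key unlocks on its own: -p tells geli there is no passphrase.
        cmd="geli attach -p -k $keyfile $provider"
        ;;
    *)
        echo "unknown mode: $mode (expected regular or recovery)" >&2
        return 2
        ;;
    esac
    echo "$cmd"
    if [ "${DRY_RUN:-0}" != "1" ]; then
        $cmd
    fi
}
```

Because the recovery key needs no second factor, the file it lives in is as sensitive as the pool itself, which is why the advice above is to keep it offline and the regular key somewhere more convenient.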

oRAirwolf (Explorer, joined Dec 6, 2016, 55 messages)
> With FreeNAS/geli there's always a key involved, even when you only appear to enter a password.
>
> When you unlock a regular pool, FreeNAS has your encrypted user key stored on the data volume (see /data/geli/). You thus only need to provide the password to unlock it, as it already has the keys for those volumes.
>
> If, however, that directory is lost or you wish to import your ZFS pool on another machine, that key will not be available.
>
> At that point you'll need either the "recovery key" OR the "regular key" + password you downloaded from the UI when you created the pool.
>
> The idea of the key + password and the recovery key with no password is that you can put the recovery key somewhere super safe and use it as a failsafe should you forget your regular key password (super safe, as anyone getting access to it can use it without a password). Your regular key, on the other hand, you don't need to keep as super safe; you can keep it in a more convenient location to use for unlocking as long as you're using a strong passphrase, since anyone gaining access to that key would need the corresponding passphrase too.

Thank you for explaining this more clearly. It makes perfect sense now.

EsTaF (Contributor, joined Sep 20, 2013, 163 messages)
With my geli.key and password, which I always had to enter before updating FreeNAS, I have a problem:
Code:
File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 332, in run
    await self.future
  File "/usr/local/lib/python3.6/site-packages/middlewared/job.py", line 365, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/local/lib/python3.6/site-packages/middlewared/main.py", line 1005, in run_in_thread
    return await self.loop.run_in_executor(executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.6/concurrent/futures/thread.py", line 56, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/schema.py", line 668, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/middlewared/plugins/disk.py", line 253, in decrypt
    raise CallError(f'The following devices failed to attach: {", ".join(failed)}')
middlewared.service_exception.CallError: [EFAULT] The following devices failed to attach: gptid/f4aaa779-272f-11e9-8f12-002590d29258, gptid/4409ec70-1c1b-11e9-a174-002590d29258


Redcoat (MVP, joined Feb 18, 2014, 2,925 messages)
This thread has "SOLVED" in its subject. This may mean that it is not often looked at.

I suggest you start a new thread describing your problem in order to catch more eyeballs.