Local to Local Replication... but target encrypted? (SOLVED)

theyost

I am running an almost-fresh install of TrueNAS-12.0-BETA

I tried the replication task for the first time to move a dataset from one pool to another.

Everything worked as expected until the very end.

For some reason the target dataset is encrypted...
[Screenshot]


I tried the key from the old pool but that didn't work.

Anyone know how to unlock the dataset?

Or to use the Replication feature without having the target be encrypted?

>> This could be a BIG problem if I deleted the old dataset thinking the transfer was successful <<

Here are the settings from my Replication task:
[Screenshot of the replication task settings]
 

Yorick

This is ZFS-native per-dataset encryption, is that right? If so, I'd expect "include dataset properties" to replicate encryption as well. Now why it won't unlock, that's a good question. Time for a jira ticket?
 

theyost

The only encryption on the source was pool-level encryption (when the pool was created).
... There was not any additional dataset encryption or password.
 

theyost

Found the problem. Looks like key files are being replaced with keys files (note the 's')

With the new encryption scheme, datasets can have their own encryption. Now when you download the keys for the pool, it will download the key for all datasets within the pool in a dataset...keys*.json file that looks something like this:

{"tenTB.spinners.m": "5a63ec06keykeykeykeykeykeykeykeykeykeykeykeykeykeykeykeykeb080e8bfc"}

(the 'keykeykey' part will not be on your key)

I was able to unlock the new replicated pool by inserting this key as a password. I am not sure if this will stick after reboot, so I might need to create a simple key file with the number/key alone to upload.
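
The key-file step described above, as an added example that is not from the original posts or from TrueNAS: it reads an exported keys file of the shape shown, rejects entries that are not 64 hex characters, and writes one key alone to an owner-only file. The 64-character length, the nearest-ancestor lookup for child datasets, the `tank` dataset name and all function names are assumptions.

```python
import json
import os
import re

# Assumption: a dataset key is 256 bits written as exactly 64 hex characters.
HEX_KEY = re.compile(r"[0-9a-fA-F]{64}")


def load_keys(text):
    """Parse an exported keys file; return (valid, rejected) dicts by dataset."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object mapping dataset name to key")
    valid, rejected = {}, {}
    for dataset, key in data.items():
        if isinstance(key, str) and HEX_KEY.fullmatch(key.strip()):
            valid[dataset] = key.strip()
        else:
            # Record only the reason, never the key material itself.
            rejected[dataset] = "not 64 hex characters"
    return valid, rejected


def key_for(dataset, keys):
    """Return (owner, key), walking up to the nearest ancestor that has a key."""
    name = dataset
    while name:
        if name in keys:
            return name, keys[name]
        name = name.rpartition("/")[0]
    raise KeyError(f"no key listed for {dataset} or any parent")


def write_key_file(path, key):
    """Write the key alone to a new file that only the owner can read."""
    # O_EXCL refuses to overwrite an existing file or follow a planted one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)


# Constructed sample: one well-formed key and the masked placeholder from the post.
SAMPLE = json.dumps({
    "tank": "0f" * 32,
    "tenTB.spinners.m": "5a63ec06keykeykeykeykeykeykeykeykeykeykeykeykeykeykeykeykeb080e8bfc",
})

if __name__ == "__main__":
    valid, rejected = load_keys(SAMPLE)
    owner, key = key_for("tank/media", valid)
    print(f"tank/media uses the key of {owner}; rejected entries: {rejected}")
```

The rejected list names only the dataset and the reason, so the output can be pasted into a ticket without leaking key material.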
 

2twisty

Where did you find these key files? I am trying to replicate from one truenas to another, and the targets are locked and I can't seem to find the key. I have the key for the pool for both the source and destination. However, there is only one key in the json file, for the top level of the pool.

I can't find any .json files that give me the keys for the sub-datasets.

These pools are not legacy geli pools -- they were created fresh when I installed TrueNAS 12 Core.
 

2twisty

I figured it out, but not in a way that makes me happy. I could not find the keys for the sub-datasets for my pool. When I created the pool, there were no sub-datasets, and when I created the sub-datasets, I told it to inherit the encryption from the parent. This tells me that I should be able to use the same key as the pool used, but it didn't like it.

I even opened the freenas.db file in a sqlite browser and found the "key" for the sub datasets, but it must be hashed or something because I couldn't copy-paste the entry into the GUI (it was more than 64 chars).

So, my solution was to reset the key on the pool to something I could remember (thus not super great as an encryption key) and then I was able to unlock the remote replicated datasets with that key.

Works, but I sure would like to use an auto-generated key and have it stored properly in the dataset_pool_keys.json file...

I suppose I could manually edit it, but that's a PITA. It would be nice if there was a way to export that json file with all the updated keys after the fact, but I can't find anywhere in the GUI to do that, and my ZFS commandline-fu is very, very weak.
 