Recovery key issues

anderstn (Dabbler, joined Oct 2, 2017, 41 messages)
Hi

I have just moved my drives from an old FreeNAS box to some new hardware. Now one of my encrypted ZFS pools won't decrypt using the freshly downloaded recovery key from the old system. How is that even possible when the same pool is unlocked just fine using my passphrase on the old machine?

Alternatively, is there a way for me to fix this by forcing the creation of a new recovery key without messing up the passphrase that is already present on the old system and just sidestep the whole issue?
 

anderstn (Dabbler, joined Oct 2, 2017, 41 messages)
So still really not sure what's going on here, but I did manage to import the pool now. For some reason this pool (I imported two in total) wanted both the recovery key and the passphrase while the other one only wanted the recovery key. I'm not sure what's causing the difference in behaviour while importing. The only difference between the two pools is the ZFS version as one is made on a much more recent version of FreeNAS than the other.
 
(reply from another member: joined Oct 18, 2018, 969 messages)
To make this a little easier to talk about I'll use geli terminology.

User Key 1: This is the key that the FreeNAS system generates for your pool when you first create an encrypted pool. It is stored on your boot disk and supports adding a password.
User Key 2: This is the key that is created when you click "generate recovery key". This key is not stored anywhere on your FreeNAS system. FreeNAS does not support using a passphrase with this key (at least up to 11.2-U3). This key is unaffected by a passphrase set on User Key 1.

Both keys can and should be downloaded and stored in a safe location. If you have to import your drives into another system etc these keys are how you get access to your data again.

Now one of my encrypted ZFS pools won't decrypt using the freshly downloaded recovery key from the old system. How is that even possible when the same pool is unlocked just fine using my passphrase on the old machine?

Unlocking with the passphrase uses User Key 1, which is stored on the system's boot drive. When you replace a disk in an encrypted pool the system has access to User Key 1 but not User Key 2. The guide instructs users to regenerate the recovery key immediately upon replacing a disk. It is possible that you replaced a disk in the past and forgot this last step. The result is that your old recovery key doesn't unlock the newly replaced disk. If you followed all other replacement procedures this could result in your passphrase and User Key 1 combo unlocking your pool but not the recovery key. I can't say for sure if this is what happened in your case, but it certainly can happen fairly easily.

Alternatively is there a way for me to fix this by forcing the creation of a new recovery key without messing up the passphrase that is already present on the old system and just sidestep the whole issue?

Yes, if you can unlock the pool with your passphrase in the old system you can use the UI to regenerate a recovery key (User Key 2) and then use this new key.

For some reason this pool (I imported two in total) wanted both the recovery key and the passphrase while the other one only wanted the recovery key.

While I can't say for sure, my guess is that you didn't use the recovery key (User Key 2) and passphrase for one of the pools but instead used User Key 1 and the passphrase for that pool and User Key 2 (recovery key) for the other pool. I haven't yet used versions newer than 11.2-U3 but AFAIK FreeNAS doesn't support adding a passphrase to User Key 2.


It sounds like you got it all sorted out though? If so, I would recommend that for every encrypted pool you back up and store both keys. In my version of FreeNAS you would select "Download Encrypt Key" and "Add Recovery Key" to back up User Key 1 and User Key 2 respectively. Keep in mind that the latter option replaces prior recovery keys, so once you add a new recovery key your old key for that pool will no longer be valid and can be discarded.


I hope this helps!
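As an added example (not from this thread and not FreeNAS's own tooling), a small FreeBSD shell script that reads the `keys:` bitmask from `geli dump` output and flags pool members where only one user-key slot is populated, which is exactly the state a replaced disk is left in until the recovery key is regenerated. It assumes the FreeNAS layout of User Key 1 in geli slot 0 and User Key 2 (the recovery key) in slot 1.

```shell
#!/bin/sh
# Audit the geli key slots on every attached encrypted provider.
# geli stores up to two user keys; `geli dump` reports which slots are
# populated as a bitmask ("keys: 0x01" = slot 0 only, "0x03" = both).
# Assumption: FreeNAS keeps User Key 1 in slot 0 and User Key 2 in slot 1.

# Extract the "keys:" bitmask (e.g. 0x03) from `geli dump` output on stdin.
geli_key_mask() {
    awk '/^ *keys:/ { print $2; exit }'
}

# Convert a hex or decimal mask to a plain integer (printf parses 0x..).
mask_to_int() {
    printf '%d' "$1"
}

# Succeed only when both key slots (bits 0 and 1) are populated.
both_slots_set() {
    m=$(mask_to_int "$1")
    [ $(( m & 3 )) -eq 3 ]
}

# Human-readable verdict for one mask value.
slot_verdict() {
    m=$(mask_to_int "$1")
    if [ $(( m & 3 )) -eq 3 ]; then
        echo "ok: both key slots populated"
    elif [ $(( m & 1 )) -eq 1 ]; then
        echo "warn: only slot 0 populated (recovery key missing)"
    elif [ $(( m & 2 )) -eq 2 ]; then
        echo "warn: only slot 1 populated (system key missing)"
    else
        echo "error: no key slots populated"
    fi
}

# On a real host: list attached .eli geoms, dump each backing provider's
# metadata and print one verdict per member so a missing slot stands out.
audit_pool_members() {
    geli list 2>/dev/null | awk '/^Geom name:/ { sub(/\.eli$/, "", $3); print $3 }' |
    while read -r prov; do
        mask=$(geli dump "$prov" 2>/dev/null | geli_key_mask)
        printf '%s: keys=%s %s\n' "$prov" "${mask:-?}" "$(slot_verdict "${mask:-0}")"
    done
}

if [ "${1:-}" = "--audit" ]; then audit_pool_members; fi
```

Run it with `--audit` on the FreeNAS host after any disk replacement; a member reporting `keys=0x01` will not open with the recovery key until the key is regenerated from the UI.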