Replacing a Failed Encrypted Disk

paulh

Wondering if someone could offer some guidance on replacing a failed encrypted disk. My NAS is running FreeNAS version 9.10.2 with a four-disk RAIDZ1 pool where one of the disks has failed and is showing as "Unavailable". After a reboot, I was unable to unlock the volume with the passphrase (although I'm certain it was the correct passphrase) and needed to use the recovery key.

The relevant entries in /var/log/messages when trying to unlock the volume using the passphrase are as follows:
Code:
Jan 21 23:15:34 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Unable to geli attach gptid/437c2d59-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/437c2d59-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:34 nas1 manage.py: [middleware.notifier:1333] [MiddlewareError: Unable to geli attach gptid/437c2d59-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/437c2d59-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:34 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Unable to geli attach gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: geli: Cannot open gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: No such file or directory.]
Jan 21 23:15:34 nas1 manage.py: [middleware.notifier:1333] [MiddlewareError: Unable to geli attach gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: geli: Cannot open gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: No such file or directory.]
Jan 21 23:15:35 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Unable to geli attach gptid/4507584e-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/4507584e-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:35 nas1 manage.py: [middleware.notifier:1333] [MiddlewareError: Unable to geli attach gptid/4507584e-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/4507584e-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:37 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Unable to geli attach gptid/45d46510-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/45d46510-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:37 nas1 manage.py: [middleware.notifier:1333] [MiddlewareError: Unable to geli attach gptid/45d46510-d05c-11e6-9fe5-94188237bde4: geli: Wrong key for gptid/45d46510-d05c-11e6-9fe5-94188237bde4.]
Jan 21 23:15:37 nas1 manage.py: [middleware.notifier:3547] Importing pool1 [10760730400820451254] failed with: cannot import '10760730400820451254': no such pool available
Jan 21 23:15:37 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Volume could not be imported: 4 devices failed to decrypt]


The relevant entries in /var/log/messages when trying to unlock the volume using the recovery key are as follows:
Code:
Jan 21 23:34:07 nas1 manage.py: [middleware.exceptions:37] [MiddlewareError: Unable to geli attach gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: geli: Cannot open gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: No such file or directory.]
Jan 21 23:34:07 nas1 manage.py: [middleware.notifier:1333] [MiddlewareError: Unable to geli attach gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: geli: Cannot open gptid/4442cef7-d05c-11e6-9fe5-94188237bde4: No such file or directory.]
Jan 21 23:34:07 nas1 GEOM_ELI: Device gptid/437c2d59-d05c-11e6-9fe5-94188237bde4.eli created.
Jan 21 23:34:07 nas1 GEOM_ELI: Encryption: AES-XTS 128
Jan 21 23:34:07 nas1 GEOM_ELI:     Crypto: hardware
Jan 21 23:34:07 nas1 GEOM_ELI: Device gptid/4507584e-d05c-11e6-9fe5-94188237bde4.eli created.
Jan 21 23:34:07 nas1 GEOM_ELI: Encryption: AES-XTS 128
Jan 21 23:34:07 nas1 GEOM_ELI:     Crypto: hardware
Jan 21 23:34:07 nas1 GEOM_ELI: Device gptid/45d46510-d05c-11e6-9fe5-94188237bde4.eli created.
Jan 21 23:34:07 nas1 GEOM_ELI: Encryption: AES-XTS 128
Jan 21 23:34:07 nas1 GEOM_ELI:     Crypto: hardware
Jan 21 23:34:09 nas1 ZFS: vdev state changed, pool_guid=10760730400820451254 vdev_guid=15284981435399470886
Jan 21 23:34:09 nas1 ZFS: vdev state changed, pool_guid=10760730400820451254 vdev_guid=5336657918979603785
Jan 21 23:34:09 nas1 ZFS: vdev state changed, pool_guid=10760730400820451254 vdev_guid=11073823045779350297


I'm ready to replace the failed disk, and looking at section 8.1.10.1 of the manual, it says to make sure that a passphrase has been set before attempting to replace the failed disk.

Do I need to make sure the volume can be unlocked using the passphrase instead of using the recovery key first, or is it safe to go ahead and follow the steps outlined in section 8.1.10.1?
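Added example, not part of the original post and not FreeNAS code: a small triage of the geli messages quoted above. It separates a provider that is absent from providers whose key was rejected, two different conditions that the "4 devices failed to decrypt" line counts together. The function names and outcome labels are assumptions made for this illustration; the sample lines are trimmed from the logs in the post.

```python
import re
from collections import defaultdict

# The three geli outcomes that appear in the logs quoted in the post.
PATTERNS = {
    "wrong_key": re.compile(r"geli: Wrong key for gptid/([0-9a-f-]+)"),
    "missing": re.compile(r"geli: Cannot open gptid/([0-9a-f-]+): No such file"),
    "attached": re.compile(r"GEOM_ELI: Device gptid/([0-9a-f-]+)\.eli created"),
}

def summarize(lines):
    """Return {gptid: [outcomes in order seen]}, collapsing repeated reports."""
    seen = defaultdict(list)
    for line in lines:
        for outcome, pat in PATTERNS.items():
            m = pat.search(line)
            # Each error is logged twice (exceptions + notifier); keep one.
            if m and (not seen[m.group(1)] or seen[m.group(1)][-1] != outcome):
                seen[m.group(1)].append(outcome)
    return dict(seen)

def triage(summary):
    """Group providers: device absent, key rejected, or unlocked."""
    report = {"absent": [], "key_rejected": [], "unlocked": []}
    for gptid, outcomes in summary.items():
        if "missing" in outcomes:
            report["absent"].append(gptid)      # no key can attach this one
        elif outcomes[-1] == "attached":
            report["unlocked"].append(gptid)    # last attempt succeeded
        else:
            report["key_rejected"].append(gptid)
    return report

S = "-d05c-11e6-9fe5-94188237bde4"  # suffix shared by the four gptids in the post
SAMPLE = [  # trimmed from the log lines quoted in the post
    f"23:15:34 manage.py: geli: Wrong key for gptid/437c2d59{S}.]",
    f"23:15:34 manage.py: geli: Cannot open gptid/4442cef7{S}: No such file or directory.]",
    f"23:15:35 manage.py: geli: Wrong key for gptid/4507584e{S}.]",
    f"23:15:37 manage.py: geli: Wrong key for gptid/45d46510{S}.]",
    f"23:34:07 manage.py: geli: Cannot open gptid/4442cef7{S}: No such file or directory.]",
    f"23:34:07 GEOM_ELI: Device gptid/437c2d59{S}.eli created.",
    f"23:34:07 GEOM_ELI: Device gptid/4507584e{S}.eli created.",
    f"23:34:07 GEOM_ELI: Device gptid/45d46510{S}.eli created.",
]

if __name__ == "__main__":
    print(triage(summarize(SAMPLE)))
```

Run against the passphrase attempt alone (the first four sample lines), the same functions report three key rejections and one absent device.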
 

pro lamer

Why can't you unlock using the password? Have you forgotten it, or is the key file corrupted? If the latter, then I'd recommend checking the boot drive - if it is broken, then writing the new keys (recovery and the regular one. Edit: not checked if the recovery key is written anywhere to any pool) may fail and the whole pool might get locked... Dunno - newbie here....

Sent from my phone
 