[SOLVED] Can unlock pool with encryption key but not datasets

zeno

zeno

Dabbler
Joined
Sep 12, 2022
Messages
10
As the title states. For some odd reason, I can unlock the ZFS pool + root dataset with the key I exported, but not any of the child datasets.
I've tried exporting and re-importing the pool again, rebooting, unlocking the child dataset with the encryption key etc. but to no avail.

I pressed 'Export all keys' to get the keys I'm using to (try to) unlock the datasets... am I missing something?

Here's a screenshot and please let me know if there's something else you need.
 

Attachments

  • dataset.png
    dataset.png
    51.4 KB · Views: 178
winnielinnie

winnielinnie

MVP
Joined
Oct 22, 2019
Messages
3,641
Where did those child datasets (backups, documents, ext4bkp, etc) come from?

Did you create them on this pool? Or were they replicated from another pool?

By your screenshot, they appear to all be their own "encryptionroot": which means they have their own passphrase or keyfile to unlock them. Their encryption property are not related to the parent datasets above them.
 
zeno

zeno

Dabbler
Joined
Sep 12, 2022
Messages
10
winnielinnie said:
Where did those child datasets (backups, documents, ext4bkp, etc) come from?

Did you create them on this pool? Or were they replicated from another pool?

By your screenshot, they appear to all be their own "encryptionroot": which means they have their own passphrase or keyfile to unlock them. Their encryption property are not related to the parent datasets above them.
Click to expand...
I used a replication task from my old pool onto this new one (bkps). Does that mean that I have to unlock them using the key file from the old pool?

Also, the "Fetching encryption summary" either takes ages or it's stuck... is it safe to abort/refresh the page?
 

Attachments

  • Screenshot_20230311_195055.png
    Screenshot_20230311_195055.png
    7.7 KB · Views: 165
winnielinnie

winnielinnie

MVP
Joined
Oct 22, 2019
Messages
3,641
zeno said:
I used a replication task from my old pool onto this new one (bkps). Does that mean that I have to unlock them using the key file from the old pool?
Click to expand...
Yes, because you replicated them to this pool, and likely let them keep their own properties: including encryption properties.

But since their encryptionroot parent lives on the other pool, not this one, then on this new pool they are all treated as their own encryptionroot. Which means you'll have to unlock ALL of them individually. :oops:
 
winnielinnie

winnielinnie

MVP
Joined
Oct 22, 2019
Messages
3,641
zeno said:
Also, the "Fetching encryption summary" either takes ages or it's stuck... is it safe to abort/refresh the page?
Click to expand...
I'm not familiar with that. How did you get there?
 
zeno

zeno

Dabbler
Joined
Sep 12, 2022
Messages
10
winnielinnie said:
Yes, because you replicated them to this pool, and likely let them keep their own properties: including encryption properties.

But since their encryptionroot parent lives on the other pool, not this one, then on this new pool they are all treated as their own encryptionroot. Which means you'll have to unlock ALL of them individually. :oops:
Click to expand...
Damn... Do I have to do this using the CLI? Really appreciate the help!
 
winnielinnie

winnielinnie

MVP
Joined
Oct 22, 2019
Messages
3,641
You can unlock all of them individually (one by one).

After which, you can then (one by one) have each one "inherit" their encryption properties.

This will make them all part of the bkps "encryptionroot". Which means that unlocking bkps will automatically unlock them.

However, repeated replications will reset all of this work, since the replication will set their encryption properties back to how they previously were.
 
zeno

zeno

Dabbler
Joined
Sep 12, 2022
Messages
10
winnielinnie said:
You can unlock all of them individually (one by one).

After which, you can then (one by one) have each one "inherit" their encryption properties.

This will make them all part of the bkps "encryptionroot". Which means that unlocking bkps will automatically unlock them.

However, repeated replications will reset all of this work, since the replication will set their encryption properties back to how they previously were.
Click to expand...
Hmmm... I'm trying to unlock them using the encryption keys of the old pool, but it doesn't seem to work.
Is there any way to do this manually?

EDIT: scratch that; I managed to unlock them! I just had to choose to deselect 'Unlock with key file' and then manually paste in the key. Odd...

Anyway, thank you very much for helping me sort this out. I have backups of all the data in a third location, so I would've managed to retrieve them :smile: But this makes it a lot easier for me.
 

Attachments

  • Screenshot_20230311_220741.png
    Screenshot_20230311_220741.png
    10.7 KB · Views: 167
Last edited:
You must log in or register to reply here.

Similar threads

SeaFox
New Encryption vs Old
Replies
6
Views
750
winnielinnie
winnielinnie
winnielinnie
Confused by native ZFS encryption, some observations, many questions
2 3
Replies
47
Views
17K
Phil1295
P
S
ZFS doesn't unlock pool on import
Replies
0
Views
549
sfatula
S
W
Upgrade to 11.3 now can't unlock pool
Replies
1
Views
645
PhiloEpisteme
PhiloEpisteme
D
Practical replication and encryption between home networks
Replies
2
Views
932
Darkhog
D
Top