
TrueNAS Core and legacy GELI encryption


Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,959
If you destroy with the GUI, FreeNAS goes nuclear and there shouldn't be anything left.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
Thanks again @mgd! Can we be sure that there are absolutely no residues left of the old GELI encryption if we just destroy the old pool? For this was the reason for me to first remove GELI (as I recall now). Otherwise, I will gladly follow your advice and skip the removal.
If you remove GELI, you can be absolutely sure that your data in plaintext is all over the drive, which is why I would never do that.

Unless there is some unknown vulnerability in GELI, the data on the drives is inaccessible without the encryption key and is indistinguishable from random noise.

As @Ericloewe writes, destroy the pool from the GUI. I guess that will wipe your encryption keys completely from FreeNAS/TrueNAS (although I cannot find any docs on this). Then create a new pool with your drives.

In any case, it is better than decrypting the drive first.

NB! Of course, I assume you have a backup of your pool / data before wiping the pool.
 

mgd

Member
Joined
Jan 8, 2017
Messages
46
@q/pa IMHO one of the benefits of drive encryption is that you do not have to wipe the drive when it needs to be reused or decommissioned. Throwing away the encryption key is equivalent to wiping the drive with random noise. @Ericloewe do you agree?
 
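The two posts above by mgd make the same point: decrypting a GELI provider in place ("removing GELI") puts plaintext on the raw device, whereas discarding the key (crypto-erasure) leaves only ciphertext that reads as noise. The following is an added example, not code from this thread or from FreeBSD/TrueNAS, that simulates both paths. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for GELI's AES-XTS sector cipher (an assumption for the sake of a stdlib-only demo; it is not GELI's on-disk format), a 512-byte sector size, and constructed sample file contents containing a recognisable marker.

```python
"""Crypto-erasure demo: discarding the key versus decrypting in place.

Added example. The sector cipher below is a stand-in for GELI's AES-XTS,
not GELI's real format; the disk contents are constructed sample data.
"""
import hashlib
import hmac
import math
import os
from collections import Counter

SECTOR = 512  # assumed sector size for the simulated device


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream: HMAC-SHA256(key, sector_no || counter) in counter mode."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def crypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR with the sector keystream; the same call encrypts and decrypts."""
    ks = keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_disk(key: bytes, plaintext_sectors: list) -> list:
    """What the raw device holds while the GELI provider is in use."""
    return [crypt_sector(key, n, s) for n, s in enumerate(plaintext_sectors)]


def remove_geli_in_place(key: bytes, disk: list) -> list:
    """'Removing GELI': decrypt every sector and write the plaintext back to the raw device."""
    return [crypt_sector(key, n, s) for n, s in enumerate(disk)]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for random-looking data, much lower for text."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def contains(disk: list, needle: bytes) -> bool:
    """Cheap 'strings'-style scan of the raw device for a known plaintext marker."""
    return needle in b"".join(disk)


def sample_disk(n_sectors: int = 128):
    """Constructed sample content: a marker string repeated to fill the device."""
    marker = b"SECRET-PAYROLL-2020"
    text = marker + b" account=12345 balance=99999\n"
    blob = (text * (n_sectors * SECTOR // len(text) + 1))[: n_sectors * SECTOR]
    return [blob[i:i + SECTOR] for i in range(0, len(blob), SECTOR)], marker


def demo(key: bytes = None) -> dict:
    """Run both decommissioning paths on the simulated device and report what is left."""
    key = key or os.urandom(32)
    plain, marker = sample_disk()
    disk = encrypt_disk(key, plain)
    result = {
        "roundtrip_ok": remove_geli_in_place(key, disk) == plain,
        "marker_on_encrypted_disk": contains(disk, marker),
        "encrypted_entropy": shannon_entropy(b"".join(disk)),
        "plaintext_entropy": shannon_entropy(b"".join(plain)),
    }
    # Path A: remove GELI first (decrypt in place), then destroy the pool.
    # Destroying the pool only removes ZFS metadata; the file contents stay readable.
    decrypted = remove_geli_in_place(key, disk)
    result["marker_after_geli_removal"] = contains(decrypted, marker)
    # Path B: crypto-erase. Forget the key (GELI: destroy the metadata/keys);
    # the ciphertext stays on the device but nothing can be recovered from it.
    del key
    result["marker_after_key_destroyed"] = contains(disk, marker)
    result["entropy_after_key_destroyed"] = shannon_entropy(b"".join(disk))
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Path A is the sequence the original poster was considering (decrypt, then destroy the pool); the marker scan shows why mgd objects to it. Path B is the key-destruction route; the entropy of what remains on the device is the same as before the key was dropped, which is the sense in which throwing the key away is equivalent to a random-noise wipe. On a real system the GELI equivalent of "forgetting the key" is destroying the provider's metadata and key material, not merely detaching it.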

q/pa

Member
Joined
Mar 16, 2015
Messages
48
I know. Additional wiping only in case of GELI residues.
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,959
@q/pa IMHO one of the benefits of drive encryption is that you do not have to wipe the drive when it needs to be reused or decommissioned. Throwing away the encryption key is equivalent to wiping the drive with random noise. @Ericloewe do you agree?
Yeah, pretty much.
 

q/pa

Member
Joined
Mar 16, 2015
Messages
48
Step 1 accomplished! Upgrade 11.3-U5 to TrueNAS-12.0-U1 went without problems.
 

Voltrix

Junior Member
Joined
Dec 29, 2016
Messages
12
Sad to say, but it looks like @theyost is not the only one who suffered the consequences of having a GELI encrypted pool.
In my case, this happened after upgrading to TrueNAS 12.0-U2.1.

I can decrypt the disks but cannot zpool import nor using the GUI to unlock or import the pool.
See HELP! Upgrade from FreeNAS 11.3-U5 to TrueNAS 12.0-U2.1, attempted to upgrade GELI encrypted pool, it failed. Cannot unlock nor import pool

I may have to go the route of zfs send | zfs receive. And I'll have to search for new HDDs and exactly how to do that send/receive considering that ZFS can't even "see" the pool.
Maybe someone who's more savvy than I can please read the post linked above.

I don't know if zfs send | zfs receive will work because of this:
Code:
root@vtxnas1:~ # zdb -l /dev/adaXp2
failed to unpack label 0
failed to unpack label 1
failed to unpack label 2
failed to unpack label 3
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,154
I suggest backing up the pool, destroying it, and then rebuilding the pool once TrueNAS has been installed. That also allows you to ensure that TrueNAS features are natively supported (ZFS encryption, sVDEVs, and so on), and if there is an issue, so what, start over and try again, because the data is safe. Upgrading on a production server with GELI, while possible, seems like many more opportunities for stuff to go sideways.

Patrick M. Hausen listed a way to decrypt GELI disks one by one, but to me, torching it all and starting over seemed like a much better idea.
 