TrueNAS Core and legacy GELI encryption

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
If you destroy with the GUI, FreeNAS goes nuclear and there shouldn't be anything left.

mgd

Dabbler
Joined
Jan 8, 2017
Messages
46
Thanks again @mgd ! Can we be sure that there are absolutely no residues left of the old GELI encryption, if we just destroy the old pool? For this was the reason for me to first remove GELI (as I recall now). Otherwise, I will gladly follow your advice and skip the removal.

If you remove GELI you can be absolutely sure that your data in plaintext is all over the drive which is why I would never do that.

Unless there is some unknown vulnerability in GELI, the data on the drives is inaccessible without the encryption key and is indistinguishable from random noise.

As @Ericloewe writes, destroy the pool from the GUI. I guess that will wipe your encryption keys completely from FreeNAS/TrueNAS (although I cannot find any docs on this). Then create a new pool with your drives.

In any case, it is better than decrypting the drive first.

NB! Of course, I assume you have a backup of your pool / data before wiping the pool.
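As an added illustration of the "indistinguishable from random noise" point above (example code, not from any post in this thread), this Python script samples regions of a drive or image and reports per-sample byte entropy. The device path and offsets are assumptions the reader supplies; the test is only a coarse sanity check (compressed data also scores high, and a small leftover metadata sector can be missed by sampling), not proof that the GELI key is gone.

```python
import math
import os
from collections import Counter

MAX_ENTROPY = 8.0  # bits per byte for uniformly random data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte sample in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_noise(data: bytes, threshold: float = 7.9) -> bool:
    """Coarse test: ciphertext or random fill scores close to 8.0; plaintext,
    zero fill and filesystem metadata score noticeably lower. Compressed data
    also scores high, so passing here is necessary but not sufficient."""
    return shannon_entropy(data) >= threshold


def sample_regions(path: str, offsets, size: int = 1 << 20):
    """Read `size` bytes at each byte offset of a file or block device
    (assumed path, e.g. a raw device like /dev/adaXp2; reading it needs root)."""
    out = []
    with open(path, "rb", buffering=0) as f:
        for off in offsets:
            f.seek(off)
            out.append((off, f.read(size)))
    return out


def entropy_report(regions):
    """Return (offset, entropy, looks_like_noise) for each (offset, bytes) region."""
    return [(off, round(shannon_entropy(chunk), 3), looks_like_noise(chunk))
            for off, chunk in regions]


if __name__ == "__main__":
    # Constructed stand-ins for drive contents: random fill (what a drive whose
    # GELI key has been discarded should look like) next to recognisable plaintext.
    constructed = [(0, os.urandom(1 << 16)),
                   (1 << 16, b"The quick brown fox jumps over the lazy dog\n" * 1500)]
    for off, ent, noise in entropy_report(constructed):
        print(f"offset {off:>8}: {ent:.3f} bits/byte -> {'noise-like' if noise else 'STRUCTURED'}")
```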

q/pa

Explorer
Joined
Mar 16, 2015
Messages
64

mgd

Dabbler
Joined
Jan 8, 2017
Messages
46
@q/pa IMHO one of the benefits of drive encryption is that you do not have to wipe the drive when it needs to be reused or decommissioned. Throwing away the encryption key is equivalent to wiping the drive with random noise. @Ericloewe do you agree?

q/pa

Explorer
Joined
Mar 16, 2015
Messages
64
I know. Additional wiping only in case of GELI residues.

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
@q/pa IMHO one of the benefits of drive encryption is that you do not have to wipe the drive when it needs to be reused or decommissioned. Throwing away the encryption key is equivalent to wiping the drive with random noise. @Ericloewe do you agree?
Yeah, pretty much.

q/pa

Explorer
Joined
Mar 16, 2015
Messages
64
Step 1 accomplished! Upgrade 11.3-U5 to TrueNAS-12.0-U1 went without problems.
 

Voltrix

Dabbler
Joined
Dec 29, 2016
Messages
12
Sad to say, but it looks like @theyost is not the only one who suffered the consequences of having a GELI encrypted pool.
In my case, this happened after upgrading to TrueNAS 12.0-U2.1.

I can decrypt the disks but cannot zpool import nor use the GUI to unlock or import the pool.
See HELP! Upgrade from FreeNAS 11.3-U5 to TrueNAS 12.0-U2.1, attempted to upgrade GELI encrypted pool, it failed. Cannot unlock nor import pool

I may have to go the route of zfs send | zfs receive. And I'll have to search for new HDDs and exactly how to do that send/receive considering that ZFS can't even "see" the pool.
Maybe someone who's more savvy than I can please read the post linked above.

I don't know if zfs send | zfs receive will work because of this:
Code:
root@vtxnas1:~ # zdb -l /dev/adaXp2
failed to unpack label 0
failed to unpack label 1
failed to unpack label 2
failed to unpack label 3

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,828
I suggest backing up the pool, destroying it, and then rebuilding the pool once TrueNAS has been installed. That also allows you to ensure that TrueNAS features are natively supported (ZFS encryption, sVDEVs, and so on), and if there is an issue, so what, start over, and try again because the data is safe. Upgrading on a production server with GELI, while possible, seems like many more opportunities for stuff to go sideways.

Patrick M. Hausen listed a way to decrypt GELI disks one by one, but to me, torching it all and starting over seemed like a much better idea. In particular, the sVDEV will not get filled with small files or metadata until you move said files around. So if your pool has oodles of space, you might be able to do that locally. I just thought it simpler to make multiple backups and then move the data back once the new pool was set up.

Obviously, there is a cost to redoing the pool, i.e. remaking all the relevant directories, and so on. However, I was also switching from an AFP-heavy/SMB-lite hybrid to SMB-only, so I had to redo all the sharing setups/ACLs/etc. anyway.