TrueNAS CORE behavior with encrypted pools.

Apollo

Wizard
Joined
Jun 13, 2013
Messages
1,449
I am doing some testing with TrueNAS CORE running in a VM.
I have 6 virtual disks, 4 of which are part of en encrypted RAIDZ2 and 2 are not used.

The encrypted pool has been detached and the next step for me is to import the pool.
Under the "Decrypt pool" steps I have noticed the following behavior (Encryption key has been selected and no passphrase is required):

If I select all 6 disks (because I don't know which are the one part of the encrypted pool) and press "Next", I will get the "Error decrypting disks" with the following message:

Error: Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 362, in run
await self.future
File "/usr/local/lib/python3.8/site-packages/middlewared/job.py", line 401, in __run_body
rv = await self.middleware.run_in_thread(self.method, *([self] + args))
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
File "/usr/local/lib/python3.8/site-packages/middlewared/utils/io_thread_pool_executor.py", line 25, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 977, in nf
return f(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/disk_/encryption_freebsd.py", line 49, in decrypt
raise CallError(f'The following devices failed to attach: {", ".join(failed)}')
middlewared.service_exception.CallError: [EFAULT] The following devices failed to attach: gptid/b7dc7051-5b33-11ea-b4ad-080027898941, gptid/b73b4e1d-5b30-11ea-8fa3-080027898941



Instead, if I select only 1 disk ( only 1 which belongs to the encrypted pool), upon pressing the "Next" button, then the next "Select pool to import" step does provide me with the list of available pool. If I select the pool and press "Next" the pool will be imported attaching the 3 disks that were not part of the original selection. The pool will be healthy.

Then, I decided to create a new mirrored pool with the 2 unused disk.
I then detach both pools.

I proceed to importing the non-encrypted pool and the pool name shows up. I proceed with the import and the pool is available and healthy.
I proceed with importing the encrypted pool by selecting only 1 disk but on the next step, the list of pools to import is empty.
I go back, select the second member of the pool and this time the pool appears in the following step. I procedd with the import of the encrypted pool with only the 2 selected disk (out of 4).
This time, the pool is imported but the pool is also in a DEGRADED state. (2 of the disks are shown as "UNAVAIL").
Detaching the encrypted pool and trying to import it again selecting all 4 members of the pool will allow the pool to be ONLINE but showing as "Unhealthy".
Running a scrub of the pool doesn't seem to bring the pool back to being Healthy.
Trying to Reset the key or Download the key as a result failed to bring the GUI to save the key.

Trying to export the encrypted pool wasn't an issue but trying to import it back using the old encryption key file is no longer possible.
The pool is now forever lost.

I find the entire import process for encrypted pool lacking robustness and safeguards.
 

CoffeeMan

Cadet
Joined
Jan 13, 2021
Messages
1
Thank you for this! I was scared I lost my pool until I saw that I had to select enough drives to unencrypt which would "build" the pool.

You're not kidding that this is missing some guidance.
 
Top