Unable to import encrypted pool TrueNAS 13

choujij

Cadet
Joined
Feb 5, 2017
Messages
3
Hello. I am not sure what I am doing wrong.

I experienced a failure in my boot drive (USB) for my TrueNAS 12.1 after mirroring the boot USB (boot pool, attach) to a new SSD, use all space. After that completed and I rebooted, neither the new SSD nor the USB would boot into TrueNAS. As soon as it tries, a long list of "unsupported, unsupported, etc" scrolls down the screen and it immediately quits. I cannot make out what the exact error is.

So I decided to install TrueNAS 13 to the new SSD and just import my pool. My pool was made on FreeNAS 9.3 and my ZFS pool (feature flags) have been upgraded as of a couple months ago. When I first installed FreeNAS 9.3, I backed up my keys and created a passphrase, which I've used ever since anytime I rebooted. All 8 disks are operational (no errors), no degraded state.

When I go to add the pool in my new installation of TrueNAS 13, I choose the option of GELI encrypted 11.3 or earlier.
I add my passphrase and attach a key. This part I'm not certain of, as I have a private and public key. Neither one enables me to successfully import the pool.

In the Excel sheet I made when building the server, I also recorded two strings of keys, one I noted for my admin account, the other shorter key I noted as Key Fingerprint.


This is the error I'm getting:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 355, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 393, in __run_body
    rv = await self.middleware.run_in_thread(self.method, *([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1155, in run_in_thread
    return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1152, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 979, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/disk_/encryption_freebsd.py", line 44, in decrypt
    raise CallError(f'The following devices failed to attach: {", ".join(failed)}')
middlewared.service_exception.CallError: [EFAULT] The following devices failed to attach: gptid/138edb53-4fce-11e8-b87d-d05099a99642, gptid/195af7f8-4fce-11e8-b87d-d05099a99642, gptid/1a56e0bc-4fce-11e8-b87d-d05099a99642, gptid/14928088-4fce-11e8-b87d-d05099a99642, gptid/870ce043-dcc1-11ea-b88a-d05099a99642, gptid/1585ac2b-4fce-11e8-b87d-d05099a99642, gptid/1861e8ae-4fce-11e8-b87d-d05099a99642, gptid/73a11a5c-f926-11eb-9147-d05099a99642


Any help would be very very much appreciated.

Thank you.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Unfortunately, your pool is lost. With GELI encryption, you'd need to have saved both the pool encryption key and a pool recovery key, along with your passphrase. Furthermore, GELI is no longer supported in TrueNAS 13. Did you read the Release Notes BEFORE you started on this little misadventure?

Your only option is to restore from backup to a new pool.
 

choujij

I was on 12.1. Everything was functioning normally. My misadventure occurred from attaching a new SSD drive to mirror the boot pool, in case down the road something happened to the boot-usb (irony). After that completed, that's when it stopped booting. Both the USB and the SSD did not boot once they attached.

As soon as that happened, I created an image of my boot USB. I think something occurred with grub. I only downloaded 13 to see if I could "upgrade" the boot-os, in hopes of it correcting the boot issue. I was not aware that GELI was not supported in 13. I kinda... sorta... tried that in a hurried panic, if you could imagine.

If possible, I'll likely need to try and read the contents of the image to try and retrieve these keys. That's, of course, if I cannot find the keys I backed up when I created the pool.

@winnie I found some keys pertaining to this installation, but I did not recall specifically the keys I'm looking for/ named.
 
Joined
Oct 22, 2019
Messages
3,641
If you have the keyfile (or even the "recovery keyfile"), you should be able to unlock the GELI devices to import your pool.

If you never saved your keyfile anywhere, then you might have forever lost access to your pool; regardless of which version of TrueNAS.
 

choujij

Just an update to my previous dilemma.
I installed Linux on a spare PC and installed ZFS-fuse from the repository. It was unable to mount my TrueNAS USB due to it saying the file system on the drive is newer and not supported.

I then created a new TrueNAS 12 installation on a different drive, and tried to mount the ZFS pool from the cloned copy of the degraded USB stick.
I imported the USB pool, and saw all my partitions and it still showed as degraded even though it was not on the original stick. It would only allow me to assign SMB access to the GRUB partition and not the other partitions. I thought I would try something tricky and created a dataset. Then it allowed me to assign an SMB share to that dataset. My attempt was to try to access the partition that stores the geli key through SMB and grab the encrypted key file, in hopes I could copy it to another installation. However, after I set up the SMB share, that caused the GUI to hang with a please wait message. Rebooting didn't resolve the hang. The SMB share showed on the network, but would not allow me in.

Having seen my partitions on the stick, I saw that I was running TrueNAS 12-U4 at the time of the failure. So I wiped the clone stick I mucked around with, and recopied the image of the failed USB.

Going back to my original idea (albeit not using TN13 due to no support for geli encryption), I downloaded the TrueNAS 12-U5 installer and tried upgrading to that. I suspected all along something was wrong with the boot files, so I told the installer to upgrade TrueNAS leaving the boot files in hopes it did not crash/hang. The upgrade succeeded. I then downloaded the TrueNAS 12-U5.1 installer and this time told it to wipe the stick and create a new boot. It succeeded.

I rebooted back into my configuration. I downloaded the config file (including the geli key) and backed it up to several locations.

I unlocked my pool and have regained access to all my files.

So I'm glad I went with my gut feeling and that my pool was not simply lost. I wanted to post this here for anyone wanting to try some different ideas if they find themselves in a situation with a degraded boot pool that will not boot.
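
A way to check the backup step described in the last post (saving the config file with the GELI key to several locations), as an added example that is not part of the original thread: it confirms that each copy of the export actually contains a key file and that the copies match. The archive layout (a tar with key files under `geli/`), the 64-byte key size and all file names are assumptions; adjust them to what your export really contains.

```python
import hashlib
import io
import tarfile

# Assumptions, not stated in the thread: the export is a tar archive, key files
# sit under "geli/" and end in ".key", and a valid key file is 64 bytes long.
KEY_DIR = "geli/"
EXPECTED_KEY_SIZE = 64


def audit_config_backup(data: bytes) -> dict:
    """Return {member: {"size", "sha256", "ok"}} for every key file in the export."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name.removeprefix("./")
            if not (member.isfile() and name.startswith(KEY_DIR) and name.endswith(".key")):
                continue
            blob = tar.extractfile(member).read()
            report[name] = {
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "ok": len(blob) == EXPECTED_KEY_SIZE,
            }
    return report


def copies_agree(reports: list) -> bool:
    """True only if every copy holds at least one well-formed key and all copies match."""
    if not reports or not reports[0]:
        return False  # an export without a key file cannot unlock the pool
    if not all(entry["ok"] for entry in reports[0].values()):
        return False
    return all(r == reports[0] for r in reports)


def make_sample_backup(key) -> bytes:
    """Build a constructed in-memory export for demonstration; key=None omits the key."""
    files = {"constructed-config.db": b"constructed placeholder"}
    if key is not None:
        files[KEY_DIR + "constructed-pool.key"] = key
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            tar.addfile(info, io.BytesIO(blob))
    return buf.getvalue()
```

To use it on real backups, read each stored copy with `open(path, "rb").read()`, pass the bytes to `audit_config_backup`, and hand the resulting reports to `copies_agree`.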
 