unlock encrypted volumes after reboot?

MLML

Cadet
Joined
May 20, 2017
Messages
5
I have been running V11 for the last 6 months for personal use on my home network - my first work with FreeNAS. I upgraded to 11-1 last week and upon reboot I had to unlock the storage. I have 4 WD Reds, encrypted with passphrase and key. After the upgrade, I had to unlock the storage. Also, the server shut down about a week ago due to a power outage (automatic shutdown based on UPS power level). After reboot, the storage was again locked.

I am not often home, though I can VPN to the network to unlock the storage. Can the storage be automatically unlocked after a reboot if the storage is encrypted? I'd rather not remove the encryption as a workaround. Or, does anyone know a command line or script that can be run to unlock the storage?

Thanks,
Matt
 

scrappy

Patron
Joined
Mar 16, 2017
Messages
347
Encrypting your drive(s) only matters if you're looking to safeguard against a bad guy seeing your storage content in the event of physical theft of the drives and/or server. If you want your drives to automatically unlock themselves upon startup then it sort of defeats the purpose of encryption in the first place.
 

IceBoosteR

Guru
Joined
Sep 27, 2016
Messages
503
Hi Matt,

No, there is no possibility to unlock your pool when the server reboots. This is security by design; otherwise a thief could steal your server, boot it and get all your data.
You might run a shell script from crontab or init.d that automatically decrypts your pool after the boot process, but I would recommend it. Encryption/safety always comes with some disadvantages, like worse usability.
There is no script around; you need to build one on your own. Unless you are experienced with Unix and FreeBSD, I would not do it.
 

IceBoosteR

Guru
Joined
Sep 27, 2016
Messages
503
I am not 100% sure but it might be true. Nevertheless this would reduce the security.
 

MLML

Cadet
Joined
May 20, 2017
Messages
5
Thanks for the feedback!
 

CyBiS

Cadet
Joined
Jan 1, 2018
Messages
6
The pool will be unlocked (and attached) automatically if there is no passphrase set. So the encryption recovery key must be stored somewhere on the boot device. Even for encrypted pools with a passphrase set unlocking is possible with the encryption recovery key. So I'm wondering if the keys for passphrase protected pools are also stored somewhere on the boot device?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
The pool will be unlocked (and attached) automatically if there is no passphrase set. So the encryption key must be stored somewhere on the boot device. Even for encrypted pools with a passphrase set unlocking is possible with the encryption key. So I'm wondering if the keys for passphrase protected pools are also stored somewhere on the boot device?
It's a temporary measure until you have downloaded the keys. If they're gone, so is your data.
 

CyBiS

Cadet
Joined
Jan 1, 2018
Messages
6
Hm, for a pool that is not passphrase-protected the recovery key must be stored on the boot device regardless of whether I download the recovery key or not, right? I'm just wondering because I want to encrypt my drives so that my data is protected in case of theft (of course a passphrase will be set). But if the recovery keys are stored on the boot device, then the pools can be decrypted again even without the passphrase.

I just realized that one can download both the GELI encryption key and the recovery key for an encrypted pool. The recovery key is used to decrypt the pool, even a passphrase-protected one. According to the FreeNAS documentation the GELI encryption key should be backed up as well because the data on the disks won't be accessible if the key is lost. What's the difference between the encryption and the recovery keys? Is the GELI encryption key meant to be used for accessing a single disk and not the entire pool? If so, what's the point if the disk was in a RAIDZx pool?
 

Krautmaster

Explorer
Joined
Apr 10, 2017
Messages
81
Hi.

I've got a weird issue. I removed a cache disk of an encrypted pool where I had to enter the passphrase after boot. I added a new disk to it as cache as well. Anyhow, the pool is now automatically unlocked after boot.
 

Paul5

Contributor
Joined
Jun 17, 2013
Messages
117
I have been running V11 for the last 6 months for personal use on my home netowrk - my first work with freenas. I upgraded to 11-1 last week and upon reboot I had to unlock the storage.
Did you not have to unlock them before?
I have 4 WD reds, encrypted with passphrase and key. After the upgrade, I had to unlock the storage.
If they always had a passphrase you would have to have unlocked them manually.
I am not often home, though I can VPN to the network to unlock the storage. Can the storage be automatically unlocked after a reboot if the storage is encrypted? I'd rather not remove the encryption as a work a round. Or, does anyone know a command line or script that can be run to unlock the storage?
The simplest is to have the volumes without passphrase. However, everything else you want is possible; it just depends on how much time you want to spend on it.
- You can SSH in and unlock your volumes that way.
- You can set up a script to automatically unlock your volumes. But this depends on what you want. I used to do this in 2013 via two remote USB disks that needed to be connected to decrypt. In other words, if you stole the PC but didn't know about the remote USBs, then you have access to nothing.
Simplified version: USB1 is encrypted but has no passphrase, with the decryption script for USB2. Post-init loads USB1's script to decrypt USB2; USB1's script would also run the decrypting script for the pools. The passphrases (security through obfuscation) would be in a file in some obscure directory as the first line amongst other text.
- You can also set it so that a specific pool/s will decrypt on an IP address becoming available.

Most important bits:
You need: /data/geli/ and /dev/gptid keys.

Will give the gptid key
#zpool status "your pool"

Will give you the geli key
#sqlite3 /data/freenas-v1.db "select * from storage_volume"


AK8 posted a script: https://www.ixsystems.com/community...s-volume-via-shell-or-remotely-via-ssh.12018/

Example script below; enter your corresponding info and # out the second drive, then save it as a .sh file. To test, lock your pool and run this script from the shell. This should give you a start; then it's up to you how you want to do the nightmare.

****************************************************************************
#!/bin/sh
# 2013: this file auto-decrypts and mounts encrypted ZFS volumes.
# The passphrase file is NOT geli.key or geli_recovery.key.
# When a volume spans multiple ZFS drives the geli key is the same,
# but the /dev/gptid providers are different.

# Check that the passphrase file is available; if not, the script stops.

#if [ -e "/mnt/<path to passphrase file>" ]; then
#    echo "File found..." >&2
#else
#    echo "Oops! Where is it?" >&2
#    exit 1
#fi

## First volume

# 'Users' disk, 3TB WD
geli attach -j "/mnt/<path to passphrase file>" -k "/data/geli/<your geli key>.key" "/dev/gptid/<your gptid>"
# Mount the ZFS volume pool
zpool import -R /mnt Users

# 'Media' volume, 3TB WD disk
geli attach -j "/mnt/<path to passphrase file>" -k "/data/geli/<your geli key>.key" "/dev/gptid/<your gptid>"
# Mount the ZFS volume pool
zpool import -R /mnt Media

sleep 4

# Service restarts may not be needed; FreeNAS 10+ handles them
# automatically upon decryption.

# Exit the script with success (a non-zero status would tell the
# post-init task the unlock failed)
exit 0
****************************************************************************
 