SOLVED Why am I unable to import my encrypted volumes?

Status
Not open for further replies.

anderstn

Dabbler
Joined
Oct 2, 2017
Messages
41
I just re-installed FreeNAS. My old installation was running one of the latest 9.x releases before 11.1 came out (probably a year or so old). Now I can't import my old encrypted disks.

My problem is that the error message I get when I try to import them really doesn't reveal what's wrong as it only says:
"The following disks failed to attach: gptid/f880df32-a79b-11e7-a822-b06ebf35e404, gptid/f7cd6221-a79b-11e7-a822-b06ebf35e404"

The error message is very vague. Is the recovery key and passphrase incompatible or is there something else going on? If somebody can send me in the direction of a log file that can provide more answers or a guide to mount this through CLI I would be eternally grateful.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You don't use the recovery key with the password. The password is used in combination with the regular key. The recovery key unlocks devices on its own.
 

anderstn

Dabbler
Joined
Oct 2, 2017
Messages
41
Holy crap. You have no idea how happy I am right now. For a moment there I really thought I had re-keyed volumes. That said, the tutorial really doesn't make this clear at all. Given the sparse instructions, it's natural to assume you should fill in every field in the dialogue box you get after pressing Import Volume.

Since I find the documentation somewhat confusing on the subject of recovering these encrypted volumes, is there anything I should do after using the "Import Volume" function?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Ask around a bit more, but what bugs me is that you effectively lost one of the key slots and thus should rekey the pool, theoretically. But that feels wrong.
Above all, keep that recovery key very safe, print it out, even.
 

anderstn

Dabbler
Joined
Oct 2, 2017
Messages
41
That jibes fairly well with the understanding I have from setting this up back in 9.x.

The way I understand it, I should now re-key my pool in order to unlock it using just the passphrase, as this is used in conjunction with some master key that's stored by FreeNAS in the system volume. I can, and probably will, use the same passphrase as before; however, I should also create a new recovery key, since the re-key procedure does some behind-the-scenes magic that may break my old key even if I use the same passphrase. Does this sound correct?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Yeah, I think rekeying will change both key slots, even though it's not strictly necessary.
 

anderstn

Dabbler
Joined
Oct 2, 2017
Messages
41
By that do you mean that I can just set a passphrase without doing a re-key and it will work and let my old recovery key remain untouched and functional?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
No, I mean that GELI allows for that to happen, but the GUI does things in a weird way.
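
The key-slot behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model (not GELI's real on-disk format or key derivation) of one master key wrapped in two slots. The names `Provider`, `setkey`, `attach` and `user_key`, the slot numbering and the sample key bytes are assumptions made for illustration.

```python
import hashlib, hmac, os

def user_key(salt, keyfile=b"", passphrase=""):
    # Every component supplied is mixed into ONE user key (simplified model).
    mac = hmac.new(b"", keyfile, hashlib.sha512)
    if passphrase:
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 1000))
    return mac.digest()

def _stream(ukey):
    return hashlib.sha512(ukey + b"wrap").digest()

class Provider:
    """Toy encrypted disk: one master key, wrapped once per key slot."""
    def __init__(self):
        self.salt = os.urandom(16)
        self._master = os.urandom(64)   # available only while the disk is attached
        self.slots = [None, None]

    def setkey(self, n, **parts):
        # Rewrite slot n only; the other slot is left untouched.
        ukey = user_key(self.salt, **parts)
        ct = bytes(a ^ b for a, b in zip(self._master, _stream(ukey)))
        self.slots[n] = (ct, hmac.new(ukey, ct, hashlib.sha512).digest())

    def attach(self, **parts):
        # Return the index of the slot the supplied components open, else None.
        ukey = user_key(self.salt, **parts)
        for n, slot in enumerate(self.slots):
            if slot and hmac.compare_digest(
                    slot[1], hmac.new(ukey, slot[0], hashlib.sha512).digest()):
                return n
        return None

def demo():
    # Constructed sample key material, not real key files.
    key, rec, pw = b"constructed geli.key", b"constructed recovery.key", "old phrase"
    p = Provider()
    p.setkey(0, keyfile=key, passphrase=pw)   # regular key + passphrase
    p.setkey(1, keyfile=rec)                  # recovery key, no passphrase
    out = {
        "key+passphrase": p.attach(keyfile=key, passphrase=pw),
        "recovery alone": p.attach(keyfile=rec),
        "recovery+passphrase": p.attach(keyfile=rec, passphrase=pw),
    }
    p.setkey(0, keyfile=key, passphrase="new phrase")   # change slot 0 only
    out["recovery after slot 0 change"] = p.attach(keyfile=rec)
    out["old passphrase after change"] = p.attach(keyfile=key, passphrase=pw)
    return out
```

Supplying the recovery key together with the passphrase derives a user key that matches neither slot, which is the failure the import dialog reported; changing only one slot leaves the other usable.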
 