'Export Keys' files fail to unlock a replicated dataset

TrueNAS General
1

I replicated an encrypted dataset from my main to my backup server. The dataset inherits encryption from the root which is protected with a key. The keys were downloaded using the ‘Export Key/Export All Keys’ button.

On my backup server I attempted to unlock the dataset which asked for the key. I chose ‘From a key file’ and proceeded to upload the downloaded keys from my main server. This throws an error. However, if I copy the key from that same file and use ‘Provide keys manually’ it will unlock.

Is this a bug? Am I crazy? I wiped out a 10tb dataset thinking I was dumb and never exported the key, but alas, I was dumb and didn’t think to try this before deleting it. I immediate did a mockup replication test to understand where I went wrong only to end up here… a little smarter?

2024-08-17 21-22-02

2024-08-17 21-22-10
2024-08-17 21-22-10749×536 16.9 KB
strong text

2

Because the dataset names and hierarchy[1] between pools can differ. That’s why it fails.

What you need to do is manually unlock the dataset(s) as you did, and then re-export the .json keyfile from the new pool.

  1. Yes, even the “pool” name is used for the root dataset name. So just because the child datasets share the same name between pools, their true path/hierarchy differs. ↩︎

1 Like
3

Hmm… perhaps I’m missing something here. I created and tested an identical dataset replication in my lab The only other text in the key file are some braces and the name of the parent dataset. I replicated this exactly in my lab.

NAS (Dragonfish Latest)

  • Pool: TANK (Encrypted)
    • Dataset: TEST (Encryption Inherited)

BACKUP NAS (Dragonfish Latest)

  • Pool: TANK (Replicated, Encrypted)
    • Dataset: TEST (Replicated, Encryption Inherited)]

{“TANK”: “fakekey14ecc41960fa9e35878a900edc3a53z0cbaa0c7cca54d5878a900edc3”}

So, help me understand what about this key text is causing a problem when using the ‘From a key file’ with this keyfile? The pool name is identical and if I paste in just the key text it unlocks, but it fails with the ‘From a key file’ using this exact key.

4

How did you configure the Replication Task options?

5

Nothing special. Just the basics.

Replication Settings

6

I replicated my large dataset the exact same way today and tested it. I was not able to use the key file to unlock it, but worked when pasting in the actual key text. Once all were unlocked, I exported the key files again, which had 2 entries.

  • entry for the pool parent dataset
  • entry for the replicated dataset

I will try to unlock with this new key file export next time I reboot since you can only lock passphrase datasets manually.