I replicated an encrypted dataset from my main to my backup server. The dataset inherits encryption from the root which is protected with a key. The keys were downloaded using the ‘Export Key/Export All Keys’ button.
On my backup server I attempted to unlock the dataset which asked for the key. I chose ‘From a key file’ and proceeded to upload the downloaded keys from my main server. This throws an error. However, if I copy the key from that same file and use ‘Provide keys manually’ it will unlock.
Is this a bug? Am I crazy? I wiped out a 10 TB dataset thinking I was dumb and never exported the key, but alas, I was dumb and didn’t think to try this before deleting it. I immediately did a mockup replication test to understand where I went wrong only to end up here… a little smarter?
Because the dataset names and hierarchy[1] between pools can differ. That’s why it fails.
What you need to do is manually unlock the dataset(s) as you did, and then re-export the .json keyfile from the new pool.
[1] Yes, even the “pool” name is used for the root dataset name. So just because the child datasets share the same name between pools, their true path/hierarchy differs.
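As an added illustration of the point above (not code from TrueNAS or from anyone in this thread), the script below rewrites an exported key file so that each entry is keyed by the dataset’s path on the destination pool. It assumes the export is a JSON object mapping full dataset path (pool name included) to a 64-character hex key; the sample keys are constructed placeholders.

```python
import json
import re

# Constructed sample export (assumed format: JSON object of
# "pool/dataset" -> hex key). Key values are made-up placeholders.
SAMPLE_EXPORT = json.dumps({
    "main/enc": "00" * 32,
    "main/enc/photos": "11" * 32,
})

# A raw ZFS key is 32 bytes, so the hex keyformat is 64 hex characters.
HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def remap_keyfile(export_text: str, src_root: str, dst_root: str) -> dict:
    """Return a new key mapping with every dataset path under src_root
    moved under dst_root; the key material itself is left untouched."""
    keys = json.loads(export_text)
    if not isinstance(keys, dict):
        raise ValueError("key file is not a JSON object")
    remapped = {}
    for dataset, key in keys.items():
        if not HEX_KEY.match(key):
            raise ValueError(f"{dataset}: key is not 64 hex characters")
        if dataset == src_root:
            new_name = dst_root
        elif dataset.startswith(src_root + "/"):
            new_name = dst_root + dataset[len(src_root):]
        else:
            # Entry is outside the replicated subtree; keep its name.
            new_name = dataset
        remapped[new_name] = key
    return remapped


def key_for(keyfile: dict, dataset: str):
    """Find the key that unlocks a dataset: its own entry if present,
    otherwise the nearest ancestor's (an inheriting child is unlocked
    by its encryption root's key). Assumed lookup model, not TrueNAS's."""
    parts = dataset.split("/")
    while parts:
        name = "/".join(parts)
        if name in keyfile:
            return keyfile[name]
        parts.pop()
    return None


if __name__ == "__main__":
    print(json.dumps(remap_keyfile(SAMPLE_EXPORT, "main", "backup"), indent=2))
```

Write the returned mapping back out as JSON to get a key file whose entries match the destination pool’s dataset names.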
Hmm… perhaps I’m missing something here. I created and tested an identical dataset replication in my lab. The only other text in the key file are some braces and the name of the parent dataset. I replicated this exactly in my lab.
So, help me understand what about this key text is causing a problem when using the ‘From a key file’ with this keyfile? The pool name is identical and if I paste in just the key text it unlocks, but it fails with the ‘From a key file’ using this exact key.
I replicated my large dataset the exact same way today and tested it. I was not able to use the key file to unlock it, but it worked when pasting in the actual key text. Once all were unlocked, I exported the key files again, which had 2 entries:
entry for the pool parent dataset
entry for the replicated dataset
I will try to unlock with this new key file export next time I reboot since you can only lock passphrase datasets manually.
I have two datasets on two different machines running TrueNAS SCALE.
Machine 1 has DatasetA and machine 2 has DatasetB. They are both the exact same because I did it via replication, just that the actual parent dataset name differs across both these machines.
On machine 1 everything is unlocked, while on machine 2 just the parent dataset is unlocked and all the child datasets are locked.
If I export the ZFS encryption key on machine 1 and then go straight to machine 2, click unlock and then paste the key in, it tells me “Provided key is invalid”.
It isn’t invalid because I have quite literally copy and pasted it from the source. If I export the key to a file from machine 1 and then try to import it into machine 2, it then reports “Key not provided”.
EDIT: So I guess the ZFS key differs depending on where you actually made the dataset? Half of them were created on one machine, I then moved the disks to a new machine, imported the pool, and created the other half. Continued using it this way until now, when I set up a second machine. I went back and looked at my previous ZFS keys that I had exported, and they differ from what it is showing now. Copy and pasting those worked for half the datasets, while the key I am copying directly from machine 1 worked for the other half.
Hope this helps
EDIT 2: Once everything is unlocked, set them all to inherit the properties from the parent and then generate a new ZFS encryption key so you don’t have this problem again in the future.