I have a TrueNAS CORE system that I’ve been running for a couple of years. I’m looking to migrate over to SCALE, but that means I need to be very sure I do not have GELI encryption enabled. It has two pools, one small ssd-based pool for the system dataset and one large storage RAIDZ1 pool with 5 drives.
The storage pool is the one I’m not sure about. My previous FreeNAS system used GELI and I thought I had not done so again because it ended up being a pain to manage. However when I look at the UI Pools page it shows:
“storage (Legacy Encryption)”
which I thought means that the pool is GELI encrypted and currently unlocked for use.
In contrast zpool status shows names that do not include “eli”
```
zpool status storage
  pool: storage
 state: ONLINE
  scan: scrub in progress since Fri Oct 25 08:08:15 2024
        5.47T scanned at 1.94G/s, 2.95T issued at 1.05G/s, 22.1T total
        0B repaired, 13.35% done, 05:12:06 to go
config:
        NAME                                            STATE     READ WRITE CKSUM
        storage                                         ONLINE       0     0     0
          raidz1-0                                      ONLINE       0     0     0
            gptid/de810821-88c4-11ed-8d09-a8a159461b59  ONLINE       0     0     0
            gptid/de7d7e89-88c4-11ed-8d09-a8a159461b59  ONLINE       0     0     0
            gptid/de77f44f-88c4-11ed-8d09-a8a159461b59  ONLINE       0     0     0
            gptid/de7f9c64-88c4-11ed-8d09-a8a159461b59  ONLINE       0     0     0
            gptid/de7eb210-88c4-11ed-8d09-a8a159461b59  ONLINE       0     0     0
errors: No known data errors
```
I also tried running this to see if there are any encrypted disks, though I’m not certain this is a correct way to check:
```
/usr/local/bin/sqlite3 /data/freenas-v1.db "select count(*) from storage_encrypteddisk;"
0
```
That was the full output for each of zpool status storage, zfs get encryption storage, geli list, and geli status, if that’s what you are asking. I wish I knew why it was saying Legacy Encryption in the dashboard. That’s what has me nervous. I don’t want to risk losing the pool in a SCALE migration. It also shows an unlocked padlock icon between the “storage” and the “(Legacy Encryption)” text.
To put it another way: If there was no GUI, it would appear to be a zpool with no GELI encryption involved. (Aside from GELI used for the swap partitions.)
I would ask someone from iXsystems. Something is not making sense here…
If there’s no GELI involved, then SCALE (or any Linux distro with modern ZFS) should be able to import the pool.
If you click the gear icon for the pool back on the UI in the Storage section (Pool Operations), do you see a list of Encryption Actions on the menu, like this?
If I put a SCALE image onto a usb stick, boot from there, and try to import the pool, would that be a good test to see if it’s really GELI encrypted? Any danger of messing up the pool itself in a way that prevents me from rebooting to the real drives to be back where I am now?
Well opening the bug was useless. Despite the inconsistency it was closed because “the UI provides the information the user is requesting” without any information about which of the two things it is telling me to believe or why. They also added that I needed to have removed GELI encryption prior to upgrading to 13.0, which disagrees with the documentation.
That’s true only if the pool is in fact GELI encrypted, right? And that would not be destructive to the pool. On the other hand if the pool is not GELI encrypted it would be able to import. That would tell me whether it is or is not GELI encrypted. But what I’m not sure of is whether importing the pool into the SCALE system crosses any one way doors. Does that change anything about the pool itself that would prevent me from shutting down the system, unplugging the USB drive, and booting back up on the existing CORE system and using the pool from there?
You mean the config of the TrueNAS system? I suspect it does quite badly. The migration documentation says upgrading to SCALE is one way only. Preparing to Migrate | TrueNAS Documentation Hub. Ultimately I want to make that migration, however what I was talking about as a pre-check on the GELI issue was a new, fresh install of SCALE from the iso onto a new usb thumb drive. Boot that and try to import the pool. Leave the existing system pool and config alone. If that works then great, no GELI is being used. Shut down the server, remove the usb drives, boot back into CORE then continue going through the migration checklist - eventually updating via the UI system->update.
Thanks for the detailed steps. Sounds like I have a weekend project.
I agree that it is concerning that the GUI and nothing else indicated legacy encryption. I wish I knew how it was coming to that determination. The worry in the back of my mind is there’s some entry in a db or config somewhere that incorrectly says it’s encrypted. I’ll find the pool “available” via the test above, but when I actually try to migrate the live system SCALE will see whatever weird config stuck around and refuse to import.
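An added example, not from the thread or from TrueNAS: a POSIX shell check that applies the `.eli` naming test discussed above to `zpool status` and `geli status` text, and keeps pool members apart from unrelated GELI providers such as the encrypted swap mentioned earlier. The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample text at the bottom is constructed.

# Print the leaf devices from `zpool status <pool>` text on stdin.
pool_members() {
    awk '
        $1 == "NAME" && $2 == "STATE" { in_cfg = 1; rows = 0; next }
        $1 == "errors:"               { in_cfg = 0 }
        in_cfg && NF >= 5 {
            if (++rows == 1) next    # first row is the pool itself
            if ($1 ~ /^(mirror|raidz[0-9]*|draid.*|spare|replacing)-[0-9]+$/) next
            print $1
        }'
}

# Print provider names from `geli status` text on stdin (header skipped).
geli_providers() {
    awk '$1 != "Name" && NF >= 3 { print $1 }'
}

# $1 = `zpool status <pool>` text, $2 = `geli status` text.
check_pool_geli() {
    members=$(printf '%s\n' "$1" | pool_members)
    hits=0
    for m in $members; do
        case "$m" in
            *.eli) echo "member $m geli"; hits=$((hits + 1)) ;;
            *)     echo "member $m plain" ;;
        esac
    done
    # GELI providers outside the pool, such as encrypted swap.
    for p in $(printf '%s\n' "$2" | geli_providers); do
        printf '%s\n' "$members" | grep -qxF -- "$p" || echo "other $p geli"
    done
    echo "geli_members=$hits"
}

# Constructed sample: a two-disk pool plus GELI-backed swap.
SAMPLE_ZPOOL='config:
    NAME              STATE   READ WRITE CKSUM
    tank              ONLINE     0     0     0
      mirror-0        ONLINE     0     0     0
        gptid/disk-a  ONLINE     0     0     0
        gptid/disk-b  ONLINE     0     0     0
errors: No known data errors'
SAMPLE_GELI='            Name  Status  Components
mirror/swap0.eli  ACTIVE  mirror/swap0'

check_pool_geli "$SAMPLE_ZPOOL" "$SAMPLE_GELI"
```

On a CORE system the same function can be fed live output with `check_pool_geli "$(zpool status storage)" "$(geli status)"`. It reads only what ZFS and GEOM report, so it does not explain where the UI label comes from.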