Unable to decrypt dataset

I am relatively new to TrueNAS, but recently configured a new NAS with this. I chose to encrypt one of the datasets and I made a copy of the passphrase and stored it in my password manager. I have rebooted a couple of times and successfully decrypted the dataset. However, this last time it will not decrypt it. Error: Key is incorrect. Read through the forum on it for a bit and tried to do it via the command line as well. Getting error “Key load error: Incorrect key provided”. I am hoping that someone will be able to shed some light on what I may have done incorrectly.

While I doubt you did anything wrong, once the system tells you that you have the wrong key, your data is encrypted and will stay that way. There is no workaround that I am aware of; it is security and having a master key is a liability.

I assume you have powered the system down completely and powered back up. Make sure CAPS LOCK is off, replace the keyboard with a different one just in case one key is FUBAR. And type the passphrase in slowly.

I wish you the best of luck, no one likes to hear someone lost data. Hopefully you have the data backed up somewhere you can access it.


Yeah, everything important is backed up. Just a frustration of actually getting everything back. Still not exactly sure what happened here. Working in IT support myself, when people say that they are sure they remember a password I generally chalk it up to PEBKAC, but I am fairly sure I have the correct passphrase.

There is a tool out there that can “crack” a native ZFS passphrase if you provide it with a “close enough” passphrase.

So for example, if your passphrase was Peanut butter jelly 2024!

You might have mis-remembered it as Peanut Butter Jelly 2024!

Providing the tool with Peanut Butter Jelly 2024! has a high likelihood of finding the real passphrase.

Or maybe that was for LUKS? I’ll try to find it.

EDIT: Never mind. It was indeed made for LUKS.

Did you “manually write” it into your password manager, or copy+paste it?


Did you ever “receive” a replication to this server?

No, it’s a pretty new server. I have set up a couple of VMs and apps, but that is about it.

Edit: I also set up snapshots

Maybe you’re missing something, and didn’t remember correctly?

What does this reveal?

zfs list -r -t filesystem -o name,encryptionroot,keyformat,keylocation

It is indeed a passphrase, and it is indeed its own encryptionroot.

Can you provide more context? Is this SCALE? Core? What version? Did you do an upgrade recently?

What happens if you try this command:

zfs load-key -n "Spinning Guys"/BulkStorage

This is scale. 23.10.2
No recent upgrades. I set up the NAS Wednesday, and it was up to date when I checked, so no, I have never had a need to update it.
That command is what I tried after searching the forums here a bit first. I used the ctrl+insert to paste the passphrase in here, but I have also tried typing it.

One other change I have made after configuring the encryption was to change the time server to my own, and correct the time zone. However the time is correct on the system, so I don’t think that would affect this. Let me know if I am wrong though.

Is this a passphrase with “words” and/or one that you would normally type? Or is it randomly generated and highly complex?

It’s a string of real words that form a sentence.

If you’re up for it, you can generate a “wordlist” with every combination of lowercase and uppercase letters, and then feed that into a script that loops zfs load-key -n and saves the results to a logfile.

If there’s a single successful hit, you’ll see it in the logfile.

It’s rudimentary, but I’ve never tried it myself.

Given the length of time it will take to get the backup this is worth a shot. I will try it.

I should have thought of this earlier, but where is the log file located?

Assuming you have a “passlist” named passlist.txt, you can feed it into this command, like so:

while IFS= read -r pass ; do printf '%s\n' "$pass" | zfs load-key -n "Spinning Guys"/BulkStorage 2>/dev/null  >> results.txt  ; done < passlist.txt

This is a very crude script.

Make sure to run it as the “root” user, so that it doesn’t prompt you for the admin password via sudo.

When it’s done, you can check the contents of results.txt and look for the line that reads: 1 / 1 key(s) successfully verified

Its “placement” in results.txt will coincide with the correct passphrase in passlist.txt.

So for example, within the flood of lines that read 0 / 1 key(s) successfully verified, if you find the one line that reads 1 / 1 key(s) successfully verified, you will then note which “line” it resides on. If it’s on line #54, then it means the passphrase is the one found on line #54 in passlist.txt.

Off the top of my head, I’m not sure how to generate a “passlist” with every combination of lowercase, uppercase, and spaces, dashes, underscores, periods, etc.
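An added example, not code from this thread or any of its posters: it builds a passlist of per-word case variants (lowercase, Capitalised, UPPERCASE for each word, a narrower set than every per-letter combination) and tests candidates by exit status instead of lining up results.txt against passlist.txt. The function names case_variants and first_match are hypothetical, and it assumes zfs load-key -n exits non-zero when the key is wrong.

```sh
#!/bin/sh
# Added example. Usage (as root, on the NAS that owns the dataset):
#   case_variants "peanut butter jelly 2024!" > passlist.txt
#   first_match zfs load-key -n "Spinning Guys"/BulkStorage < passlist.txt
# Then look up the printed line number in passlist.txt and delete the file:
# it is a plain-text list of near-passphrases.

# case_variants SENTENCE: print each distinct per-word combination of
# lowercase / Capitalised / UPPERCASE, words joined by single spaces.
case_variants() {
    printf '%s\n' "$1" | awk '{
        n = split($0, w, " ")
        total = 1
        for (i = 1; i <= n; i++) total *= 3
        for (k = 0; k < total; k++) {
            line = ""; x = k
            for (i = 1; i <= n; i++) {
                m = x % 3; x = int(x / 3)      # base-3 digit picks the case
                lo = tolower(w[i])
                if (m == 0) v = lo
                else if (m == 1) v = toupper(substr(lo, 1, 1)) substr(lo, 2)
                else v = toupper(lo)
                line = line (i > 1 ? " " : "") v
            }
            # Words without letters ("2024!") yield duplicates; skip them.
            if (!(line in seen)) { seen[line] = 1; print line }
        }
    }'
}

# first_match CMD [ARGS...]: read candidates from stdin, feed each one to
# CMD on its stdin, stop at the first exit status 0 and print only the line
# number, so the passphrase stays out of scrollback and logs.
first_match() {
    n=0
    while IFS= read -r cand; do
        n=$((n + 1))
        if printf '%s\n' "$cand" | "$@" >/dev/null 2>&1; then
            printf '%s\n' "$n"
            return 0
        fi
    done
    return 1    # no candidate was accepted
}
```
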

There is no logfile. I was speaking “theoretically”. (See my above post for a crude script you can feed a “passlist” into.)

You need to generate a “passlist” first.

Thank you. I found a PowerShell script to generate the password list. Trying now, but there are roughly 2 million variations, so it might take a bit.

I am unable to add any more replies for the day because this is a new account, so I will have to just edit this here to add the link to the PowerShell script.
