Urgent: ZFS Pool Encrypted (AES-256-GCM) - Keylocation "prompt" after reboot/upgrade - Need recovery assistance

"To the iXsystems Support Team / Community,

I am reaching out regarding a critical data access issue on my TrueNAS Core system (Version 13.0-U6.8).

The Problem: After a system reboot and update, my main data pool (‘Backup’, ~7.6TB) was unmounted. ZFS reports the pool is encrypted with aes-256-gcm, but the keylocation is set to prompt.

Technical Background:

  1. The pool was originally managed by the TrueNAS WebUI. I never manually set a passphrase; it was handled automatically by the system.

  2. zpool history shows that the system used to load keys from temporary files in /tmp/ (e.g., zfs load-key -L file:///tmp/tmp...).

  3. After the update, the storage_encrypteddataset table in freenas-v1.db appears to be missing or empty for this pool, and storage_volume marks vol_encrypt as 0, even though the ZFS layer confirms it IS encrypted.

  4. I have access to the pwenc_secret and several freenas-v1.db backups from previous Boot Environments (November 2025 and April 2026).

Request: Is there a known procedure to re-derive or extract the ZFS Master Key from the pwenc_secret and the configuration database when the WebUI metadata has been desynchronized? I need to recover the keyfile to run zfs load-key.

I am a long-time user and this pool contains critical data. Any advanced CLI guidance or recovery tool recommendation would be deeply appreciated.

Best regards, Lucas."

This is a long shot, as without the key, your data is lost. The pwenc_secret has no relation to the pool key or the GELI key.

If you can monitor the console during boot, try to select the previous boot environment. This may get the system up from its pre-upgrade state. Otherwise, we’re out of options.

It is possible. See this post.

2 Likes
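
Added example, not part of the thread: a read-only triage of several freenas-v1.db backups (points 3 and 4 of the original post) that reports, per backup, whether storage_encrypteddataset is missing, empty, or still has rows for the pool. The table name comes from the post; the column names in the sample builder and the sample databases themselves are constructed assumptions, and the check itself does not depend on column names.

```python
import sqlite3
import tempfile
from pathlib import Path

TABLE = "storage_encrypteddataset"  # table name as given in the post

def build_sample_db(path, rows):
    """Constructed stand-in for a freenas-v1.db backup (column names are assumed)."""
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT, encryption_key TEXT)")
    con.executemany(f"INSERT INTO {TABLE} (name, encryption_key) VALUES (?, ?)", rows)
    con.commit()
    con.close()

def inspect_backup(path, pool):
    """Return (status, hits) for one backup, opened read-only so it is never modified."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        found = con.execute(
            "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (TABLE,)
        ).fetchone()
        if not found:
            return ("table-missing", 0)
        rows = con.execute(f"SELECT * FROM {TABLE}").fetchall()
    finally:
        con.close()
    if not rows:
        return ("table-empty", 0)
    # Match the pool's root dataset or any child dataset, without relying on column names.
    hits = sum(
        1 for row in rows
        if any(isinstance(v, str) and (v == pool or v.startswith(pool + "/")) for v in row)
    )
    return ("has-entry" if hits else "no-entry-for-pool", hits)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        samples = {  # constructed data standing in for two boot-environment backups
            "be-old.db": [("Backup", "CONSTRUCTED-PLACEHOLDER"), ("Backup/media", "CONSTRUCTED-PLACEHOLDER")],
            "be-new.db": [],
        }
        for name, rows in samples.items():
            build_sample_db(str(Path(d) / name), rows)
            # Only status and counts are printed, never the stored key column.
            print(name, inspect_backup(str(Path(d) / name), "Backup"))
```

Run it against copies of the backups rather than the files inside the boot environments.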