Darren J Moffat wrote:

Thanks for the reply,

> I strongly suggest upgrading to Solaris 11; there have been some
> important ZFS and specifically ZFS encryption related bug fixes.

Will do. (At least temporarily, until this
problem is solved. Long term plan is
switching to FreeNAS, even if that means
running an older version of ZFS)

>> They were created with encryption
>> on, forcing all others to be encrypted.
>>
>> The keysource for slice_?/base
>> was set to
>> "passphrase,prompt"
>> while creating the file systems.
>>
>> Then I stored the keys (one key per
>> pool) in files in a subdirectory
>> of home/user1, and set keysource for
>> slice_0/base to
>> "passphrase,file:///export/home/user1/keys/key_0"
>> (Similarly for the other two pools)
>
> Did you ever export the slice_0 pool and reimport it or reboot the
> server ?  Basically are you and ZFS both 100% sure you had the correct
> passphrases stored in those files ?

The system was rebooted many times
during a period of weeks, without
any problems.
(This is a home file server,
powered up only on evenings and
weekends, when I am at home.)

The trouble began when I tried to
change the passphrase location as
described below.

>> So far so good.
>> Several weeks and several terabytes
>> of data later, I decided to relocate
>> the files with the encryption keys
>> from a subdir of user1 to a subdir
>> of root. Copied the files and set
>> slice_0/base keysource to
>> "passphrase,file:///root/keys/key_0", etc.
>
> Exactly how did you do that ?
>
> zfs key -c -o keysource=passphrase,file:///root/keys/key_0
>
> or
>
> zfs set keysource=passphrase,file:///root/keys/key_0
>
> The first does a key change and actually re-encrypts the on disk data
> encryption keys using the newly generated AES wrapping key that is
> derived from the passphrase. The second only changes where to find the
> passphrase.

First, I did the 2nd. (Change location only)
I believe I tried the first form also *after*
things were already broken, but I'm sure the
passphrases were identical: slice_08, slice_18
and slice_28 for each of pools 0/1/2. - The '8'
brings the length up to the minimum
requirement of 8 characters.
( My goal for using encryption was just to
obfuscate the contents if, for example, I
send a disk out for repair; not to hide
anything from the NSA )

Question: I believed the keys generated from a
passphrase depend only on the passphrase, and
not on how it is provided or where it is stored.
Is this a true statement?

>> That broke it. After doing that, the base
>> file systems (that contain no data files)
>> can be mounted, but trying to mount any
>> other fs fails with the message:
>> "cannot load key for 'slice_?/base/fsys_?_?': incorrect key.
>
> Can you post some sample output of:
>
> zfs get -r encryption,keysource slice_0

Actual command output for slice_2/... is pasted at the end.
The keysource was originally (in the still working
system) inherited from slice_2/base. It is now set
locally. At this moment some filesystems use "prompt",
others use "file"; neither works.

I did try setting the keysource to "prompt",
to "file" at the original location [ actual path:
file:///export/home/trouser/passphrases/slice_2_passphrase ],
and to "file" at the new location [ actual path:
file:///root/passphrases/slice_2_passphrase ]
for all file systems. It always failed.

> In particular include a few examples of the filesystems you call 'base'
> and the fsys ones.
>
> What is important here is understanding where the encryption and
> keysource properties are set and where they are inherited.

===========================================
 zfs get -r encryption,keysource slice_2
===========================================

NAME                          PROPERTY    VALUE  SOURCE
slice_2                       encryption  on  local
slice_2                       keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base                  encryption  on  local
slice_2/base                  keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/bitsavers        encryption  on  inherited from slice_2/base
slice_2/base/bitsavers        keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/codesourcery     encryption  on  inherited from slice_2/base
slice_2/base/codesourcery     keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/embedded         encryption  on  inherited from slice_2/base
slice_2/base/embedded         keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/flightgear       encryption  on  inherited from slice_2/base
slice_2/base/flightgear       keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/forth            encryption  on  inherited from slice_2/base
slice_2/base/forth            keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/functional       encryption  on  inherited from slice_2/base
slice_2/base/functional       keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/linux            encryption  on  inherited from slice_2/base
slice_2/base/linux            keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/minix            encryption  on  inherited from slice_2/base
slice_2/base/minix            keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/modula_n_oberon  encryption  on  inherited from slice_2/base
slice_2/base/modula_n_oberon  keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/trimslice        encryption  on  inherited from slice_2/base
slice_2/base/trimslice        keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/ubuntu           encryption  on  inherited from slice_2/base
slice_2/base/ubuntu           keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/unclassified_2   encryption  on  inherited from slice_2/base
slice_2/base/unclassified_2   keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/x-plane          encryption  on  inherited from slice_2/base
slice_2/base/x-plane          keysource   passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local

========================================
 zfs get all slice_2
========================================

NAME                    PROPERTY              VALUE  SOURCE
slice_2                 type                  filesystem  -
slice_2                 creation              Sun Aug 14 0:16 2011  -
slice_2                 used                  136G  -
slice_2                 available             2.83T  -
slice_2                 referenced            74.5K  -
slice_2                 compressratio         1.00x  -
slice_2                 mounted               yes  -
slice_2                 quota                 none  default
slice_2                 reservation           none  default
slice_2                 recordsize            128K  default
slice_2                 mountpoint            /slices/slice_2  local
slice_2                 sharenfs              off  local
slice_2                 checksum              sha256-mac  local
slice_2                 compression           off  local
slice_2                 atime                 off  local
slice_2                 devices               off  local
slice_2                 exec                  on  default
slice_2                 setuid                on  default
slice_2                 readonly              off  default
slice_2                 zoned                 off  default
slice_2                 snapdir               hidden  default
slice_2                 aclinherit            restricted  default
slice_2                 canmount              on  default
slice_2                 xattr                 on  default
slice_2                 copies                1  default
slice_2                 version               5  -
slice_2                 utf8only              on  -
slice_2                 normalization         none  -
slice_2                 casesensitivity       sensitive  -
slice_2                 vscan                 off  default
slice_2                 nbmand                off  default
slice_2                 sharesmb              off  default
slice_2                 refquota              none  default
slice_2                 refreservation        none  default
slice_2                 primarycache          all  default
slice_2                 secondarycache        all  default
slice_2                 usedbysnapshots       0  -
slice_2                 usedbydataset         74.5K  -
slice_2                 usedbychildren        136G  -
slice_2                 usedbyrefreservation  0  -
slice_2                 logbias               latency  default
slice_2                 dedup                 off  default
slice_2                 mlslabel              none  default
slice_2                 sync                  standard  default
slice_2                 encryption            on  local
slice_2                 keysource             passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2                 keystatus             available  -
slice_2                 rekeydate             Sun Aug 14 0:16 2011  local
slice_2                 rstchown              on  default

========================================
 zfs get all slice_2/base
========================================

NAME                    PROPERTY              VALUE  SOURCE
slice_2/base            type                  filesystem  -
slice_2/base            creation              Sun Aug 14 0:16 2011  -
slice_2/base            used                  136G  -
slice_2/base            available             2.83T  -
slice_2/base            referenced            77.0K  -
slice_2/base            compressratio         1.00x  -
slice_2/base            mounted               yes  -
slice_2/base            quota                 none  default
slice_2/base            reservation           none  default
slice_2/base            recordsize            128K  default
slice_2/base            mountpoint            /slices/slice_2/base  local
slice_2/base            sharenfs              off  local
slice_2/base            checksum              sha256-mac  local
slice_2/base            compression           off  local
slice_2/base            atime                 off  local
slice_2/base            devices               off  local
slice_2/base            exec                  on  default
slice_2/base            setuid                on  default
slice_2/base            readonly              off  default
slice_2/base            zoned                 off  default
slice_2/base            snapdir               hidden  default
slice_2/base            aclinherit            restricted  default
slice_2/base            canmount              on  default
slice_2/base            xattr                 on  default
slice_2/base            copies                1  default
slice_2/base            version               5  -
slice_2/base            utf8only              on  -
slice_2/base            normalization         none  -
slice_2/base            casesensitivity       sensitive  -
slice_2/base            vscan                 off  default
slice_2/base            nbmand                off  default
slice_2/base            sharesmb              off  local
slice_2/base            refquota              none  default
slice_2/base            refreservation        none  default
slice_2/base            primarycache          all  default
slice_2/base            secondarycache        all  default
slice_2/base            usedbysnapshots       0  -
slice_2/base            usedbydataset         77.0K  -
slice_2/base            usedbychildren        136G  -
slice_2/base            usedbyrefreservation  0  -
slice_2/base            logbias               latency  default
slice_2/base            dedup                 off  default
slice_2/base            mlslabel              none  default
slice_2/base            sync                  standard  default
slice_2/base            encryption            on  local
slice_2/base            keysource             passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base            keystatus             available  -
slice_2/base            rekeydate             Sun Aug 14 0:16 2011  local
slice_2/base            rstchown              on  default

========================================
 zfs get all slice_2/base/bitsavers
========================================

NAME                    PROPERTY              VALUE  SOURCE
slice_2/base/bitsavers  type                  filesystem  -
slice_2/base/bitsavers  creation              Sun Aug 14 0:16 2011  -
slice_2/base/bitsavers  used                  79.5K  -
slice_2/base/bitsavers  available             2.83T  -
slice_2/base/bitsavers  referenced            79.5K  -
slice_2/base/bitsavers  compressratio         1.00x  -
slice_2/base/bitsavers  mounted               no  -
slice_2/base/bitsavers  quota                 none  default
slice_2/base/bitsavers  reservation           none  default
slice_2/base/bitsavers  recordsize            128K  default
slice_2/base/bitsavers  mountpoint            /global/bitsavers/  local
slice_2/base/bitsavers  sharenfs              off  local
slice_2/base/bitsavers  checksum              sha256-mac  inherited from slice_2/base
slice_2/base/bitsavers  compression           off  inherited from slice_2/base
slice_2/base/bitsavers  atime                 off  inherited from slice_2/base
slice_2/base/bitsavers  devices               off  inherited from slice_2/base
slice_2/base/bitsavers  exec                  on  default
slice_2/base/bitsavers  setuid                on  default
slice_2/base/bitsavers  readonly              off  default
slice_2/base/bitsavers  zoned                 off  default
slice_2/base/bitsavers  snapdir               hidden  default
slice_2/base/bitsavers  aclinherit            restricted  default
slice_2/base/bitsavers  canmount              on  default
slice_2/base/bitsavers  xattr                 on  default
slice_2/base/bitsavers  copies                1  default
slice_2/base/bitsavers  vscan                 off  default
slice_2/base/bitsavers  nbmand                off  default
slice_2/base/bitsavers  sharesmb              name=bitsavers  local
slice_2/base/bitsavers  refquota              none  default
slice_2/base/bitsavers  refreservation        none  default
slice_2/base/bitsavers  primarycache          all  default
slice_2/base/bitsavers  secondarycache        all  default
slice_2/base/bitsavers  usedbysnapshots       0  -
slice_2/base/bitsavers  usedbydataset         79.5K  -
slice_2/base/bitsavers  usedbychildren        0  -
slice_2/base/bitsavers  usedbyrefreservation  0  -
slice_2/base/bitsavers  logbias               latency  default
slice_2/base/bitsavers  dedup                 off  default
slice_2/base/bitsavers  mlslabel              none  default
slice_2/base/bitsavers  sync                  standard  default
slice_2/base/bitsavers  encryption            on  inherited from slice_2/base
slice_2/base/bitsavers  keysource             passphrase,file:///export/home/trouser/passphrases/slice_2_passphrase  local
slice_2/base/bitsavers  keystatus             unavailable  -
slice_2/base/bitsavers  rekeydate             Sun Aug 14 0:16 2011  local
slice_2/base/bitsavers  rstchown              on  default


========================================
 trying to mount
========================================

root@turbofan:~# cat /export/home/trouser/passphrases/slice_2_passphrase
slice_28
root@turbofan:~# zfs mount slice_2/base/bitsavers
cannot load key for 'slice_2/base/bitsavers': incorrect key.
root@turbofan:~# zfs set keysource=passphrase,prompt slice_2/base/bitsavers
root@turbofan:~# zfs mount slice_2/base/bitsavers
Enter passphrase for 'slice_2/base/bitsavers': [ entering slice_28 ]
cannot load key for 'slice_2/base/bitsavers': incorrect key.
root@turbofan:~#

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
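Added example, not part of the thread and not Solaris code: a small Python model of the distinction Darren draws above between "zfs set keysource=..." (only the passphrase locator changes) and "zfs key -c" (the on-disk data encryption key is unwrapped and re-wrapped under a newly derived wrapping key), and of what the passphrase-derived key depends on. The design is an assumption made for the model and is marked as such in the code: the wrapping key is PBKDF2-HMAC-SHA256 over the passphrase bytes and a random salt kept with the dataset, and an HMAC-based wrap with an authentication tag stands in for AES key wrapping, the failed tag check being what surfaces as "incorrect key". The keysource locators are the ones from the thread; the file contents behind them are constructed. The model shows that the derived key depends on the exact passphrase bytes and the stored salt and on nothing about where the passphrase came from; whether the real zfs strips a trailing newline from a passphrase file is not something this model settles.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model (constructed for this example, not Solaris ZFS code).
# Assumed design: a random per-dataset data encryption key (DEK) is stored
# wrapped under a wrapping key derived from the passphrase with PBKDF2 and a
# random salt; an HMAC-based wrap stands in for AES key wrapping.
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for passphrase files on disk: keysource locator -> file bytes.
PASSPHRASE_FILES = {
    "passphrase,file:///export/home/user1/keys/key_0": b"slice_08",
    "passphrase,file:///root/keys/key_0": b"slice_08",
}


def derive_wrapping_key(passphrase: bytes, salt: bytes) -> bytes:
    """The wrapping key depends only on the exact passphrase bytes and the salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERATIONS, dklen=32)


def wrap_dek(wrapping_key: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under the wrapping key and append an authentication tag."""
    stream = hmac.new(wrapping_key, b"keystream", hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(wrapping_key, b"tag" + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unwrap_dek(wrapping_key: bytes, blob: bytes) -> bytes:
    """Verify the tag (wrong wrapping key -> 'incorrect key'), then recover the DEK."""
    ciphertext, tag = blob[:32], blob[32:]
    expected = hmac.new(wrapping_key, b"tag" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("incorrect key")
    stream = hmac.new(wrapping_key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def read_passphrase(keysource: str) -> bytes:
    """Resolve a keysource locator to passphrase bytes, exactly as stored."""
    return PASSPHRASE_FILES[keysource]


class Dataset:
    def __init__(self, name: str, keysource: str):
        self.name = name
        self.keysource = keysource
        self.salt = os.urandom(16)
        self.dek = os.urandom(32)  # the data encryption key never changes after creation
        self.keystatus = "available"
        wk = derive_wrapping_key(read_passphrase(keysource), self.salt)
        self.wrapped_dek = wrap_dek(wk, self.dek)

    def set_keysource(self, keysource: str) -> None:
        # zfs set keysource=...: only the locator changes; salt and wrapped DEK are untouched.
        self.keysource = keysource

    def key_change(self, new_keysource: str) -> None:
        # zfs key -c -o keysource=...: unwrap with the current wrapping key, re-wrap
        # under a newly derived one (fresh salt, so a new key even for identical text).
        dek = unwrap_dek(derive_wrapping_key(read_passphrase(self.keysource), self.salt),
                         self.wrapped_dek)
        self.salt = os.urandom(16)
        self.wrapped_dek = wrap_dek(derive_wrapping_key(read_passphrase(new_keysource), self.salt), dek)
        self.keysource = new_keysource

    def load_key(self, passphrase: Optional[bytes] = None) -> bytes:
        # zfs mount / zfs key -l: passphrase comes from the keysource unless given (prompt).
        if passphrase is None:
            passphrase = read_passphrase(self.keysource)
        try:
            dek = unwrap_dek(derive_wrapping_key(passphrase, self.salt), self.wrapped_dek)
        except ValueError:
            self.keystatus = "unavailable"
            raise ValueError(f"cannot load key for '{self.name}': incorrect key.")
        self.keystatus = "available"
        return dek


def demo() -> dict:
    ds = Dataset("slice_0/base", "passphrase,file:///export/home/user1/keys/key_0")
    original_dek = ds.dek
    results = {}
    # Relocating the passphrase file: same bytes, same salt, same wrapping key.
    ds.set_keysource("passphrase,file:///root/keys/key_0")
    results["after_set_keysource"] = ds.load_key() == original_dek
    # Key change: wrapped blob on disk changes, the DEK underneath does not.
    before = ds.wrapped_dek
    ds.key_change("passphrase,file:///root/keys/key_0")
    results["rewrapped_on_disk"] = ds.wrapped_dek != before
    results["after_key_change"] = ds.load_key() == original_dek
    # Same text with a trailing newline is a different passphrase in this model.
    try:
        ds.load_key(b"slice_08\n")
        results["trailing_newline"] = "loaded"
    except ValueError as e:
        results["trailing_newline"] = str(e)
    results["keystatus"] = ds.keystatus
    return results
```

Calling demo() walks the sequence from the thread: change the locator only, then do a key change with the same passphrase text, then try a passphrase that differs by one byte. The last step leaves keystatus at "unavailable", which is the state the bitsavers output above shows.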
