Password recovery

Wo1fie

Cadet
Joined
Sep 10, 2023
Messages
6
Hi all,
I have had a FreeNAS system running 11 with encrypted drives. I believe it was 11? Anyway, I recently upgraded to TrueNAS12 and stupidly decided to change my password, lock down the console to require a password (and I believe the menu stopped displaying).
Anyway, I now can’t log back in via a local KVM or via the web GUI, as the password does not work.
I removed my drives, installed a clean copy (on another drive in the same server) of TrueNAS, however I guess my drives are still encrypted as I require my key when trying to import them to this new build - I have the passphrase.
So two questions..
One, what would the extension of the key file be? (I know I have made backups.)
Two, is there a way to reset my old TrueNAS password or reset it?
I don’t really care much about my old config, I just want access to my data on a working up to date TrueNAS.
Thanks.
 

Wo1fie

Hi all, I don’t seem to be able to find any backups of my GELI key. So I am going to have to try and reset my root password, or disable the password prompt from the CLI to access the rest menu. I can access single user mode but I don’t know where to go from there.. mount -urw and passwd root - does not work :(
 

Wo1fie

My backed up keys do not work with my passphrase on a clean install via import. I can see the encryption keys on the old USB boot drive from single user mode, but don’t know how to export them to be able to use them on the new build. Do I just add a FAT USB and mount it somehow?

Is there a way to change the boot config to disable the “required login prompt” via single user mode?
 
Joined
Oct 22, 2019
Messages
3,641
My backed up keys do not work with my passphrase
Are you referring to the "Recovery" keys or the "Primary" keys?

Did you use key + passphrase for the main userslot, and then create a recovery key for the secondary userslot?
 

Wo1fie

Are you referring to the "Recovery" keys or the "Primary" keys?

Did you use key + passphrase for the main userslot, and then create a recovery key for the secondary userslot?
Hi winnielinnie, On my new clean build of TrueNAS CORE 13.0-U5 I have tried to import the pool, by selecting all the drives, using either the geli.key or geli_recovery.key with my passphrase, but neither worked at decrypting my drives.
My pool auto decrypts on my TrueNAS12 build, but I snookered myself with the passwords and cli login prompt.

What do you mean by main and secondary userslot?

Thanks.
 
Joined
Oct 22, 2019
Messages
3,641
My pool auto decrypts on my TrueNAS12 build, but I snookered myself with the passwords and cli login prompt.
How can you confirm this if you're locked out of your TrueNAS Core 12 system?


What do you mean by main and secondary userslot?
GELI allows two "userslots". FreeNAS presented these as "Encryption Key" and "Recovery Key". (It was optional to also incorporate a passphrase to the main userslot.)


The idea was that you'd decrypt the GELI devices with your "encryption key" (userslot 0), which then made them available for a ZFS import. (Since the underlying vdev devices are accessible now.)

If you lost this key, or used a passphrase that you also forgot, there was a secondary method labeled as "Recovery Key", which was really just another keyfile used for userslot 1. Using this keyfile was enough to decrypt the GELI devices.

If using the "Recovery Key" isn't working, then it's likely because it's an outdated keyfile. (Every time you create a new Recovery Key, the old one becomes useless.)


So now you have to figure out:
  1. Did I make a backup copy of my "Encryption Key" (userslot 0)?
  2. Did I also require a passphrase with my "Encryption Key" (userslot 0)?
  3. Did I create a "Recovery Key" (userslot 1)?
  4. Did I ever create a new "Recovery Key" (userslot 1) at some point afterward?

If you did #4, then you must find this relevant "Recovery Key", since the original/earlier one will no longer work.

If you did #2, then it means the "Encryption Key" is not enough. You need to supply the correct keyfile + passphrase.


My pool auto decrypts on my TrueNAS12 build, but I snookered myself with the passwords and cli login prompt.
Which you cannot login nor reset the root password because you disabled the console?

Technically, it's feasible to boot an Ubuntu live USB and then access the contents of your TrueNAS boot-pool (ZFS), to retrieve the config file, secret seed, and encryption keyfiles.


But it's still murky what's going on with your situation.
 
Joined
Oct 22, 2019
Messages
3,641
geli.key or geli_recovery.key with my passphrase
What about the other way around? geli.key + passphrase? or geli_recovery.key without passphrase?
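
The key and passphrase combinations discussed in the replies above can be checked one provider at a time with a read-only test attach. This is an added example, not part of the thread: the key paths and the provider name are assumptions, and `plan_attempts`, `try_key` and `find_unlock` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Key paths below are assumed backup
# locations (no spaces in paths); the provider is passed as the first argument.
KEYS="${KEYS:-/root/geli.key /root/geli_recovery.key}"

# List every keyfile/passphrase combination, one "keyfile mode" pair per line.
# Keyfile-only is tried first: a recovery key (userslot 1) is a bare keyfile.
plan_attempts() {
    for key in $KEYS; do
        echo "$key nopass"
        echo "$key pass"
    done
}

# Attach one provider read-only (-r) so the test attach cannot write to it.
# -p tells geli the key has no passphrase component; without -p geli prompts.
try_key() {  # $1 = keyfile, $2 = pass|nopass, $3 = provider
    if [ "$2" = nopass ]; then
        geli attach -r -p -k "$1" "$3"
    else
        geli attach -r -k "$1" "$3"
    fi
}

# Walk the combinations for one provider and report the first that attaches.
find_unlock() {  # $1 = provider, e.g. gptid/<uuid>
    for key in $KEYS; do
        for mode in nopass pass; do
            if try_key "$key" "$mode" "$1"; then
                echo "unlocked $1 with $key ($mode)"
                geli detach "$1.eli"    # undo the test attach
                return 0
            fi
        done
    done
    echo "no combination unlocked $1" >&2
    return 1
}

# Dry run by default: only print the plan. Set GELI_RUN=1 on the NAS itself.
if [ "${GELI_RUN:-0}" = 1 ]; then
    find_unlock "$1"
else
    plan_attempts
fi
```

Once a combination is known to work, the same keyfile and passphrase choice is what the pool import dialog needs.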
 

Wo1fie

What about the other way around? geli.key + passphrase? or geli_recovery.key without passphrase?
Hi Winnielinnie.. Thank you so much for your response.. I was just writing out a step by step of how I got myself in this mess when I saw this suggestion.. I just tried it and it worked.. geli_recovery.key + no passphrase!! Wow, I have my pool back.. imported into TrueNAS 13 U5.3 :)

So, I believe I removed (?) the passphrase, backed up the two geli keys and upgraded from FreeNAS 11 to TrueNAS 12. I had a working system and no longer had to unlock the pool, like I used to on FreeNAS after a reboot. I then went about locking down the CLI and changing my password.. wow, not doing that again.. well not in that order..

Thanks again!
 