ZFS Recovering accidentally removed truenas config

So I blundered today. I reset the config of my truenas server wanting to only reset the network config without realizing it would reset everything (yes I know, it says that in the manual). The problem is that my dataset is encrypted and the key I saved isn't working for some reason. I took out the boot drive and I want to try to recover the removed config db file which stores the keys and all the other config information.

Since truenas is based on FreeBSD, I figured I'd ask here to see if anyone can help. Is there any way to recover this deleted data from the boot drive? I can plug it in to a Windows or Linux machine to use any tools you suggest. I know of a few tools but I don't know how to use them. My backup plan is to find a data recovery service, but those seem expensive from what I've seen and I don't even know if that will work.

Thanks

Edit: The file setup of my NAS is a couple RAID drives, which are still intact and the encrypted data is still there, and a boot drive which is undamaged, but the config file I want is a .db file which inside it holds the key to decrypt the RAID on startup. I believe the boot drive is a ZFS filesystem just like the RAID drives, and the OS is truenas which is built on FreeBSD.
 
My backup plan is to find a data recovery service
The thing about encryption is that it's not possible (or at least feasible) to break the encryption. Data recovery services work on damaged disks, or deleted files, they cannot "unencrypt" your data if you lose your keys. Encryption would be utterly useless if it was easy to circumvent.
 
The thing about encryption is that it's not possible (or at least feasible) to break the encryption. Data recovery services work on damaged disks, or deleted files, they cannot "unencrypt" your data if you lose your keys. Encryption would be utterly useless if it was easy to circumvent.
He wants them to recover the deleted keys, not to decrypt the data.
 
You may check the sleuth kit (look in ports), maybe you can get something with that. It depends on the file system.
And, as always, make an image copy of the whole drive and put the original in a safe place. You never fiddle with the original data.
 
Right, misread some things. I was in the same boat some years ago. Reinstalled the OS but forgot to back up the encryption key to unlock an external drive. Tried using all manner of tools to recover that key. But the thing about those keys is that they're just a file with random data in it. There's nothing 'recognizable' in them for any sleuthing kit to latch onto. Trying to recover 64 (that was the size of my key) random bytes on a disk was nothing more than an exercise in futility. That key is gone and, by extension, so was the data on that encrypted disk.
 
With the danger of being mister obvious, also check keyboard language settings & numlock.
The input is in the form of a keyfile. It's a .json file that stores the pool name and the key to decrypt it, I don't actually type anything. I think what happened is that I saved my backup keyfile and then later must have reset the key without saving the new one, so I thought I had the correct backup but really it was outdated.
 
He wants them to recover the deleted keys, not to decrypt the data.
Yes that's right.
Not sure how familiar everyone is with truenas, but the config is stored in a .db file on the boot drive (which is separate from the RAID drives, in my case it's a 60GB SSD). That .db file has, among other things, the pool metadata (can be imported with the RAID disks which are still intact), and the keyfiles to unlock any encrypted pools. I figure if I can recover that db file then I can use that to replace the config I accidentally blew away.

Right, misread some things. I was in the same boat some years ago. Reinstalled the OS but forgot to back up the encryption key to unlock an external drive. Tried using all manner of tools to recover that key. But the thing about those keys is that they're just a file with random data in it. There's nothing 'recognizable' in them for any sleuthing kit to latch onto. Trying to recover 64 (that was the size of my key) random bytes on a disk was nothing more than an exercise in futility. That key is gone and, by extension, so was the data on that encrypted disk.
In terms of the file being recognizable, I think it should be since that key is just an entry in the database file. So if I find the file then I can restore it and have the key back as well... that's what I hope at least.
 
What kind of db? Berkeley, sqlite3?
If it can't be identified by the file(1) command you can script something to recover it.
 
I would scan the disc image (again, image it and store safely) for the pool name and check if that area of the data looks like a .json file. You might be able to lift the key using pen&paper then.
 
What kind of db? Berkeley, sqlite3?
If it can't be identified by the file(1) command you can script something to recover it.
The config is sqlite I believe. I found a forum post detailing exactly where everything is and I pasted that below:
The config backup is just a TAR archive of the contents of your TrueNAS /data directory. Uploading the config extracts the contents of the TAR and writes them back into /data. At a minimum, the config backup contains /data/freenas-v1.db, which is the complete configuration database being restored. It may also contain /data/pwenc_secret, which are the secret keys for the password database, and /data/geli/*, which are the GELI encryption keys for your pool, depending on the options selected during the backup.
The GELI keys are what I'm looking for here.

I would scan the disc image (again, image it and store safely) for the pool name and check if that area of the data looks like a .json file. You might be able to lift the key using pen&paper then.
I'm making a copy of the boot drive to a linux machine now so I can work on it. My current plan is to use photorec, a tool I found online that should hopefully work, and just get any data I can from it. If I can get the db file then I'll try the code from the link VladiBG posted and see if I can extract the key. Or perhaps the key is still living in /data/geli (maybe).

Of course this all depends on the data still being on the drive anyway, I don't know exactly what process truenas does to erase that config so I'm just hoping it's still there.
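
The signature scan suggested in the replies above, as an added example that is not part of the thread: it searches a copy of the boot-drive image for SQLite 3 headers, carves each candidate using the page size and page count stored in the header, and checks that the result opens. It assumes the database was stored uncompressed and contiguous (ZFS compression or fragmentation would defeat it); the function names and paths are hypothetical.

```python
import mmap
import sqlite3
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def parse_header(hdr):
    """Return (page_size, page_count) for a plausible SQLite header, else None."""
    if len(hdr) < 100 or not hdr.startswith(SQLITE_MAGIC):
        return None
    (page_size,) = struct.unpack(">H", hdr[16:18])
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # must be a power of two between 512 and 65536
    if hdr[21:24] != bytes([64, 32, 32]):
        return None  # fixed payload-fraction bytes; filters stray text matches
    (page_count,) = struct.unpack(">I", hdr[28:32])
    return page_size, page_count

def find_sqlite_candidates(image_path):
    """Scan a raw image copy; return [(offset, page_size, page_count), ...]."""
    hits = []
    with open(image_path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        pos = m.find(SQLITE_MAGIC)
        while pos != -1:
            parsed = parse_header(m[pos:pos + 100])
            if parsed and parsed[1] > 0:  # 0 means the header records no size
                hits.append((pos, *parsed))
            pos = m.find(SQLITE_MAGIC, pos + 1)
    return hits

def carve(image_path, hit, out_path):
    """Copy page_size * page_count bytes starting at the hit into out_path."""
    offset, page_size, page_count = hit
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(offset)
        dst.write(src.read(page_size * page_count))

def list_tables(db_path):
    """Open a carved file read-only; raises sqlite3.DatabaseError if corrupt."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
        return [r[0] for r in rows]
    finally:
        con.close()
```

A carved file that lists the expected tables is worth inspecting further; one that raises on open was most likely overwritten or split across non-adjacent blocks.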
 