FreeNAS webui setup for HTTPS only:
System General: Protocol = HTTPS
System General: WebGUI HTTP -> HTTPS Redirect = unchecked
Create a pool. Add a recovery password.
Go to Storage -> Pool, click on the lock symbol and select "Download Encryption Key".
Expected behavior: the key is downloaded securely via HTTPS, the same protocol the web UI session was connected over.
Actual behavior: the download link is ALWAYS generated as an HTTP URL.
If you have disabled HTTP and the HTTP to HTTPS redirect, this means the download URL is invalid (no HTTP server is listening on port 80).
The workaround is to manually edit the URL in the address bar, change the scheme to "https:", and press Enter.
Even though FreeNAS is not listening on port 80, the request with the auth-key download was still sent in the clear. A man in the middle could potentially use this to download the key by modifying the link to https. I was able to paste the https version of the URL into a new incognito Chrome window and download the key. I.e., there is a very, very small window in which an unauthenticated man in the middle can download an encryption key before you can.
Note: if you have enabled both HTTP and HTTPS as protocols (but only use the web UI over HTTPS and don't have the HTTP -> HTTPS redirect), then all your key downloads are sent in the clear via HTTP even if you only ever use the web UI with HTTPS. That makes man-in-the-middle grabbing easier.
So the impact ranges from a bug (unable to download the recovery key) to keys being downloaded in the clear, depending on the HTTP/HTTPS configuration.
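The defect described above, as an added example that is not FreeNAS code: a download-link builder that hard-codes "http://" beside one that inherits the scheme of the page being served, plus a checker that flags any plain-HTTP link a HTTPS page would hand out. The download path and host names are constructed placeholders, not FreeNAS's real paths.

```python
"""Added example (not FreeNAS's own code): why a hard-coded "http://" in a
generated download link breaks an HTTPS-only UI and leaks the request in
the clear, and how a defender can check rendered pages for such links."""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical path; the real FreeNAS download path is not given in the report.
KEY_PATH = "/storage/pool/download_encryption_key/"


def build_download_url_buggy(host: str, path: str = KEY_PATH) -> str:
    """Mirrors the reported behaviour: the scheme is always http,
    whatever protocol the web UI session actually used."""
    return f"http://{host}{path}"


def build_download_url_fixed(page_url: str, path: str = KEY_PATH) -> str:
    """Reuse the scheme and host of the page the user is on, so an HTTPS
    session never produces a plain-HTTP link (and an HTTPS-only host never
    produces a link that nothing on port 80 can answer)."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def downgraded_links(page_url: str, hrefs: list[str]) -> list[str]:
    """Return the hrefs that would take a browser from an https page to a
    plain-http URL. Relative links inherit the page scheme and are fine;
    the check only applies when the page itself was served over https."""
    if urlsplit(page_url).scheme != "https":
        return []
    return [href for href in hrefs if urlsplit(href).scheme == "http"]


if __name__ == "__main__":
    # Constructed sample: an HTTPS-only UI page and the links it rendered.
    page = "https://nas.example.org/ui/storage/pools"
    links = [
        build_download_url_buggy("nas.example.org"),
        "/ui/logout",
        build_download_url_fixed(page),
    ]
    for bad in downgraded_links(page, links):
        print("plain-HTTP link on HTTPS page:", bad)
```

Running the checker over a saved copy of the rendered page's hrefs is enough to catch this class of mixed-scheme link before a key download is ever requested.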