ZFS Procedure for changing passphrase for encrypted ZFS

What is the correct procedure for changing the passphrase for an encrypted ZFS file system on FreeBSD 10? The default installer configures the encryption and sets the passphrase to use.
 
As far as I know, there is no native support for ZFS encryption outside the closed-source Solaris implementation, now owned by Oracle. FreeBSD uses the method of encrypting the underlying partition/device, and you are probably looking for the geli(8) setkey command.
 
I do agree that the geli setkey command could be used for the procedure. This command can be expected to change the encryption key and re-encrypt the file system with the changed key. However, this is a critical task. You only have one shot to do it right - or you are facing a restore. There are examples of geli setkey usage on specific geli-encrypted file systems, such as a non-operating file system on an external disk. I am not sure that the same examples would apply to ZFS operating file systems.
 
Yes, only Solaris' zpool has native encryption support (since zpool version 30).

I've never changed the passphrase on my crypto pools, but I did a test and it worked for me. I created a crypto pool (the file /tmp/test/bolt01 was used as the geli provider):

# cd /tmp/test
# dd if=/dev/random of=bolt01.key bs=64 count=1
# dd if=/dev/zero of=bolt01 bs=1024k count=512
# mdconfig -a -t vnode -f /tmp/test/bolt01
# geli init -s 4096 -K /tmp/test/bolt01.key /dev/md0
# geli attach -k /tmp/test/bolt01.key /dev/md0
# zpool create testpool /dev/md0.eli
# zfs create testpool/a
# cd /testpool/a/
# for i in `seq 1 12`; do echo "hi $i" > file$i; done


The pool has some data in it:
# ls -la
total 63
drwxr-xr-x  2 root  wheel  14 Feb 22 12:02 .
drwxr-xr-x  3 root  wheel  3 Feb 22 12:02 ..
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file1
-rw-r--r--  1 root  wheel  6 Feb 22 12:02 file10
-rw-r--r--  1 root  wheel  6 Feb 22 12:02 file11
-rw-r--r--  1 root  wheel  6 Feb 22 12:02 file12
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file2
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file3
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file4
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file5
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file6
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file7
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file8
-rw-r--r--  1 root  wheel  5 Feb 22 12:02 file9
#
# cat file2
hi 2
#
Now I'll detach the provider and change the passphrase.

# zpool export testpool
# geli detach md0


Changing the passphrase and importing the pool back afterwards:

# geli setkey -k /tmp/test/bolt01.key -K /tmp/test/bolt01.key /dev/md0
Enter passphrase:
Enter new passphrase:
Reenter new passphrase:
Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file.
# geli backup /dev/md0 newmd0.eli
# geli attach -k /tmp/test/bolt01.key /dev/md0
Enter passphrase:  <NEW PASSPHRASE>
#
# zpool import testpool
# zfs list -r testpool
NAME  USED  AVAIL  REFER  MOUNTPOINT
testpool  464K  472M  96K  /testpool
testpool/a  152K  472M  152K  /testpool/a
#
# cat /testpool/a/file8
hi 8
#
I did a metadata backup to a file other than the default (/var/backups), so if something goes wrong I can still restore the metadata and attach the provider with the old passphrase.
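The export/detach/setkey/attach/import sequence from the post above, as an added runbook script that is not from the thread's author: it assumes the same names (pool testpool, provider md0, keyfile /tmp/test/bolt01.key) plus a constructed backup path /root/md0.eli.bak, takes the geli metadata backup before setkey so the backup still carries the master key wrapped with the old passphrase, and prints instead of executing when DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not from the thread. Rekey runbook for a geli-backed ZFS pool.
# Assumed names (constructed, matching the post): pool testpool, provider md0,
# keyfile /tmp/test/bolt01.key, backup file /root/md0.eli.bak.
# DRY_RUN=1 prints each command instead of running it.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rekey_pool POOL PROVIDER KEYFILE BACKUP
# Order matters: the metadata backup is taken before setkey, so it still holds
# the master key wrapped with the old passphrase and can be restored if the
# new passphrase turns out to be mistyped or lost.
rekey_pool() {
    pool=$1; prov=$2; key=$3; backup=$4
    if [ "${DRY_RUN:-0}" != "1" ] && [ ! -r "$key" ]; then
        echo "keyfile $key not readable" >&2
        return 1
    fi
    run zpool export "$pool"                 # flush and close the pool first
    run geli detach "$prov"                  # detach as in the post; setkey then asks for the old passphrase
    run geli backup "/dev/$prov" "$backup"   # old-key metadata: this is the rollback path
    run geli setkey -k "$key" -K "$key" "/dev/$prov"   # prompts for old and new passphrase
    run geli attach -k "$key" "/dev/$prov"   # prompts for the NEW passphrase
    run zpool import "$pool"
    run zpool status "$pool"                 # confirm the pool comes back ONLINE
}

# rollback_pool PROVIDER BACKUP
# Put the pre-setkey metadata back so the old passphrase opens the provider
# again (run with the provider detached).
rollback_pool() {
    prov=$1; backup=$2
    run geli restore "$backup" "/dev/$prov"
}
```

Run it once with DRY_RUN=1 to review the exact command order, then without it; the backup file should be kept somewhere outside the pool it protects.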
 