Change geli password for encrypted ZFS root partition

Here's how to change the geli password for an encrypted ZFS root partition.

Find the root partition

Bash:
ls /dev/ | grep eli

Because I have an encrypted root and swap partition, this returns 2 partitions:
ada0p4.eli and ada0p5.eli

So we need to check /etc/fstab to see which partition is the swap and which is the root partition.

Bash:
less /etc/fstab

This shows the swap partition is /dev/ada0p4 in the fstab,
so we know the root partition is /dev/ada0p5.

Find the size of the existing /boot/encryption.key

Bash:
ls -l /boot/encryption.key

The size is 4096.

Create the new key file


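Create the new key file with dd at the same size as the existing key, which is 4096.

Bash:
# read from /dev/random, not /dev/zero: an all-zero key file is predictable and adds nothing to the password
sudo dd if=/dev/random of=/boot/crypt.key bs=4096 count=1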

Set the new password on the new key file for the root partition.
We need to pass in the existing key file, which is /boot/encryption.key,
the new key file, which is /boot/crypt.key,
and the root partition, which is /dev/ada0p5.

Bash:
sudo geli setkey -v -k /boot/encryption.key -K /boot/crypt.key /dev/ada0p5

You will be prompted for the new password and then to confirm the new password. You won't be prompted to enter the old password.

Edit /boot/loader.conf

Now we need to edit the /boot/loader.conf file and
change the path to the key file.

Bash:
sudo vim /boot/loader.conf

Change the path to the key file from the default /boot/encryption.key,
as shown below

Bash:
geli_ada0p5_keyfile0_name="/boot/encryption.key"

Change the path to the new key file /boot/crypt.key

Bash:
geli_ada0p5_keyfile0_name="/boot/crypt.key"

Save the file, then reboot and use your new password
to unlock the encrypted root partition.
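
A pre-reboot check for the procedure above, as an added example that is not part of the original post: it confirms the new key file has the expected size, is not all zero bytes, is accessible only to its owner, and is the file /boot/loader.conf names for the provider. The function name check_geli_keyfile and the script name check.sh are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. check_geli_keyfile is a
# hypothetical helper name. Run it as root before rebooting, e.g.:
#   sh check.sh /boot/crypt.key /boot/loader.conf ada0p5 4096

check_geli_keyfile() {
    key=$1; conf=$2; prov=$3; want=$4
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist"
        return 1
    fi

    # Same size as the key file it replaces.
    size=$(wc -c < "$key" | tr -d ' ')
    if [ "$size" -ne "$want" ]; then
        echo "FAIL: $key is $size bytes, expected $want"
        rc=1
    fi

    # Count bytes that are not NUL; zero means the file is all zeros.
    nonzero=$(LC_ALL=C tr -d '\000' < "$key" | wc -c | tr -d ' ')
    if [ "$nonzero" -eq 0 ]; then
        echo "FAIL: $key contains only zero bytes"
        rc=1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other (chmod 600)"
        rc=1
    fi

    # An uncommented loader.conf line must name this key for the provider.
    if ! grep -v '^[[:space:]]*#' "$conf" |
         grep -Fq "geli_${prov}_keyfile0_name=\"${key}\""; then
        echo "FAIL: $conf does not set geli_${prov}_keyfile0_name to $key"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $key and $conf agree"
    return "$rc"
}

# Only runs when called with the four arguments shown above.
if [ "$#" -eq 4 ]; then check_geli_keyfile "$@"; fi
```

If any line starts with FAIL, fix it before rebooting, while the root partition is still unlocked.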
 