geli setkey geli delkey

Hello. I'm a FreeBSD beginner. In short, I tried to find out how to change the passphrase for geli encryption. I do not have a deep technical understanding of how geli works. I have used LUKS1 and LUKS2 on Linux for adding and removing keys, which is where my technical expertise ends.

I didn't find a way to change a geli passphrase, but I saw there was an option to add a key and delete a key. Therefore I wrote

geli setkey /dev/nda0p5

I was prompted for a new passphrase.

When I tried to use

geli delkey -n 0 /dev/nda0p5,

it warns me that deleting the key will get rid of the last master key copy I have, which I do not understand assuming I added one with setkey.

Can you say how to get rid of the old key, such that I only will have the new key?
 
Can you say how to get rid of the old key, such that I only will have the new key?
Depending on how the provider's user key is modified later on, the old key does not necessarily need to be deleted.

When the provider is initialized for the first time, the user key (passphrase, key file) is stored in the first slot (0) of two slots (0 and 1) in the provider's metadata.

Later user key modifications allow the user key to be stored in slot 1 when explicitly instructed (with the -n option). If not instructed, slot 0 is used.

The old key is overwritten by the new key. When slot 0 has a user key stored and a new passphrase/keyfile is set without specifying a slot, no further action is necessary. Only if slot 1 holds a user key which you no longer want to use must it be deleted.

This is explained in the geli(8) description of the "setkey" subcommand:
Code:
     setkey     Install a copy of the Master Key into the selected slot,
                encrypted with a new User Key.  If the selected slot is
                populated, replace the existing copy.  A provider has one
                Master Key, which can be stored in one or both slots, each
                encrypted with an independent User Key.  With the init
                subcommand, only key number 0 is initialized.  The User Key
                can be changed at any time: for an attached provider, for a
                detached provider, or on the backup file.  When a provider is
                attached, the user does not have to provide an existing
                passphrase/keyfile.
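The following is an added example, not code from the thread or from the FreeBSD project, showing the rotation the answer above describes done in a way that never leaves the provider with a single Master Key copy until the new one has been proven to work: install the new passphrase into the unused slot 1, attach once using only that slot, and only then destroy slot 0. Without -n, setkey rewrites the slot in use (slot 0 after init), which is why the original poster's delkey -n 0 was refused: it would have destroyed the only remaining copy (geli delkey only does that with -f). The provider path, passphrase files and backup location are placeholders; the script assumes FreeBSD with geli(8) and root privileges, and GELI_RUN=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): rotate a geli
# passphrase through the second key slot and verify it before removing the old one.
# Assumes FreeBSD with geli(8), run as root. Provider and file names are placeholders.

set -eu

# Command prefix. Leave empty to execute; set GELI_RUN=echo for a dry run that
# prints the geli command lines in order.
: "${GELI_RUN:=}"

# Usage: geli_rotate_passphrase PROVIDER OLDPASSFILE NEWPASSFILE
# For a provider that is currently detached. Steps:
#  1. back up the metadata so a mistake is recoverable with geli restore
#  2. setkey -n 1: store a Master Key copy encrypted with the new passphrase in
#     slot 1; slot 0 (the old passphrase) is left untouched
#  3. attach with -n 1 and the new passphrase only, then detach: proves slot 1 works
#  4. delkey -n 0: wipe the old copy; no -f is needed because slot 1 still holds one
# If slot 1 already held a copy, setkey -n 1 replaces it (see the man page quoted above).
geli_rotate_passphrase() {
    prov=$1; oldpass=$2; newpass=$3
    backup="/var/backups/${prov##*/}.eli"           # placeholder backup location

    $GELI_RUN geli backup "$prov" "$backup"
    # -j: current passphrase file (required, the provider is detached so the
    #     kernel does not hold the Master Key); -J: new passphrase file
    $GELI_RUN geli setkey -n 1 -j "$oldpass" -J "$newpass" "$prov"
    # verification: attach using slot 1 and the new passphrase, nothing else
    $GELI_RUN geli attach -n 1 -j "$newpass" "$prov"
    $GELI_RUN geli detach "$prov"
    # slot 0 is now redundant; remove the old passphrase's copy
    $GELI_RUN geli delkey -n 0 "$prov"
}

# Usage: geli_setkey_attached PROVIDER NEWPASSFILE
# The original poster's situation: the provider is attached (e.g. a root
# partition). No -j is needed because the kernel already holds the Master Key.
# The new slot cannot be test-attached while the provider is in use, so keep
# the backup and the old slot 0 until the next boot has succeeded with the new
# passphrase, then run: geli delkey -n 0 PROVIDER
geli_setkey_attached() {
    prov=$1; newpass=$2
    backup="/var/backups/${prov##*/}.eli"           # placeholder backup location

    $GELI_RUN geli backup "$prov" "$backup"
    $GELI_RUN geli setkey -n 1 -J "$newpass" "$prov"
}

# Example invocation (dry run):
#   GELI_RUN=echo ./rotate.sh && geli_rotate_passphrase /dev/nda0p5 /root/old.pass /root/new.pass
```

The passphrase files should be root-only (mode 0600) and removed afterwards, and with a detached root provider the rotation is easiest from a live system or single-user mode. After the rotation, geli attach /dev/nda0p5 without -n will find only slot 1 populated and use it, so the old passphrase is gone for good; restore from the backup file with geli restore if that was not intended.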
 