How to change passphrase for encrypted ZFS disk?

ikevin8me


How to change passphrase for encrypted ZFS disk for FreeBSD 13?

I saw this post, but "/boot/encryption.key" is not found. Do I change the passphrase by booting into the disk, or booting into the install-disk? And, if I boot into the install-disk, how do I mount the specific partition to change the passphrase?
 

T-Daemon


How to change passphrase for encrypted ZFS disk for FreeBSD 13?

I saw this post, but "/boot/encryption.key" is not found.
An encrypted root-on-ZFS installed by bsdinstall(8) from an installer image/CD/DVD installation dialog doesn't create a key file. Also, the guided FreeBSD installer root-on-ZFS dialog doesn't offer a key file option.

Looking at the installer zfsboot script, the /boot/encryption.key file is used under certain circumstances. I haven't investigated what circumstances these are.

Do I change the passphrase by booting into the disk ...
That would be the preferred method. The passphrase can be changed after booting the system by executing, assuming ada0p3 as the freebsd-zfs root partition (check with gpart show -p):

geli setkey -n 0 ada0p3

... or booting into the install-disk?
That method is also possible but unnecessarily laborious:
  1. Boot installer image
  2. gpart show -p ada0, check freebsd-zfs root partition
  3. geli attach ada0p3, enter old passphrase
  4. geli setkey -n 0 ada0p3, enter new passphrase
  5. Power down system
  6. Remove installer image
  7. Boot encrypted system, enter new passphrase
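The two paths above (re-key on the booted system, or attach first from the installer and then re-key) as a shell script. This is an added example, not code from T-Daemon's post or from FreeBSD; the helper names run, zfs_root_part, backup_path, rekey_root, the DRY_RUN variable and the SAMPLE_GPART output are all my own, and the sample gpart output is constructed rather than taken from a real system. It only assumes what the thread states: the root partition is the freebsd-zfs entry in gpart show -p, geli attach takes the old passphrase, geli setkey -n 0 sets the new one in key slot 0, and geli init writes its metadata backup to /var/backups/<prov>.eli unless -B was given (see geli(8)).

```sh
#!/bin/sh
# Added example (not from the forum thread): re-key a GELI-encrypted
# root-on-ZFS partition on FreeBSD following the steps in the post above.
# Assumptions: the provider name comes from `gpart show -p` output, geli
# prompts for passphrases on the terminal, and DRY_RUN=1 only prints the
# commands instead of running them.

# Print a command, then run it unless DRY_RUN is set.
run() {
    echo "+ $*"
    [ -n "$DRY_RUN" ] || "$@"
}

# From `gpart show -p` output on stdin, print the name (e.g. ada0p3) of the
# first freebsd-zfs partition. Partition lines are
#   start size name type (human-readable size)
# and "- free -" gaps carry no partition name.
zfs_root_part() {
    awk '$4 == "freebsd-zfs" { print $3; exit }'
}

# Default metadata backup written by `geli init` unless -B was given
# (geli(8)). It still holds the master key wrapped with the OLD
# passphrase, which is what the setkey warning in the thread refers to.
backup_path() {
    echo "/var/backups/$1.eli"
}

# Change the passphrase in key slot 0 of provider $1 (e.g. ada0p3).
# Booted from the installer the provider is not attached yet, so attach it
# first (old passphrase); on the running system it is already attached.
rekey_root() {
    prov="$1"
    if [ -z "$prov" ]; then
        echo "no freebsd-zfs partition found" >&2
        return 1
    fi
    if [ ! -e "/dev/$prov.eli" ]; then
        run geli attach "$prov"        # prompts for the old passphrase
    fi
    run geli setkey -n 0 "$prov"       # prompts twice for the new one
    bak=$(backup_path "$prov")
    if [ -e "$bak" ]; then
        echo "stale metadata backup $bak still accepts the old passphrase;" \
             "refresh it with: geli backup $prov $bak" >&2
        return 2
    fi
    return 0
}

# Constructed sample of `gpart show -p ada0` output (not from a real system).
SAMPLE_GPART='=>       40  488397088    ada0  GPT  (233G)
         40       1024  ada0p1  freebsd-boot  (512K)
       1064        984          - free -  (492K)
       2048    4194304  ada0p2  freebsd-swap  (2.0G)
    4196352  484200448  ada0p3  freebsd-zfs  (231G)
  488396800        328          - free -  (164K)'

# Usage: sh rekey.sh demo   (dry run against the sample above)
#        DRY_RUN= ; prov=$(gpart show -p ada0 | zfs_root_part); rekey_root "$prov"
if [ "${1:-}" = "demo" ]; then
    prov=$(printf '%s\n' "$SAMPLE_GPART" | zfs_root_part)
    DRY_RUN=1 rekey_root "$prov"
fi
```

Run it with DRY_RUN unset on the real system only after confirming the partition name it picked; the return code 2 path is the check a practitioner wants after the "metadata backup file" warning, since a stale backup restored with geli restore would bring the old passphrase back.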
 

ikevin8me


I did the above, and there is a message:
"Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file"
Does anyone know where the "metadata backup file" could be (i.e. the location)? Thanks!
 

T-Daemon


Unless specified with the init -B backupfile option, or with the backup <provider> <backupfile> command, the default location is in /var/backups/; details are in the geli(8) manual.

But in case of an "Auto (ZFS) Guided Root-on-ZFS" installation, there is no metadata backup file.
 