Remove GELI encryption on mirrored ZFS boot drives

Bucky


I have a server I wish to be unattended (prolonged power failure -> auto reboot) perhaps even remote. When I built the server, I foolishly decided to use GELI encryption on the mirrored boot drives. Full Stop! That means it hangs at the encryption passphrase begging line...forever if it is unattended and the power fails beyond the UPS life.

So how to remove the GELI layer encryption on a working server? The March/April 2020 edition of the FreeBSD Journal, page 19 pointed the way.

The following does it easily on my GELI-encrypted, ZFS-mirrored SSD drives (RAID1). Tested on two different machines (FBSD v11.3), works perfectly. Enjoy.

root@Xeon_Left ~ # zpool status
        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada0p3.eli  ONLINE       0     0     0
            ada1p3.eli  ONLINE       0     0     0

root@Xeon_Left ~ # zpool offline zroot ada0p3.eli

root@Xeon_Left ~ # zpool status
        NAME                     STATE     READ WRITE CKSUM
        zroot                    DEGRADED     0     0     0
          mirror-0               DEGRADED     0     0     0
            9766920236825613726  OFFLINE      0     0     0  was /dev/ada0p3.eli
            ada1p3.eli           ONLINE       0     0     0

root@Xeon_Left ~ # geli kill /dev/ada0p3.eli

root@Xeon_Left ~ # zpool replace zroot 9766920236825613726 /dev/ada0p3
*READ THE OUTPUT*

root@Xeon_Left ~ # gpart show

=>       40  500118112  ada0  GPT  (238G)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048    2097152     2  freebsd-swap  (1.0G)
    2099200  498018304     3  freebsd-zfs  (237G)
  500117504        648        - free -  (324K)

=>       40  500118112  ada1  GPT  (238G)
         40       1024     1  freebsd-boot  (512K)
       1064        984        - free -  (492K)
       2048    2097152     2  freebsd-swap  (1.0G)
    2099200  498018304     3  freebsd-zfs  (237G)
  500117504        648        - free -  (324K)

just in case...

gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0
gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada1

reboot (the GELI password nagging should be gone)
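
A check for the point marked *READ THE OUTPUT* above, as an added example that is not part of the original post: it reads `zpool status` text and reports whether a resilver is still running, whether a mirror member is still on a `.eli` provider (ada1p3.eli in the listings above), or whether the pool is entirely on plain partitions. The function names and the sample status text are constructed for illustration, and the `state:` and `scan:` line formats are assumed to match what `zpool status` prints on the system.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print pool members still backed by a GELI provider (device name ends in .eli).
# An offlined member shows up under its numeric GUID, so it is not listed here.
eli_members() {
    awk '$1 ~ /\.eli$/ && $2 ~ /^(ONLINE|OFFLINE|DEGRADED|FAULTED|UNAVAIL|REMOVED)$/ { print $1 }'
}

# Exit 0 only when the pool state is ONLINE and no resilver is in progress.
pool_settled() {
    awk '
        $1 == "state:" { state = $2 }
        $1 == "scan:" && /resilver in progress/ { busy = 1 }
        END { exit !(state == "ONLINE" && !busy) }
    '
}

# Decide the next step from the status text passed as $1:
#   wait   - pool degraded or resilvering: do not offline another disk or reboot
#   repeat - pool healthy, but a member is still on a .eli provider
#   done   - pool healthy and no member is on a .eli provider
next_step() {
    status_text=$1
    if ! printf '%s\n' "$status_text" | pool_settled; then
        echo wait
    elif [ -n "$(printf '%s\n' "$status_text" | eli_members)" ]; then
        echo repeat
    else
        echo done
    fi
}

# Constructed sample: pool shortly after `zpool replace`, resilver still running.
SAMPLE_RESILVERING='  pool: zroot
 state: DEGRADED
  scan: resilver in progress since Mon Jan  1 00:00:00 2024
config:
        NAME                       STATE     READ WRITE CKSUM
        zroot                      DEGRADED     0     0     0
          mirror-0                 DEGRADED     0     0     0
            replacing-0            OFFLINE      0     0     0
              9766920236825613726  OFFLINE      0     0     0  was /dev/ada0p3.eli
              ada0p3               ONLINE       0     0     0
            ada1p3.eli             ONLINE       0     0     0'

# On a live system: next_step "$(zpool status zroot)"
next_step "$SAMPLE_RESILVERING"   # prints: wait
```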
 