Solved: System-wide GELI encryption password change

I've set up remote VPS systems with GELI disk encryption, including swap encryption, during FreeBSD 12.2 installation.

I've locked down SSH quite securely too, so I presume that when remoting in, security is reasonably assured.

I want to address the possibility that, within the VPS terminal's web interface, having entered the GELI passphrase there, the passphrase could be intercepted.

I rarely intend to restart the server (and re-enter the GELI passphrase through the web interface). When I do need to, however, I'd like to be able to SSH in afterwards and change the passphrase, so that if anything was intercepted, it's effectively outdated.

How does one change the GELI passphrase for system-wide encryption?
 
With some pointers from the geli man page, and this post, I was able to change the GELI boot-time passphrase on the root partition.

I placed the old and new passphrase in files, to avoid issues with special characters.

geli setkey -v -j ~/old.passphrase -J ~/new.passphrase /dev/vtbd0p3

/dev/vtbd0p3 would need to be modified to your own device.
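Wrapping that setkey step in the checks an administrator would want before rotating a passphrase, as an added example that is not code from the thread; it assumes FreeBSD's geli(8), and the device and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum post: guard the geli setkey step with
# sanity checks before rotating a GELI passphrase read from files.
# Assumes FreeBSD with geli(8); device and file paths are placeholders.
set -e

# check_passphrase_file FILE
# Refuse a passphrase file that is missing or empty, or that group/other can
# read: a readable file defeats the purpose of rotating the passphrase.
check_passphrase_file() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "passphrase file $f is missing or empty" >&2
        return 1
    fi
    # Portable mode check: columns 5-10 of ls -l are the group/other bits.
    perm=$(ls -ld "$f" | cut -c1-10)
    case "$perm" in
        ????------) return 0 ;;
        *)  echo "passphrase file $f is $perm; expected owner-only (chmod 600)" >&2
            return 1 ;;
    esac
}

# rotate_geli_passphrase DEVICE OLD_FILE NEW_FILE
# Re-wraps the provider's master key under the new passphrase (the master key
# itself is unchanged), then destroys the old passphrase file. Explicit
# "|| return 1" is used so the checks hold even when set -e is suspended.
rotate_geli_passphrase() {
    dev=$1; old=$2; new=$3
    check_passphrase_file "$old" || return 1
    check_passphrase_file "$new" || return 1
    if [ ! -c "$dev" ]; then
        echo "$dev is not a character device" >&2
        return 1
    fi
    # -j/-J read the old and new passphrases from files, so special characters
    # and shell quoting are never an issue; -v reports what geli changed.
    geli setkey -v -j "$old" -J "$new" "$dev" || return 1
    # The old passphrase no longer opens this device (an old metadata backup
    # would still accept it, so refresh backups too). Remove its file;
    # rm -P overwrites before unlinking on FreeBSD, other rm lacks -P.
    rm -P "$old" 2>/dev/null || rm -f "$old"
}

# Usage with placeholder paths:
#   rotate_geli_passphrase /dev/vtbd0p3 ~/old.passphrase ~/new.passphrase
```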