ZFS and GELI, Change Password problem

Hi,

I encrypted my /opt partition with ZFS and GELI. Everything is okay, but when I try to change the password I can't get a successful result. In addition, I cannot find any article about this. How can I change the password after encrypting the disk?

I tried this command:
Code:
# geli attach -k /dev/da1
# zfs mount -a

The disk got attached and everything is OK. Then I tried to change the password:
Code:
# geli detach -f /dev/da1
# geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
# reboot
No error, but when I try to decrypt after a reboot, the password is valid :(

The password cannot be changed. Show me the way or an article about changing the password and passphrase on GELI.

Edit:

I tried this code:
Code:
# zfs unmount -a
# geli detach -f /dev/ad1
# geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
# geli init -b -K /root/keys/boot.key -s 4096 -l 256 /dev/ad1
# reboot

After starting up FreeBSD 8.3:
Code:
# geli attach -k /root/keys/boot.key /dev/ad1
# zfs mount -a

The new password is valid, but the disk is UNAVAIL :(
Code:
zpool status
  pool: tank
 state: UNAVAIL
status: One or more devices could not be opened.  There are insufficient
	replicas for the pool to continue functioning.
action: Attach the missing device and online it using 'zpool online'.
   see: http://illumos.org/msg/ZFS-8000-3C
  scan: none requested
config:

	NAME                    STATE     READ WRITE CKSUM
	tank                    UNAVAIL      0     0     0
	  17471190731841604180  UNAVAIL      0     0     0  was /dev/ad1.eli
 
ShyRain said:
Code:
# geli attach -k  geli attach -k /dev/da1
That's a really strange command. I'd be surprised if this is correct. Judging from the code below, perhaps you meant geli attach -k /root/keys/boot.key /dev/ad1.

ShyRain said:
Code:
# geli detach -f /dev/da1
# geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
# reboot
There's no need to detach a provider before changing passwords, nor is there a need to reboot. Also, you do know you're changing password 1 while geli init sets password 0, right? I suspect you may have been adding a second password rather than changing the first one.

ShyRain said:
Code:
# geli init -b -K /root/keys/boot.key -s 4096 -l 256 /dev/ad1
[snip]
The new password is valid, but the disk is UNAVAIL :(
I'm not an expert on ZFS, but I suspect that your geli init command erased whatever ZFS setup you had on there. geli init is destructive. I hope that either you have backups or there wasn't anything important in there yet.
 
@fonz, you are right. I searched and decided to encrypt without a key file.

I can't succeed and I can't find any example, so I will try to encrypt with only a passphrase and without a key file, and then I will try to change the key.

I will write the result here.
 
Solution

I solved my problem by not using a key file. While encrypting I used this code:
Code:
geli init -s 4096 /dev/ad1
geli attach /dev/ad1
zpool create tank /dev/ad1.eli

Then I tried to change the password with setkey: geli setkey -n 1 /dev/ad1. These commands work for me for ZFS + GELI.
 
ShyRain said:
Code:
geli init -s 4096 /dev/ad1
[snip]
geli setkey -n 1 /dev/ad1.
Do keep in mind that you now have two passwords: the one you typed for geli init is password #0 and the one you typed for geli setkey -n 1 is the additional password #1. If that's what you want, it's ok. But I just thought I'd mention it.
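The slot point fonz raises twice in this thread (geli init writes key copy #0, setkey -n 1 adds a separate copy #1) is easy to get wrong, so here is an added example, not posted by anyone in the thread, of the sequence that rotates the passphrase in slot 0 in place, removes a stray slot 1, and checks the slot count from `geli list`. It assumes the provider path is given as an argument, that a metadata backup is written under /root (a hypothetical path), and it defaults to DRY_RUN=1, which only prints the geli commands so the script can be read and checked on a machine without GELI. The `geli list` output at the bottom is constructed for the example, not captured from the poster's disk.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the passphrase held in GELI key
# slot 0 rather than adding a second passphrase, then verify the slot count.
# Assumptions: DRY_RUN=1 (the default) prints commands instead of running them;
# the backup path under /root is a placeholder; the `geli list` sample is constructed.

DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or print it when DRY_RUN is set
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rotate_passphrase PROV: change the passphrase protecting key copy #0 (the copy
# written by `geli init`) in place. Slot 1 is left alone, so no extra passphrase appears.
rotate_passphrase() {
    prov="$1"
    # back up the on-disk metadata first: it holds the only encrypted copies of the master key
    run geli backup "$prov" "/root/geli-$(basename "$prov").meta"
    # -n 0 replaces the copy that `geli init` created instead of adding copy #1
    run geli setkey -n 0 "$prov"
}

# drop_extra_key PROV: remove slot 1 if an earlier `geli setkey -n 1` added a second passphrase
drop_extra_key() {
    run geli delkey -n 1 "$1"
}

# keys_allocated: read `geli list` output on stdin and print the KeysAllocated value,
# so a script can confirm how many passphrases currently unlock the provider
keys_allocated() {
    awk '/^ *KeysAllocated:/ { print $2 }'
}

# Constructed sample of `geli list` output for a provider with both slots in use
SAMPLE_LIST='Geom name: ad1.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 256
Crypto: software
UsedKey: 0
Flags: NONE
KeysAllocated: 2
KeysTotal: 2
Providers:
1. Name: ad1.eli
Consumers:
1. Name: ad1'

if [ "$DRY_RUN" = 1 ]; then
    echo "# commands that would run for /dev/ad1:"
    rotate_passphrase /dev/ad1
    drop_extra_key /dev/ad1
    echo "# slots in use according to the sample listing: $(printf '%s\n' "$SAMPLE_LIST" | keys_allocated)"
fi
```

With DRY_RUN unset to 0 on a FreeBSD host, `geli setkey -n 0` prompts for the new passphrase interactively; afterwards `geli list /dev/ad1.eli | keys_allocated` should print 1 if only slot 0 is meant to be in use, and 2 means a second passphrase still unlocks the disk.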
 