3

How to change GELI passphrase on FreeBSD 11 Root-On-ZFS system with mirror RAID?

Swap devices are also mirrored and encrypted.

I have /dev/ada0p5.eli /dev/ada1p5.eli and /dev/mirror/swap.eli devices.

Thank You.

Norbert
  • 31
  • 2

1 Answer

1

In a vanilla FreeBSD 11 install with ZFS on encrypted disks you can change the encryption key for your data disks only while you take down the device of the mirror.

Data disks:

In a vanilla install the encrypted devices are da0p3.eli and da1p3.eli, in your case you will have to repeat the procedure for the devices you have (ada0p5.eli, ada1p5.eli):

$ zpool status
NAME           STATE     READ WRITE CKSUM
tank           ONLINE       0     0     0
  mirror-0     ONLINE       0     0     0
    da0p3.eli  ONLINE       0     0     0
    da1p3.eli  ONLINE       0     0     0

$ zpool offline tank da0p3.eli    # take one drive off the mirror

$ zpool status
NAME                     STATE     READ WRITE CKSUM
tank                     DEGRADED     0     0     0
  mirror-0               DEGRADED     0     0     0
    7324435067442038086  OFFLINE      0     0     0  was /dev/da0p3.eli
    da1p3.eli            ONLINE       0     0     0

$ geli detach da0p3.eli           # detach encryption

$ geli setkey da0p3               # set new encryption pass phrase
Enter passphrase: 
Enter new passphrase: 
Reenter new passphrase: 

$ geli attach da0p3               # reattach with new pass phrase
Enter passphrase: 

$ zpool online tank da0p3.eli     # take the drive online again to the mirror

Now, wait for the drive to be resilvered again. This should be fast if there were not many writes in between; the content of the drive has not been altered, because the master key is still the same, only its password changed:

$ zpool status
NAME           STATE     READ WRITE CKSUM
tank           ONLINE       0     0     0
  mirror-0     ONLINE       0     0     0
    da0p3.eli  ONLINE       0     0     0
    da1p3.eli  ONLINE       0     0     0

Now that everything is up again, you should apply the same procedure to your second drive.

Swap drives

In a vanilla install a fresh random key for your swap drives will be generated on each boot again and forgotten afterwards, so there is no change needed (your pass phrase is not used there).

Danger!

Please note: While you have one disk off the mirror, it is vulnerable to data loss if the remaining disk fails. You can avoid that by adding a temporary third disk to the mirror, waiting until it's resilvered before you do the key change, and removing it again once you're done with the whole procedure.

hoeni
  • 111
  • 4
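The sequence from the answer above, wrapped as a small POSIX sh script that refuses to take a mirror member offline unless `zpool status` shows the pool fully ONLINE with no resilver in progress, and then waits for the resilver before returning so the second drive can be done safely. This is an added example, not code from the original answer; the script name, the `DRY_RUN` variable, the argument convention (pool name, then the raw partition such as `ada0p5`) and the backup file path are assumptions. It goes one step beyond the answer by saving the GELI metadata with `geli backup` before the key change.

```shell
#!/bin/sh
# rekey_mirror_member.sh - added example, not from the original answer.
# Re-keys one GELI provider backing one side of a ZFS mirror, following the
# answer's order: offline -> geli detach -> geli setkey -> geli attach ->
# zpool online -> wait for resilver. Hypothetical wrapper; POOL and PROVIDER
# (e.g. "tank" and "ada0p5") are assumed arguments.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

run() {
    # Execute a command, or just echo it when DRY_RUN is set.
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# pool_is_healthy STATUS_TEXT
# Returns 0 when the given `zpool status` output shows no degraded, offline,
# unavailable or faulted members and no resilver in progress, i.e. the mirror
# is fully redundant and one member may be taken out.
pool_is_healthy() {
    status="$1"
    if printf '%s\n' "$status" | grep -Eq 'DEGRADED|OFFLINE|UNAVAIL|FAULTED'; then
        return 1
    fi
    if printf '%s\n' "$status" | grep -q 'resilver in progress'; then
        return 1
    fi
    return 0
}

# wait_for_resilver POOL
# Polls zpool status until pool_is_healthy succeeds.
wait_for_resilver() {
    pool="$1"
    if [ "$DRY_RUN" = "1" ]; then
        echo "zpool status $pool  # poll until all members ONLINE and resilver done"
        return 0
    fi
    while ! pool_is_healthy "$(zpool status "$pool")"; do
        sleep 10
    done
}

# rekey_member POOL PROVIDER
# PROVIDER is the raw partition (ada0p5); the ZFS vdev is PROVIDER.eli.
rekey_member() {
    pool="$1"
    prov="$2"
    # Refuse to start unless the mirror is fully redundant right now.
    if [ "$DRY_RUN" != "1" ] && ! pool_is_healthy "$(zpool status "$pool")"; then
        echo "refusing: $pool is not fully ONLINE" >&2
        return 1
    fi
    run zpool offline "$pool" "$prov.eli"
    # Assumed backup location; keep a copy of the GELI metadata before rekeying.
    run geli backup "$prov" "/root/$prov.eli.backup"
    run geli detach "$prov.eli"
    run geli setkey "$prov"            # prompts for old and new passphrase
    run geli attach "$prov"            # prompts for the new passphrase
    run zpool online "$pool" "$prov.eli"
    wait_for_resilver "$pool"
}

# Usage: DRY_RUN=1 ./rekey_mirror_member.sh tank ada0p5
# Run once per mirror member; the health check blocks the second run until
# the first member has finished resilvering.
if [ $# -eq 2 ]; then
    rekey_member "$1" "$2"
fi
```

Run it once per encrypted mirror member (`ada0p5`, then `ada1p5` for the devices in the question), with `DRY_RUN=1` first to review the command sequence. The swap mirror is left alone, in line with the answer: its onetime key is regenerated at boot and never derives from the passphrase.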