How to change GELI passphrase on FreeBSD 11 Root-On-ZFS system with mirror RAID?
Swap devices are also mirrored and encrypted.
I have /dev/ada0p5.eli /dev/ada1p5.eli and /dev/mirror/swap.eli devices.
Thank You.
In a vanilla FreeBSD 11 install with ZFS on encrypted disks you can change the encryption key for your data disks only while you take down the device of the mirror.
Data disks:
In a vanilla install the encrypted devices are da0p3.eli and da1p3.eli; in your case you will have to repeat the procedure for the devices you have (ada0p5.eli, ada1p5.eli):
Now, wait for the drive to be resilvered again. This should be fast if there were not many writes in between. The content of the drive has not been altered, because the master key is still the same; only its password changed:
Now that everything is up again, you should apply the same procedure to your second drive.
Swap drives
In a vanilla install a fresh random key for your swap drives will be generated on each boot again and forgotten afterwards, so there is no change needed (your passphrase is not used there).
Danger!
Please note: While you have one disk off the mirror, it is vulnerable to data loss if the remaining disk fails. You can avoid that by adding a temporary third disk to the mirror and waiting until it's resilvered before you do the key change, then removing it again once you're done with the whole procedure.
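The answer says to wait for the resilver to finish before touching the second drive. The following is an added example, not part of the original answer: a shell check that reads `zpool status` output and only succeeds when it is safe to move on. The function name `mirror_ready`, the pool name `zroot` and the sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `zpool status` text on stdin; the arguments are the
# GELI providers that must be back in the mirror. Returns 0 only when the pool
# is ONLINE, no resilver is running, and every listed provider is ONLINE.
# Live use (pool name assumed): zpool status zroot | mirror_ready ada0p5.eli ada1p5.eli
mirror_ready() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 == "state:" { pool_state = $2 }
        $1 == "scan:" && /resilver in progress/ { resilvering = 1 }
        ($1 in need) { seen[$1] = $2 }
        END {
            if (pool_state != "ONLINE") { print "pool state: " pool_state; bad = 1 }
            if (resilvering) { print "resilver still in progress"; bad = 1 }
            for (d in need) {
                if (!(d in seen)) { print d ": not listed"; bad = 1 }
                else if (seen[d] != "ONLINE") { print d ": " seen[d]; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample: the first disk is back online but still resilvering.
# Every STATE column already reads ONLINE, so only the scan line gives it away.
sample_resilvering() { cat <<'EOF'
  pool: zroot
 state: ONLINE
  scan: resilver in progress since Mon Jan  1 12:00:00 2018
config:
        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada0p5.eli  ONLINE       0     0     0  (resilvering)
            ada1p5.eli  ONLINE       0     0     0
EOF
}

# Constructed sample: resilver finished, both members healthy.
sample_healthy() { cat <<'EOF'
  pool: zroot
 state: ONLINE
  scan: resilvered 1.21M in 0h0m with 0 errors on Mon Jan  1 12:01:00 2018
config:
        NAME            STATE     READ WRITE CKSUM
        zroot           ONLINE       0     0     0
          mirror-0      ONLINE       0     0     0
            ada0p5.eli  ONLINE       0     0     0
            ada1p5.eli  ONLINE       0     0     0
EOF
}
```

Checking the `scan:` line matters because a re-onlined member reports `ONLINE` while it is still being resilvered; taking the second disk down at that point would leave no complete copy in the mirror.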