# How to change passphrase for encrypted ZFS disk?



## ikevin8me (Jul 9, 2021)

How to change passphrase for encrypted ZFS disk for FreeBSD 13?

I saw this post, but "/boot/encryption.key" is not found. Do I change the passphrase by booting into the disk, or booting into the install-disk? And, if I boot into the install-disk, how do I mount the specific partition to change the passphrase?


----------



## T-Daemon (Jul 9, 2021)

ikevin8me said:


> How to change passphrase for encrypted ZFS disk for FreeBSD 13?
> 
> I saw this post, but "/boot/encryption.key" is not found.


An encrypted root-on-ZFS installed by bsdinstall(8) from an installer image/CD/DVD installation dialog doesn't create a key file. Also the guided FreeBSD installer root-on-ZFS dialog doesn't offer a key file option.

Looking at the installer zfsboot script, the /boot/encryption.key file is used under certain circumstances. I haven't investigated what circumstances these are.



ikevin8me said:


> Do I change the passphrase by booting into the disk ...


That would be the preferred method. The passphrase can be changed after booting the system by executing, assuming ada0p3 as the `freebsd-zfs` root partition (check with `gpart show -p`):

`geli setkey -n 0 ada0p3`



ikevin8me said:


> ... or booting into the install-disk?


That method is also possible but unnecessarily laborious:

1. Boot installer image
2. `gpart show -p ada0`, check `freebsd-zfs` root partition
3. `geli attach ada0p3`, enter old passphrase
4. `geli setkey -n 0 ada0p3`, enter new passphrase
5. Power down system
6. Remove installer image
7. Boot encrypted system, enter new passphrase
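
The two procedures above (on the booted system, or from the installer image) as an added example that is not part of any post in this thread: a small sh script that finds the `freebsd-zfs` provider in `gpart show -p` output and prints the `geli` commands for the chosen situation instead of running them. The `gpart` output is a constructed sample of a guided ZFS install with GELI; the key slot `-n 0` is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of
# `gpart show -p ada0` for a FreeBSD 13 guided root-on-ZFS install (assumption).
SAMPLE_GPART='=>       40  976773088    ada0  GPT  (466G)
         40       1024  ada0p1  freebsd-boot  (512K)
       1064        984          - free -  (492K)
       2048    4194304  ada0p2  freebsd-swap  (2.0G)
    4196352  972576768  ada0p3  freebsd-zfs  (464G)
  976773120          8          - free -  (4.0K)'

# find_zfs_partition: read `gpart show -p` text on stdin and print the
# provider name (field 3) of the line whose type (field 4) is freebsd-zfs.
# Exits non-zero if no such partition, or more than one, is listed, so the
# caller never guesses which provider to re-key.
find_zfs_partition() {
    awk '$4 == "freebsd-zfs" { print $3 }' | {
        read -r first || { echo "no freebsd-zfs partition found" >&2; exit 1; }
        if read -r second; then
            echo "several freebsd-zfs partitions, pick one manually" >&2
            exit 1
        fi
        echo "$first"
    }
}

# setkey_commands PROVIDER ATTACHED: print the geli commands to change the
# passphrase in key slot 0. On the booted system the root provider is already
# attached by the loader (ATTACHED=yes); from the installer image it must be
# attached first with the old passphrase (ATTACHED=no), as in the thread.
setkey_commands() {
    prov=$1
    attached=$2
    if [ "$attached" != "yes" ]; then
        echo "geli attach $prov"
    fi
    echo "geli setkey -n 0 $prov"
}

# Demonstration on the constructed sample; no real disk is touched.
root_prov=$(printf '%s\n' "$SAMPLE_GPART" | find_zfs_partition)
echo "root provider: $root_prov"
echo "--- on the booted system ---"
setkey_commands "$root_prov" yes
echo "--- from the installer image ---"
setkey_commands "$root_prov" no
```

To use it against a live system, pipe real `gpart show -p` output into `find_zfs_partition` and run the printed commands by hand after checking them.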


----------



## mtu (Jul 12, 2021)

T-Daemon said:


> That method is also possible but unnecessary laborious:
> 
> Boot installer image
> `gpart show -p ada0` , check `freebsd-zfs` root partition
> ...


Note that you could theoretically just skip step 3, but a bug (PR 254966) currently prevents this from working correctly.


----------



## ikevin8me (Sep 8, 2021)

I did the above, and there is a message:


> "Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file"


Does anyone know where the "metadata backup file" could be (i.e. the location)? Thanks!


----------



## T-Daemon (Sep 8, 2021)

Unless specified with the `init -B backupfile` argument and option, or `backup <provider> <backupfile>` argument, the default location is in /var/backups/, details in geli(8) manual.

But in case of an "Auto (ZFS) Guided Root-on-ZFS" installation, there is no metadata backup file.


----------

