# ZFS and GELI, Change Password problem



## ShyRain (Sep 17, 2013)

Hi,

I encrypted my /opt partition with ZFS and GELI. Everything is okay, but when I try to change the password I can't get a successful result. In addition, I cannot find any article about this. How can I change the password after encrypting the disk?

I tried this command:

```
# geli attach -k /dev/da1
# zfs mount -a
```

The disk got attached and everything is ok. Then I try to change the password:

```
# geli detach -f /dev/da1
# geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
# reboot
```
No error, but when I try to decrypt after a reboot, the password is valid.

The password cannot be changed. Show me the way or an article about changing the password and passphrase on GELI.

Edit:

I tried this code:

```
# zfs unmount -a
# geli detach -f /dev/ad1
# geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
# geli init -b -K /root/keys/boot.key -s 4096 -l 256 /dev/ad1
# reboot
```

After starting up FreeBSD 8.3:

```
# geli attach -k /root/keys/boot.key /dev/ad1
# zfs mount -a
```

The new password is valid, but the disk is UNAVAIL:

```
zpool status
  pool: tank
 state: UNAVAIL
status: One or more devices could not be opened.  There are insufficient
	replicas for the pool to continue functioning.
action: Attach the missing device and online it using 'zpool online'.
   see: http://illumos.org/msg/ZFS-8000-3C
  scan: none requested
config:

	NAME                    STATE     READ WRITE CKSUM
	tank                    UNAVAIL      0     0     0
	  17471190731841604180  UNAVAIL      0     0     0  was /dev/ad1.eli
```


----------



## fonz (Sep 17, 2013)

ShyRain said:

> ```
> # geli attach -k  geli attach -k /dev/da1
> ```


That's a really strange command. I'd be surprised if this is correct. Judging from the code below, perhaps you meant `geli attach -k /root/keys/boot.key /dev/ad1`.



			
ShyRain said:

> ```
> # geli detach -f /dev/da1
> # geli setkey -k /root/keys/boot.key -n 1 /dev/ad1
> # reboot
> ```


There's no need to detach a provider before changing passwords, nor is there a need to reboot. Also, you do know you're changing password 1 while `geli init` sets password 0, right? I suspect you may have been _adding_ a second password rather than _changing_ the first one.



			
ShyRain said:

> ```
> # geli init -b -K /root/keys/boot.key -s 4096 -l 256 /dev/ad1
> ```
> [snip]
> The new password is valid, but the disk is UNAVAIL


I'm not an expert on ZFS, but I suspect that your `geli init` command erased whatever ZFS setup you had on there. `geli init` is destructive. I hope that either you have backups or there wasn't anything important in there yet.


----------



## ShyRain (Sep 18, 2013)

@fonz you are right, I searched and decided to encrypt without a key file.

I can't succeed and I can't find any example, so I will try to encrypt with only a passphrase and without a key file, and I will try to change the key.

I will write the result here.


----------



## ShyRain (Sep 18, 2013)

*Solution*

I solved my problem by not using a key file. While encrypting I used this code:

```
geli init -s 4096 /dev/ad1
geli attach /dev/ad1
zpool create tank /dev/ad1.eli
```

Then I try to change the password with setkey: `geli setkey -n 1 /dev/ad1`. These codes work for me for ZFS + GELI.


----------



## fonz (Sep 18, 2013)

ShyRain said:

> ```
> geli init -s 4096 /dev/ad1
> ```
> [snip]
> `geli setkey -n 1 /dev/ad1`.


Do keep in mind that you now have two passwords: the one you typed for `geli init` is password #0 and the one you typed for `geli setkey -n 1` is the additional password #1. If that's what you want, it's ok. But I just thought I'd mention it.


----------
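The point made in the replies, that `geli init` fills password #0 and `geli setkey -n 1` adds password #1, can be checked from the provider's metadata. The script below is an added example, not part of any post in this thread; it assumes `geli dump` prints a `keys:` line holding a hex bitmask of populated slots, and the names `geli_used_slots` and `sample_dump` and the sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report which GELI user-key slots hold a key.
# Assumption: `geli dump <provider>` prints a "keys: 0xNN" line, a bitmask in which
# bit 0 is key 0 (set by `geli init`) and bit 1 is key 1 (set by `geli setkey -n 1`).

# Reads `geli dump` output on stdin; prints the populated slot numbers, e.g. "0 1".
geli_used_slots() {
    mask=$(sed -n 's/^[[:space:]]*keys:[[:space:]]*\(0x[0-9a-fA-F]\{1,\}\).*/\1/p' | head -n 1)
    if [ -z "$mask" ]; then
        echo "geli_used_slots: no 'keys:' line in input" >&2
        return 1
    fi
    mask=$(($mask))            # hex string -> integer
    slots=""
    for n in 0 1; do           # GELI keeps two user-key slots
        if [ $(( (mask >> n) & 1 )) -eq 1 ]; then
            slots="${slots:+$slots }$n"
        fi
    done
    echo "$slots"
}

# Constructed, abbreviated sample of dump output for a provider that went through
# `geli init` followed by `geli setkey -n 1` (both passwords unlock it).
sample_dump() {
    cat <<'EOF'
Metadata on /dev/ad1:
     magic: GEOM::ELI
sectorsize: 4096
      keys: 0x03
EOF
}

used=$(sample_dump | geli_used_slots)
echo "populated key slots: ${used:-none}"
if [ "$used" = "0 1" ]; then
    echo "two passwords are active; the original one was not replaced"
fi

# On a real system:  geli dump /dev/ad1 | geli_used_slots
# To replace password 0 in place instead of adding one:  geli setkey -n 0 /dev/ad1
# To retire the extra password afterwards:               geli delkey -n 1 /dev/ad1
```

Taking a metadata copy with `geli backup` before changing keys gives a way back if a slot is overwritten by mistake.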

