Bug 134113 - [geli] Problem setting secondary GELI key
Summary: [geli] Problem setting secondary GELI key
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 7.2-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-geom mailing list
URL:
Keywords:
Depends on:
Blocks:
Reported: 2009-04-30 14:40 UTC by Terje Elde
Modified: 2016-04-04 15:16 UTC

See Also:
Description Terje Elde 2009-04-30 14:40:03 UTC
Created a GELI-setup using only a keyfile, partition to be mounted at boot.

When trying to set the secondary key (key 1) using a passphrase in case the keyfile is lost, the following happens:

------------------------------------------------
42-gw# geli setkey -v -n 1 /dev/mirror/world
Enter new passphrase:
Reenter new passphrase: 
Calculating number of iterations...
Done, using 138302 iterations.
geli: Only already defined key can be changed when '-i' option is used.
------------------------------------------------

Note that the provider was attached at the time.

Fix: 

Workaround:

Setting the first key (key 0) that was used for attaching the provider with a keyfile, works:

------------------------------------------------
42-gw# geli setkey -v -n 0 /dev/mirror/world
Enter new passphrase:
Reenter new passphrase: 
Calculating number of iterations...
Done, using 80194 iterations.
Done.
------------------------------------------------

After that, setting the secondary key also works:

------------------------------------------------
42-gw# geli setkey -v -n 1 /dev/mirror/world
Enter new passphrase:
Reenter new passphrase: 
Done.
42-gw# 
------------------------------------------------

After that, I can set the primary key back to the keyfile.
How-To-Repeat: Create a GELI slice with only a keyfile, no password, to be mounted on boot, then try to set secondary key while the provider is attached.
Comment 1 Mark Linimon freebsd_committer 2009-05-02 22:48:39 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-geom

Over to maintainer(s).
Comment 2 Thomas Zander 2009-10-31 14:04:55 UTC
I can confirm that this PR applies to 8.0RC2 as well.
Is anyone working on this? I am happy to test patches.

Riggs
Comment 3 Fabian Keil 2016-04-04 15:16:29 UTC
By design, geli only stores one iteration count on disk and
as a result, some key combinations are not supported.

Setting both keys to passphrase+keyfile is fine and so is
using a passphrase for one key and passphrase+keyfile for the
other one.

Letting only one of two keys use a passphrase is not supported
because this would require different iteration values which
can't be stored on disk.

Your "workaround" does not actually work around this limitation
because it does not require two different iteration counts.

It could be argued that the error message is a bit cryptic
and that geli.8 should document this limitation more explicitly,
but the fact that you get an error message itself is not a bug.
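The following is an added example, not code from the PR or from geli itself: a small Python model of the rule described in Comment 3 (one iteration count per provider, so a passphrase key can only introduce a new count while it is the sole defined key) replayed against the four `geli setkey` runs in the report. It assumes a `geli dump`-style listing with `keys:` (bitmask of defined slots) and `iterations:` lines, and the sample listing is constructed rather than captured; it also assumes that a keyfile-only key needs no iteration count while a passphrase key reuses the stored count when one exists and otherwise gets a freshly calculated one (the `calculated` parameter stands in for geli's benchmark-derived number). The function and parameter names are the example's own.

```python
"""Model of geli's single-iteration-count limitation (added example, not
geli's code). Assumed: `geli dump`-style "keys:"/"iterations:" lines, and
that only passphrase-based keys consume the stored iteration count."""
import re

# Constructed sample in the style of `geli dump` (format assumed, not captured).
# keys: 0x01 means only slot 0 is defined; iterations: 0 means no passphrase key yet.
SAMPLE_DUMP = """\
Metadata on /dev/mirror/world:
     magic: GEOM::ELI
   version: 7
      keys: 0x01
iterations: 0
"""


def parse_dump(text):
    """Return (defined-key bitmask, stored iteration count) from the listing."""
    keys = int(re.search(r"^\s*keys:\s*(0x[0-9a-fA-F]+)", text, re.M).group(1), 16)
    iterations = int(re.search(r"^\s*iterations:\s*(-?\d+)", text, re.M).group(1))
    return keys, iterations


def wanted_iterations(stored, passphrase, requested=None, calculated=100000):
    """Iteration count the new key's derivation needs; None for keyfile-only.

    A passphrase key takes an explicit -i value if given, otherwise the count
    already stored on the provider, otherwise a freshly calculated one
    (assumption: the transcript shows "Calculating..." only when nothing
    usable is stored)."""
    if not passphrase:
        return None
    if requested is not None:
        return requested
    return stored if stored > 0 else calculated


def setkey_check(keys, stored, nkey, passphrase, requested=None, calculated=100000):
    """Preflight for `geli setkey -n nkey`.

    Returns (allowed, new_keys_bitmask, new_stored_iterations, message).
    Only one iteration count fits in the metadata, so a count that differs
    from the stored one is accepted only when the slot being (re)set is the
    sole defined key; otherwise the operation is refused up front."""
    wanted = wanted_iterations(stored, passphrase, requested, calculated)
    if wanted is None or wanted == stored:
        return True, keys | (1 << nkey), stored, "ok: no change to the stored iteration count"
    if bin(keys).count("1") != 1:
        return False, keys, stored, "refused: several keys defined, all must share one iteration count"
    if keys != (1 << nkey):
        return False, keys, stored, "refused: a new iteration count is only possible for the already defined key"
    return True, keys | (1 << nkey), wanted, "ok: stored iteration count replaced"


def replay_report():
    """Replay the four runs from the report; returns (nkey, allowed, keys, stored) per step."""
    keys, stored = parse_dump(SAMPLE_DUMP)
    # (slot, passphrase?, calculated count) -- counts are the ones printed in the report.
    steps = [
        (1, True, 138302),  # secondary key by passphrase while only a keyfile key exists: refused
        (0, True, 80194),   # primary key to passphrase: sole defined key, count may change
        (1, True, None),    # secondary key by passphrase: reuses 80194, nothing to calculate
        (0, False, None),   # primary key back to keyfile only: needs no count at all
    ]
    log = []
    for nkey, passphrase, calculated in steps:
        allowed, keys, stored, _ = setkey_check(
            keys, stored, nkey, passphrase, calculated=calculated or 100000)
        log.append((nkey, allowed, keys, stored))
    return log


if __name__ == "__main__":
    for entry in replay_report():
        print("slot %d allowed=%s keys=0x%02x iterations=%d" % entry)
```

Run as a script it prints one line per step; the first step is refused for the reason the report shows, and the remaining three pass because none of them asks the provider to hold two different counts, which is the point Comment 3 makes about the "workaround". The same `setkey_check` can be called from an operator script before a real `geli setkey` so that an unsupported key combination is caught before a passphrase is typed.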