trying to run "geli setkey -n 1 gpt/hd01" on a detached geli provider asks me for the master password, and after entering the right password just prints "Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file." - so it does not ask me for the userpassword I want to set to slot 1 (as one woud expect). So either the man page should be changed to inform the user that setkey only works with attached providers or the program should be adapted so that after entering the right master password the user is asked for the user password. (IIRC this has already worked the last time - quite some time ago - when I used it) "geli setkey -n 1 gpt/hd01" works when the provider is already attached - the dialogue: Enter new passphrase: Reenter new passphrase: Note, that the master key encrypted with old keys and/or passphrase may still exists in a metadata backup file. System: FreeBSD mach2020 12.2-RELEASE-p6 FreeBSD 12.2-RELEASE-p6 GENERIC amd64
same behaviour on 13.0-RC5
I can confirm this bug. It exists in 12.2-RELEASE-p6 and 13.0-RELEASE, but _not_ in 11.4-RELEASE-p9. Steps to reproduce: # mdconfig -a -t malloc -s 10M -u md10 # echo aaa | geli init -J - md10 # echo aaa | geli attach -j - md10 # geli status md10.eli # geli detach md10 At this point, md10 is a geli volume with passphrase "aaa". Now, observe the failure of geli setkey: # geli setkey -n0 md10 This command asks for the existing passphrase and then does nothing. It _should_ ask for the new passphrase (and correctly does so on 11.4-RELEASE). The same happens when using passfiles: # echo aaa > oldkey # echo bbb > newkey # geli setkey -n0 -j oldkey -J newkey md10 At this point, "aaa" is still the passphrase in slot 1 of md10.eli, even though it should be "bbb". Confirm this by: # geli attach -j newkey md10 ... which fails, and: # geli attach -j oldkey md10 ... which succeeds (but shouldn't). Note that all is well when using geli setkey on md10.eli when it is attached. This bug only affect unattached volumes.
I might have found the problem. It seems to be caused by the use of cached_passphrase (to attach multiple providers with the same passphrase). However, when using geli setkey on a detached provider it does not make any sense. This patch (13.0) works for me: --- geom_eli.c.ORIG 2021-05-24 21:11:15.718321000 +0200 +++ geom_eli.c 2021-05-24 21:30:47.511489000 +0200 @@ -1387,6 +1387,12 @@ bcopy(mkey, mkeydst, sizeof(mkey)); explicit_bzero(mkey, sizeof(mkey)); + /* + * The previous eli_genkey() set cached_passphrase, we do not want + * to use that for the new passphrase so always prompt for it + */ + explicit_bzero(cached_passphrase, sizeof(cached_passphrase)); + /* Generate key for Master Key encryption. */ if (eli_genkey(req, md, key, true) == NULL) { explicit_bzero(key, sizeof(key));
(In reply to Arjan de Vet from comment #3) Arjan, this patch looks plausible to me, I'm submitted it to github so it can get broader exposure: https://github.com/freebsd/freebsd-src/pull/780
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=2b7b09ac9675023869fddbae4911c9b674b1155a commit 2b7b09ac9675023869fddbae4911c9b674b1155a Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2023-08-28 14:58:43 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-08-28 15:06:42 +0000 geli tests: Add a regression test for geli setkey -J Make sure that it can be used to change the passphrase of both attached and detached providers. PR: 254966 MFC after: 1 week Sponsored by: The FreeBSD Foundation tests/sys/geom/class/eli/setkey_test.sh | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=88d13bf33754bd4b0c5df92eef83d6fadb9b4944 commit 88d13bf33754bd4b0c5df92eef83d6fadb9b4944 Author: Arjan de Vet <freebsd@devet.org> AuthorDate: 2023-08-28 14:54:18 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-08-28 15:03:55 +0000 geli: Fix geli setkey -J for detached providers Clear cached_passphrase before generating a new key, otherwise the operation nonsensically tries to reuse the old passphrase. PR: 254966 Pull Request: https://github.com/freebsd/freebsd-src/pull/780 MFC after: 1 week lib/geom/eli/geom_eli.c | 6 ++++++ 1 file changed, 6 insertions(+)
thank you very much, mark. Will this be MFC'd to 14 or 13, or even 12, where it was reported on?
(In reply to Mina Galić from comment #7) Yes, I set the MFC timeout period to 1 week.
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=472fce62bb536b00d7af98d4be73bb8efbdb169b commit 472fce62bb536b00d7af98d4be73bb8efbdb169b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2023-08-28 14:58:43 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-09-04 12:55:17 +0000 geli tests: Add a regression test for geli setkey -J Make sure that it can be used to change the passphrase of both attached and detached providers. PR: 254966 MFC after: 1 week Sponsored by: The FreeBSD Foundation (cherry picked from commit 2b7b09ac9675023869fddbae4911c9b674b1155a) tests/sys/geom/class/eli/setkey_test.sh | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b785ac18c7d36cfa84ce8ff8705dc10edd7d2013 commit b785ac18c7d36cfa84ce8ff8705dc10edd7d2013 Author: Arjan de Vet <freebsd@devet.org> AuthorDate: 2023-08-28 14:54:18 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-09-04 12:55:15 +0000 geli: Fix geli setkey -J for detached providers Clear cached_passphrase before generating a new key, otherwise the operation nonsensically tries to reuse the old passphrase. PR: 254966 Pull Request: https://github.com/freebsd/freebsd-src/pull/780 MFC after: 1 week (cherry picked from commit 88d13bf33754bd4b0c5df92eef83d6fadb9b4944) lib/geom/eli/geom_eli.c | 6 ++++++ 1 file changed, 6 insertions(+)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=134d36676e94a42bb280a010bf36b31163fccc65 commit 134d36676e94a42bb280a010bf36b31163fccc65 Author: Arjan de Vet <freebsd@devet.org> AuthorDate: 2023-08-28 14:54:18 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-09-04 14:11:01 +0000 geli: Fix geli setkey -J for detached providers Clear cached_passphrase before generating a new key, otherwise the operation nonsensically tries to reuse the old passphrase. Approved by: re (kib) PR: 254966 Pull Request: https://github.com/freebsd/freebsd-src/pull/780 MFC after: 1 week (cherry picked from commit 88d13bf33754bd4b0c5df92eef83d6fadb9b4944) lib/geom/eli/geom_eli.c | 6 ++++++ 1 file changed, 6 insertions(+)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=34e146632e623b5f208b745a99e2fdbed22bd942 commit 34e146632e623b5f208b745a99e2fdbed22bd942 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2023-08-28 14:58:43 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2023-09-04 14:11:04 +0000 geli tests: Add a regression test for geli setkey -J Make sure that it can be used to change the passphrase of both attached and detached providers. Approved by: re (kib) PR: 254966 MFC after: 1 week Sponsored by: The FreeBSD Foundation (cherry picked from commit 2b7b09ac9675023869fddbae4911c9b674b1155a) tests/sys/geom/class/eli/setkey_test.sh | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+)