I tested following case as a bug of "geli setkey": - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # truncate -s 1M testfile # # mdconfig -f testfile md0 # geli init -e AES-XTS -l 256 -B none -s 4096 md0 Enter new passphrase: Reenter new passphrase: # geli attach md0 Enter passphrase: # geli setkey -i $((65536*65536-1)) md0 Enter new passphrase: Reenter new passphrase: Note, that the master key encrypted with old keys and/or passphrase may still exist in a metadata backup file. # geli detach md0 # geli attach md0 geli: Missing -p flag. geli: There was an error with at least one provider. # geli attach -p md0 geli: No key components given. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - I found this issue because I tried reset passphrase key like "geli setkey -k keyfile -P md0". But I couldn't reset passphrase, so I noticed that the "md_iterations" doesn't reset to -1 (= 2^32-1 = 65536*65536-1). SEE ALSO: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=196834 So there is a bug of "geli setkey -P doesn't reset md_iterations" yet. To reset iterations, "geli setkey -P" should reset the md_iteratitons, or describe how to reset passphrase by setting iterations and save no key compoents status.