[Bug 218512] Geli arbitrarily prevents setting passphrases
bugzilla-noreply at freebsd.org
Sun Apr 9 19:39:36 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218512
Bug ID: 218512
Summary: Geli arbitrarily prevents setting passphrases
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: fhriley at gmail.com
In the geli metadata, there is one field that specifies the pkcs5v2 iterations,
which means it is used for both keys. Because of this, the code needs to prevent
the user from setting a passphrase with a given (or calculated) iteration count, and
then setting a second passphrase with a different iteration count. If it didn't, the
first passphrase would get invalidated. The existing geli code does this, but
in a naive way that leads to weird failures that, logically, should not fail,
and drastically reduces the usability of geli. For example, the current code
prevents the following:
- Set two keys, then set a passphrase on one key
- Set one key, then set a second key with a passphrase using -i
- Set one passphrase, then change the iterations
The first and second ones are especially bad because it means you have to
reissue keys if you want to set a password on an existing key (FreeNAS does
this).
Also, if you set two keys with passphrases, geli will forever think a
passphrase is set, even if you replace those two keys without passphrases,
because the current code has no way to know if a passphrase is set on a key.
I am submitting a git pull request to fix all of the above.
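The constraint the report describes can be shown with a small model. The following is an added example written for this page, not geli's code, its metadata layout, or the reporter's patch: it keeps a single shared iteration count and two key slots, derives each slot's user key from optional keyfile material plus a PBKDF2 output of the passphrase, and enforces the rule per slot (the count may only change while no other slot's passphrase depends on it). The slot layout, the salt, the verifier construction and the default iteration count are all constructed assumptions. The final function shows why the rule exists at all: changing the shared field out from under a passphrase slot makes that slot stop verifying.

```python
"""Constructed model of the shared-iterations constraint described in the report.

Not geli's implementation: slot layout, salt, verifier and defaults are assumptions.
"""
import hashlib
import hmac
from typing import Optional

SALT = b"constructed-salt"      # constructed; real metadata stores a random salt
DEFAULT_ITERATIONS = 1000       # constructed; geli calculates its own default
KEY_LEN = 32


def derive_user_key(keyfile: Optional[bytes], passphrase: Optional[bytes],
                    iterations: int) -> bytes:
    """Combine keyfile material with the PBKDF2 output of the passphrase.

    Only the passphrase half depends on the iteration count, which is why a
    keyfile-only slot is unaffected when that count changes.
    """
    h = hashlib.sha256()
    if keyfile is not None:
        h.update(keyfile)
    if passphrase is not None:
        h.update(hashlib.pbkdf2_hmac("sha512", passphrase, SALT, iterations, KEY_LEN))
    return h.digest()


def verifier(user_key: bytes) -> bytes:
    """Per-slot value stored in metadata to check a recomputed user key against."""
    return hmac.new(b"constructed-verifier-key", user_key, "sha256").digest()


class Metadata:
    """One shared pkcs5v2 iterations field plus per-slot state."""

    def __init__(self, nslots: int = 2):
        self.iterations = 0                      # the single shared field
        self.verifiers = [None] * nslots         # per-slot verifier of the user key
        self.has_passphrase = [False] * nslots   # per-slot flag the report says is missing


def set_key(md: Metadata, slot: int, keyfile: Optional[bytes] = None,
            passphrase: Optional[bytes] = None, iterations: Optional[int] = None) -> None:
    """Set one slot's key, enforcing the iteration-count rule per slot.

    The shared count may change only while no *other* slot has a passphrase,
    because those slots' keys were derived with the current value. A slot set
    without a passphrase never constrains the count and clears its own flag.
    """
    if passphrase is None:
        md.verifiers[slot] = verifier(derive_user_key(keyfile, None, 0))
        md.has_passphrase[slot] = False
        return
    if iterations is None:
        iterations = md.iterations or DEFAULT_ITERATIONS
    others_depend = any(md.has_passphrase[i] for i in range(len(md.verifiers)) if i != slot)
    if others_depend and iterations != md.iterations:
        raise ValueError("another slot's passphrase depends on the current iteration count")
    md.iterations = iterations
    md.verifiers[slot] = verifier(derive_user_key(keyfile, passphrase, iterations))
    md.has_passphrase[slot] = True


def attach(md: Metadata, slot: int, keyfile: Optional[bytes] = None,
           passphrase: Optional[bytes] = None) -> bool:
    """Recompute the slot's user key from current metadata and compare verifiers."""
    expected = md.verifiers[slot]
    if expected is None:
        return False
    got = verifier(derive_user_key(keyfile, passphrase, md.iterations))
    return hmac.compare_digest(expected, got)


def demonstrate_invalidation():
    """Why the rule exists: overwriting the shared field breaks a passphrase slot.

    Returns (attach result before the change, attach result after it).
    """
    md = Metadata()
    set_key(md, 0, keyfile=b"k0", passphrase=b"pw0", iterations=1000)
    before = attach(md, 0, keyfile=b"k0", passphrase=b"pw0")
    md.iterations = 2000        # simulate an unchecked write of the shared field
    after = attach(md, 0, keyfile=b"k0", passphrase=b"pw0")
    return before, after


if __name__ == "__main__":
    md = Metadata()
    set_key(md, 0, keyfile=b"k0")
    set_key(md, 1, keyfile=b"k1")
    set_key(md, 0, keyfile=b"k0", passphrase=b"pw0", iterations=1000)   # allowed
    print("slot 0 attaches:", attach(md, 0, keyfile=b"k0", passphrase=b"pw0"))
    print("invalidation demo (before, after):", demonstrate_invalidation())
```

Each of the three scenarios listed in the report is allowed by this rule: setting a passphrase on one of two keyfile-only slots, adding a second slot with a passphrase and an explicit count while the first slot is keyfile-only, and changing the count on the only slot that carries a passphrase. Replacing every passphrase slot with a keyfile-only key clears all flags, so the count is free again rather than locked forever.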