11.3: GELI attach: Wrong key despite correct passphrase

Marco Steinbach coco at executive-computing.de
Mon Aug 19 01:55:17 UTC 2019


On Mon, 19 Aug 2019 06:27:34 +0800
Ben Woods <woodsb02 at gmail.com> wrote:

> On Mon, 19 Aug 2019 at 3:05 am, Marco Steinbach
> <coco at executive-computing.de> wrote:
> 
> > On Sun, 18 Aug 2019 10:20:51 -0500
> > CyberLeo Kitsana <cyberleo at cyberleo.net> wrote:
> >  
> > > On 8/18/19 8:46 AM, Marco Steinbach wrote:  
> > > > Hi.
> > > >
> > > > I have two bootable SSDs, both installed using a GELI encrypted
> > > > root on ZFS.  
> > >
> > > <snip>
> > >  
> > > > I've then imported the bootpool from da0, and mounted it, so I
> > > > can try using the key in boot/
> > > >
> > > > > root at bsdbuch:~ # geli attach -k /bootpool/boot/ada0p5.eli /dev/da0p5
> > > > > Enter passphrase:
> > > > > geli: Wrong key for da0p5.
> > >
> > > Did you intend on combining both a keyfile AND a passphrase here?
> > > If not, include the -p option to instruct geli to avoid asking
> > > for a passphrase to mix in.
> > >
> > > It might also help to include the output of 'geli dump' for both
> > > of the affected providers. You can obscure the 'Salt' and 'Master
> > > Key' portions if you so desire.
> > >  
> >
> > I think there's a misunderstanding.
> >
> > I merely want to attach the GELI created by the 11.1 installer to a
> > newly installed 11.3 system.
> >
> > MfG CoCo  
> 
> 
> Indeed, but what secrets do you need to provide to decrypt the geli
> providers (passphrase, passfile, keyfile)? The command above will use
> both a keyfile and prompt for a passphrase - was this your intention?
> 
> The “attach” section of this manpage has more details if required:
> 
> https://man.freebsd.org/geli
> 

What secrets do I need to provide, if I installed a root on ZFS on top
of GELI using the FreeBSD installer (no manual intervention, really
just what the installer offered) on the 11.1-RELEASE memstick,
if I want to attach that provider to an 11.3-RELEASE system?

As I wrote, I have two SSDs both installed using the FreeBSD installer
using root on ZFS on top of GELI. One was installed using the
11.1-RELEASE memstick, the other was installed using the 11.3-RELEASE
memstick.

I can attach the 11.3-RELEASE from the 11.1-RELEASE (just doing 'geli
attach /dev/da0p5'), but not vice versa. Both use the same passphrase,
and both boot using this same passphrase.

Since GELI on the 11.3-RELEASE system told me 'geli: wrong key for
da0p5' when trying to attach the 11.1-RELEASE GELI provider, I tried
using the keyfile generated by the 11.1-RELEASE installer in
conjunction with the passphrase. That also failed.


MfG CoCo

