Does encryption key contain passphrase?

Status
Not open for further replies.

c3p

Cadet
Joined
Jun 11, 2016
Messages
3
I created an encrypted pool in FreeNAS 9.10 using the provided Wizard. Afterwards I input a passphrase for the volume.

The Handbook advises me to download and store the Recovery Key:
Download Key: click this icon to download a backup copy of the GELI encryption key. [...] Since the GELI encryption key is separate from the FreeNAS® configuration database, it is highly recommended to make a backup of the key. If the key is ever lost or destroyed and there is no backup key, the data on the disks is inaccessible.

[...]

Note: the passphrase, recovery key, and encryption key need to be protected. Do not reveal the passphrase to others. On the system containing the downloaded keys, take care that that system and its backups are protected. Anyone who has the keys has the ability to re-import the disks should they be discarded or stolen.
Does that mean that the key file also contains the Passphrase and is in itself enough to mount the pool?
 

dlavigne

Guest
Does that mean that the key file also contains the Passphrase and is in itself enough to mount the pool?

No, you will still need to know the passphrase.
 

c3p

Cadet
Joined
Jun 11, 2016
Messages
3
Thank you for your answer!
Just out of curiosity: Is the answer in the FreeNAS manual or should I have searched in the manual for geli? (edit: or is it "obvious" and I just didn't know it because I'm new to FreeNAS/ZFS/BSD? ;)
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
If you set and download a recovery key, you do not need a passphrase if you use the recovery key. Keep it well protected.
 

fta

Contributor
Joined
Apr 6, 2015
Messages
148
The answers seem to contradict each other. Either there are 2 types of keys and you are both right or one of you is wrong.

There are two types of keys. The regular key that can be passphrased, and the recovery key which is not passphrased. The point of the recovery key is recovery, i.e. you forget your passphrase.
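
The two answers above can both hold, as this added example shows (it is not part of the thread and is not GELI or FreeNAS code): a simplified Python model in which one master key is wrapped in two slots, one needing key file plus passphrase and one needing only the recovery key file. The slot layout, KDF settings, XOR-based wrapping, sample passphrase and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os

def user_key(keyfile, passphrase, salt):
    """Mix key-file bytes with an optional passphrase into one user key."""
    mac = hmac.new(salt, keyfile, hashlib.sha512)
    if passphrase is not None:
        mac.update(hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, 10_000))
    return mac.digest()

def _stream(ukey):
    return hmac.new(ukey, b"wrap", hashlib.sha512).digest()

def _tag(ukey, blob):
    return hmac.new(ukey, b"check" + blob, hashlib.sha512).digest()

def wrap(master, ukey):
    """Toy key wrap (assumption): XOR with a keyed stream, plus a check tag."""
    blob = bytes(a ^ b for a, b in zip(master, _stream(ukey)))
    return blob, _tag(ukey, blob)

def unwrap(slot, ukey):
    """Return the master key, or None if this user key does not open the slot."""
    blob, tag = slot
    if not hmac.compare_digest(tag, _tag(ukey, blob)):
        return None
    return bytes(a ^ b for a, b in zip(blob, _stream(ukey)))

def attach(slots, salt, keyfile, passphrase=None):
    """Try every slot with the supplied key material."""
    ukey = user_key(keyfile, passphrase, salt)
    for slot in slots:
        master = unwrap(slot, ukey)
        if master is not None:
            return master
    return None

def build_demo():
    """Constructed sample: random keys and a made-up passphrase."""
    salt, master = os.urandom(64), os.urandom(64)
    geli_key, recovery_key = os.urandom(64), os.urandom(64)
    slots = [wrap(master, user_key(geli_key, "correct horse", salt)),  # regular key
             wrap(master, user_key(recovery_key, None, salt))]         # recovery key
    return master, salt, slots, geli_key, recovery_key

if __name__ == "__main__":
    master, salt, slots, geli_key, recovery_key = build_demo()
    print("key file alone:     ", attach(slots, salt, geli_key) == master)
    print("key file + phrase:  ", attach(slots, salt, geli_key, "correct horse") == master)
    print("recovery key alone: ", attach(slots, salt, recovery_key) == master)
```

In this model the downloaded key file never contains the passphrase, while the recovery key file is sufficient on its own, which is why it needs the stricter protection.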
 