GELI confused...

guermantes (Patron, joined Sep 27, 2017):
I find the manual section on encryption very confusing and not quite as clear as it probably could be. Is the geli_recovery.key my passphrase in key form? So if I forget the passphrase I can use the recovery key to unlock the pool?

Also, in a blue attention box the manual says: "While it is possible to separately back up disk master keys, it is usually not necessary or useful." Is the master key a third key different from the encryption key and the recovery key?

Pitfrr (Wizard, joined Feb 10, 2014):
Hello,

This post gives a good answer to your first question, I'd say.
The encryption key is stored in the system dataset and if you don't use a passphrase, it will be unlocked automatically at boot time.
Have a look at this section of the documentation.

About the master key, if I understand it correctly, it is a specific key for each disk. As stated in the manual (for 11.3):
Loss of a disk master key due to disk corruption is equivalent to any other disk failure.
and:
There are two user keys that can be used to unlock the master key and then decrypt the disks.

So there is one master key per disk, and the encryption key (with passphrase) or the recovery key contains this master key.
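The key hierarchy the two posts above are discussing can be made concrete with a small model. The following is an added example, not code from the thread or from FreeBSD/FreeNAS: it models one random master key per disk, stored only in wrapped form in the provider's metadata, and two user-key slots that each independently unwrap it. The assumption (from geli(8) and the FreeNAS setup flow) is that the encryption key, optionally combined with a passphrase, occupies slot 0 and the recovery key occupies slot 1; the corresponding geli commands are mentioned in comments for reference only. The wrapping primitive (PBKDF2 plus an XOR keystream and an HMAC) is a stand-in so the model runs with the standard library; it is not GELI's on-disk format.

```python
"""Toy model of GELI's key hierarchy (illustrative, not GELI's real metadata format).

Assumptions, matching the FreeNAS/TrueNAS flow as far as the thread describes it:
  slot 0 <- encryption key (geli.key) + optional passphrase   (geli init -K geli.key -J passfile da0)
  slot 1 <- recovery key (geli_recovery.key)                   (geli setkey -n 1 -K geli_recovery.key da0)
Both slots wrap the same per-disk master key; losing the wrapped copies (metadata corruption)
loses the disk no matter which user key you still hold.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Metadata:
    """What lives on the disk: a salt and the wrapped master key, once per slot. Never the master key itself."""
    salt: bytes
    slots: list = field(default_factory=lambda: [None, None])  # GELI has exactly two user-key slots


def _wrapping_key(keyfile: bytes, passphrase: str, salt: bytes) -> bytes:
    # Keyfile bytes and passphrase are combined before derivation, so a keyfile with an empty
    # passphrase is a complete user key on its own (this is the "unlocked automatically at boot" case).
    material = keyfile + passphrase.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000, dklen=64)


def _wrap(master_key: bytes, wk: bytes) -> bytes:
    # Stand-in for GELI's encryption of the master key: XOR keystream + HMAC tag (toy, not the real format).
    enc_key, mac_key = wk[:32], wk[32:]
    stream = hashlib.sha256(enc_key).digest()
    ct = bytes(m ^ s for m, s in zip(master_key, stream))
    return ct + hmac.new(mac_key, ct, "sha256").digest()


def _unwrap(blob: bytes, wk: bytes):
    enc_key, mac_key = wk[:32], wk[32:]
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, "sha256").digest(), tag):
        return None  # wrong user key, or corrupted metadata
    stream = hashlib.sha256(enc_key).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


def geli_init(keyfile: bytes, passphrase: str = ""):
    """Create a disk: fresh random master key, wrapped into slot 0 by keyfile (+ passphrase)."""
    master = os.urandom(32)
    meta = Metadata(salt=os.urandom(16))
    meta.slots[0] = _wrap(master, _wrapping_key(keyfile, passphrase, meta.salt))
    return meta, master


def attach(meta: Metadata, keyfile: bytes, passphrase: str = ""):
    """Try every slot with the supplied user key; return the master key or None."""
    wk = _wrapping_key(keyfile, passphrase, meta.salt)
    for blob in meta.slots:
        if blob is not None:
            master = _unwrap(blob, wk)
            if master is not None:
                return master
    return None


def setkey(meta: Metadata, slot: int, cur_keyfile: bytes, cur_passphrase: str,
           new_keyfile: bytes, new_passphrase: str = "") -> None:
    """Like `geli setkey -n slot`: unlock with an existing user key, then rewrap the master key into slot.

    Only the chosen slot changes; the other slot keeps working unchanged."""
    master = attach(meta, cur_keyfile, cur_passphrase)
    if master is None:
        raise PermissionError("current user key does not unlock this disk")
    meta.slots[slot] = _wrap(master, _wrapping_key(new_keyfile, new_passphrase, meta.salt))


def backup(meta: Metadata) -> Metadata:
    """Like `geli backup`: a copy of the metadata (salt + wrapped master key). Useless without a user key."""
    return Metadata(salt=meta.salt, slots=list(meta.slots))


def corrupt(meta: Metadata) -> None:
    """Simulate loss of the metadata sector: both wrapped copies of the master key are destroyed."""
    meta.slots = [os.urandom(64), os.urandom(64)]


if __name__ == "__main__":
    meta, master = geli_init(b"contents of geli.key", "my passphrase")   # constructed sample keys
    setkey(meta, 1, b"contents of geli.key", "my passphrase", b"contents of geli_recovery.key")
    print("recovery key opens disk:", attach(meta, b"contents of geli_recovery.key") == master)
    setkey(meta, 0, b"contents of geli_recovery.key", "", b"contents of geli.key", "new passphrase")
    print("old passphrase still works:", attach(meta, b"contents of geli.key", "my passphrase") is not None)
    print("recovery key unaffected by passphrase change:", attach(meta, b"contents of geli_recovery.key") == master)
```

Running it shows the three points the thread is circling: the recovery key is not the passphrase in another form but a second, independent user key that unwraps the same master key; changing the passphrase rewraps slot 0 only, so the recovery key keeps working; and once the metadata holding the wrapped master key is gone, neither user key helps, which is why the manual equates master-key loss with a disk failure and why a metadata backup only matters together with a user key.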