Managing Encrypted Volumes in relation to GELI

Status
Not open for further replies.

hua_qiu

I have a number of questions on the "Managing Encrypted Volumes" function in relation to GELI. I read through the user documentation and did some research online and on forums, but could not find all the answers.

1. Download Key
What exactly is the key downloaded in this action? I assume it is the geli master key secured by the geli user key (passphrase and/or key file).
What if the user hasn't secured it via either a passphrase or a key file, e.g. when the encrypted volume has just been created? In this case, is it just the plain master key?

2. Why is the downloaded key required when re-importing an encrypted volume? Isn't there a metadata structure in the last sector of the encrypted volume which contains the encrypted geli master key?

3. What is the recovery key? Is it related to the second encrypted master key in key slot 1 described by GELI?

4. What does encryption re-key actually do: generate a new geli master key, or re-encrypt the geli master key with a newly generated user key? If it is the first case, I assume all the data on the encrypted volume has to be decrypted with the old geli master key and re-encrypted with the new one. Is that correct?

Thanks in advance
 

hua_qiu

I read through the user guide again and found my answer
#14
It answers all my questions above. Here is a little bit more information about the recovery key usage I observed (FreeNAS 9.3).
The very first time the recovery key is used to unlock/attach an encrypted volume, it is through the encrypted geli master key in slot 1 of the metadata. This can be verified by issuing the command "geli list". At the same time, FreeNAS will copy the slot 1 key material to slot 0. This will invalidate the geli key downloaded before via the FreeNAS GUI (it is actually the key file component of the geli user key) and the passphrase (if ever set by the user). The subsequent unlock/attach is through the encrypted geli master key in slot 0. This can be verified with the geli list command.
 
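The two-slot behaviour described in the post above (recovery key in slot 1, re-key as a re-wrap of the same master key, and the slot-1-to-slot-0 copy that invalidates the old key file and passphrase), modelled as an added example. This is not FreeNAS or GELI code: the function names (`attach`, `set_slot`, `rekey`, `promote_recovery`), the key sizes, the PBKDF2 iteration count and the HMAC-SHA512 wrapping are assumptions chosen so the model runs on Python's standard library alone; GELI's real metadata layout and AES-based master-key wrapping are documented in geli(8).

```python
"""Two-slot master-key model of an encrypted volume (GELI style).

Constructed illustration, not FreeNAS or GELI code. Slot layout, key sizes,
KDF parameters and the HMAC-based wrapping are assumptions chosen to show the
mechanics discussed in the thread; real GELI wraps the master key with AES.
"""
import hashlib
import hmac
import os

MASTER_LEN = 64       # assumed master-key length (one SHA-512 output of keystream)
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITER = 20_000  # assumed; GELI picks its own iteration count at init time


def derive_user_key(passphrase: bytes, keyfile: bytes, salt: bytes) -> bytes:
    """Combine key file and passphrase into one user key; both are needed if both were set."""
    ikm = hmac.new(keyfile, passphrase, hashlib.sha512).digest() if keyfile else passphrase
    return hashlib.pbkdf2_hmac("sha512", ikm, salt, PBKDF2_ITER, dklen=64)


def wrap(master: bytes, user_key: bytes) -> bytes:
    """Encrypt-then-MAC the master key under a user key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    keystream = hmac.new(user_key, b"enc" + nonce, hashlib.sha512).digest()
    ct = bytes(m ^ k for m, k in zip(master, keystream))
    tag = hmac.new(user_key, b"mac" + nonce + ct, hashlib.sha512).digest()[:TAG_LEN]
    return nonce + ct + tag


def unwrap(blob: bytes, user_key: bytes):
    """Return the master key, or None if user_key does not open this slot."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + MASTER_LEN]
    tag = blob[NONCE_LEN + MASTER_LEN:]
    expect = hmac.new(user_key, b"mac" + nonce + ct, hashlib.sha512).digest()[:TAG_LEN]
    if not hmac.compare_digest(expect, tag):
        return None  # wrong user key (or tampered slot): no plaintext is released
    keystream = hmac.new(user_key, b"enc" + nonce, hashlib.sha512).digest()
    return bytes(c ^ k for c, k in zip(ct, keystream))


class Metadata:
    """Volume header: a salt and two key slots, each a wrapped master key or None."""
    def __init__(self) -> None:
        self.salt = os.urandom(32)
        self.slots = [None, None]


def init_volume(passphrase: bytes, keyfile: bytes) -> Metadata:
    """Create a volume: fresh random master key, wrapped into slot 0 only."""
    md = Metadata()
    md.slots[0] = wrap(os.urandom(MASTER_LEN), derive_user_key(passphrase, keyfile, md.salt))
    return md


def attach(md: Metadata, passphrase: bytes, keyfile: bytes):
    """Try slots in order, as geli attach does; return (slot index, master key) or (None, None)."""
    user_key = derive_user_key(passphrase, keyfile, md.salt)
    for i, blob in enumerate(md.slots):
        master = unwrap(blob, user_key) if blob is not None else None
        if master is not None:
            return i, master
    return None, None


def set_slot(md: Metadata, slot: int, master: bytes, passphrase: bytes, keyfile: bytes) -> None:
    """Store the (unchanged) master key in `slot` under another user key (cf. geli setkey -n)."""
    md.slots[slot] = wrap(master, derive_user_key(passphrase, keyfile, md.salt))


def rekey(md, slot, old_pass, old_kf, new_pass, new_kf) -> None:
    """Re-key means re-wrap: the master key, and so the data encrypted under it, is unchanged."""
    _, master = attach(md, old_pass, old_kf)
    if master is None:
        raise ValueError("cannot unlock volume with the old user key")
    set_slot(md, slot, master, new_pass, new_kf)


def promote_recovery(md: Metadata, recovery_kf: bytes) -> bytes:
    """The observed first-use behaviour: unlock via slot 1, then copy slot 1 over slot 0."""
    slot, master = attach(md, b"", recovery_kf)
    if slot != 1:
        raise ValueError("recovery key did not open slot 1")
    md.slots[0] = md.slots[1]  # old key file / passphrase for slot 0 is now useless
    return master


def scenario() -> dict:
    """create -> add recovery key -> add passphrase -> recover; record which slot opens."""
    keyfile = os.urandom(64)     # constructed: the key file the GUI's Download Key hands out
    recovery = os.urandom(64)    # constructed: the recovery key file
    md = init_volume(b"", keyfile)
    slot, master = attach(md, b"", keyfile)
    out = {"fresh_unlock_slot": slot}
    set_slot(md, 1, master, b"", recovery)                  # recovery key lives in slot 1
    rekey(md, 0, b"", keyfile, b"correct horse", keyfile)   # user adds a passphrase to slot 0
    out["master_same_after_rekey"] = attach(md, b"correct horse", keyfile)[1] == master
    out["keyfile_alone_after_rekey"] = attach(md, b"", keyfile)[0]
    out["recovery_unlock_slot"] = attach(md, b"", recovery)[0]
    promote_recovery(md, recovery)
    out["recovery_slot_after_promote"] = attach(md, b"", recovery)[0]
    out["old_pass_after_promote"] = attach(md, b"correct horse", keyfile)[0]
    out["master_same_after_promote"] = attach(md, b"", recovery)[1] == master
    return out


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running `scenario()` shows the points the thread settles: the master key never changes across a re-key, so no data is rewritten; the recovery key opens slot 1 until it is promoted, after which it opens slot 0 and the previous key file plus passphrase open nothing. On a real system the equivalent check is `geli list`, whose output names the active key slot.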