You're leaking an entire disk's worth of data encrypted with a key that sits in a known location, encrypted. It's not likely at all that it's going to be decrypted in useful time, but if it is, you can use it on the other old disks.
I am discarding a disk that is encrypted with military grade AES256 encryption using a unique, random master key. Yes, the master key sits on the disk but is encrypted with the user key (and possibly a passphrase) in slot 0 and with a recovery key in slot 1.
If someone can derive the master key from that information within reasonable time and decrypt the entire drive, there is a serious problem with GELI and/or AES or with the way FreeNAS generates the user key. Even if they can, they cannot use that information to decrypt any other drive in the pool because each drive has its own unique, random master key – so no, they cannot use it on the other old disks.
In order to decrypt the rest of the drives in the pool they would either have to find their master keys or derive the user key from the master key of the discarded drive.
I am not saying this is not possible – just that it is very hypothetical.
Mostly. Don't forget you have two independent keys. Now, it's been a while since I've looked into this, so I don't know what the GUI is doing, exactly (the abstracted terms used don't help), but the sane option is to do it for one slot, then the other once the first one has been confirmed to have finished.
The problem is (verified on FreeNAS 11.1 U4):
- After replacing a drive in a pool, the existing recovery key (slot 1) is invalid for the new drive – because it is not known to the system, there is no way to encrypt the new drive's master key with the existing recovery key.
- Re-keying the pool zaps the passphrase (protecting the user key in slot 0).
- Creating a new passphrase invalidates the existing recovery key (slot 1) for the remaining drives in the pool – so even if you started out by setting a new recovery key, it would invalidated by now.
So after re-keying and adding a new passphrase, one is in the situation that a crash of the boot device which holds the new user key (generated by re-keying) will have the dire consequence that all your data is lost. And the only reason we are taking that risk is because FreeNAS forces you to re-key after replacing a failed drive – to mitigate a very theoretical risk that someone derives your user key and/or passphrase from the discarded drive.
Even if FreeNAS did not require a re-key after drive replacement, then if you at some point in time wanted to re-key your pool because you feared your user key, recovery key or passphrase had been compromised, you would have the same problem.
A simple solution would be that setting a new passphrase would not invalidate the recovery key – and from my (limited?) knowledge of GELI I do not understand why it is necessary. With that change, one could start out by setting and downloading a new recovery key for the entire pool. With that safely stored, one could then re-key the pool getting a new user key generated and then set a new passphrase. Doing this, there would be no point in time where you did not have information moved off the system necessary for unlocking the pool and the risk would be eliminated.
For details about how GELI is used by FreeNAS, please see this excellent description (which is also linked from
section 8.1.1.1 in the official documentation):
I apologise if there is something I have misunderstood and I welcome everybody to correct me if I am wrong.