An user key can be created from two components - a passphrase and/or a key file - you can use one, the other, or both. You can change the user keys as often as you want provided that you have at least one of them - you decrypt the master key with the old user key and encrypt it with the new one. Any of the user keys (if set) can be used to decrypt the master key and thus access the data. There are two "slots" for the encrypted master key in the geli metadata, which allows you to encrypt the master key with two user keys (0 and 1). The master key is stored in the geli metadata on the drive itself. You do need to upload the key file when you change/overwrite the USB stick.Įvery geli provider ("disk drive") has its own AES master key that can never be changed - you would have to rewrite (reencrypt) all data on the drive to change it. This means you do not need to provide the file when you reboot the server and want to unlock your pool - the passphrase is enough.
Yes, the key file you get when you click the Download Key button is always stored in /data/geli (4th partition on the USB stick).
0 kommentar(er)
