From owner-freebsd-questions@freebsd.org  Wed Jun 14 16:13:52 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id A060FB95F11
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Wed, 14 Jun 2017 16:13:52 +0000 (UTC)
 (envelope-from dpchrist@holgerdanske.com)
Received: from holgerdanske.com (holgerdanske.com [184.105.128.27])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "holgerdanske.com", Issuer "holgerdanske.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8FB756EBB3
 for <freebsd-questions@freebsd.org>; Wed, 14 Jun 2017 16:13:52 +0000 (UTC)
 (envelope-from dpchrist@holgerdanske.com)
Received: from 99.100.19.101 ([99.100.19.101]) by holgerdanske.com with ESMTPSA
 (ECDHE-RSA-AES128-GCM-SHA256:TLSv1.2:Kx=ECDH:Au=RSA:Enc=AESGCM(128):Mac=AEAD)
 (SMTP-AUTH username dpchrist@holgerdanske.com, mechanism PLAIN)
 for <freebsd-questions@freebsd.org>; Wed, 14 Jun 2017 09:13:48 -0700
Subject: Re: How to change passphrase for FreeBSD 11.0 encrypted ZFS root?
To: freebsd-questions@freebsd.org
References: <1fb7f3d1-dfb5-ab75-ab75-12dcc81423ca@holgerdanske.com>
 <CADyrUxNgfu-g24hcQA9Fc-YATTJA0tmkq+N9u3Rta+1-Cp+=hw@mail.gmail.com>
From: David Christensen <dpchrist@holgerdanske.com>
Message-ID: <b1143059-fe17-e024-4e6d-d6dfd4e56464@holgerdanske.com>
Date: Wed, 14 Jun 2017 09:13:11 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CADyrUxNgfu-g24hcQA9Fc-YATTJA0tmkq+N9u3Rta+1-Cp+=hw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 16:13:52 -0000

On 06/14/2017 05:35 AM, Jov wrote:
> On 06/14/2017 2:20 PM，"David Christensen wrote:
>> I issued the following command:
>>
>> toor@freebsd:/root # geli setkey -n 0 /dev/ada0s1d Enter new
>> passphrase: Reenter new passphrase: Note, that the master key
>> encrypted with old keys and/or passphrase may still exists in a
>> metadata backup file.
>>
>> Now when I boot, I enter the passphrase at the boot menu, a bunch
>> of stuff scrolls by, and then I see:
>>
>> Enter passphrase for ada0s1d:
>>
>> I enter the new passphrase and I see:
>>
>> GEOM_ELI: Wrong key for ada0s1d.  Tries left: 2. Enter passphrase
>> for ada0s1d:
>
> You change the passphrase without key file？ the default geli boot
> will read key files in /boot dir，the key file name is set in
> /boot/loader.conf, you shoud remove the settings if you not set it.

Thank you for the clue.


I would now like to edit /boot/loader, to see if I can adjust the 
settings so that GELI will decrypt my root partition using just a 
passphrase.


When I boot the FreeBSD 11.0 i386 installer into single-user mode:

# mount /dev/ada0s1a /mnt
mount /dev/ada0s1a: Invalid argument


Why is mount(8) complaining?

# ls -l /dev/ada0s1a
crw-r-----  1 root  operator  0x5b Jun 14 15:53 /dev/ada0s1a


David