Re: GELI zfs encryption removal

From: Alan Somers <asomers_at_freebsd.org>
Date: Wed, 14 Feb 2024 23:19:04 UTC
On Wed, Feb 14, 2024 at 4:09 PM void <void@f-m.fm> wrote:
>
> Hi,
>
> I'd like to remove GELI encryption. It was installed
> when the OS was installed; the option to encrypt data was
> chosen when auto-zfs was selected.
>
> At the moment, when it reboots, it prompts for the GELI
> passphrase, which I have to enter from the console[1], and it
> then boots normally. [1] is a nuisance to access, so I'd like to
> (safely) remove it. Is this possible, without having to transfer
> all the data out, reformat, then transfer it all back in again?

Short answer: no

Long answer, maybe.  There are two possibilities.

If your pool is mirrored, then you can remove one device from the
mirror, reformat it without geli, add it back to the pool with "zpool
attach", wait for resilver to complete, then do the same with the
other device.

If this is not your boot pool, then you may be able to simply set the
key to use a passfile instead of a passphrase.  Just create the
passfile on the unencrypted boot pool, and use "geli setkey" to
replace your geli device's passfile with this passphrase.  If you do
that, the data will still be encrypted but it will no longer prompt
for a password on boot.  Of course, that encryption won't do you any
good if somebody steals the entire computer ...
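As an added example, not part of Alan's reply or any FreeBSD project script, the following POSIX sh sketch puts both of his options into a reviewable form. It assumes a pool named zroot, GELI-backed mirror members da0p3.eli and da1p3.eli, and a keyfile at /root/geli.key; all of those names are placeholders. With DRY_RUN=1 (the default) every command is printed rather than executed, so the sequence can be checked against your own `zpool status` output before anything destructive runs.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: pool "zroot",
# GELI mirror members da0p3.eli and da1p3.eli, keyfile /root/geli.key.
# DRY_RUN=1 (the default) prints each command instead of running it.

POOL="${POOL:-zroot}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option 1 (mirrored pool): take one GELI-backed member out of the mirror,
# wipe its GELI metadata, and reattach the same partition without GELI.
# Run it for the second member only after the first resilver has finished.
# Arguments: partition to convert (da1p3), member that stays online (da0p3.eli).
swap_mirror_member() {
    part="$1"
    survivor="$2"
    run zpool detach "$POOL" "${part}.eli"                # mirror keeps running on the survivor
    run geli detach "${part}.eli"                         # release the .eli provider
    run geli clear "/dev/${part}"                         # destroys GELI metadata on this member
    run zpool attach "$POOL" "$survivor" "/dev/${part}"   # resilver onto the plain partition
}

# Block until the pool has finished resilvering (dry-run only shows the check).
wait_for_resilver() {
    if [ "$DRY_RUN" = 1 ]; then
        run zpool status "$POOL"
        return 0
    fi
    while zpool status "$POOL" | grep -q 'resilver in progress'; do
        sleep 30
    done
}

# Option 2 (non-boot pool): keep GELI, but replace the passphrase-derived key
# with a random keyfile kept on the unencrypted boot pool, and let rc(8)
# attach the provider at boot. Arguments: keyfile path, partition (da1p3).
switch_to_keyfile() {
    keyfile="$1"
    part="$2"
    run dd if=/dev/random of="$keyfile" bs=64 count=1
    run chmod 0400 "$keyfile"
    # -P: the new key needs no passphrase; -K: the new keyfile.
    # The provider must be attached, so the old passphrase is not asked for.
    run geli setkey -P -K "$keyfile" "$part"
    # rc.conf(5): attach with -p (no passphrase) and -k keyfile before zpool import.
    run sysrc geli_devices+="$part"
    run sysrc "geli_${part}_flags=-p -k $keyfile"
}
```

Typical dry-run use: `swap_mirror_member da1p3 da0p3.eli; wait_for_resilver`, then the same for da0p3 with da1p3 as the survivor; set DRY_RUN=0 only once the printed commands match your device names. Two checks worth doing afterwards: `geli clear` really does erase that member, so the pool must be healthy on the survivor before you run it, and once no member uses GELI any more, look in /boot/loader.conf for the geom_eli entries the installer wrote, since the loader will otherwise keep asking for a passphrase it no longer needs. The keyfile route keeps Alan's caveat: anyone who walks off with the whole machine also walks off with the key.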