I think that my confusion is due to my personal lack of knowledge about GELI. To test FreeNAS in depth, I'm trying to reproduce FreeNAS' encryption sequence on a standard and clean installation of FreeBSD 9.1.
I followed these steps (da3 is the target drive):
1) dd if=/dev/random of=/var/backups/first.key bs=64 count=1
   # this sets a new keyfile
2) geli init -s 4096 -P -K /var/backups/first.key /dev/da3
   # this is the initial condition (I suppose) when, in FreeNAS, we set the encryption, but no passphrase has been entered yet.
Now I stop at step 2), because I can't match FreeNAS' terminology with the geli man page's list of options. The next step should be to add a password/passphrase, but if I write:
3) geli setkey -n 0 -k /var/backups/first.key /dev/da3
   # it overwrites the Master Key with the password/passphrase and doesn't add the passphrase to the keyfile; I'm not using "-n 1" because the next step should be "generate recovery key", which obviously should take place in "slot" (or "keyno", as the man page calls it) # 1 of the user's keys (the available slots are 0 and 1).
So:
FreeNAS terminology   GELI terminology
-------------------   ----------------------------------------------------------
passphrase            passphrase (this is OK)
key                   keyfile? Master Key? keyfile in slot # 0 with passphrase?
recovery key          2nd keyfile, slot # 1, without password?
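An added example, not code from the original post or from FreeNAS: a shell script that builds the two-slot layout the post sketches with nothing but geli init and setkey (slot 0 = key file plus passphrase, slot 1 = a second key file with no passphrase, taken here as an assumption about how FreeNAS maps its terms). The device and file paths are placeholders, and GELI can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: two-slot GELI layout on a detached
# provider. Slot 0 = key file + passphrase, slot 1 = recovery key file, no
# passphrase (assumed FreeNAS mapping). Paths are placeholders.
set -eu

GELI="${GELI:-geli}"          # override with a stub for a dry run
PROV="${PROV:-/dev/da3}"
KEYFILE="${KEYFILE:-/var/backups/first.key}"
RECOVERY="${RECOVERY:-/var/backups/recovery.key}"
PASSFILE="${PASSFILE:-/var/backups/passphrase.txt}"   # one line: the passphrase

# 64 random bytes as the key-file component of a user key, readable by root only.
make_keyfile() {
    dd if=/dev/random of="$1" bs=64 count=1 2>/dev/null
    chmod 0600 "$1"
}

# init stores the master key in slot 0, wrapped with the key file alone
# (-P: no passphrase component). This is the state right after init.
init_provider() {
    "$GELI" init -s 4096 -P -K "$KEYFILE" "$PROV"
}

# Rewrap slot 0 so it needs BOTH the key file and a passphrase. Lowercase
# options (-p, -k) describe the current user key, uppercase (-K, -J) the new
# one; the master key is unchanged, only its slot-0 wrapping is replaced.
add_passphrase() {
    "$GELI" setkey -n 0 -p -k "$KEYFILE" -K "$KEYFILE" -J "$PASSFILE" "$PROV"
}

# Unlock via slot 0 (key file + passphrase) and put a second, passphrase-less
# copy of the master key in slot 1: the recovery key.
add_recovery_key() {
    "$GELI" setkey -n 1 -k "$KEYFILE" -j "$PASSFILE" -P -K "$RECOVERY" "$PROV"
}

run_sequence() {
    make_keyfile "$KEYFILE"
    init_provider
    add_passphrase
    make_keyfile "$RECOVERY"
    add_recovery_key
}

# Only act on a real provider when asked: RUN_SEQUENCE=1 sh geli-slots.sh
if [ "${RUN_SEQUENCE:-0}" = 1 ]; then
    run_sequence
fi
```

Either key file on its own opens nothing once step 3 has run: slot 0 needs the key file and the passphrase, and slot 1 needs the recovery file, so the recovery file must be stored as carefully as the passphrase.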