This is all described in the
9.3 Guide, Section 8.1.8.1:
In order from left to right, these additional encryption buttons are used to:
Create/Change Passphrase: click this button to set and confirm the passphrase associated with the GELI encryption key. You will be prompted to input and repeat the desired passphrase and a red warning reminds you to “Remember to add a new recovery key as this action invalidates the previous recovery key”. Unlike a password, a passphrase can contain spaces and is typically a series of words. A good passphrase is easy to remember (like the line to a song or piece of literature) but hard to guess (people who know you should not be able to guess the passphrase).
Remember this passphrase as you can not re-import an encrypted volume without it. In other words, if you forget the passphrase, the data on the volume can become inaccessible if you need to re-import the pool. Protect this passphrase as anyone who knows it could re-import your encrypted volume, thwarting the reason for encrypting the disks in the first place.
Once the passphrase is set, the name of this button will change to “Change Passphrase”. After setting or changing the passphrase, it is important to immediately create a new recovery key by clicking the “Add recovery key” button. This way, if the passphrase is forgotten, the associated recovery key can be used instead.
Download Key: click this icon to download a backup copy of the GELI encryption key. The encryption key is saved to the client system, not on the FreeNAS® system. You will be prompted to input the password used to access the FreeNAS® administrative GUI before selecting the directory in which to store the key. Since the GELI encryption key is separate from the FreeNAS® configuration database, it is highly recommended to make a backup of the key. If the key is ever lost or destroyed and there is no backup key, the data on the disks is inaccessible.
Encryption Re-key: generates a new GELI encryption key. Typically this is only performed when the administrator suspects that the current key may be compromised. This action also removes the current passphrase.
Add recovery key: generates a new recovery key. This screen will prompt you to input the password used to access the FreeNAS® administrative GUI and then to select the directory in which to save the key. Note that the recovery key is saved to the client system, not on the FreeNAS® system. This recovery key can be used if the passphrase is forgotten.
Always immediately add a recovery key whenever the passphrase is changed.
Remove recovery key: Typically this is only performed when the administrator suspects that the current recovery key may be compromised.
Immediately create a new passphrase and recovery key.
Note
The passphrase, recovery key, and encryption key need to be protected. Do not reveal the passphrase to others. On the system containing the downloaded keys, take care that the system and its backups are protected. Anyone who has the keys has the ability to re-import the disks should they be discarded or stolen.