Here it is how I understand it: In the nvram are two keys, bootes password and the secstore key. The secstore key is used to decrypt the keyfs keyfile used by the auth server in /adm/keys. For initial setup, I use the following procedure:
- Kill the existing NVRAM by overwriting it: echo bla > /dev/sdC0/nvram
- Truncate the /adm/keys file, if that is corrupted: >/adm/keys
- reboot and fill in all necessary keys (this should also work when using auth/wrkey)
- kill keyfs. The keyfs running will corrupt the /adm/keys file again. I am not sure why this happens, maybe it works with the wrong key?
- auth/changeuser bootes and others
- fshalt the machine! I have experienced /adm/keys corruption because the filesystem wasn't consistent
This seems like an ugly hack to me. I would donate beer to the person that fixes this. I know others would too...