Hello, I was reading your comments about using a GPG-encrypted keyfile to unlock a ZFS root pool at openzfs https://github.com/openzfs/zfs/issues/12426
I'm not a coder, but just wanted to note that I've successfully unlocked a ZFS pool using keys stored in plaintext on a USB drive, just by adding that USB drive mount point to fstab and including the initramfs option, then using -O keylocation=file:///[mountpoint] when creating the pool.
So at some point I'm planning to test having the ZFS key on a LUKS-encrypted USB drive, and using GPG keys for the LUKS unmounting, plus adding the initramfs option to /etc/crypttab, which then pulls it into initramfs.
The only issue I can think of is getting it to unlock and mount the LUKS volume before attempting to unlock the ZFS pool.
(EDIT: this happens in the right order by default in my plaintext test, so should not be an issue.)
But this approach would not require any custom scripts as far as I can see. So I just thought I'd mention this if you are interested to test. Regards, Mike
Hello there!
Thanks for reaching out! I don't use gentoo on my main machine anymore, but I should still have it installed in a virtual machine somewhere, to test.
First off, sounds very promising!
If I understood you correctly, your boot process would look like this:
USB device that contains a GPG encrypted LUKS keyfile and a plain boot partition
GPG keyfile gets decrypted in RAM, unlocks and mounts a second partition (LUKS) on disk
Second partition gets mounted and contains keyfile for ZFS
initrd will attempt to mount ZFS next, which will succeed, since the keyfile now exists on disk
I think that might work, if you ignore all of the headaches with partitions not mounting instantly - this is already accounted for so far in genkernel, IIRC.
Also, another thing to consider testing is the dropbear mounting script.
There is really a lot going on in initrd and it's really difficult to test properly; that's why I didn't want my code to be used upstream without someone else implementing it properly - it's very likely to break something critical.
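Both posts above hinge on the same ordering problem: the ZFS keyfile referenced by `keylocation=file:///...` only becomes readable once the (LUKS-backed) USB mount is up, and the reply notes that partitions do not always mount instantly. The following POSIX shell helper is an added example and not code from this thread or from genkernel; it shows how an initrd hook could wait for the keyfile with a timeout, refuse a keyfile with loose permissions, and only then call `zfs load-key -L`. The pool name, key path, timeout and the `ZFS_POOL`/`ZFS_KEYLOCATION`/`KEY_TIMEOUT` environment variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the issue or genkernel): wait for a ZFS keyfile on a
# late-appearing mount before loading the key. Names below are assumptions.

# Turn a keylocation URI into a local path. Only file:// URIs are accepted,
# because prompt/https locations cannot be satisfied by a keyfile on a mount.
keylocation_to_path() {
    case "$1" in
        file:///*) printf '%s\n' "${1#file://}" ;;
        *) return 1 ;;
    esac
}

# Poll until the keyfile exists and is readable, or give up after $2 seconds.
# This is the "partitions not mounting instantly" race from the thread: the
# LUKS USB stick may be unlocked a moment after ZFS first asks for its key.
wait_for_keyfile() {
    path=$1; timeout=${2:-30}; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ -r "$path" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Refuse a keyfile that is group- or world-readable (mode must be 0?00).
keyfile_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Full sequence: validate the URI, wait for the mount, check perms, load key.
# Distinct exit codes let the initrd log which step failed.
load_pool_key() {
    pool=$1; loc=$2; timeout=${3:-30}
    path=$(keylocation_to_path "$loc") \
        || { echo "unsupported keylocation: $loc" >&2; return 2; }
    wait_for_keyfile "$path" "$timeout" \
        || { echo "keyfile $path did not appear within ${timeout}s" >&2; return 3; }
    keyfile_perms_ok "$path" \
        || { echo "refusing $path: keyfile must not be group/world readable" >&2; return 4; }
    # Real OpenZFS command; -L overrides the pool's stored keylocation.
    zfs load-key -L "$loc" "$pool"
}

# Only act when invoked with the assumed environment, e.g. from an initrd hook:
#   ZFS_POOL=rpool ZFS_KEYLOCATION=file:///mnt/usbkey/zfs.key KEY_TIMEOUT=30 ./load-key.sh
if [ -n "${ZFS_POOL:-}" ]; then
    load_pool_key "$ZFS_POOL" "${ZFS_KEYLOCATION:?}" "${KEY_TIMEOUT:-30}"
fi
```

The permission check is the cheap defensive addition: a plaintext key on a USB stick is only as protected as the filesystem around it, so the hook declines to load a key that any local user could have read, and the distinct return codes make a failed boot attributable to "mount never appeared" versus "bad keyfile" in the initrd log.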