Gentoo Forums
[SOLVED] How to unlock encrypted zfs datasets during boot?
crocket
Guru


Joined: 29 Apr 2017
Posts: 558

PostPosted: Wed Nov 24, 2021 4:57 am    Post subject: [SOLVED] How to unlock encrypted zfs datasets during boot? Reply with quote

I want to open multiple encrypted zfs datasets during boot by entering a password once.

Even the root partition is an encrypted zfs dataset.

Different datasets belong to different zfs pools but have the same passphrase. Thus, they need to be opened separately by something.


Last edited by crocket on Mon Nov 29, 2021 1:57 am; edited 1 time in total
mrbassie
l33t


Joined: 31 May 2013
Posts: 772
Location: over here

PostPosted: Wed Nov 24, 2021 4:09 pm    Post subject: Reply with quote

I guess you could use zfs-change-key to switch to using keyfiles instead (I think you can switch between key types ...?), set the keylocation to be /whatever so that only / is decrypted with a passphrase and script loading the keyfiles.
crocket
Guru


Joined: 29 Apr 2017
Posts: 558

PostPosted: Mon Nov 29, 2021 1:56 am    Post subject: Reply with quote

mrbassie wrote:
I guess you could use zfs-change-key to switch to using keyfiles instead (I think you can switch between key types ...?), set the keylocation to be /whatever so that only / is decrypted with a passphrase and script loading the keyfiles.


The problem is that a zfs dataset can contain only one key. If I lose the key file accidentally, I cannot ever recover the encrypted dataset again.
LUKS supports multiple keys. One of them can be a passphrase. Another can be a keyfile.

Also, a keyfile can be stolen by hackers. I can memorize one passphrase.

I figured out a dirty way to unlock multiple encrypted zfs datasets with one passphrase during boot.


Last edited by crocket on Mon Nov 29, 2021 2:08 am; edited 1 time in total
crocket
Guru


Joined: 29 Apr 2017
Posts: 558

PostPosted: Mon Nov 29, 2021 2:01 am    Post subject: Reply with quote

I found a dirty way to unlock encrypted zfs datasets with one passphrase during boot.

/usr/lib/dracut/modules.d/99local/module-setup.sh

Code:
#!/bin/sh

# dracut module: always include this module in the initramfs
check() {
  return 0
}

# pull in dracut's own zfs module first
depends() {
  echo zfs
  return 0
}

# run the key-loading script in the pre-mount stage, before the root dataset is mounted
install() {
  inst_hook pre-mount 80 "${moddir}/zfs-load-key-all.sh"
}


/usr/lib/dracut/modules.d/99local/zfs-load-key-all.sh

Code:
# load the zfs module and import every pool without mounting anything
modprobe zfs
zpool import -N -a
# let only kernel error messages through, so they do not overwrite the prompt
echo 3 > /proc/sys/kernel/printk

while true; do
  stty -echo
  read -p "Passphrase for datasets: " PASS
  stty echo
  echo
  for ds in encryption-root1 encryption-root2; do
    # skip datasets unlocked on an earlier attempt: zfs load-key fails on an already
    # loaded key, which would otherwise make a retry after one wrong passphrase loop forever
    [ "$(zfs get -H -o value keystatus "$ds")" = "available" ] && continue
    echo "$PASS" | zfs load-key "$ds" || continue 2
  done
  break
done
unset PASS


Execute

Code:
dracut --kver $(uname -r) --force


Somehow, `modprobe zfs` and `zpool import -N -a` are necessary.

`echo 3 > /proc/sys/kernel/printk` makes the kernel print only error messages. Otherwise, the kernel prints verbose messages over the passphrase prompt.

The scripts are dirty because I didn't have time for cleanness. I can clean them up later.
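A more general version of the hook from the post above, added here as an example and not part of the thread: it enumerates encryption roots at boot instead of hard-coding `encryption-root1`/`encryption-root2`, and re-prompts only for the ones still locked. Function names are my own; it assumes OpenZFS native encryption and the dracut layout used above.

```sh
#!/bin/sh
# Added example, not crocket's code: a pre-mount hook that finds every encryption
# root whose key is still unavailable and offers one passphrase to each.

# Filter `zfs list -H -o name,encryptionroot,keystatus` lines (tab separated,
# read from stdin) down to encryption roots with no key loaded. Pure shell so
# it also works in a minimal initramfs and can be tested without zfs.
pending_encryption_roots() {
  tab=$(printf '\t')
  while IFS="$tab" read -r name root status; do
    # a dataset is an encryption root when encryptionroot equals its own name;
    # unencrypted datasets show "-" in both columns and are skipped
    if [ "$name" = "$root" ] && [ "$status" = "unavailable" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Prompt once without echoing; the passphrase is piped to zfs, never passed as an argument.
read_passphrase() {
  stty -echo 2>/dev/null
  printf 'Passphrase for datasets: ' >&2
  read -r PASS
  stty echo 2>/dev/null
  printf '\n' >&2
}

unlock_all() {
  modprobe zfs
  zpool import -N -a
  echo 3 > /proc/sys/kernel/printk   # keep kernel chatter off the prompt
  while :; do
    roots=$(zfs list -H -o name,encryptionroot,keystatus -t filesystem,volume \
            | pending_encryption_roots)
    [ -z "$roots" ] && break        # nothing left to unlock
    read_passphrase
    # a wrong passphrase fails only this dataset; roots unlocked on this pass
    # are no longer "unavailable" and so are not retried on the next one
    printf '%s\n' "$roots" | while IFS= read -r ds; do
      printf '%s\n' "$PASS" | zfs load-key "$ds" || echo "load-key failed for $ds" >&2
    done
    unset PASS
  done
}

# Guard so the file can be sourced for testing; in the installed hook call unlock_all directly.
case "${1:-}" in --run) unlock_all ;; esac
```

Run it by hand with `sh zfs-load-key-all.sh --run`; when installed through `inst_hook`, replace the final `case` line with a bare `unlock_all`.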