
Solved entering passphrase with prompt

Open faern opened this issue 6 years ago • 4 comments

Hi.

I have been experimenting with the same thing you do here. However, I want to avoid having the key be a file on disk if I can. I really want to enter a passphrase interactively on boot. What you write about as:

> 1. With keyformat=passphrase and keylocation=prompt, a special boot service that prompts for the passphrase...

After some tinkering I managed to solve this with systemd + plymouth. Since it was something you experimented with, I figured I should leave my solution here if you want it. The following works for me on a Fedora 30 machine with ZFS on Linux 0.8.1.

Create a systemd unit file at /usr/lib/systemd/system/zfs-load-key.service:

```ini
[Unit]
Description=Load ZFS encryption keys
DefaultDependencies=no
Before=systemd-user-sessions.service
Before=zfs-mount.service
After=zfs-import.target
After=plymouth-start.service systemd-vconsole-setup.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/plymouth ask-for-password --prompt 'Enter ZFS passphrase: ' --number-of-tries=3 --command 'zfs load-key <encrypted pool or dataset name>'

[Install]
WantedBy=zfs-mount.service
```

Enable the new service:

```sh
sudo systemctl enable zfs-load-key
```

Reboot and you are done.

faern avatar Jul 07 '19 19:07 faern

@faern, I think there is a simpler way to do passphrase encryption. You might find these threads helpful:

https://github.com/dynerose/Remote-unlock-native-ZFS/blob/bef71dc4df0e39d41d3a8e26bed5a86d28c7d44a/install.bash

https://linsomniac.gitlab.io/post/2020-04-09-ubuntu-2004-encrypted-zfs/

alexsmartens avatar May 18 '20 21:05 alexsmartens

Thank you so much for this, I finally got prompted for a password during boot and got my zfs dataset decrypted properly.

> Create a systemd unit file at /usr/lib/systemd/system/zfs-load-key.service:

One minor exception is that I placed this file in /etc/systemd/system instead, because it was not provided by the operating system and/or vendor. I did a manual conversion to zfs after installation, however, so I wonder whether Ubuntu places a file with such a name in /usr/lib/systemd/system during install when the zfs option is chosen.

AlexeyGusev avatar Dec 19 '20 16:12 AlexeyGusev

Yeah /etc/systemd/system is much better! I learned that was the more idiomatic path to use after posting this :)

faern avatar Dec 20 '20 06:12 faern

This is a pretty smart way to go about it, but I wonder if, like LUKS/cryptsetup, there is caching of some kind so you can use a single key or password to unlock all the datasets.

ghost avatar Feb 25 '22 03:02 ghost
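The question above (one passphrase for several datasets) and the `--command 'zfs load-key <encrypted pool or dataset name>'` in faern's unit both hinge on what `zfs load-key` receives on stdin: plymouth hands the typed passphrase to the command once. The script below is an added example, not code from faern's post or from the zfs-boottime-encryption project. It reads that single passphrase, lists the encryption roots that are still locked and keyed by `prompt`, and feeds the passphrase to `zfs load-key` for each of them, returning non-zero if any root stayed locked so that `--number-of-tries` re-prompts. Assumptions: all prompt-keyed roots share the same passphrase, the script lives at a path of your choosing such as /usr/local/sbin/zfs-load-prompt-keys.sh (hypothetical), and the `ZFS` variable only exists so the parsing logic can be exercised without a ZFS pool; the `zfs list` columns and `zfs load-key` invocation are standard ZFS on Linux commands.

```shell
#!/bin/sh
# zfs-load-prompt-keys.sh (hypothetical name, added example): unlock every
# encryption root whose key is still unavailable and whose keylocation is
# "prompt", using ONE passphrase read from stdin. Meant to be the --command of
# `plymouth ask-for-password`, which writes the typed passphrase to our stdin.
# Assumes those roots share a passphrase.
set -eu

ZFS="${ZFS:-zfs}"   # command to run; overridable so the logic can be tested without a pool

# Parse `zfs list -H -o name,encryptionroot,keystatus,keylocation` (tab separated)
# from stdin and print only the encryption roots that still need a prompted key.
# Children inherit their root's key (their name != encryptionroot), so only the
# root is a candidate; file:// and https:// keylocations are left alone.
locked_prompt_roots() {
    awk -F'\t' '$1 == $2 && $3 == "unavailable" && $4 == "prompt" { print $1 }'
}

# Constructed sample of that `zfs list` output, used by the demo and the tests.
SAMPLE_LIST=$(printf 'rpool\t-\t-\t-\nrpool/enc\trpool/enc\tunavailable\tprompt\nrpool/enc/home\trpool/enc\tunavailable\tprompt\nrpool/keyfile\trpool/keyfile\tunavailable\tfile:///etc/zfs/rpool.key\nrpool/open\trpool/open\tavailable\tprompt\n')

# Runs the parser over the constructed sample; expected output is "rpool/enc" only.
demo_locked_roots() {
    printf '%s\n' "$SAMPLE_LIST" | locked_prompt_roots
}

# Feed the passphrase to `zfs load-key` for each locked root. Returns non-zero if
# any root stayed locked, so plymouth's --number-of-tries prompts again.
load_prompt_keys() {
    pass=''
    # plymouth may send the passphrase without a trailing newline, so read may
    # report EOF while still having filled $pass; emptiness is checked next.
    IFS= read -r pass || true
    if [ -z "$pass" ]; then
        echo 'empty passphrase, nothing loaded' >&2
        return 1
    fi
    roots=$("$ZFS" list -H -t filesystem,volume \
        -o name,encryptionroot,keystatus,keylocation | locked_prompt_roots)
    failed=0
    # Here-document instead of a pipe so the loop runs in this shell and $failed survives.
    while IFS= read -r root; do
        [ -n "$root" ] || continue
        if printf '%s\n' "$pass" | "$ZFS" load-key "$root" >/dev/null 2>&1; then
            echo "unlocked $root"
        else
            echo "wrong passphrase for $root" >&2
            failed=1
        fi
    done <<EOF
$roots
EOF
    unset pass
    return "$failed"
}

# Only act when invoked as the plymouth --command; merely defining the
# functions (e.g. when the file is sourced) has no side effects.
case "${1:-}" in
    --run) load_prompt_keys ;;
esac
```

With this in place the unit's ExecStart becomes `/usr/bin/plymouth ask-for-password --prompt 'Enter ZFS passphrase: ' --number-of-tries=3 --command '/usr/local/sbin/zfs-load-prompt-keys.sh --run'`. The passphrase never touches disk: it lives in the script's memory for the duration of the loop and is discarded afterwards, and a typo is reported per root rather than silently leaving one dataset locked.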