shavee
Unlock ZFS Datasets with Shavee during boot
I'm using Shavee to unlock a ZFS dataset as part of my boot process, and thought I'd share how I'm doing it:
/etc/systemd/system/zfs-shavee-unlock@.service

```ini
[Unit]
Description=Unlock ZFS Dataset %I with Shavee
DefaultDependencies=no
Before=systemd-user-sessions.service
Before=zfs-mount.service
After=zfs-import.target
After=systemd-vconsole-setup.service

[Service]
Type=oneshot
RemainAfterExit=yes
# %I is the unescaped instance name, so zfs-shavee-unlock@zroot-data gives %I = zroot/data.
# Skip datasets whose key is already loaded; otherwise prompt up to three times.
# ($$ is how a literal $ is written in a unit file.)
ExecStart=/bin/sh -c 'set -eu;keystatus="$$(/sbin/zfs get -H -o value keystatus "%I")";[ "$$keystatus" = "unavailable" ] || exit 0;count=0;while [ $$count -lt 3 ];do systemd-ask-password --id="zfs:%I" "Enter passphrase for %I"| shavee -y -s 1 -z "%I" && exit 0; count=$$((count + 1));done;exit 1'
# On stop, unload the key again if it is loaded.
ExecStop=/bin/sh -c 'set -eu;keystatus="$$(/sbin/zfs get -H -o value keystatus "%I")";[ "$$keystatus" = "available" ] || exit 0;/sbin/zfs unload-key "%I"'

[Install]
WantedBy=zfs-mount.service
```
I'm using slot 1 for HMAC challenges on my YubiKey, so you may need to alter the Shavee command if you're using a different slot.
Then just enable the service for your encrypted pool, e.g. to unlock zroot/data you'd do `systemctl enable zfs-shavee-unlock@zroot-data`.
This is great. I suggest updating the README and adding this method as a separate section.
BTW, is there a way to also pass the shavee arguments (like -y -s 1 in this case) during the systemctl enable command? That would make it possible to write a single systemd service for all the supported combinations.
There's no easy way to do that as far as I know. You can pass an "instance" to a systemd service with the @ convention. It will convert hyphens to slashes. So you'd have to figure out a way to encode the Shavee options, a separator, and the dataset name.
https://unix.stackexchange.com/questions/323914/dynamic-variables-in-systemd-service-unit-files
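As an added example that is not part of the original post or of shavee itself, the following helper script is one way to answer the question above with a single template unit: the unit calls the script with %I, and the script reads the shavee options for that dataset from a config file keyed by dataset name, so no options are baked into the unit or encoded in the instance name. The script path `/usr/local/sbin/zfs-shavee-unlock`, the config file `/etc/shavee/datasets.conf` and its `<dataset> <options...>` line format are assumptions; the `zfs`, `shavee` and `systemd-ask-password` invocations and the three-attempt loop are the ones from the unit posted above.

```shell
#!/bin/sh
# Added example (not shavee's code and not from the original post).
# Hypothetical helper /usr/local/sbin/zfs-shavee-unlock, called by a single
# template unit as:  ExecStart=/usr/local/sbin/zfs-shavee-unlock unlock %I
#                    ExecStop=/usr/local/sbin/zfs-shavee-unlock lock %I
set -u

# Assumed config file, one dataset per line: "<dataset> <shavee options...>"
# e.g.  zroot/data -y -s 1
CONF="${SHAVEE_UNLOCK_CONF:-/etc/shavee/datasets.conf}"
# Commands are variables so they can be overridden (e.g. stubbed in a test).
ZFS="${ZFS:-/sbin/zfs}"
SHAVEE="${SHAVEE:-shavee}"
ASKPASS="${ASKPASS:-systemd-ask-password}"
MAX_TRIES="${MAX_TRIES:-3}"

# Print the options configured for a dataset. Fails if the dataset has no
# line, so a mistyped instance name cannot silently fall back to defaults.
shavee_args_for() {
    awk -v ds="$1" '
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        $1 == ds { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit !found }' "$CONF"
}

# Unlock one dataset: no-op if the key is already loaded, otherwise prompt
# up to MAX_TRIES times. Returns 0 on success, 1 on failure.
unlock_dataset() {
    ds="$1"
    status="$("$ZFS" get -H -o value keystatus "$ds")" || return 1
    [ "$status" = "unavailable" ] || return 0
    args="$(shavee_args_for "$ds")" || {
        echo "no shavee options configured for $ds in $CONF" >&2
        return 1
    }
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        # $args is intentionally unquoted: it holds several words (-y -s 1)
        if "$ASKPASS" --id="zfs:$ds" "Enter passphrase for $ds" | "$SHAVEE" $args -z "$ds"; then
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}

# Mirror of the unit's ExecStop: unload the key only if it is loaded.
lock_dataset() {
    ds="$1"
    status="$("$ZFS" get -H -o value keystatus "$ds")" || return 1
    [ "$status" = "available" ] || return 0
    "$ZFS" unload-key "$ds"
}

# Entry point when run by the unit: zfs-shavee-unlock unlock|lock <dataset>
case "${1:-}" in
    unlock) unlock_dataset "$2" ;;
    lock)   lock_dataset "$2" ;;
esac
```

With this, `systemctl enable zfs-shavee-unlock@zroot-data` unlocks `zroot/data` with whatever options its config line carries, and a second dataset that uses another YubiKey slot only needs another line. Because the config file decides which HMAC slot is challenged, keep it root-owned and not group- or world-writable.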
I think we can try using configuration files with systemd services.
To implement config files in addition to arguments, there is clap_conf; however, it is very thin on documentation.
Config files seem like a good idea!
This task is gated by clap_conf supporting Clap 3.
As I mentioned in #20, ... it seems that clap_conf is not updated for clap 3.0. Looking for a replacement, marioortizmanero/structconf feels like a good candidate for this task.