sd-zfs icon indicating copy to clipboard operation
sd-zfs copied to clipboard

Published 20 hours ago verified publisher icon dasJ

Implement decryption

Open ashfire908 opened this issue 7 years ago • 5 comments

Implemented the stubbed-out decryption methods using systemd-ask-password. Also made some tweaks to some error output as well as returning exit code 1 when mounting fails.

Currently it doesn't have any retry logic so if you enter the wrong password, it'll fail and you'll get dropped to the shell during boot. Also the code is probably horrible - I don't actually know C, but I managed to get this working over the weekend within my testing VM for ZFS stuff.

Side note: I had to hack this at one point to scan based on /dev/disk/by-partlabel instead of the default of by-id since my VM software (VMware Workstation) doesn't expose IDs for it's SCSI disks :slightly_frowning_face:. That might be useful to have in the future as a config parameter somewhere.

ashfire908 avatar Dec 11 '17 18:12 ashfire908

Thank you very much for your pull request. It looks good so far, and I would have probably never done it. Your C isn't that awful, I know my C which isn't that good as well. But learning by doing I guess ;) Other changes I'd like to see (but probably work for another PR, however I'd like to have them before creating a new relese), is retry when the password was incorrect and reading keyfiles. The only possible sources for key files are (IMO) raw (encrypted?) block devices and files inside the initrd. The keys being on a FS is probably a lot harder because we'd have to handle dependencies (what if the filesystem with the key is also an encrypted pool?)

dasJ avatar Dec 13 '17 21:12 dasJ

I agree with adding the additional features. I already wanted to add retry logic as a frequently typo my passwords, and the key file isn't a bad idea to add either, though that's a different flow. Also will take some thinking about if you want to allow external devices like a flash drive for the key source, but I've never used key files for system encryption, so I don't know how that flow normally goes. I do think that would be best addressed in a followup PR, to isolate the changes. When this PR gets far enough, we can just merge it into decryption branch and use that as a dev branch.

I'll be pushing some changes shortly to fix the first two comments.

ashfire908 avatar Dec 13 '17 21:12 ashfire908

As zfs 0.8.0 is coming up with native encryption, I'd like to help out to push this onward. @ashfire908 Are you still working on the changes mentioned above?

freswa avatar Apr 18 '19 21:04 freswa

@freswa No. I have stopped using ZFS (with or without native encryption) as I found it to be too much trouble, especially after my ZFS-based NAS box recently experienced file corruption + driver errors that corrupted the OS (and a couple non-critical files).

ashfire908 avatar May 27 '19 19:05 ashfire908

@dasJ I have been using this PR on my machine for a long time without any issues. Could you merge this PR, please?

ChristophSchmidpeter avatar May 05 '22 08:05 ChristophSchmidpeter