sd-zfs
Support zfs native encryption
This is not really supported yet. If anyone ever needs this, feel free to comment on this
Since encryption support has been added since >= 7.01, is it possible to add encryption support to sd-zfs?
I'll see what I can do. I'm currently very busy with other projects, so I can't guarantee that I will add it soon. If anyone with C knowledge wants to help, I'm happy to help with the code and merge a PR.
Hello, is there any news on this matter?
There is a PR (#24), but I cannot really test it right now because my zfs on root broke (too much source code patching...)
@dasJ I can help you finish the implementation and test it; what needs to be done?
I am also game to help on this as it is personally relevant. I fully intend to have natively encrypted zfs on root one way or another and this is the best option of which I am aware.
In fact, this may not even need to be in the purview of sd-zfs... It may be as simple as changing a line in the zfs-import-scan.service file from:
ExecStart=/usr/bin/zpool import -aN -o cachefile=none
to:
ExecStart=/usr/bin/zpool import -aN -l -o cachefile=none
which includes the option to query all data sets contained in the pool to determine if an encryption key is needed. When this is performed in a booted environment, the terminal will block for passphrase or check the provided key location in order to decrypt the drive. I don't see why this would not also be the case when the pools are initially imported... I plan to try on a throwaway system at some point soon but if others have results please share them here.
OK, so it is not as simple as that because there still isn't a hook in to query the user for a password. It may work if the dataset were encrypted with a hardware token, but that is just a corner case. Basically, there needs to be a sd-zfs-encrypt equivalent of sd-encrypt.
This looks like a fantastic place to start:
https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook
The intended purpose of the zfsencryptssh hook above is to decrypt a natively encrypted zfs root remotely. This is a very specific use case unfortunately, but making it more general is easier than going from scratch. I will also be investigating if the archzfs set of tools already is compatible with systemd-boot in which case it may make sense to try to get the non-overlapping parts of this project merged into their tree.
Apparently, the standard zfs initramfs hook does this but in an inelegant way:
https://blog.seonwoolee.com/using-zfs-native-encryption-on-root/
So we should be able to support it with zfs load-key in the proper place in the sd-zfs hook, even if ultimately a new sd-zfs-encrypt hook is the more elegant solution.
+1
+1
https://github.com/gsauthof/dracut-sshd
https://manpath.be/f32/1/systemd-tty-ask-password-agent
Maybe the use of systemd-tty-ask-password-agent does what you need? @guygma
Edit: How it is done in dracut: https://github.com/openzfs/zfs/blob/master/contrib/dracut/90zfs/zfs-load-key.sh.in
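An added example, not part of the thread and not sd-zfs or PR #24 code: a sketch of the load-key step discussed above, which decides per encryption root whether the key can be loaded unattended or must be requested through systemd-ask-password. The function names and the sample dataset layout are assumptions made for illustration.

```shell
# Added example. Function names and sample datasets are hypothetical.
# Constructed sample of `zfs get -H -o name,property,value ...` output (tab-separated).
sample_props() {
    printf '%s\t%s\t%s\n' \
        rpool encryptionroot - rpool keystatus - rpool keylocation none \
        rpool/ROOT encryptionroot rpool/ROOT rpool/ROOT keystatus unavailable rpool/ROOT keylocation prompt \
        rpool/ROOT/default encryptionroot rpool/ROOT rpool/ROOT/default keystatus unavailable rpool/ROOT/default keylocation none \
        rpool/data encryptionroot rpool/data rpool/data keystatus unavailable rpool/data keylocation file:///etc/zfs/data.key \
        rpool/home encryptionroot rpool/home rpool/home keystatus available rpool/home keylocation prompt
}

# Read property lines on stdin, print "ask <root>" or "auto <root>" for each
# encryption root whose key is not loaded yet.
plan_key_loading() {
    awk -F '\t' '
        $2 == "encryptionroot" { root[$1] = $3 }
        $2 == "keystatus"      { status[$1] = $3 }
        $2 == "keylocation"    { loc[$1] = $3 }
        END {
            for (ds in root) {
                if (root[ds] != ds) continue              # child or unencrypted: no key of its own
                if (status[ds] != "unavailable") continue # key already loaded
                print (loc[ds] == "prompt" ? "ask" : "auto") " " ds
            }
        }' | sort
}

# Load every missing key in a pool. The passphrase is piped straight into
# zfs load-key, so it never appears in a variable or on a command line.
unlock_pool() {
    props=$(zfs get -H -o name,property,value -r encryptionroot,keystatus,keylocation "$1") || return 1
    plan=$(printf '%s\n' "$props" | plan_key_loading)
    while read -r action ds; do
        case $action in
            ask)  systemd-ask-password --no-tty "Passphrase for $ds:" | zfs load-key "$ds" ;;
            auto) zfs load-key "$ds" </dev/null ;;
        esac || return 1
    done <<EOF
$plan
EOF
}
```

In an initramfs this would run after `zpool import -N` and before the root dataset is mounted; `sample_props | plan_key_loading` shows the decision logic without touching a pool.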
Any updates on this?
I have been using PR #24 mentioned by @dasJ for a long time now without any issues. Why not merge this PR?