Support TFTP as a keylocation
Describe the feature you would like to see added to OpenZFS
It would be good if keylocation could use TFTP (or any protocol offered by curl).
How will this feature improve OpenZFS?
It would increase options for key storage.
Additional context
If zfs already uses curl (or libcurl) for http/https keys, then it ought to be a simple extension to allow the URL passed to curl to be anything that curl will accept. Currently, attempting to use tftp results in an error because, I guess, zfs performs validity checking on the given URL:
```
# zfs set keylocation=tftp://192.168.123.45/keys/myhost-mypool-enc-dataset.key mypool/enc
cannot set property for 'mypool/enc': invalid keylocation
```
(I didn't expect it to work because it isn't documented; I just tried it hoping that it would.)
You could make it even more general and allow `keylocation` to execute a script (keylocation=/path/to/script.sh). The script would write the key to stdout, which would be read by zfs. This would allow all manner of authentication. I haven't thought through the security implications of this, though.
Such a facility could also be interesting for approaches like:
- https://github.com/latchset/clevis/issues/218
- https://github.com/latchset/clevis/pull/467
> You could make it even more general and allow `keylocation` to execute a script (keylocation=/path/to/script.sh). The script would write the key to stdout, which would be read by zfs. This would allow all manner of authentication. I haven't thought through the security implications of this, though.
That would also allow people to use FIDO2/pkcs#11 hardware crypto tokens such as the Yubikey.
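An added example, not OpenZFS code and not posted by anyone in this thread: the script-to-stdout idea above can be approximated today because `keylocation=prompt` makes `zfs load-key` read the key from stdin. The wrapper below fetches a raw key from a URL, pins its SHA-256 (TFTP is unauthenticated and unencrypted, so a fetched key should be verified before it is trusted), checks the 32-byte raw-key length, and pipes it into the loader. The URL, dataset name, digest and the `load_key_checked`/`fetch_key` helper names are all assumptions for the illustration; `file://` URLs are read locally so the example runs offline, and the loader command is a parameter so it can be replaced for testing.

```shell
#!/bin/sh
# Added example (not OpenZFS code). Fetch a raw ZFS key from a URL, verify a
# pinned SHA-256 and the 32-byte raw-key length, then feed it on stdin to
# `zfs load-key -L prompt <dataset>`.

fetch_key() {
  # $1 = URL. file:// is read locally (offline example); tftp:// and https://
  # go through curl with the protocol allow-list pinned via --proto.
  case "$1" in
    file://*) cat "${1#file://}" ;;
    tftp://*|https://*) curl -fsS --proto =tftp,https "$1" ;;
    *) echo "unsupported keylocation scheme: $1" >&2; return 1 ;;
  esac
}

sha256_of_stdin() {
  # Portable hex digest of stdin (GNU coreutils or BSD/macOS shasum).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

load_key_checked() {
  # $1 = URL, $2 = dataset, $3 = expected SHA-256 hex of the key,
  # $4 = loader command (defaults to zfs; overridable for testing).
  url=$1; dataset=$2; expected=$3; loader=${4:-"zfs load-key -L prompt"}
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  if ! fetch_key "$url" > "$tmp"; then
    rm -f "$tmp"; return 1
  fi
  actual=$(sha256_of_stdin < "$tmp")
  if [ "$actual" != "$expected" ]; then
    echo "key digest mismatch for $dataset: got $actual" >&2
    rm -f "$tmp"; return 2
  fi
  # keyformat=raw keys are exactly 32 bytes; anything else is a bad download.
  size=$(wc -c < "$tmp" | tr -d ' ')
  if [ "$size" -ne 32 ]; then
    echo "key for $dataset is $size bytes, expected 32" >&2
    rm -f "$tmp"; return 3
  fi
  $loader "$dataset" < "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Example invocation (hypothetical host, path and digest):
# load_key_checked tftp://192.168.123.45/keys/myhost-mypool-enc-dataset.key \
#   mypool/enc 0123...cdef
```

The digest only proves the fetched bytes are the ones you pinned; it does not make TFTP private, so anyone on the path can still read the key in transit. Use `https://` with a verified server certificate where the boot environment allows it, and treat `tftp://` as acceptable only on a network you already trust to carry the key in cleartext.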