Support zfs native encryption

[dasJ]

No description provided.

[dasJ]

This is not really supported yet. If anyone ever needs this, feel free to comment on this

[justrobd]

Since encryption support has been added since >= 7.01. Is it possible to add encryption support into sd-zfs?

[dasJ]

I see what I can do. I'm currently very busy with other projects, so I can't guarantee that I will add it soon. If anyone with C knowledge wants to help, I'm happy to help with the code and merge a PR

[grumpyKraut]

Hello, are there any news on this matter?

[dasJ]

There is a PR (#24), but I cannot really test it right now because my zfs on root broke (too much source code patching...)

[lovesegfault]

@dasJ I can help you finish the implementation and test it; what needs to be done?

[guyest]

I am also game to help on this as it personally relevant. I fully intend to have natively encrypted zfs on root one way or another and this is the best option of which I am aware.

[guyest]

In fact, this may not even need to be in the purview of sd-zfs... It may be as simple as changing a line in the zfs-import-scan.service file from:

ExecStart=/usr/bin/zpool import -aN -o cachefile=none

to:

ExecStart=/usr/bin/zpool import -aN -l -o cachefile=none

which includes the option to query all data sets contained in the pool to determine if an encryption key is needed. When this is performed in a booted environment, the terminal will block for passphrase or check the provided key location in order to decrypt the drive. I don't see why this would not also be the case when the pools are initially imported... I plan to try on a throwaway system at some point soon but if others have results please share them here.

[guyest]

OK, so it is not as simple as that because there still isn't a hook in to query the user for a password. It may work if the dataset were encrypted with a hardware token, but that is just a corner case. Basically, there needs to be a sd-zfs-encrypt equivalent of sd-encrypt.

[guyest]

This looks like a fantastic place to start:

https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook

The intended purpose of the zfsencryptssh hook above is to decrypt a natively encrypted zfs root remotely. This is a very specific use case unfortunately, but making it more general is easier than going from scratch. I will also be investigating if the archzfs set of tools already is compatible with systemd-boot in which case it may make sense to try to get the non-overlapping parts of this project merged into their tree.

[guyest]

Apparently, the standard zfs initramfs hook does this but in an inelegant way:

https://blog.seonwoolee.com/using-zfs-native-encryption-on-root/

So we should be able to support it with zfs load-key in the proper place in the sd-zfs hook, even if ultimately a new sd-zfs-encrypt hook is the more elegant solution.

[eoli3n]

+1

[xorl]

+1

[sotiris-bos]

https://github.com/gsauthof/dracut-sshd

https://manpath.be/f32/1/systemd-tty-ask-password-agent

Maybe the use of systemd-tty-ask-password-agent does what you need? @guygma

Edit: How it is done in dracut: https://github.com/openzfs/zfs/blob/master/contrib/dracut/90zfs/zfs-load-key.sh.in

[siavashs]

Any updates on this?

[ChristophSchmidpeter]

I have been using PR #24 mentioned by @dasJ for a long time now without any issues. Why not merge this PR?