User Tools

Site Tools


zfs-encryption

ZFS on Linux Encryption

ZoL supports native encryption since version 0.8.0

I'm sure it's coming from Ubuntu in a future release, but I wanted to encrypt /home now with Focal Fossa 20.04. There is the option to install on a full ZFS root, but it does not give the option to use encryption (yet).

I was able to create a new zfs volume for /home with encryption. The passphrase is from a prompt during boot of the system.

Note: for this to work (to be able to unmount /home/$USER, you have to set a root password so you can log in directly as root without using sudo
$ sudo passwd root

Log out and in on console as root.

# zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=/mnt rpool/home

# rsync -avPSH /home/ /mnt/

# zfs destroy rpool/USERDATA/ian_pxg1jp -r

# zfs umount rpool/home

# zfs inherit mountpoint rpool/home

# zfs mount -l rpool/home

Now that you have an encrypted ZFS volume mounted on /home, create and enable a systemd service file to prompt for the password at boot (only for Ubuntu 19.10, later releases have an updated generator method /lib/systemd/system-generators/zfs-mount-generator)

# editor /etc/systemd/system/[email protected]
[Unit]
Description=Load %I encryption keys
Before=systemd-user-sessions.service
After=zfs-import.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/bash -c 'until (systemd-ask-password "Encrypted ZFS password for %I: " --no-tty | zfs mount -l rpool/%I); do echo "Try again!"; done'

[Install]
WantedBy=zfs-mount.service
# systemctl enable zfskey-rpool@home
zfs-encryption.txt · Last modified: 2020/04/08 11:56 by ian

free spam filter