====== ZFS on Linux Encryption ======

ZoL supports native encryption since version 0.8.0

I'm sure it's coming from Ubuntu in a future release, but I wanted to encrypt /home now with Focal Fossa 20.04. There is the option to install on a full ZFS root, but it does not give the option to use encryption (yet).

I was able to create a new zfs volume for /home with encryption.  The passphrase is from a prompt during boot of the system.

<note important>Note: for this to work (to be able to unmount /home/$USER, you have to set a root password so you can log in directly as root without using sudo</note>

<code>
$ sudo passwd root
</code>

Log out and in on console as root.

<code>
# zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=/mnt rpool/home

# rsync -avPSH /home/ /mnt/

# zfs destroy rpool/USERDATA/ian_pxg1jp -r

# zfs umount rpool/home

# zfs inherit mountpoint rpool/home

# zfs mount -l rpool/home
</code>


----


Now that you have an encrypted ZFS volume mounted on /home, create and enable a systemd service file to prompt for the password at boot (only for **Ubuntu 19.10**, later releases have an updated generator method ''/lib/systemd/system-generators/zfs-mount-generator'')

<code>
# editor /etc/systemd/system/zfskey-rpool@.service
</code>

<code>
[Unit]
Description=Load %I encryption keys
Before=systemd-user-sessions.service
After=zfs-import.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/bash -c 'until (systemd-ask-password "Encrypted ZFS password for %I: " --no-tty | zfs mount -l rpool/%I); do echo "Try again!"; done'

[Install]
WantedBy=zfs-mount.service
</code>

<code>
# systemctl enable zfskey-rpool@home
</code>