====== ZFS on Linux Encryption ======
ZoL has supported native encryption since version 0.8.0.

I'm sure it's coming from Ubuntu in a future release, but I wanted to encrypt /home now with Focal Fossa 20.04. There is the option to install on a full ZFS root, but it does not give the option to use encryption (yet).

I was able to create a new ZFS volume for /home with encryption. The passphrase is from a prompt during boot of the system.

Note: for this to work (to be able to unmount /home/$USER), you have to set a root password so you can log in directly as root without using sudo.

  $ sudo passwd root

Log out, then log in on the console as root.

  # zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=/mnt rpool/home
  # rsync -avPSH /home/ /mnt/
  # zfs destroy -r rpool/USERDATA/ian_pxg1jp
  # zfs umount rpool/home
  # zfs inherit mountpoint rpool/home
  # zfs mount -l rpool/home
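
To confirm the result of the steps above, the following added example (not part of the original page) parses the output of ''zfs get -H -o name,property,value encryption,keyformat,keystatus rpool/home'' and checks that the dataset is encrypted, uses a passphrase key and has its key loaded. The helper names ''check_zfs_encryption'' and ''sample_zfs_get'' and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. check_zfs_encryption and
# sample_zfs_get are hypothetical helper names.
#
# Reads the tab-separated output of
#   zfs get -H -o name,property,value encryption,keyformat,keystatus <dataset>
# on stdin and returns 0 only if <dataset> is encrypted, uses a passphrase
# key as in the steps above, and currently has its key loaded.
check_zfs_encryption() {
    dataset=$1
    enc='' fmt='' status='' rc=0
    tab=$(printf '\t')
    while IFS=$tab read -r name prop value; do
        [ "$name" = "$dataset" ] || continue
        case $prop in
            encryption) enc=$value ;;
            keyformat)  fmt=$value ;;
            keystatus)  status=$value ;;
        esac
    done
    case $enc in
        ''|off) echo "FAIL: $dataset encryption=${enc:-missing}"; rc=1 ;;
        *)      echo "ok:   $dataset encryption=$enc" ;;
    esac
    if [ "$fmt" = passphrase ]; then
        echo "ok:   keyformat=passphrase"
    else
        echo "FAIL: keyformat=${fmt:-missing}, expected passphrase"; rc=1
    fi
    if [ "$status" = available ]; then
        echo "ok:   key is loaded"
    else
        echo "FAIL: keystatus=${status:-missing}, key not loaded"; rc=1
    fi
    return $rc
}

# Constructed sample of what the command prints for the unlocked dataset.
sample_zfs_get() {
    printf 'rpool/home\tencryption\taes-256-gcm\n'
    printf 'rpool/home\tkeyformat\tpassphrase\n'
    printf 'rpool/home\tkeystatus\tavailable\n'
}

sample_zfs_get | check_zfs_encryption rpool/home
```

On the real system, pipe the live ''zfs get'' command into ''check_zfs_encryption rpool/home'' instead of the sample.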
----
Now that you have an encrypted ZFS volume mounted on /home, create and enable a systemd service file to prompt for the password at boot. This is only needed on **Ubuntu 19.10**; later releases have an updated generator method, ''/lib/systemd/system-generators/zfs-mount-generator''.

  # editor /etc/systemd/system/zfskey-rpool@.service

  [Unit]
  Description=Load %I encryption keys
  Before=systemd-user-sessions.service
  After=zfs-import.target
  [Service]
  Type=oneshot
  RemainAfterExit=yes
  ExecStart=/usr/bin/bash -c 'until (systemd-ask-password "Encrypted ZFS password for %I: " --no-tty | zfs mount -l rpool/%I); do echo "Try again!"; done'
  [Install]
  WantedBy=zfs-mount.service

  # systemctl enable zfskey-rpool@home