ZoL (ZFS on Linux) has supported native encryption since version 0.8.0.
I'm sure it's coming from Ubuntu in a future release, but I wanted to encrypt /home now with Focal Fossa 20.04. There is the option to install on a full ZFS root, but it does not give the option to use encryption (yet).
I was able to create a new zfs volume for /home with encryption. The passphrase is from a prompt during boot of the system.
$ sudo passwd root
Log out, then log back in on the console as root.
# zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=/mnt rpool/home
# rsync -avPSH /home/ /mnt/
# zfs destroy rpool/USERDATA/ian_pxg1jp -r
# zfs umount rpool/home
# zfs inherit mountpoint rpool/home
# zfs mount -l rpool/home
Now that you have an encrypted ZFS volume mounted on /home, create and enable a systemd service file to prompt for the password at boot (only for Ubuntu 19.10; later releases have an updated generator method, /lib/systemd/system-generators/zfs-mount-generator).
# editor /etc/systemd/system/zfskey-rpool@.service
[Unit]
Description=Load %I encryption keys
Before=systemd-user-sessions.service
After=zfs-import.target
[Service]
Type=oneshot
RemainAfterExit=yes
# Ask for the passphrase through the systemd password agent (--no-tty) and pipe it
# to "zfs mount -l"; repeat until the key loads and the dataset mounts.
ExecStart=/usr/bin/bash -c 'until (systemd-ask-password "Encrypted ZFS password for %I: " --no-tty | zfs mount -l rpool/%I); do echo "Try again!"; done'
[Install]
WantedBy=zfs-mount.service
# systemctl enable zfskey-rpool@home
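A check to run after the next reboot, as an added example that is not part of the original post: it reads the tab-separated output of `zfs get -H -o property,value` and reports whether the dataset is encrypted, unlocked and mounted at the expected path. The function name `check_encrypted_dataset` and the `sample_*` helpers are hypothetical, and the sample property listings are constructed so the block runs without a ZFS pool.

```shell
#!/bin/sh
# On a real system, feed the function with:
#   zfs get -H -o property,value encryption,keyformat,keystatus,mounted,mountpoint rpool/home \
#     | check_encrypted_dataset /home
check_encrypted_dataset() {
    want_mountpoint=$1
    problems=""
    seen=""
    tab=$(printf '\t')
    while IFS="$tab" read -r prop value; do
        seen="$seen $prop"
        case "$prop=$value" in
            encryption=off)        problems="$problems encryption-off" ;;
            keyformat=none)        problems="$problems no-key" ;;
            keystatus=unavailable) problems="$problems key-not-loaded" ;;
            mounted=no)            problems="$problems not-mounted" ;;
            mountpoint=*)
                [ "$value" = "$want_mountpoint" ] || problems="$problems wrong-mountpoint" ;;
        esac
    done
    # A property that never appeared in the input also counts as a failure.
    for p in encryption keyformat keystatus mounted mountpoint; do
        case " $seen " in
            *" $p "*) ;;
            *) problems="$problems missing-$p" ;;
        esac
    done
    if [ -n "$problems" ]; then
        echo "FAIL:$problems"
        return 1
    fi
    echo "OK"
}

# Constructed sample: dataset as it should look after a successful boot.
sample_good() {
    printf 'encryption\taes-256-gcm\nkeyformat\tpassphrase\nkeystatus\tavailable\nmounted\tyes\nmountpoint\t/home\n'
}
# Constructed sample: key was never loaded, so the dataset is not mounted.
sample_locked() {
    printf 'encryption\taes-256-gcm\nkeyformat\tpassphrase\nkeystatus\tunavailable\nmounted\tno\nmountpoint\t/home\n'
}

sample_good | check_encrypted_dataset /home
sample_locked | check_encrypted_dataset /home || true
```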