
Document remote unlock for Debian Buster Root on ZFS #46

Closed
khimaros opened this issue Aug 25, 2020 · 16 comments
Labels
documentation Improvements or additions to documentation

Comments

@khimaros

khimaros commented Aug 25, 2020

Debian Buster and later should support ZFS decrypt via dropbear-initramfs. This would be helpful to document in the Root on ZFS instructions, as remote unlock is particularly relevant for that use case.

Doc: https://github.com/openzfs/openzfs-docs/blob/master/docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.rst

I'm interested particularly in native ZFS encryption. There is already some documentation for doing this with LUKS keys.

@behlendorf behlendorf added the documentation Improvements or additions to documentation label Aug 25, 2020
@rlaager rlaager self-assigned this Aug 25, 2020
@rlaager
Member

rlaager commented Aug 25, 2020

This only works with openzfs/zfs@1cc635a (and if you're trying to build it, the couple refactor commits from me before that) from openzfs/zfs#10027 and the follow-up openzfs/zfs@7fcf824 from openzfs/zfs#10307. These have not landed in a (non-rc) release yet. They are in 2.0.0-rc1 and will be in the final 2.0.0. If/when that lands in buster-backports, then this can be added to the instructions.

@tehnic-take3

Hello,

For Debian Buster I use this "ugly" workaround.

Install and configure dropbear-initramfs.
After reboot, log in to your box with ssh and execute the following:

~ # ps

note PID1 of "plymouth ask-for-password --prompt Encrypted ZFS password for rpool"
note PID2 of "/sbin/zfs load-key rpool"

~ # echo "<passphrase>" >/proc/<PID2>/fd/0
~ # kill <PID1>

Best regards, Robert

@rlaager
Member

rlaager commented Sep 30, 2020

@tehnic-take3 That's a nice hack! I'm not going to add that to a guide, but it's definitely clever. :)

@rlaager
Member

rlaager commented Dec 27, 2020

Current status: OpenZFS 2.0.0 has been released, but is not yet packaged for Debian. So we are waiting for 2.0.0 to land in unstable, then migrate to testing, then (hopefully) be backported to buster-backports. At that time, I'll have to review and update the guide.

@khimaros
Author

Thank you for the update, I'm excited to see that this has been progressing!

@rlaager
Member

rlaager commented Jan 8, 2021

Update: OpenZFS 2.0 was uploaded to Debian experimental.

@rlaager
Member

rlaager commented Jan 11, 2021

Update: OpenZFS 2.0 was uploaded to Debian unstable. Barring major problems, it should migrate to testing in a week. At that point, it will be eligible for backporting. I assume the maintainers will backport it, but that's not guaranteed, nor is there a particular timeline. If/when that happens, I plan to review/update the guide, and this is something that I should be able to address at the same time.

@n0rc

n0rc commented Mar 23, 2021

ZFS 2.0 is in backports for some time now and is working flawlessly for me.

@anarcat
Contributor

anarcat commented May 4, 2021

ZFS 2.0 is in backports for some time now and is working flawlessly for me.

that's great, but how do you actually do remote unlock in ZFS with this?

@n0rc

n0rc commented May 4, 2021

that's great, but how do you actually do remote unlock in ZFS with this?

With zfsunlock from zfs-initramfs.

@anarcat
Contributor

anarcat commented May 4, 2021

but concretely, what's the procedure? dropbear-initramfs depends on cryptsetup, so I assume that's not it?

@rlaager
Member

rlaager commented Oct 19, 2021

I obviously haven't gotten to this, but it seems like I should include this when I eventually get to updating for Debian Bullseye.

@anarcat
Contributor

anarcat commented Oct 19, 2021

too bad that systemd-cryptsetup doesn't support zfs. :)

@n0rc

n0rc commented Oct 19, 2021

but concretely, what's the procedure? dropbear-initramfs depends on cryptsetup, so I assume that's not it?

zfs-initramfs installs a hook script that puts zfsunlock into your initramfs:

  1. apt install zfs-initramfs dropbear-initramfs
  2. Configure dropbear as you like
  3. update-initramfs -u

After you ssh into dropbear you will find zfsunlock available – run it, enter your password, and continue booting.
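The three-step procedure above, carried out as a script, as an added example that is not part of this issue or of the zfs-initramfs/dropbear-initramfs packages. It installs the two packages, writes a dropbear-initramfs config that only permits public-key login and disables port forwarding for the pre-boot SSH service, installs a restricted authorized key, and rebuilds the initramfs. Assumptions: the config paths `/etc/dropbear-initramfs/config` and `/etc/dropbear-initramfs/authorized_keys` are those of Debian Buster/Bullseye; the `ROOT` variable is a constructed knob that redirects the written files into a scratch directory (and skips `apt-get`/`update-initramfs`) so the functions can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example (not from the issue or the packages it discusses):
# prepare dropbear-initramfs for key-only remote unlock of a natively
# encrypted ZFS root, following the three steps from the comment above.
# ROOT (constructed, normally empty) prefixes every path so the functions
# can be run against a scratch directory instead of /.
set -eu

# Directory holding the dropbear-initramfs config (Buster/Bullseye layout).
dropbear_dir() {
    printf '%s/etc/dropbear-initramfs' "${ROOT:-}"
}

# Write the dropbear initramfs config: listen on the given port, allow
# public-key auth only (-s), disable local/remote port forwarding (-j -k)
# so the pre-boot SSH service cannot be used as a relay, and drop idle
# sessions after 180 s (-I).
write_dropbear_config() {
    port="$1"
    dir="$(dropbear_dir)"
    mkdir -p "$dir"
    cat > "$dir/config" <<EOF
# Pre-boot SSH for ZFS unlock; run zfsunlock after logging in.
DROPBEAR_OPTIONS="-s -j -k -I 180 -p $port"
EOF
    chmod 0644 "$dir/config"
}

# Install an authorized key for the initramfs SSH user, restricted so the
# login is only useful for running the unlock helper.
add_unlock_key() {
    pubkey="$1"
    dir="$(dropbear_dir)"
    mkdir -p "$dir"
    printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$pubkey" >> "$dir/authorized_keys"
    chmod 0600 "$dir/authorized_keys"
}

# Return 0 when the generated config disables password logins (-s),
# 1 otherwise; a quick check to run before rebuilding the initramfs.
config_is_key_only() {
    grep -q 'DROPBEAR_OPTIONS=".*-s' "$(dropbear_dir)/config"
}

# The full procedure: step 1 (install), step 2 (configure dropbear),
# step 3 (update-initramfs). Package and initramfs steps run only when
# ROOT is empty, i.e. when targeting the live system as root.
setup_remote_unlock() {
    port="${1:-2222}"
    pubkey="$2"
    if [ -z "${ROOT:-}" ]; then
        apt-get install -y zfs-initramfs dropbear-initramfs
    fi
    write_dropbear_config "$port"
    add_unlock_key "$pubkey"
    config_is_key_only
    if [ -z "${ROOT:-}" ]; then
        update-initramfs -u
    fi
}
```

Usage on the real system: `setup_remote_unlock 2222 "$(cat ~/.ssh/id_ed25519.pub)"` as root, then reboot, `ssh -p 2222 root@host`, and run `zfsunlock`. Using a port other than 22 for the initramfs service keeps the pre-boot host key from colliding with the booted system's host key in clients' known_hosts.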

@anarcat
Contributor

anarcat commented Oct 29, 2021

that works, thank you so much for the clarification! :)

@kayg04

kayg04 commented Nov 17, 2023

Hello, sorry for asking this in the old post, but can I make zfsunlock ask for the password for multiple pools instead of one? I am talking about Debian Bookworm.

To answer my own question, it's still WIP: zfsonlinux/pkg-zfs#237
