
Add init script to automatic load keys #11659

Closed
ogelpre opened this issue Feb 27, 2021 · 3 comments
Labels
Type: Feature Feature request or new feature

Comments

@ogelpre
Contributor

ogelpre commented Feb 27, 2021

Motivation

I am using ZFS with encryption on a storage server. The root pool is decrypted during boot in dracut. With dracut-crypt-ssh, decryption of the root pool is possible remotely.

OpenZFS datasets have to be decrypted manually afterwards.

Describe the feature you would like to see added to OpenZFS

An init script for OpenZFS which loads keys from the URI saved in the keylocation property.

How will this feature improve OpenZFS?

This adds functionality to OpenZFS similar to /etc/crypttab for encrypted block devices on Linux.
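As an added example (not the init script submitted for this issue and not OpenZFS project code), here is how such a loader can decide which encryption roots it may unlock without prompting and then load their keys. It treats `file://`, `http://` and `https://` keylocations as loadable and skips `prompt`, which is what the property distinguishes. The column order of the `zfs list` invocation, the constructed sample output, the dataset names, and the command override used for the dry run are all assumptions of this example.

```sh
#!/bin/sh
# Added example: pick the encryption roots whose keys can be loaded without
# prompting and load them. Not the OpenZFS init script from this issue.
# Assumed column order (from: zfs list -H -o name,encryptionroot,keylocation,keystatus):
#   name <TAB> encryptionroot <TAB> keylocation <TAB> keystatus

# select_roots: reads that tab-separated list on stdin and prints each
# encryption root once if its key is not loaded and its keylocation is a URI.
# "prompt" and "none" are skipped; children inherit the key from their root,
# so only rows where name == encryptionroot are considered.
select_roots() {
  awk -F'\t' '
    $1 == $2 && $4 == "unavailable" && $3 ~ /^(file|https?):\/\// && !seen[$1]++ {
      print $1
    }'
}

# load_keys: runs "zfs load-key <root>" for every selected root read from stdin.
# The first argument overrides the zfs command (e.g. "echo" for a dry run).
# Returns non-zero if any key failed to load, so the init system notices.
load_keys() {
  cmd="${1:-zfs}"
  rc=0
  while IFS= read -r root; do
    "$cmd" load-key "$root" || { echo "load-key failed for $root" >&2; rc=1; }
  done
  return "$rc"
}

# Constructed sample of the zfs list output (assumed dataset names and key paths).
sample_list() {
  printf '%s\t%s\t%s\t%s\n' \
    'tank'               '-'            'none'                                    '-' \
    'tank/secrets'       'tank/secrets' 'file:///etc/zfs/keys/secrets.key'        'unavailable' \
    'tank/secrets/child' 'tank/secrets' 'none'                                    'unavailable' \
    'tank/manual'        'tank/manual'  'prompt'                                  'unavailable' \
    'tank/loaded'        'tank/loaded'  'file:///etc/zfs/keys/loaded.key'         'available' \
    'tank/remote'        'tank/remote'  'https://keys.example.invalid/remote.key' 'unavailable'
}

# Real use (as root, after the pools are imported):
#   zfs list -H -o name,encryptionroot,keylocation,keystatus | select_roots | load_keys
# Dry run against the constructed sample:
if [ "${1:-}" = "--demo" ]; then
  sample_list | select_roots | load_keys echo
fi
```

Running the script with `--demo` prints the two `load-key` invocations it would make (`tank/secrets` and `tank/remote`); `tank/manual` is left for an interactive prompt, `tank/loaded` already has its key, and the child dataset is covered by its encryption root. The non-zero return from `load_keys` is what lets an init system mark the unit failed instead of silently continuing with unmounted datasets.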

@ogelpre ogelpre added the Type: Feature Feature request or new feature label Feb 27, 2021
ogelpre pushed a commit to ogelpre/zfs that referenced this issue Feb 27, 2021
Add new init scripts which allow automatic loading of keys if keylocation
property is set to a URI.

Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
ogelpre pushed a commit to ogelpre/zfs that referenced this issue May 25, 2021
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
ogelpre pushed a commit to ogelpre/zfs that referenced this issue May 28, 2021
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
ogelpre pushed a commit to ogelpre/zfs that referenced this issue Nov 3, 2021
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
@crocket

crocket commented Nov 29, 2021

One problem with key files is that a ZFS dataset can't contain multiple keys. If you lose key files, your encrypted zfs dataset is lost.

Key files can also be stolen by hackers. If you memorize one passphrase, multiple zfs datasets can be unlocked with one passphrase during boot.

/usr/lib/dracut/modules.d/99local/module-setup.sh

```sh
#!/bin/sh
# dracut module setup: registers zfs-load-key-all.sh as a pre-mount hook

check() {
  return 0
}

depends() {
  # requires the dracut zfs module (zfs userland and kernel module in the initramfs)
  echo zfs
  return 0
}

install() {
  inst_hook pre-mount 80 "${moddir}/zfs-load-key-all.sh"
}
```

/usr/lib/dracut/modules.d/99local/zfs-load-key-all.sh

```sh
#!/bin/sh
modprobe zfs
zpool import -N -a                  # import all pools without mounting
echo 3 > /proc/sys/kernel/printk    # quiet the console so the prompt stays readable

# Ask for one passphrase and try it against every encryption root. Roots whose
# key is already loaded are skipped, so a partial success does not loop forever
# (a second load-key on an already-unlocked root would fail and retry endlessly).
while true; do
  stty -echo
  printf 'Passphrase for datasets: '
  read -r PASS
  stty echo
  echo
  ok=1
  for root in encryption-root1 encryption-root2; do
    [ "$(zfs get -H -o value keystatus "$root")" = "available" ] && continue
    printf '%s\n' "$PASS" | zfs load-key "$root" || ok=0
  done
  [ "$ok" = 1 ] && break
done
```

echo 3 > /proc/sys/kernel/printk makes the kernel print only error messages. Otherwise, the kernel prints verbose messages over the passphrase prompt.

The scripts are dirty because I didn't have time for cleanness.

@ogelpre
Contributor Author

ogelpre commented Nov 29, 2021

One problem with key files is that a ZFS dataset can't contain multiple keys. If you lose key files, your encrypted zfs dataset is lost.

That is no argument, because as soon as the system is up and running, an attacker also has access to the already loaded keys and mounted filesystems.

Please stop hijacking this feature request. You don't have to use this feature and can use other solutions.

@crocket

crocket commented Nov 30, 2021

Anyway, it is good to have /etc/init.d/zfs-load-key.

ogelpre pushed a commit to ogelpre/zfs that referenced this issue Nov 30, 2021
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Dec 17, 2021
openzfs/zfs@f04b976
^ this commit added zfs-load-key service
let's notify users that they may want to add it.

openzfs/zfs#11659
openzfs/zfs#11662
Signed-off-by: Georgy Yakovlev <[email protected]>
tonyhutter pushed a commit to tonyhutter/zfs that referenced this issue Feb 10, 2022
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Reviewed-by: Ahelenia Ziemiańska <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
Closes openzfs#11662
nicman23 pushed a commit to nicman23/zfs that referenced this issue Aug 22, 2022
Add new init scripts which allow automatic loading of keys if
keylocation property is set to a URI.

Reviewed-by: Ahelenia Ziemiańska <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: Benedikt Neuffer <[email protected]>
Closes openzfs#11659
Closes openzfs#11662
gentoo-repo-qa-bot pushed a commit to gentoo-mirror/linux-be that referenced this issue Jul 2, 2023
openzfs/zfs@f04b976
^ this commit added zfs-load-key service
let's notify users that they may want to add it.

openzfs/zfs#11659
openzfs/zfs#11662
Signed-off-by: Georgy Yakovlev <[email protected]>