Encrypted zfs pool doesn't auto decrypt and mount, can do it manually

MinishMan

New Member
Jul 13, 2023
I've been getting started with Proxmox in the last few weeks. Love the software and the learning experience. Thank you!

Background
I've basically got it set up nicely now using ZFS encryption. Followed this amazing guide: https://forum.proxmox.com/threads/full-disk-encryption-with-zfs-using-proxmox-installer.127512/
I have one pool - rpool - on a small SSD.
I unlock the 'root' dataset at boot time over SSH using dropbear.
Then I have a systemd service that runs ExecStart=/usr/bin/zfs load-key -a to unlock my encrypted 'vault' dataset with my containers and VMs.
All works great.

Problem
I have a pool - 'naspool' - that's my NAS storage. That has a dataset naspool/nas that's encrypted with a keyfile.
This pool isn't auto unlocked by the service, but is unlocked and mounted instantly when I manually run /usr/bin/zfs load-key -a from the console myself.
Can anyone tell me why it isn't getting auto unlocked and mounted?

My idea
Is it because I don't have it referenced anywhere in my /etc/pve/storage.cfg file?
I haven't done that because I'm not using it for container or image storage and I'm afraid I'll do something bad to the filesystem if I put it in there.
Or is that irrelevant and this is something else?
 
While searching for the same/a similar problem, I found this thread and it's still unanswered?
My root is on ext4 on an M.2 SSD, the virtual machines are on a pool consisting of two mirrors with an encrypted zfs.
The encryption key is saved on the root, as I am not worried about loss of the whole server but want to be able to change the mirrored SSD (like to replace or send in for repair).
I thought creating an encrypted zfs with a key on a reachable filesystem should load the key and mount the filesystem automatically.

But instead while restarting, I end up with an unavailable zfs and the machines are not getting started.
When running zfs load-key -a, the file system is mounted/becomes available.

Do I have to write a systemd file for loading the key?

Regards, Urs
 
While I do not myself use ZFS encryption for various reasons (e.g. [1]), it would be interesting to see the boot log journalctl -b > current.log and the service file.

[1] https://bugzilla.proxmox.com/show_bug.cgi?id=2350
 
The journal is very noisy; if I could filter it, I'd post parts.

Code:
cat ./usr/lib/systemd/system/zfs-mount.service
[Unit]
Description=Mount ZFS filesystems
Documentation=man:zfs(8)
DefaultDependencies=no
After=systemd-udev-settle.service
After=zfs-import.target
After=systemd-remount-fs.service
Before=local-fs.target
ConditionPathIsDirectory=/sys/module/zfs

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/zfs
ExecStart=/sbin/zfs mount -a

[Install]
WantedBy=zfs.target

Code:
cat ./etc/systemd/system/zfs.target.wants/zfs-mount.service
[Unit]
Description=Mount ZFS filesystems
Documentation=man:zfs(8)
DefaultDependencies=no
After=systemd-udev-settle.service
After=zfs-import.target
After=systemd-remount-fs.service
Before=local-fs.target
ConditionPathIsDirectory=/sys/module/zfs

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/zfs
ExecStart=/sbin/zfs mount -a

[Install]
WantedBy=zfs.target

The file /etc/default/zfs does look quite standard.
It also contains:
# Run `zfs load-key` during system start?
ZFS_LOAD_KEY='yes'
 
Oh, so I thought you had followed (to an applicable extent) the same guide as the OP, I suppose this one:
https://forum.proxmox.com/threads/f...s-using-proxmox-installer.127512/#post-557808

@Dunuin has a zfs-load-key.service there, so I suppose you did not create that yourself yet?

The file /etc/default/zfs does look quite standard.
It also contains:
# Run `zfs load-key` during system start?
ZFS_LOAD_KEY='yes'

I have not tested this, but educated guess - this is completely ignored because ... systemd.
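
A key-loading unit of the kind discussed in this thread, ordered against the zfs-mount.service shown above. This is an added example, not the unit from the linked guide or from any poster; the file location and the key directory in RequiresMountsFor= are placeholders to adapt.

```ini
# /etc/systemd/system/zfs-load-key.service
# Added example; unit location and key directory are assumptions.
[Unit]
Description=Load ZFS encryption keys
Documentation=man:zfs-load-key(8)
DefaultDependencies=no
# Pools have to be imported before keys for their datasets can be loaded.
After=zfs-import.target
# "zfs mount -a" skips encrypted datasets whose key is not loaded,
# so the keys must be in place before zfs-mount.service starts.
Before=zfs-mount.service
# Placeholder: the filesystem holding the key file must be mounted first.
RequiresMountsFor=/path/to/keydir
ConditionPathIsDirectory=/sys/module/zfs

[Service]
Type=oneshot
RemainAfterExit=yes
# Loads keys for every encrypted dataset in all imported pools,
# using each dataset's keylocation property.
ExecStart=/sbin/zfs load-key -a

[Install]
# Pull this unit in whenever the mount service is started.
WantedBy=zfs-mount.service
```

After creating the file, run systemctl daemon-reload and systemctl enable zfs-load-key.service; after a reboot, zfs get keystatus,keylocation on the dataset shows whether its key was loaded and where it was read from. Keep the key file readable by root only, since anyone who can read it can unlock the dataset.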
 
