Full Disk Encryption with ZFS using Proxmox installer

It's not unlocked yet. You need to unlock that pool too. I created a systemd service for that which unlocks the second pool. The keyfile used for encrypting the pool must be accessible (it could be stored on the encrypted rpool that is already unlocked at the time the service triggers).

From my notes:

Create service to auto unlock keyfile encrypted ZFS pools after boot

  • create service: nano /etc/systemd/system/zfs-load-key.service
    Add there:
    Code:
    [Unit]
    Description=Load encryption keys
    DefaultDependencies=no
    After=zfs-import.target
    Before=zfs-mount.service
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/bin/zfs load-key -a
    StandardInput=tty-force
    
    [Install]
    WantedBy=zfs-mount.service
  • enable service: systemctl enable zfs-load-key.service
 
I am a bit confused. I already have this service created and apparently it is working for the 1st pool, and since my 2nd pool uses the same keyfile, shouldn't it also work with the 2nd?
 
I would check: zfs list -o name,keystatus,mounted,encryption,keyformat,keylocation
You are right, the keyfile wasn't properly loaded:
Code:
NAME                      KEYSTATUS    MOUNTED  ENCRYPTION   KEYFORMAT   KEYLOCATION
rpool                     -            yes      off          none        none
rpool/ROOT                available    yes      aes-256-gcm  passphrase  prompt
rpool/ROOT/pve-1          available    yes      aes-256-gcm  passphrase  none
rpool/data                available    yes      aes-256-gcm  hex         file:///root/.keys/rpool_data.key
rpool_sn640               -            yes      off          none        none
rpool_sn640/data          unavailable  no       aes-256-gcm  hex         file:///root/.keys/rpool_data.key

The strange thing is, the key can be manually loaded with the command zfs load-key rpool_sn640/data, and everything will be fine; however, the service can only load the key for the 1st dataset (rpool/data) and fails to load the key for the 2nd (rpool_sn640/data).

The service:
Code:
/etc/systemd/system/zfs-load-key@.service

[Unit]
Description=Load encryption keys for %I
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/zfs load-key %I
StandardInput=tty-force

[Install]
WantedBy=zfs-mount.service

systemctl enable zfs-load-key@rpool-data.service zfs-load-key@rpool_sn640-data.service

Succeeded in loading key for rpool/data
Bash:
root@pve:~# systemctl status zfs-load-key@rpool-data.service
● zfs-load-key@rpool-data.service - Load encryption keys for rpool/data
     Loaded: loaded (/etc/systemd/system/zfs-load-key@.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2024-02-21 10:58:58 HKT; 1h 8min ago
    Process: 1105 ExecStart=/usr/bin/zfs load-key -L file:///root/.keys/rpool_data.key rpool/data (code=exited, status=0/SUCCESS)
   Main PID: 1105 (code=exited, status=0/SUCCESS)
        CPU: 27ms

Feb 21 10:58:58 pve systemd[1]: Starting zfs-load-key@rpool-data.service - Load encryption keys for rpool/data...
Feb 21 10:58:58 pve systemd[1]: Finished zfs-load-key@rpool-data.service - Load encryption keys for rpool/data.

Failed to load key for rpool_sn640/data
Bash:
root@pve:~# systemctl status zfs-load-key@rpool_sn640-data.service
× zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data
     Loaded: loaded (/etc/systemd/system/zfs-load-key@.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-02-21 10:58:58 HKT; 1h 9min ago
    Process: 1106 ExecStart=/usr/bin/zfs load-key -L file:///root/.keys/rpool_data.key rpool_sn640/data (code=exited, status=1/FAI>
   Main PID: 1106 (code=exited, status=1/FAILURE)
        CPU: 3ms

Feb 21 10:58:58 pve systemd[1]: Starting zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data...
Feb 21 10:58:58 pve systemd[1]: zfs-load-key@rpool_sn640-data.service: Main process exited, code=exited, status=1/FAILURE
Feb 21 10:58:58 pve systemd[1]: zfs-load-key@rpool_sn640-data.service: Failed with result 'exit-code'.
Feb 21 10:58:58 pve systemd[1]: Failed to start zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data.
lines 1-11/11 (END)
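A post-boot check that automates the zfs list query suggested above, added here as an example and not taken from this thread or from Proxmox: it parses the tab-separated output of zfs list -H and reports every encrypted dataset whose key is still unavailable, together with whether the key file its keylocation points to is readable at that moment (the first post notes the keyfile must be accessible when the unit runs). The listing piped in below is constructed for the demo; the dataset names and the --live flag are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find encrypted ZFS datasets whose key
# is still unavailable and say whether their key file is reachable right now.
# Input format (stdin or live): zfs list -H -o name,keystatus,encryption,keylocation
# Usage:  sh zfs-key-check.sh --live        # query the running system
#         sh zfs-key-check.sh < listing.tsv # inspect a saved listing offline

tab=$(printf '\t')

# Read listing lines from stdin; print "dataset<TAB>keylocation<TAB>verdict"
# for each dataset whose key is not loaded. Returns 1 if any were found.
unloaded_keys() {
    found=0
    while IFS="$tab" read -r name keystatus encryption keylocation; do
        [ "$encryption" = "off" ] && continue         # plain, unencrypted dataset
        [ "$keystatus" = "unavailable" ] || continue  # key already loaded (or '-' inherited)
        case "$keylocation" in
            file://*)
                path="${keylocation#file://}"
                if [ -r "$path" ]; then
                    verdict="keyfile-readable"   # file is there: look at unit ordering and journal
                else
                    verdict="keyfile-missing"    # key lives somewhere not mounted/readable yet
                fi ;;
            prompt) verdict="needs-prompt" ;;    # passphrase datasets need an interactive load
            *)      verdict="unknown-location" ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$keylocation" "$verdict"
        found=1
    done
    return $found
}

# Query the live system. Exit status 1 means at least one dataset is still
# locked, so this can run as a post-boot health check after the load-key unit.
check_live_pools() {
    zfs list -H -o name,keystatus,encryption,keylocation | unloaded_keys
}

if [ "${1:-}" = "--live" ]; then
    check_live_pools
fi
```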
 
The tutorial got very long (40 pages or so o_O because I explained a lot of ZFS basics). Then I stopped writing because I had other things to do, and meanwhile I reinstalled my PVE servers and did the encryption a bit differently, so some things would have to be updated. I still need to find some time to edit the existing chapters of the tutorial and write the last few missing chapters. There were also some problems no one found a good solution for, but which I still think are important. For example, it looks like there is no option to have a mirrored swap without hardware RAID, and I would really like to cover an encrypted mirrored swap partition.
Did this ever get completed?