Full Disk Encryption with ZFS using Proxmox installer

Its not unlocked yet. You need to unlock that pool too. I created a systemd service for that which unlocks the second pool. Keyfile used for encrypting the pool must be accessible (could be stored on the encrypted rpool that is already unlocked at the time the service triggers).

From my notes:

Create service to auto unlock keyfile encrypted ZFS pools after boot​

  • create service:nano /etc/systemd/system/zfs-load-key.service
    Add there:
    Code: 
    [Unit]
Description=Load encryption keys
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/zfs load-key -a
StandardInput=tty-force

[Install]
WantedBy=zfs-mount.service
  • enable service:systemctl enable zfs-load-key.service
 
Last edited:
I am a bit confused. I already have this service created and apparently it is working for the 1st pool, and since my 2nd pool uses the same keyfile, shouldn't it also work with the 2nd ?
 
Dunuin said:
I would check: zfs list -o name,keystatus,mounted,encryption,keyformat,keylocation
Click to expand...
You are right, the keyfile wasn't properly loaded:
Code: 
NAME                      KEYSTATUS    MOUNTED  ENCRYPTION   KEYFORMAT   KEYLOCATION
rpool                     -            yes      off          none        none
rpool/ROOT                available    yes      aes-256-gcm  passphrase  prompt
rpool/ROOT/pve-1          available    yes      aes-256-gcm  passphrase  none
rpool/data                available    yes      aes-256-gcm  hex         file:///root/.keys/rpool_data.key
rpool_sn640               -            yes      off          none        none
rpool_sn640/data          unavailable  no       aes-256-gcm  hex         file:///root/.keys/rpool_data.key

The strange thing is, the key can be manually loaded with the command zfs load-key rpool_sn640/data, and everything will be fine; however, a service can only load key for the 1st dataset (rpool/data) and will fails to load key for the 2nd (rpool_sn640/data).

The service:
Code: 
/etc/systemd/system/zfs-load-key@.service

[Unit]
Description=Load encryption keys for %I
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/zfs load-key %I
StandardInput=tty-force

[Install]
WantedBy=zfs-mount.service

systemctl enable zfs-load-key@rpool-data.service zfs-load-key@rpool_sn640-data.service

Succeeded in loading key for rpool/data
Bash: 
root@pve:~# systemctl status zfs-load-key@rpool-data.service
● zfs-load-key@rpool-data.service - Load encryption keys for rpool/data
     Loaded: loaded (/etc/systemd/system/zfs-load-key@.service; enabled; preset: enabled)
     Active: active (exited) since Wed 2024-02-21 10:58:58 HKT; 1h 8min ago
    Process: 1105 ExecStart=/usr/bin/zfs load-key -L file:///root/.keys/rpool_data.key rpool/data (code=exited, status=0/SUCCESS)
   Main PID: 1105 (code=exited, status=0/SUCCESS)
        CPU: 27ms

Feb 21 10:58:58 pve systemd[1]: Starting zfs-load-key@rpool-data.service - Load encryption keys for rpool/data...
Feb 21 10:58:58 pve systemd[1]: Finished zfs-load-key@rpool-data.service - Load encryption keys for rpool/data.

Failed to load key for rpool_sn640/data
Bash: 
root@pve:~# systemctl status zfs-load-key@rpool_sn640-data.service
× zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data
     Loaded: loaded (/etc/systemd/system/zfs-load-key@.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-02-21 10:58:58 HKT; 1h 9min ago
    Process: 1106 ExecStart=/usr/bin/zfs load-key -L file:///root/.keys/rpool_data.key rpool_sn640/data (code=exited, status=1/FAI>
   Main PID: 1106 (code=exited, status=1/FAILURE)
        CPU: 3ms

Feb 21 10:58:58 pve systemd[1]: Starting zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data...
Feb 21 10:58:58 pve systemd[1]: zfs-load-key@rpool_sn640-data.service: Main process exited, code=exited, status=1/FAILURE
Feb 21 10:58:58 pve systemd[1]: zfs-load-key@rpool_sn640-data.service: Failed with result 'exit-code'.
Feb 21 10:58:58 pve systemd[1]: Failed to start zfs-load-key@rpool_sn640-data.service - Load encryption keys for rpool_sn640/data.
lines 1-11/11 (END)
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom