unlocking ZFS?

Dunuin

Distinguished Member
Jun 30, 2020
Hi,

As far as I can see, there is no built-in option to unlock ZFS pools at boot.

I found several ways to unlock the pools using systemd scripts, but I'm not sure if they would work as I think.

1.) There is a systemd script that runs as a oneshot between "Before=zfs-mount.service" and "After=zfs-import.target" to load a key file. This is only useful if the key is stored in a place that is already encrypted, which in my case is only the NAS. Is it possible to load the key file from an SMB/NFS share mounted on ProxmoxVE, or are network shares mounted after "zfs-import.target" has run, so the key files aren't ready at that point to unlock the pool?

2.) I also found a script that doesn't load a key file to unlock the pool but asks the user to input the passphrase. Is it possible to just pause the initialization of Linux until the correct passphrase is typed in? I could use the IPMI to VNC into the system to type in the password, but that would be a bit annoying, because there is no shared clipboard, so I would have to type it all in myself, and short/easy passwords would be useless.

How do you unlock your pools?
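The oneshot approach from option 1, written out as an added example (this is not code from the thread or from OpenZFS): a POSIX sh key loader plus the systemd unit that orders it After=zfs-import.target and Before=zfs-mount.service. It assumes the key files live in an assumed directory, /root/zfs-keys, on the already unlocked LUKS root, one file per encryption root named after the dataset with "/" replaced by "_"; the script and unit names are hypothetical. The unit also carries the answer to the ordering question about network shares: zfs-mount.service runs before local-fs.target, while network mounts are only attempted after network-online.target, so a unit that must finish before zfs-mount.service cannot also wait for an SMB/NFS mount without systemd reporting an ordering cycle.

```shell
#!/bin/sh
# zfs-load-keys.sh (hypothetical name): load ZFS native-encryption keys from
# key files on an already unlocked volume. Added example, not code from the
# thread. Run as a systemd oneshot ordered After=zfs-import.target and
# Before=zfs-mount.service (see print_unit below), so the `zfs mount -a` in
# zfs-mount.service finds the keys already loaded.
# Assumptions: key files live in $KEYDIR (default /root/zfs-keys on the LUKS
# root), one per encryption root, named after the dataset with every '/'
# replaced by '_' (tank/secret -> tank_secret.key), mode 0400, owned by root.
set -u

KEYDIR="${KEYDIR:-/root/zfs-keys}"

# Read `zfs list -H -o name,encryptionroot,keystatus -t filesystem,volume`
# on stdin and print each encryption root whose key is not loaded.
# Children that inherit a key have encryptionroot != name and are skipped,
# as are unencrypted datasets, which report "-" for both fields.
select_locked_roots() {
    awk -F'\t' '$2 != "-" && $1 == $2 && $3 == "unavailable" { print $1 }'
}

# Print the key file path for a dataset; fail if it is not readable, so the
# caller reports that instead of handing zfs a missing file.
key_file_for() {
    f="$KEYDIR/$(printf '%s' "$1" | tr '/' '_').key"
    [ -r "$f" ] && printf '%s\n' "$f"
}

load_all_keys() {
    rc=0
    # ZFS dataset names cannot contain whitespace, so word splitting is safe.
    for ds in $(zfs list -H -o name,encryptionroot,keystatus -t filesystem,volume \
                | select_locked_roots); do
        if f=$(key_file_for "$ds"); then
            # -L overrides the dataset's keylocation for this call only, so a
            # dataset created with keylocation=prompt still unlocks from a file.
            zfs load-key -L "file://$f" "$ds" || rc=1
        else
            echo "no readable key file for $ds under $KEYDIR" >&2
            rc=1
        fi
    done
    return "$rc"
}

# The matching unit (hypothetical name zfs-load-keys.service).
# DefaultDependencies=no is required: zfs-mount.service runs before
# local-fs.target and sysinit.target, so a unit with the implicit
# After=sysinit.target could not also be Before= it.
# RequiresMountsFor= orders the unit after the volume holding the keys.
# Pointing it at an SMB/NFS share would create an ordering cycle, because
# network mounts wait for network-online.target, which in the default boot
# order comes after local-fs.target and therefore after zfs-mount.service.
print_unit() {
    cat <<'EOF'
[Unit]
Description=Load ZFS native-encryption keys from local key files
DefaultDependencies=no
After=zfs-import.target
Before=zfs-mount.service
RequiresMountsFor=/root/zfs-keys

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/zfs-load-keys.sh

[Install]
WantedBy=zfs-mount.service
EOF
}

# Only act when executed under the installed name, so the file can also be
# sourced for its functions.
case ${0##*/} in
    zfs-load-keys.sh) load_all_keys ;;
esac
```

Install the script as /usr/local/sbin/zfs-load-keys.sh, write `print_unit` output to /etc/systemd/system/zfs-load-keys.service, and run `systemctl daemon-reload && systemctl enable zfs-load-keys.service`. Because `-L file://` is used, the datasets can keep keylocation=prompt, so a manual `zfs load-key` still asks interactively when the key directory is unavailable.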
 
There is also man zfs-mount-generator, which supposedly handles encrypted pools.
 
I'm finally at the point where I encrypted my ZFS pools, EXT4 partitions and swap.

And I can manually unlock and mount them using IPMI, SSH and the ProxmoxVE web interface with these commands...
Code:
# zfs mount -l -a
# cryptsetup luksOpen /dev/disk/by-id/myHDD-part2 luks_VMpoolHDD_ext
# cryptsetup luksOpen /dev/disk/by-id/mySDD-part4 luks_swap
# mount /dev/mapper/luks_VMpoolHDD_ext /mnt/luks_VMpoolHDD_ext
# swapon /dev/mapper/luks_swap
...which will ask me for the passphrases and mount the partitions/datasets afterwards.

I will try to write a bash script which will run each time someone logs in as root. Is there anything else I need to do to ensure ProxmoxVE works fine after unlocking? Any problems I need to solve afterwards because swap, the ext4 partition for vzdumps and the datasets containing VM images weren't available at boot and couldn't be automounted?
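An idempotent version of the unlock sequence above, as an added example (not the poster's script): every step checks the LUKS mapping, mount, swap or ZFS key state before acting, so hooking it into root's login shell does not prompt again on a host that is already unlocked, and it restarts guest autostart once storage is back. The device ids, mapper names and mount points are the placeholders from the post; the install name unlock-storage and the Proxmox VE unit name pve-guests.service are assumptions.

```shell
#!/bin/sh
# unlock-storage (hypothetical name): idempotent login-time unlock of LUKS
# containers, swap and ZFS native-encryption keys. Added example, not the
# thread author's script. Intended to be called from /root/.profile, so it
# must be safe to run repeatedly: each step checks its own state first.
# Device ids, mapper names and mount points are placeholders from the post;
# pve-guests.service as the Proxmox VE guest autostart unit is an assumption.
set -u

# Constructed table: <LUKS device> <mapper name> <mount point or "swap">
LUKS_TABLE='
/dev/disk/by-id/myHDD-part2 luks_VMpoolHDD_ext /mnt/luks_VMpoolHDD_ext
/dev/disk/by-id/mySDD-part4 luks_swap swap
'

# An opened LUKS container shows up as a block device under /dev/mapper.
luks_is_open() { [ -b "/dev/mapper/$1" ]; }

# Exact mount-point check (non-zero for "not mounted" and for missing paths).
is_mounted() { mountpoint -q "$1" 2>/dev/null; }

# swapon reports the resolved dm-N path, not the /dev/mapper alias, so
# resolve the alias before comparing.
swap_is_active() {
    dev=$(readlink -f "/dev/mapper/$1") || return 1
    swapon --show=NAME --noheadings 2>/dev/null | grep -qxF "$dev"
}

# Read `zfs list -H -o name,encryptionroot,keystatus` on stdin and print
# the encryption roots whose key is not loaded (children inherit the key).
locked_zfs_roots() {
    awk -F'\t' '$1 == $2 && $3 == "unavailable" { print $1 }'
}

unlock_luks() {
    printf '%s\n' "$LUKS_TABLE" | while read -r dev name target; do
        [ -n "$dev" ] || continue
        if ! luks_is_open "$name"; then
            # Interactive passphrase prompt, one per still-closed container.
            cryptsetup open "$dev" "$name" || { echo "could not open $dev" >&2; continue; }
        fi
        if [ "$target" = swap ]; then
            swap_is_active "$name" || swapon "/dev/mapper/$name"
        else
            is_mounted "$target" || mount "/dev/mapper/$name" "$target"
        fi
    done
}

unlock_zfs() {
    # `zfs mount -l -a` loads keys and mounts in one go; loading per
    # encryption root first means a wrong passphrase for one pool does not
    # abort the others, and nothing is asked when every key is loaded.
    for ds in $(zfs list -H -o name,encryptionroot,keystatus | locked_zfs_roots); do
        zfs load-key "$ds" || echo "key for $ds not loaded" >&2
    done
    zfs mount -a
}

# Guests that failed to autostart because their storage was locked get
# another start attempt now that everything is mounted (assumed unit name).
start_guests() {
    systemctl restart pve-guests.service
}

main() {
    unlock_luks
    unlock_zfs
    start_guests
}

# Run only when executed under the installed name, so the file can also be
# sourced for its functions.
case ${0##*/} in
    unlock-storage) main ;;
esac
```

Install as /usr/local/sbin/unlock-storage and add a call to it in /root/.profile; `cryptsetup open` is the current spelling of `cryptsetup luksOpen`, and the pve-guests restart is what makes the VMs and containers that could not start at boot come up without a manual start.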
 
I will try to write a bash script which will run each time someone logs in as root. Is there anything else I need to do to ensure ProxmoxVE works fine after unlocking? Any problems I need to solve afterwards because swap, the ext4 partition for vzdumps and the datasets containing VM images weren't available at boot and couldn't be automounted?

I use a similar method, triggered by my monitoring tool, which checks if the pool is there; if not, it logs in, mounts the pool and starts all VMs/containers on the pool that should autoboot, because you will get errors if the VMs/containers could not be started due to storage errors.
 
Meanwhile my Proxmox root is located on a LUKS-encrypted, md-mirrored ext4 drive that I unlock via initramfs-dropbear at boot time, so it would be possible to just store the ZFS pool passphrases on that drive to auto-unlock all ZFS pools.

Can someone help me with that zfs-mount-generator? There is an example in the manual, but I don't get how/where to store the passphrase for each dataset. Or is it only possible to use "raw" and not "passphrase" as the encryption type?
 
