ZFS pool and encryption

Yes, this was a cosmetic regression introduced in the initial PVE 6.3 release, where "cosmetic" means the storage was still created correctly. A fix has been available in all package repositories for quite some time; please upgrade your packages.

Sounds good. You can use zfs get mounted,mountpoint <dataset> to see if and where the dataset is mounted. What does cat /etc/pve/storage.cfg show? If there are duplicate entries left over from the "failed" attempts, it's best to remove those.
Thanks for the answer!

I was so concentrated on making a working encrypted ZFS RAID10 dataset that I completely forgot to upgrade my repositories :).

I've checked them; everything seems good:

root@pvetest:~# zfs get mounted,mountpoint VMs/encrypted_data
NAME                PROPERTY    VALUE                SOURCE
VMs/encrypted_data  mounted     yes                  -
VMs/encrypted_data  mountpoint  /VMs/encrypted_data  default

root@pvetest:~# cat /etc/pve/storage.cfg
dir: local
        path /var/lib/vz
        content iso,vztmpl,backup

zfspool: local-zfs
        pool rpool/data
        content images,rootdir
        sparse 1

zfspool: encrypted_zfs
        pool VMs/encrypted_data
        mountpoint /VMs/encrypted_data

I will start over again, this time upgrading Proxmox first, and will come back with my results (bad or good)!
I'm confused, why would you start over? Is there some other problem?
No other problems. Just a bit of OCD to make an install without any error :). It's just a virtualized environment anyway; at least I'm practicing for a live installation.
 
Sorry if this has already been answered with a similar answer, but yes, it is possible to load-key and mount an encrypted ZFS pool automatically at boot.

You need to add a key file to your pool, like you would with LUKS, then you create a service to load the key:

Bash:
cat << 'EOF' > /etc/systemd/system/zfs-load-key@.service
[Unit]
Description=Load ZFS keys
DefaultDependencies=no
# load the key once the pool is imported, but before zfs-mount.service mounts the datasets
Before=zfs-mount.service
After=zfs-import.target
Requires=zfs-import.target

[Service]
Type=oneshot
RemainAfterExit=yes
# %I is the unescaped instance name, i.e. the dataset from zfs-load-key@<dataset>.service
ExecStart=/sbin/zfs load-key %I

[Install]
WantedBy=zfs-mount.service
EOF
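The post above leaves out the "add a key file" half of the recipe. The script below is an added example, not code from the post or from Proxmox: it re-keys an encryption root from its passphrase to a 32-byte raw key file, then enables the zfs-load-key@.service template for that dataset. The function names, the KEYDIR location (/etc/zfs/keys) and the key file naming are my assumptions; the zfs and systemctl calls are real. Two points the unit needs you to get right: the key file has to live somewhere readable before the dataset is unlocked (the unencrypted root pool), which means it is only as protected as the boot disk, the same trade-off as a LUKS keyfile; and the instance name must be passed through systemd-escape, because '/' is not allowed in a unit name and the unit's %I unescapes it back to the dataset name.

```bash
#!/bin/bash
# Added example, not code from the post above: move an encrypted dataset from a
# passphrase to a raw key file and enable the zfs-load-key@.service template for it.
# Assumptions: Linux with systemd, OpenZFS 0.8+, and KEYDIR on the unencrypted root
# pool so the key is readable before the dataset is unlocked (assumed path).
set -eu

KEYDIR=${KEYDIR:-/etc/zfs/keys}

# Write a fresh 32-byte random key (keyformat=raw needs exactly 32 bytes) with mode 0600.
gen_key() {
  keyfile=$1
  ( umask 077; head -c 32 /dev/urandom > "$keyfile" )
  [ "$(wc -c < "$keyfile")" -eq 32 ]
}

# Key file path for a dataset: 'VMs/encrypted_data' -> $KEYDIR/VMs_encrypted_data.key
key_path() {
  echo "$KEYDIR/$(printf '%s' "$1" | tr / _).key"
}

# systemd instance name for a dataset. systemd-escape maps '/' to '-' (and a literal
# '-' to '\x2d'); the unit's %I reverses that, so ExecStart gets the dataset name back.
unit_for() {
  echo "zfs-load-key@$(systemd-escape "$1").service"
}

# Re-key one dataset and enable its unit. Only an encryption root can be re-keyed;
# zfs change-key refuses on a child that inherits its key from a parent.
setup_dataset() {
  ds=$1
  root=$(zfs get -H -o value encryptionroot "$ds")
  if [ "$root" != "$ds" ]; then
    echo "$ds inherits its key from $root; run this for $root instead" >&2
    return 1
  fi
  keyfile=$(key_path "$ds")
  mkdir -p -m 0700 "$KEYDIR"
  gen_key "$keyfile"
  # -l prompts for the current passphrase if the key is not loaded yet; the new raw
  # key is read from the new keylocation and the dataset's master key is rewrapped.
  zfs change-key -l -o keyformat=raw -o keylocation="file://$keyfile" "$ds"
  systemctl daemon-reload
  systemctl enable "$(unit_for "$ds")"
  zfs get -H -o value keystatus,keylocation "$ds"
}

case "${1:-}" in
  "") echo "usage: $0 pool/dataset" >&2 ;;
  *)  setup_dataset "$1" ;;
esac
```

After `./zfs-keyfile.sh VMs/encrypted_data` the enabled unit is `zfs-load-key@VMs-encrypted_data.service`, and `systemctl cat` on it shows ExecStart expanding to `zfs load-key VMs/encrypted_data`. Keep a copy of the raw key somewhere off the host; once the passphrase is gone, that file is the only way to unlock the data.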
Thanks, I was looking for a "zfs-load-key" example back then but wasn't able to find one.

So I wrote this bash script to unlock datasets that are encrypted using a passphrase:
Code:
#!/bin/bash

# dataset / passphrase-file pairs, matched by index
DATASETS=( "YourPool/encryptedDataset_1" "YourPool/encryptedDataset_2" )
PWDFILES=( "/path/to/fileWithPassphrase_1.pwd" "/path/to/fileWithPassphrase_2.pwd" )

unlockDataset () {
    local dataset=$1
    local pwdfile=$2
    local type keystatus
    # check if dataset exists (zfs get prints an error on stderr if it does not)
    type=$(zfs get -H -o value type "${dataset}" 2>/dev/null)
    if [ "$type" == "filesystem" ]; then
        # check if dataset isn't already unlocked
        keystatus=$(zfs get -H -o value keystatus "${dataset}")
        if [ "$keystatus" == "unavailable" ]; then
            # with keylocation=prompt, load-key reads the passphrase from stdin
            zfs load-key "${dataset}" < "${pwdfile}"
            # check if dataset is now unlocked
            keystatus=$(zfs get -H -o value keystatus "${dataset}")
            if [ "$keystatus" != "available" ]; then
                echo "Error: Unlocking dataset '${dataset}' failed"
                return 1
            fi
        else
            echo "Info: Dataset '${dataset}' already unlocked"
            return 0
        fi
    else
        echo "Error: No valid dataset found: '${dataset}'"
        return 1
    fi
}

unlockAll () {
    local noerror=0
    # check if number of datasets and pwdfiles are equal
    if [ ${#DATASETS[@]} -eq ${#PWDFILES[@]} ]; then
        # loop through each dataset/pwdfile pair; stop at the first failure
        for (( i=0; i<${#DATASETS[@]}; i++ )); do
            if ! unlockDataset "${DATASETS[$i]}" "${PWDFILES[$i]}"; then
                noerror=1
                break
            fi
        done
    else
        echo "Error: Wrong number of datasets/pwdfiles"
        noerror=1
    fi
    # mount all datasets only if every key was loaded
    if [ $noerror -eq 0 ]; then
        zfs mount -a
    fi
    return $noerror
}

unlockAll

And then I created a systemd service "/etc/systemd/system/pve_post_start.service" so my unlock script is started after PVE has finished starting:
Code:
[Unit]
Description=PVE ZFS Unlocking
After=pve-guests.service

[Service]
Type=oneshot
ExecStart=/bin/bash /path/to/unlockScript.bash
User=root

[Install]
WantedBy=multi-user.target
 
Hi all. First post here. I wrote a little script and systemd service to automatically mount an encrypted ZFS dataset.

I tried using crontab -e to schedule my script to run at each reboot, but I never got it to work in a couple of different iterations. But the systemd service actually works great.

Script:
Code:
#!/usr/bin/bash
# -l loads the key before mounting; with keylocation=prompt the passphrase is read from stdin
zfs mount -l {{pool/dataset}} < {{path_to_password}}

Service:
Code:
[Unit]
Description=Proxmox ZFS Unlock script
Before=zfs-mount.service
After=zfs-import.target

[Service]
Type=oneshot
ExecStart=/bin/bash /root/zfs_unlock_bash_script.sh
User=root

[Install]
WantedBy=multi-user.target
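Whichever of the units in this thread you end up with, it pays to verify after a reboot that the keys were actually loaded, the datasets mounted, and any key file left on disk is not readable by other users. The audit below is an added example and not code from any post here. It parses the tab-separated output of `zfs list -H` (so it can also be run against a captured copy), assumes Linux with GNU stat, and the function names and the `--run` flag are mine.

```bash
#!/bin/bash
# Added example, not code from any post in this thread. Post-boot audit of
# encrypted datasets: key loaded? mounted? and, for file:// keys, is the key
# file root-owned and mode 0600? Assumes Linux (GNU stat) and OpenZFS 0.8+.
set -eu

# One tab-separated line per filesystem, the same format `zfs list -H` prints,
# so audit_all can also be fed a copy captured from another host.
list_datasets() {
  zfs list -H -t filesystem -o name,keystatus,keylocation,mounted
}

# audit_dataset NAME KEYSTATUS KEYLOCATION MOUNTED
# Prints one OK/FAIL line; returns 1 on a finding. keystatus is "none" for
# unencrypted datasets; children that inherit their key report keylocation
# "none" together with the encryption root's keystatus.
audit_dataset() {
  name=$1 keystatus=$2 keylocation=$3 mounted=$4
  case $keystatus in
    none) echo "OK   $name (not encrypted)"; return 0 ;;
    available) ;;
    *) echo "FAIL $name: key not loaded (keystatus=$keystatus)"; return 1 ;;
  esac
  # A dataset with canmount=off is legitimately unmounted; adjust if you use that.
  if [ "$mounted" != yes ]; then
    echo "FAIL $name: key loaded but not mounted"; return 1
  fi
  case $keylocation in
    file://*)
      keyfile=${keylocation#file://}
      if [ ! -f "$keyfile" ]; then
        echo "FAIL $name: key file $keyfile missing"; return 1
      fi
      # zfs reads the key as root, so nothing else needs access to it.
      owner_mode=$(stat -c '%U %a' "$keyfile")
      if [ "$owner_mode" != "root 600" ]; then
        echo "FAIL $name: key file $keyfile is $owner_mode, want root 600"; return 1
      fi
      ;;
  esac
  echo "OK   $name"
}

# Reads list_datasets-style lines on stdin; returns 1 if any dataset failed.
audit_all() {
  rc=0
  while IFS="$(printf '\t')" read -r name keystatus keylocation mounted; do
    audit_dataset "$name" "$keystatus" "$keylocation" "$mounted" || rc=1
  done
  return $rc
}

# Run the live audit with `--run`; the script then exits non-zero on findings,
# which is what a systemd timer or a monitoring check wants.
if [ "${1:-}" = "--run" ]; then
  list_datasets | audit_all
fi
```

Run it from a timer a minute after boot, or hook it into whatever monitoring you already have; a non-zero exit means a dataset is still locked, unmounted, or unlocked with a key file that other local users could copy.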