[Pkg-zfsonlinux-devel] Minor crypto patch

Turbo Fredriksson turbo at bayour.com
Tue Dec 31 14:40:29 UTC 2013


I was just recently (a few days ago, yeyyyyy! :) able to boot on my ZFS root (I've had numerous
problems since I started with this in April, mostly with grub).


Then I started digging and noticed that I had not enabled encryption on that dataset, so I created a
new one and copied all the data. And while looking through the initramfs stuff, I noticed this:

	zfs key -l -a

I know I put it there, but at the time, I wasn't thinking forward - "what's next" :).

This will most likely not work in the long run. I now have:

	share/celia			(current, unencrypted root fs)
	share/celia.new			(new, encrypted root fs)
	share/home/turbo		(my homedir, unencrypted)
	share/home/turbo/Crypted	(my own, personal crypted stuff)
	[etc, etc]

Now, with the key line above, it will most likely fail - haven't triple-checked, but according to the
manpage it will fail because it tries to load ALL keys. Because the key to the Crypted dataset is in the
turbo dataset, which isn't available (mounted) at the time of the boot...

And, if there was a dataset like

	share/celia.new/usr		(encrypted)
	share/celia.new/var		(encrypted)
	[etc]

the initial key line would still work, but something like this is better:

	zfs key -l -r $ZFS_BOOTFS

this will load the key ONLY for the root fs (and its descendants), nothing more... It would leave the
Crypted dataset alone and do that at mount time much later in the boot process.


I know the crypto stuff is only academic. We'll probably never provide it in Debian GNU/Linux - not any
time soon anyway - illumos/OpenZFS haven't even begun and the current crypto patch (which has some
serious issues - begin here if interested: https://github.com/zfsonlinux/zfs/issues/1848) has copyright
issues apparently.

But since you have accepted my other crypto stuff, and it's there, would you please add the following
minor patch as well?


I haven't yet triple checked that it actually works, but the previous one did, and according to the
man page for 'zfs key', this is correct syntax...


----- s n i p -----
       zfs key -l | {-a | [-r] filesystem|volume}

           Loads the encryption key for a dataset and any datasets that inherit the key. The key that is
           provided with this command is not the actual  key that is used to encrypt the dataset. It is a
           wrapping key for the set of data encryption keys for the dataset.

           -l

               Loads  the  wrapping  key  to  unlock  the encrypted dataset and datasets that inherit the 
               key. This command loads the key based on what is defined by the dataset's keysource property.

               During a pool import, a key load operation is performed when a dataset is mounted. During
               boot, if the wrapping key is  available  and  the keysource is not set to prompt, the key load
               operation is performed.

           -a

               Apply to all datasets in all pools on the system.

           -r

               Apply the operation recursively to all datasets below the named file system or volume.
----- s n i p -----

--
Choose a job you love, and you will never have
to work a day in your life.
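
The difference in scope between the two key lines discussed in the message, as an added example that is not part of the original message or of the patch it refers to. The dataset list is constructed from the names in the message, `zfs key` is the subcommand from the crypto patch under discussion, and `key_scope_recursive`, `load_boot_keys` and the `ZFS_CMD` dry-run override are hypothetical names introduced here.

```shell
#!/bin/sh
# Constructed sample input: the dataset names mentioned in the message.
SAMPLE_DATASETS="share/celia
share/celia.new
share/celia.new/usr
share/celia.new/var
share/home/turbo
share/home/turbo/Crypted"

# Print the datasets a recursive (-r) operation on $1 covers: the dataset
# itself and everything below it. Dataset names are read from stdin.
# Matching on "$root/" instead of a bare string prefix keeps share/celia
# from also selecting its sibling share/celia.new.
key_scope_recursive() {
    root=$1
    while IFS= read -r ds; do
        case $ds in
            "$root"|"$root"/*) printf '%s\n' "$ds" ;;
        esac
    done
}

# Initramfs-style key load limited to the boot filesystem and its
# descendants. It refuses to run when ZFS_BOOTFS is empty, so a missing
# variable cannot turn the call into a malformed or wider key load.
# ZFS_CMD is a hypothetical override (e.g. ZFS_CMD=echo) for dry runs.
load_boot_keys() {
    if [ -z "${ZFS_BOOTFS:-}" ]; then
        echo "ZFS_BOOTFS is not set; not loading any keys" >&2
        return 1
    fi
    ${ZFS_CMD:-zfs} key -l -r "$ZFS_BOOTFS"
}
```

Piping `$SAMPLE_DATASETS` through `key_scope_recursive share/celia.new` lists the root filesystem and its `usr` and `var` children only; `share/home/turbo/Crypted`, whose key lives on a dataset that is not yet mounted, stays out of scope.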

