[Pkg-zfsonlinux-devel] Minor crypto patch
Turbo Fredriksson
turbo at bayour.com
Tue Dec 31 14:40:29 UTC 2013
I was just recently (a few days ago, yeyyyyy! :) able to boot on my ZFS root (I've had numerous
problems since I started with this in April, mostly with grub).
Then I started digging and noticed that I had not enabled encryption on that dataset, so I created a
new one and copied all the data. And while looking through the initramfs stuff, I noticed this:
    zfs key -l -a
I know I put it there, but at the time, I wasn't thinking forward - "what's next" :).
This will most likely not work in the long run. I now have:
    share/celia               (current, unencrypted root fs)
    share/celia.new           (new, encrypted root fs)
    share/home/turbo          (my homedir, unencrypted)
    share/home/turbo/Crypted  (my own, personal crypted stuff)
    [etc, etc]
Now, with the key line above, it will most likely fail - haven't triple-checked, but according to the
manpage it will fail because it tries to load ALL keys. Because the key to the Crypted dataset is in the
turbo dataset which isn't available (mounted) at the time of the boot...
And, if there was a dataset like
    share/celia.new/usr  (encrypted)
    share/celia.new/var  (encrypted)
    [etc]
the initial key line would still work, but something like this is better:
    zfs key -l -r $ZFS_BOOTFS
This will load the key ONLY for the root fs (and its descendants), nothing more... It would leave the
Crypted dataset alone and do that at mount time much later in the boot process.
I know the crypto stuff is only academic. We'll probably never provide it in Debian GNU/Linux - not any
time soon anyway - illumos/OpenZFS haven't even begun and the current crypto patch (which has some
serious issues - begin here if interested: https://github.com/zfsonlinux/zfs/issues/1848) has copyright
issues apparently.
But since you have accepted my other crypto stuff, and it's there, would you please add the following
minor patch as well?
I haven't yet triple checked that it actually works, but the previous one did, and according to the
man page for 'zfs key', this is correct syntax...
----- s n i p -----
zfs key -l | {-a | [-r] filesystem|volume}
    Loads the encryption key for a dataset and any datasets that inherit the key. The key that is
    provided with this command is not the actual key that is used to encrypt the dataset. It is a
    wrapping key for the set of data encryption keys for the dataset.
    -l
        Loads the wrapping key to unlock the encrypted dataset and datasets that inherit the
        key. This command loads the key based on what is defined by the dataset's keysource property.
        During a pool import, a key load operation is performed when a dataset is mounted. During
        boot, if the wrapping key is available and the keysource is not set to prompt, the key load
        operation is performed.
    -a
        Apply to all datasets in all pools on the system.
    -r
        Apply the operation recursively to all datasets below the named file system or volume.
----- s n i p -----
--
Choose a job you love, and you will never have
to work a day in your life.
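
Added example, not part of the original message or of the package's initramfs script: a shell illustration of the `-r $ZFS_BOOTFS` scoping the message asks for, run over the message's own dataset names as constructed sample input. `sample_datasets`, `key_scope` and `boot_key_cmd` are hypothetical helpers; the `zfs key -l -r` syntax is the one in the quoted man page.

```shell
#!/bin/sh
# Constructed sample: the dataset layout from the message above, standing in
# for `zfs list -H -o name` output so this runs without a pool.
sample_datasets() {
    cat <<'EOF'
share/celia
share/celia.new
share/celia.new/usr
share/celia.new/var
share/home/turbo
share/home/turbo/Crypted
EOF
}

# Read dataset names on stdin and print those that -r on "$1" would cover:
# the named dataset itself plus everything below it. The match is anchored
# on the "/" separator; a bare prefix match on share/celia would also pick
# up share/celia.new, which is a sibling, not a descendant.
key_scope() {
    bootfs=$1
    while IFS= read -r ds; do
        case "$ds" in
            "$bootfs"|"$bootfs"/*) printf '%s\n' "$ds" ;;
        esac
    done
}

# Build the key-load command for the initramfs. With no boot filesystem
# given, return non-zero instead of falling back to -a, which would try
# datasets such as share/home/turbo/Crypted whose key is stored on a
# dataset that is not mounted yet at this point in the boot.
boot_key_cmd() {
    [ -n "${1:-}" ] || return 1
    printf 'zfs key -l -r %s\n' "$1"
}

# Show the scope and the resulting command for the new encrypted root.
sample_datasets | key_scope "share/celia.new"
boot_key_cmd "share/celia.new"
```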