[Pkg-zfsonlinux-devel] Support booting from encrypted root fs
Turbo Fredriksson
turbo at bayour.com
Mon May 20 13:27:35 UTC 2013
Basically:
1. Make sure that all the crypto modules are included in the initrd
2. Include the whole /boot/zfs directory to the initrd, not just the cache
3. Make sure that all crypto modules are loaded before running:
4. Run 'zfs key -l ZFS_BOOTFS' just before mounting filesystem(s)
Maybe we should triple check that the module isn't loaded first, but it
doesn't seem to hurt to just modprobe a module that's already loaded...
To make this work, the wrapper key must be in /boot/zfs at creation time.
At least to make everything 'automatic'.
It doesn't seem to be necessary for grub to support this (although it is
in the latest version), as long as the wrapper key is included in the
initrd.
It should probably also work if keysource=passphrase,prompt but I haven't
double checked that. No reason why it shouldn't though...
I've just tried this on /, /usr, /home and /var on separate encrypted
ZFS. The /boot fs is a separate ext4 partition.
Next step is to make /boot encrypted as well.... And maybe have an option
for the key file to be on external storage (such as USB stick or what have
you). But this is the first step at least...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PLEASE NOTE, that my repo here includes the crypt stuff from zfsrouge, so
you might not want to pull the whole thing, just cherry-pick the relevant
commits!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The following changes since commit 44e87cba201b5faf9ab25e1f90284efb13140169:

  zfs-initramfs depends on zfs-grub | zfs-grub-pc | zfs-grub-pc-bin. (2013-05-20 03:59:23 +0200)

are available in the git repository at:

  https://github.com/FransUrbo/debian-zfs master

Turbo Fredriksson (1):
      Support booting on crypted root by adding support to initramfs hook and script.

 debian/changelog                                   |    8 ++++-
 .../usr/share/initramfs-tools/hooks/zfs            |    8 +++--
 .../usr/share/initramfs-tools/scripts/zfs          |   39 +++++++++++++++++++-
 3 files changed, 50 insertions(+), 5 deletions(-)
--
Ehhhhm - The battle cry of the cronical masturbater.
- Charlie Harper
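
Steps 3 and 4 of the message as a shell sketch. This is an example added here, not code from the debian-zfs initramfs script. The module list and the variable and function names are assumptions; `zfs key -l` is the command quoted in the message. It also checks `/proc/modules` before calling modprobe, and refuses to continue if the key cannot be loaded.

```shell
#!/bin/sh
# Added example, not the debian-zfs script. Names below are hypothetical.

# Assumed module list: the message does not name the crypto modules.
CRYPTO_MODULES="${CRYPTO_MODULES:-sha256_generic aes_generic}"
# Overridable so the logic can be exercised outside an initramfs.
PROC_MODULES="${PROC_MODULES:-/proc/modules}"
MODPROBE="${MODPROBE:-modprobe}"
ZFS="${ZFS:-zfs}"

# Return 0 if the named module is already listed in /proc/modules.
module_loaded() {
    # /proc/modules lists names with underscores; normalise dashes.
    name=$(printf '%s' "$1" | tr '-' '_')
    [ -r "$PROC_MODULES" ] && grep -q "^${name} " "$PROC_MODULES"
}

# Load every crypto module that is not loaded yet; stop on the first failure.
load_crypto_modules() {
    for m in $CRYPTO_MODULES; do
        module_loaded "$m" && continue
        "$MODPROBE" "$m" || { echo "zfs: cannot load $m" >&2; return 1; }
    done
}

# Modules first, then the key; the caller mounts only if this returns 0.
unlock_bootfs() {
    bootfs="$1"
    [ -n "$bootfs" ] || { echo "zfs: no boot filesystem given" >&2; return 2; }
    load_crypto_modules || return 1
    "$ZFS" key -l "$bootfs" || {
        echo "zfs: key load failed for $bootfs" >&2
        return 1
    }
}
```

In an initramfs script the call would be `unlock_bootfs "$ZFS_BOOTFS" || exit 1`, placed just before the mount step.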