encrypted ZFS - How can I autounlock with a keyfile?

Started by kalpana, Nov 06, 2023, 03:37 AM


kalpana

Hi,

I have a 21.10 installation with ZFS and disk encryption. I want to disable the encryption for a while (just for remote access).
On my previous machines (Arch with btrfs) I just added the keyfile to LUKS and to the boot cmdline and I was fine. This is obviously not possible with ZFS.

Does anyone know how to achieve that?
What I already tried:

  • create keyfile: dd if=/dev/urandom of=/boot/boot.key bs=1024 count=4
  • add it to zd0: cryptsetup luksAddKey /dev/zd0 /boot/boot.key
  • use blkid to get the UUID of zd0 (0b3f3e27-8270-4030-b4d5-6ad337dfb57d)
  • add it to /etc/crypttab: keystore-rpool UUID="0b3f3e27-8270-4030-b4d5-6ad337dfb57d" /boot/boot.key luks,discard,initramfs
  • re-generate initramfs: update-initramfs -u -k all


If I extract the initramfs, I find /cryptroot/crypttab and /cryptroot/keyfiles/keystor-rpool.key in it.
The initramfs crypttab looks like: keystore-rpool UUID="0b3f3e27-8270-4030-b4d5-6ad337dfb57d" /cryptroot/keyfiles/keystor-rpool.key luks,discard

But if I reboot, I still get asked for the password for device 0b3f3e27-8270-4030-b4d5-6ad337dfb57d. I entered a wrong one 3 times to get into the initramfs shell and take a look.
/cryptroot/keyfiles/keystor-rpool.key still exists, but the crypttab is a different one. It now contains: keystore-rpool /dev/zvol/rpool/keystore none luks,discard

What did I do wrong/forget?

Thanks
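The check the post does by hand (comparing the crypttab that was written with the one actually in use at boot, mapping by mapping) as a small script; this is an added example, not code from the post, and the two crypttab files are constructed from the entries quoted above. The function names parse_crypttab and compare_crypttab are my own.

```shell
#!/bin/sh
# Added example: compare two crypttab files per mapping name and flag mappings
# whose key-file field differs (a keyfile turning into "none" means a prompt at boot).

# Parse a crypttab file into "name|source|keyfile|options" lines; skips comments/blanks.
parse_crypttab() {
    # $1: path to a crypttab file
    awk '!/^[[:space:]]*(#|$)/ { print $1 "|" $2 "|" $3 "|" $4 }' "$1"
}

# For every mapping in the expected file, print one verdict line:
#   <name> OK (<keyfile>)                 key field identical in both files
#   <name> KEY-CHANGED <expected> -> <actual>
#   <name> MISSING in <actual-file>
compare_crypttab() {
    # $1: expected crypttab (what you wrote), $2: actual crypttab (what the initramfs used)
    parse_crypttab "$1" | while IFS='|' read -r name src key opts; do
        actual=$(parse_crypttab "$2" | awk -F'|' -v n="$name" '$1 == n { print $3; exit }')
        if [ -z "$actual" ]; then
            echo "$name MISSING in $2"
        elif [ "$actual" = "$key" ]; then
            echo "$name OK ($key)"
        else
            echo "$name KEY-CHANGED $key -> $actual"
        fi
    done
}

# Constructed sample input: the /etc/crypttab entry and the crypttab seen in the
# initramfs shell, both copied from the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/etc-crypttab" <<'EOF'
# /etc/crypttab as written
keystore-rpool UUID="0b3f3e27-8270-4030-b4d5-6ad337dfb57d" /boot/boot.key luks,discard,initramfs
EOF
cat > "$tmp/boot-crypttab" <<'EOF'
keystore-rpool /dev/zvol/rpool/keystore none luks,discard
EOF

compare_crypttab "$tmp/etc-crypttab" "$tmp/boot-crypttab"
# prints: keystore-rpool KEY-CHANGED /boot/boot.key -> none
```

On a real system, point the second argument at the crypttab copied out of the initramfs shell (or at cryptroot/crypttab inside an image unpacked with unmkinitramfs). While a key slot for /boot/boot.key exists on the keystore volume, the passphrase protects nothing more than read access to /boot does, so drop that slot with cryptsetup luksRemoveKey once remote access is no longer needed.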