[Pkg-zfsonlinux-devel] Support booting from encrypted root fs

Carlos Alberto Lopez Perez clopez at igalia.com
Tue May 21 18:11:33 UTC 2013 

On 20/05/13 15:27, Turbo Fredriksson wrote:
> Basically:
> 
>    1. Make sure that all the crypto modules are included in the initrd
>    2. Include the whole /boot/zfs directory to the initrd, not just the cache
>    3. Make sure that all crypto modules are loaded before running:
>    4. Run 'zfs key -l ZFS_BOOTFS' just before mounting filesystem(s)
> 
> Maybe we should triple check that the module isn't loaded first, but it
> doesn't seem to hurt to just modprobe a module that's already loaded...
> 
> 
> To make this work, the wrapper key must be in /boot/zfs at creation time.
> At least to make everything 'automatic'.
> 
> It doesn't seem to be nessesary for grub to support this (although it is
> in the latest version), as long as the wrapper key is included in the
> initrd.
> 
> It should probably also work if keysource=passphrase,prompt but I haven't
> double checked that. No reason why it shouldn't though...
> 
> I've just tried this on /, /usr, /home and /var on separate encrypted
> ZFS. The /boot fs is a separate ext4 partition.
> 
> 
> Next step is to make /boot encrypted as well.... And maybe have an option
> for the key file to be on external storage (such as USB stick or what have
> you). But this is the first step at least...
> 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> PLEASE NOTE, that my repo here includes the crypt stuff from zfsrouge, so
> you might not want to pull the whole thing, just cherry-pick the relevant
> commits!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> 

Correct me if i'm wrong, but my understanding is that this crypto
support feature is yet unofficial [1]. I don't want to merge new
features that are not blessed by upstream stable releases. Specially
ones that could break compatibility between zfs versions.

Our aim is stability before anything else.

Hope you understand.


Also the case for zfs-crypto I believe is very well solved on Linux by
running ZFS on top of dm-crypt.

Regards!
--------


[1] https://github.com/zfsonlinux/zfs/issues/494

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-zfsonlinux-devel/attachments/20130521/19a66584/attachment.pgp>

More information about the Pkg-zfsonlinux-devel mailing list