I have compiled ZFS 0.8.1 for my server, and it is running fine. I am also able to create encrypted filesystems like mypool/myencfs.

However, mypool is also a filesystem, and it seems that I cannot enable encryption on it:

zfs set encryption=on mypool
cannot set property for 'mypool': 'encryption' is readonly

The pool is to be decrypted with a keyfile from another encrypted drive, so I would like to put the inheritable properties as high as possible, and also not risk unencrypted data when I accidentally copy something to mypool/

mcandril
  • Why would you accidentally copy into the ZFS filesystem root? – ewwhite Jun 22 '19 at 13:57
  • Simple answer: That does not matter. It COULD happen. One of the reasons for encryption is that the hard drive is safely disposable. If I cannot guarantee that no unencrypted data was written, I cannot do that (though I know that stuff like fs names are not encrypted and further measures should be taken anyway). – mcandril Jun 22 '19 at 14:21
  • Another answer: Because I wanted to copy something to /mypool/myencfs, but mypool/myencfs wasn't actually mounted. I had this situation multiple times now during testing. – mcandril Jun 22 '19 at 14:22
  • [Make your mountpoints immutable](https://serverfault.com/a/570271/13325). – ewwhite Jun 23 '19 at 01:32
  • Good idea! Will definitely do that. I still don't see a reason why I should leave unencrypted bits on a drive that is supposed to be encrypted. – mcandril Jun 23 '19 at 06:42

1 Answer

While I didn't find anything on that matter directly on the net (everyone seems to create only encrypted subfilesystems), I got the idea to find out how to set any properties during pool creation. It is the -O (upper case) option.

This works:

zpool create -o ashift=12 -o feature@encryption=enabled \
             -O encryption=on -O keylocation=file:///root/keys/hdd256.key \
             -O keyformat=raw \
             mypool /dev/disk/by-id/mydisk

For completeness, since there still seems to be little on the matter on the net, here is also how I set up systemd to automount the drive:

/etc/systemd/system/zfs-load-key@.service

[Unit]
Description=Import key for ZFS pool
Documentation=man:zfs(8)
DefaultDependencies=no
After=systemd-udev-settle.service
After=zfs-import.target
After=systemd-remount-fs.service
Before=zfs-mount.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zfs load-key -r %i

[Install]
WantedBy=zfs.target

systemctl enable zfs-load-key@mypool

mcandril
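A check for the concern raised in the question (no dataset in the pool left unencrypted), added here as an example and not part of the original post: the function parses the output of `zfs get -H -o name,value -r encryption mypool` from stdin and lists any dataset whose encryption property is "off". The function name and the sample lines are constructed; on a real system pipe the `zfs get` output into it.

```sh
#!/bin/sh
# find_unencrypted: read "name<TAB>value" lines as produced by
#   zfs get -H -o name,value -r encryption <pool>
# print every dataset name whose encryption value is "off",
# and exit non-zero if at least one such dataset exists.
find_unencrypted() {
    awk -F'\t' '
        $2 == "off" { print $1; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample output (not captured from a real pool).
# With encryption=on set on the root dataset at zpool create time,
# children inherit it; ZFS reports the algorithm name, not "on".
sample_all_encrypted() {
    printf 'mypool\taes-256-ccm\n'
    printf 'mypool/myencfs\taes-256-ccm\n'
}

# Same pool, but one child was created with -o encryption=off,
# which is exactly the case the audit must catch.
sample_with_plaintext() {
    printf 'mypool\taes-256-ccm\n'
    printf 'mypool/myencfs\taes-256-ccm\n'
    printf 'mypool/scratch\toff\n'
}

# Stand-alone demonstration when run directly.
if sample_with_plaintext | find_unencrypted; then
    echo "all datasets encrypted"
else
    echo "unencrypted dataset(s) found above"
fi
```

Run as `zfs get -H -o name,value -r encryption mypool | find_unencrypted` after sourcing the script; a non-zero exit is suitable for a cron or monitoring hook.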