Encrypted ZFS dataset fails to mount: Permission denied

2

I'm on NixOS and am trying to encrypt a hard drive partition (potentially more in the future) using ZFS. I tried to stick to this guide, so I added

boot.zfs = {
  enableUnstable = true;
  requestEncryptionCredentials = true;
};
boot.supportedFilesystems = [ "zfs" ];

to my configuration.nix, and created the pool and dataset zroot and zroot/genc with mountpoint=legacy acltype=posixacl xattr=sa. I encrypted the pool with

$ sudo zfs create -o acltype=posixacl -o xattr=sa -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=none zroot/genc

I was asked for a passphrase, and then I did

$ sudo zfs set mountpoint=legacy zroot/genc
$ sudo mount -t zfs zroot/genc /home/gecku/genc
$ sudo chown gecku:users ~/genc
$ touch ~/genc/hello
$ sudo nixos-generate-config

This all worked fine (I could create the file ~/genc/hello). However, after nixos-rebuild switch, I was dropped into an emergency shell and couldn't do anything. I reverted to a previous version of NixOS, and removed the zfs entries from /etc/nixos/hardware-configuration.nix so that the system wouldn't try to import the ZFS pools (because apparently it failed at that). With this new configuration, I did

$ sudo zfs import zroot
$ sudo mount -t zfs zroot/genc ~/genc
> filesystem 'zroot/genc' can not be mounted: Permission denied

I did not get to a point where I was asked for my passphrase. zroot/genc has the attributes canmount=on keylocation=prompt.

So, how can I fix this? How can I mount the encrypted dataset?

Gecku

Posted 2019-03-22T13:43:45.920

Reputation: 23

Answers

0

This guide summarizes the mount process well. In short, you should probably use zfs mount instead of mount -t zfs because it will know to load / ask for encryption keys. To do this at boot time you can also use the -l flag to zpool import (although you’ll need some way to supply your boot script with the password).

Dan

Posted 2019-03-22T13:43:45.920

Reputation: 918

This works! I also looked up the documentation for NixOS options again, and found this -- it looks like encrypted ZFS datasets which are not required for boot cannot be loaded when keylocation=prompt. So I can either (1) put the key in a file, (2) try to edit the boot process manually or (3) format basically my entire hard drive to ZFS.

– Gecku – 2019-03-23T10:00:40.603

In addition, NixOS users can set fileSystems."/home/gecku/genc".neededForBoot = true; to force NixOS to ask for a passphrase for the ZFS partition during the boot process. Might be a bit hacky, but works. – Gecku – 2019-03-23T20:43:56.900
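The procedure Dan's answer describes, written out as an added example (this is not code from the original post, from NixOS or from the OpenZFS project): check the dataset's keystatus property, run zfs load-key when the key is not loaded (with keylocation=prompt this asks for the passphrase), and only then mount, using mount -t zfs for a mountpoint=legacy dataset as in the question and zfs mount otherwise. The function names are assumptions; the dataset zroot/genc and the mountpoint /home/gecku/genc are taken from the question.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: load an encrypted dataset's
# key before mounting it, so mount(8) does not fail with "Permission denied".
set -eu

# Print the keystatus property of a dataset: "available" (key loaded),
# "unavailable" (encrypted, key not loaded) or "none" (not encrypted).
key_status() {
    zfs get -H -o value keystatus "$1"
}

# Print the mountpoint property ("legacy" means mount(8) is used).
mount_point_property() {
    zfs get -H -o value mountpoint "$1"
}

# mount_encrypted DATASET MOUNTPOINT
# Loads the key if it is not loaded yet, then mounts the dataset.
# MOUNTPOINT is only used for mountpoint=legacy datasets; otherwise
# zfs mount uses the dataset's own mountpoint property.
mount_encrypted() {
    local dataset="$1" mountpoint="$2"
    case "$(key_status "$dataset")" in
        available)
            ;;                       # key already loaded, nothing to do
        unavailable)
            # keylocation=prompt: zfs load-key asks for the passphrase here
            zfs load-key "$dataset"
            ;;
        none)
            ;;                       # unencrypted dataset, no key to load
        *)
            echo "unexpected keystatus for $dataset" >&2
            return 1
            ;;
    esac

    if [ "$(mount_point_property "$dataset")" = legacy ]; then
        mount -t zfs "$dataset" "$mountpoint"
    else
        zfs mount "$dataset"
    fi
}

# Usage: sudo ./mount-enc.sh zroot/genc /home/gecku/genc
if [ $# -eq 2 ]; then
    mount_encrypted "$1" "$2"
fi
```

The check on keystatus is what distinguishes this from the plain mount -t zfs in the question: mount(8) never asks ZFS to load a key, so the kernel refuses the mount, while zfs load-key (or zfs mount, which loads it implicitly) prompts for the passphrase first.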