Document remote unlock for Debian Buster Root on ZFS

[khimaros]

Debian Buster and later should support ZFS decrypt via dropbear-initramfs. This would be helpful to document in the Root on ZFS instructions, as remote unlock is particularly relevant for that use case.

Doc: https://github.com/openzfs/openzfs-docs/blob/master/docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.rst

I'm interested particularly in native ZFS encryption. There is already some documentation for doing this with LUKS keys.

[rlaager]

This only works with openzfs/zfs@1cc635a (and if you're trying to build it, the couple refactor commits from me before that) from openzfs/zfs#10027 and the follow-up openzfs/zfs@7fcf824 from openzfs/zfs#10307. These have not landed in a (non-rc) release yet. They are in 2.0.0-rc1 and will be in the final 2.0.0. If/when that lands in buster-backports, then this can be added to the instructions.

[tehnic-take3]

Hello,

for Debian Buster i use this "ugly" workaround.

Install and configure dropbear-initramfs.
After reboot log in your box with ssh and execute the following:

~ # ps

note PID1 of "plymouth ask-for-password --prompt Encrypted ZFS password for rpool"
note PID2 of "/sbin/zfs load-key rpool"

~ # echo "<passphrase>" >/proc/<PID2>/fd/0
~ # kill <PID1>

Best regards, Robert

[rlaager]

@tehnic-take3 That's a nice hack! I'm not going to add that to a guide, but it's definitely clever. :)

[rlaager]

Current status: OpenZFS 2.0.0 has been released, but is not yet packaged for Debian. So we are waiting for 2.0.0 to land in unstable, then migrate to testing, then (hopefully) be backported to buster-backports. At that time, I'll have to review and update the guide.

[khimaros]

thank you for the update, i'm excited to see that this has been progressing!

[rlaager]

Update: OpenZFS 2.0 was uploaded to Debian experimental.

[rlaager]

Update OpenZFS 2.0 was uploaded to Debian unstable. Barring major problems, it should migrate to testing in a week. At that point, it will be eligible for backporting. I assume the maintainers will backport it, but that's not guaranteed, nor is there a particular timeline. If/when that happens, I plan to review/update the guide, and this is something that I should be able to address at the same time.

[n0rc]

ZFS 2.0 is in backports for some time now and is working flawlessly for me.

[anarcat]

ZFS 2.0 is in backports for some time now and is working flawlessly for me.

that's great, but how do you actually do remote unlock in ZFS with this?

[n0rc]

that's great, but how do you actually do remote unlock in ZFS with this?

With zfsunlock from zfs-initramfs.

[anarcat]

but concretely, what's the procedure? dropbear-initramfs depends on cryptsetup, so I assume that's not it?

[rlaager]

I obviously haven't gotten to this, but it seems like I should include this when I eventually get to updating for Debian Bullseye.

[anarcat]

too bad that systemd-cryptsetup doesn't support zfs. :)

[n0rc]

but concretely, what's the procedure? dropbear-initramfs depends on cryptsetup, so I assume that's not it?

zfs-initramfs installs a hook script that puts zfsunlock into your initramfs:

1. apt install zfs-initramfs dropbear-initramfs
2. Configure dropbear as you like
3. update-initramfs -u

After you ssh into dropbear you will find zfsunlock available – run it, enter your password, and continue booting.

[anarcat]

that works, thank you so much for the clarification! :)

[kayg04]

Hello, sorry for asking this in the old post but can I make zfsunlock ask for password for multiple pools instead of one? I am talking about Debian Bookworm.

To answer my own question, it's still WIP: zfsonlinux/pkg-zfs#237