Solved Encrypted root on ZFS with TPM support?

Hi,

It seems I have an opportunity to switch a laptop to freebsd. I like ZFS and would be interested in making the most out of it. I also need to keep my hard drive encrypted in case the laptop gets stolen.

I heard about using ZFS's native encryption for this kind of scenario. Does it support using the TPM + a PIN code in addition to a good old passphrase / recovery key?

If not, what would be my options?
 
ZFS does not support using TPM in any way within ZFS itself, right now (that I'm aware of).

If your SSD/NVMe is self-encrypting, you CAN use the BIOS/TPM/self-encrypting features to encrypt it normally for fully encrypted-at-rest storage, and use ZFS on top of that with ZFS native encryption as a second level of encryption if desired, but unnecessary (perhaps). Self-encrypting drives have notorious issues with encryption bugs, and ZFS encryption seems fine, but hasn't been well audited and there are some bugs in ZFS encryption possibly/probably related to send/receive only (no known issues stand-alone).

I use ZFS native encryption and don't bother with changing the key for any self-encrypting drives i'm using.

EDIT:
Oh, and you can always use GELI encryption below ZFS (or LUKS on Linux) for full-disk at-rest encryption as well. The FreeBSD installer will do this when encrypting the boot pool if encryption is chosen as an option during installation. This, also, is independent of TPM.
 
Independent as in does not support?

I don't think my drive is self-encrypting and I would rather avoid using that anyway.
 
I have been experimenting using OpenZFS native encryption and raw keys for datasets stored on a removable (non-bootable) USB flash drive that is only present at boot time.

I have configured a FreeBSD system to automatically mount the flash drive when FreeBSD boots (this is documented somewhere in the handbook).
My USB flash drive is formatted FAT32 and has the partition label 'ZFSKEYS'.
The flash drive is mounted at /media and is accessible as /media/ZFSKEYS.

I create raw keys for the datasets and store them on the flash drive. I also copy them to another flash drive and a CD-R.
The use of raw keys is described here: https://www.zfshandbook.com/docs/security/encryption/
An example raw key location would be file:///media/ZFSKEYS/webhost2.key; this will decrypt the dataset for the webhost2 jail.

I have not tried native encryption on my zroot pool, only on additional pools for my test jails. I haven't written anything up yet, but it worked well enough for me to see that it was worth continuing to experiment with later. I can use a different key file for each dataset as long as the correct raw key is present on the flash drive and the name matches what ZFS stores as a dataset property when the dataset is created.

My concerns are mostly about what my jails do when the jail host is rebooted without the USB flash drive present. That's really just script work inside each jail to check that the required file systems are available or not and to either continue or fail accordingly.
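The raw-key workflow described in the post above, written out as an added example (these are not the poster's own scripts). It assumes the stick is mounted at /media/ZFSKEYS and the key file is named webhost2.key as in the post; the pool name "tank" and the dataset "tank/jails/webhost2" are hypothetical. The zfs_* functions need root and zfs(8) on a FreeBSD host; the key_* and require_mounted helpers run anywhere. The last function is one way to handle the concern about a host rebooting without the stick: a jail service checks that its data directory is actually a mounted dataset rather than the empty mountpoint directory before it starts.

```shell
#!/bin/sh
# Added example: OpenZFS native encryption with keyformat=raw keys kept on a
# removable FAT32 stick.  Assumed (hypothetical) names: pool "tank", dataset
# "tank/jails/webhost2".  Stick path and key name follow the forum post.

KEYDIR="${KEYDIR:-/media/ZFSKEYS}"

# Generate a raw key.  OpenZFS requires keyformat=raw keys to be exactly
# 32 bytes.  The umask only matters on a real filesystem; FAT32 has no modes,
# so the stick itself (plus the offline copies) is the secret.
key_generate() {
    keyfile="$1"
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=32 count=1 2>/dev/null )
}

# Check a key file before handing it to zfs: present, a regular file, and
# exactly 32 bytes.  Returns 0 when usable, 1 otherwise.
key_check() {
    keyfile="$1"
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq 32 ]
}

# Create an encrypted dataset whose key lives on the stick.  keylocation is
# stored as a dataset property, so the same filename must be on the stick at
# every boot.
zfs_create_encrypted() {
    ds="$1"; keyfile="$2"
    key_check "$keyfile" || { echo "unusable key $keyfile" >&2; return 1; }
    zfs create -o encryption=aes-256-gcm -o keyformat=raw \
        -o keylocation="file://$keyfile" "$ds"
}

# At boot (after /media/ZFSKEYS is mounted): load the key for every dataset
# whose keylocation points at the stick.  A missing key is reported, not
# fatal, so the host still comes up when the stick was left at home.
zfs_load_stick_keys() {
    zfs list -H -o name,keylocation,keystatus -t filesystem |
    while IFS="$(printf '\t')" read -r ds loc status; do
        case "$loc" in
            "file://$KEYDIR"/*) ;;
            *) continue ;;
        esac
        [ "$status" = "unavailable" ] || continue
        keyfile="${loc#file://}"
        if key_check "$keyfile"; then
            zfs load-key "$ds"
        else
            echo "key for $ds not found on $KEYDIR; leaving it locked" >&2
        fi
    done
    # Mount whatever now has an available key (children inherit the key).
    zfs mount -a
}

# Inside a jail (or its rc script): succeed only if the directory is itself a
# mount point, i.e. the dataset was unlocked and mounted.  An unlocked-but-
# absent dataset leaves only the empty mountpoint directory behind, which a
# service would otherwise happily write into.
require_mounted() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ "$(df -P "$dir" | awk 'NR==2 {print $NF}')" = "$dir" ]
}

# Usage on the host (hypothetical names), run by hand once:
#   key_generate /media/ZFSKEYS/webhost2.key
#   zfs_create_encrypted tank/jails/webhost2 /media/ZFSKEYS/webhost2.key
# From an rc script after the stick is mounted:
#   zfs_load_stick_keys
# In the jail's service script:
#   require_mounted /var/db/webhost2 || { echo "data not unlocked"; exit 1; }
```

The key_check size test is the practical difference between a key the stick lost and a key that is merely garbage: zfs load-key rejects a raw key of the wrong length, so catching it before the loop avoids a confusing failure halfway through boot.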
 