ZFS Problem with property keylocation=http://_address_ when creating an encrypted dataset

Hello,
I have to create an encrypted dataset, my configuration is as follows:
freebsd-version -ukr
Code:
13.1-RELEASE-p3
13.1-RELEASE-p3
13.1-RELEASE-p5

zfs version
Code:
zfs-2.1.4-FreeBSD_g52bad4f23
zfs-kmod-2.1.4-FreeBSD_g52bad4f23

and I would like the key to be on a remote server. For this, according to the zfsprops() documentation, you could use the property keylocation=http://_address_, but when I try to create it with the command:

zfs create -o encryption=aes-256-gcm -o keylocation=http://_address_ -o keyformat=raw zroot/test

It gives the following error:
Code:
cannot create 'zroot/test': No keylocation=http:// back-end

Is there something I'm doing wrong?

Thank you very much
 
Code:
zfs-2.1.4-FreeBSD_g52bad4f23 
zfs-kmod-2.1.4-FreeBSD_g52bad4f23
Those are the development versions of ZFS. You don't need them, a stable release version of ZFS is included with the base.
 
Thanks for your reply,
I have installed a FreeBSD 13.1 from the official repositories, specifically, FreeBSD-13.1-RELEASE-amd64-memstick.img, and I have run all the above commands and it gives me exactly the same zfs versions and the same errors:
Code:
cannot create 'zroot/test': No keylocation=http:// back-end.

Should I change something to have the keylocation property enabled and be able to use keylocation=http://_address_?

Thanks
 
Various commits do suggest it's been implemented: https://github.com/openzfs/zfs/issues/9947#
I'm not sure if that landed in the version of OpenZFS that's included with 13.1. But it is mentioned in the man pages (if it's not implemented it shouldn't be in the man page either). I know ZFS native encryption works with the 'regular' keys (I'm using it on a 13.1 system), never tried to use a remote key though.

Getting the same error on a fairly recent 13-STABLE:
Code:
root@molly:~ # zfs create -o encryption=aes-256-gcm -o keylocation=http://_ipaddress_ -o keyformat=raw fbsd1/DATA/encryption-test
cannot create 'fbsd1/DATA/encryption-test': No keylocation=http:// back-end.
root@molly:~ # uname -a
FreeBSD molly.dicelan.home 13.1-STABLE FreeBSD 13.1-STABLE #65 stable/13-n253288-a3c07a933d5c: Sat Dec 17 16:33:20 CET 2022     root@molly.dicelan.home:/usr/obj/usr/src/amd64.amd64/sys/MOLLY amd64
 
Try:
edit /sys/modules/zfs/zfs_config.h
search for libfetch, you should find a #if 0 block
enable it
go to /usr/src/cddl/lib/libzfs and rebuild it
Code:
# export LD_LIBRARY_PATH=/usr/obj/usr/src/amd64.amd64/cddl/lib/libzfs/
# zfs create -o encryption=aes-256-gcm -o keylocation=http://_address_ -o keyformat=raw zroot/test
cannot create 'zroot/test': Couldn't GET http://_address_: No address record
 
So it has been implemented, it's just not enabled by default.
 
[...] you could use the property keylocation=http://_address_ but when I try to create it with the command:
zfs create -o encryption=aes-256-gcm -o keylocation=http://_address_ -o keyformat=raw zroot/test
It gives the following error:
Code:
cannot create 'zroot/test': No keylocation=http:// back-end
Just checking, did you type it exactly like this:
Code:
zfs create -o encryption=aes-256-gcm -o keylocation=http://_address_ -o keyformat=raw zroot/test
 
It doesn't matter what you use, it's going to complain about the http backend not being enabled. I assumed _address_ was a placeholder for an actual IP address, as you commonly do on public forums.
Code:
root@molly:/usr/local/etc/poudriere.d # zfs create -o encryption=aes-256-gcm -o keylocation=http://192.168.10.191 -o keyformat=raw fbsd1/DATA/encryption-test
cannot create 'fbsd1/DATA/encryption-test': No keylocation=http:// back-end.
 
Thank you very much for the answers. I have compiled with the modifications that you mentioned, but it still gives the same error. :(

This is my new config:

freebsd-version -ukr
Code:
14.0-CURRENT
14.0-CURRENT
14.0-CURRENT

zfs version
Code:
zfs-2.1.99-FreeBSD_g59493b63c
zfs-kmod-2.1.99-FreeBSD_g59493b63c

Check the command:
zfs create -o encryption=aes-256-gcm -o keylocation=http://_address_ -o keyformat=raw zroot/test

And this is the result:
Code:
cannot create 'zroot/test': No keylocation=http:// back-end.
 
Looks like you upgraded to -CURRENT too, accidentally? Did you use git(1) to check out a source tree? You may have checked out main, it's the releng/13.1 branch you need for 13.1-RELEASE. Shouldn't matter in this case though, the feature is disabled/enabled the same way.
 