Solved ZFS Dataset encryption with key file - problem

monaco87


Looking to move off Solaris, where I currently have per-dataset encrypted ZFS file systems using a key file. I've set up a VirtualBox FreeBSD 13.0 system to have a play; the setup is as follows:

ada0 - zfs boot disk and root
ada1 & ada2 - mirrored zpool called testpool

I set up an encrypted dataset as follows: zfs create -o encryption=aes-256-ccm -o keyformat=raw -o keylocation=file:///root/qwerty.key testpool/encr1 (qwerty.key being a 32-byte file)

I can now create test files in the new dataset encr1, just like a normal ZFS filesystem.

However, after a reboot the new dataset is not mounted. When I try to mount it I get "encryption key not loaded", even though the original key file is still where it was created.

Any ideas anyone?
 

T-Daemon


"However after a reboot the new dataset is not mounted, ..."
Currently there is no mechanism on 13.0-RELEASE to auto-load keys from key files (required for mounting) for native encrypted ZFS datasets, but it's available on 13.0-STABLE (and CURRENT).

To make it available on 13.0-RELEASE one can simply copy over the rc-script. In your case, assuming the VirtualBox VM has an internet connection:
Code:
# cd /etc/rc.d/
# fetch https://termbin.com/mffay -o zfskeys
# chmod 555 zfskeys
# sysrc zfskeys_enable=YES
# shutdown -r now
Check out https://termbin.com/mffay .

"when I try to mount it I get "encryption key not loaded""
The message indicates you haven't loaded the key. See zfs-load-key(8) or zfs-mount(8), i.e.: zfs mount -l testpool/encr1, zfs umount -u testpool/encr1.

Also the zfskeys script works nicely. Tested in a VB VM, same disk setup as you have: boot/root stripe, keyfile under /root, 2 disk mirror, testpool dataset creation same options.
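
The boot-time step discussed in the post above, sketched as an added example that is not part of the thread and is not the FreeBSD zfskeys rc script: it picks the encryption roots whose key is still unloaded and lives in a file, checks each key file (32 bytes for keyformat=raw, no group/other access) and only then runs zfs load-key. The function names check_raw_keyfile, pending_file_keys and load_file_keys are hypothetical.

```shell
#!/bin/sh
# Added example, not the FreeBSD zfskeys rc script.
# Assumes keyformat=raw key files referenced by keylocation=file:///path.

TAB=$(printf '\t')

# Succeed only if $1 is a regular, non-symlink file of exactly 32 bytes
# (what keyformat=raw requires) with no group/other permission bits.
check_raw_keyfile() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ] || return 1
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ] || return 1
}

# stdin: tab-separated name, encryptionroot, keyformat, keylocation, keystatus
# stdout: "dataset<TAB>keyfile" for each encryption root still waiting for a
# raw key stored in a file.
pending_file_keys() {
    while IFS="$TAB" read -r name root fmt loc status; do
        [ "$name" = "$root" ] || continue         # children inherit the root's key
        [ "$status" = "unavailable" ] || continue # key already loaded
        [ "$fmt" = "raw" ] || continue
        case "$loc" in
            file://*) printf '%s\t%s\n' "$name" "${loc#file://}" ;;
        esac
    done
}

# Load every pending key whose file passes the check, then mount.
load_file_keys() {
    zfs list -H -t filesystem -o name,encryptionroot,keyformat,keylocation,keystatus |
        pending_file_keys |
        while IFS="$TAB" read -r ds keyfile; do
            if check_raw_keyfile "$keyfile"; then
                zfs load-key "$ds"
            else
                echo "skipping $ds: $keyfile failed the key file check" >&2
            fi
        done
    zfs mount -a
}

# Run as root with the argument "load"; with no argument nothing is touched.
if [ "${1:-}" = "load" ]; then load_file_keys; fi
```

A key file that is group- or world-readable, or not exactly 32 bytes, is reported and skipped, so the dataset stays locked instead of loading a key from a file that does not match what was created.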
 

monaco87


Thanks very much for all that information, tested that out and all works exactly as you say. I'm just getting used to the nuanced differences between Sun ZFS (sorry, I can't call it Oracle!) and OpenZFS. My main reason for moving from Solaris is lack of any support unless you pay; this sort of response confirms my choice as the right one.

Again, many thanks!
 

SirDice


FreeBSD has had ZFS for quite some time, but 13.0-RELEASE is the first release that switched to OpenZFS. So there may still be a few kinks to work out (like the key issue you ran into). 13-STABLE (development version of the next release for 13) has imported OpenZFS 2.1 some time ago. Unless there's another OpenZFS release coming in the meantime, you can expect 13.1-RELEASE to have OpenZFS 2.1. The key issue is, as T-Daemon mentioned, fixed in 13-STABLE, which means it will be included in 13.1-RELEASE too. 13.1-RELEASE will probably come out around April 2022.

 