ZFS zfs not asking password for mount of encrypted dataset

Code:
zfs create -o encryption=aes-256-ccm -o keyformat=passphrase -o keylocation=prompt ZT/encrypted2
A passphrase was asked for the creation. But not for the mount.
 
No, the mount does not require the passphrase. You can only mount after the load-key:

zfs load-key pool/dataset    # asks for passphrase
zfs mount pool/dataset       # now you can see your data
 
I see, so the creation loaded the key automatically.
After unload you get,
cannot mount 'ZT/encrypted2': encryption key not loaded.
I also see a reboot unloads the key.
 
I also see a reboot unloads the key.
It's possible, if desired, to decrypt and mount those encrypted datasets during boot, instead of after boot, by modifying /etc/rc.d/zfs. Passphrases are then asked during boot.
Code:
# add -l option (see zfs-mount(8))

...
zfs_start_main()
{
    zfs mount -val
...
 
For a mobile hard disk drive on USB, with a non-encrypted root dataset and an encrypted dataset Transcend/VirtualBox, I have two commands.

The first can be used if the disk is not connected at boot time, or if I have exported the pool (typically to sleep the computer):

zpool import Transcend ; zpool status Transcend && zfs load-key Transcend/VirtualBox && zfs mount Transcend/VirtualBox ; mount | grep Transcend

The second can be used after an auto import at boot time:

zfs load-key Transcend/VirtualBox && zfs mount Transcend/VirtualBox ; mount | grep Transcend && zpool status -v Transcend

I always pay attention to output from zpool status because USB in FreeBSD can be troublesome. The first command helped me to quickly tell whether errors occurred moments after import; if there were errors then I'd not attempt to load the key for the encrypted dataset. Eventually I learnt which ports to trust.



Looking ahead: ⚙ D30015 Add zfskeys script to /etc/rc.d for auto-loading zfs keys
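
Added example, not part of the thread: a script form of the import, status check, load-key and mount sequence above that skips key loading when the pool reports errors and reads the keystatus property to decide whether a passphrase prompt is needed. The function names are hypothetical, and it assumes `zpool status -x` prints "pool '<name>' is healthy" for a pool with no errors.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# True only when the pool has no recorded errors. Assumes `zpool status -x`
# prints exactly "pool '<name>' is healthy" in that case.
pool_is_healthy() {
    [ "$(zpool status -x "$1" 2>/dev/null)" = "pool '$1' is healthy" ]
}

# unlock_and_mount POOL DATASET
# Returns 0 on success, 1 import failed, 2 pool unhealthy,
# 3 load-key failed, 4 dataset not encrypted/missing, 5 mount failed.
unlock_and_mount() {
    pool=$1
    dataset=$2

    # Import only when the pool is not already imported (e.g. at boot).
    zpool list -H -o name "$pool" >/dev/null 2>&1 ||
        zpool import "$pool" || return 1

    # Skip key loading when the pool already shows errors.
    if ! pool_is_healthy "$pool"; then
        echo "refusing to load key: $pool is not healthy" >&2
        zpool status -v "$pool" >&2
        return 2
    fi

    # keystatus is "available" once the key is loaded (as right after
    # zfs create), "unavailable" after unload-key, export or reboot,
    # and "-" for an unencrypted dataset.
    case "$(zfs get -H -o value keystatus "$dataset" 2>/dev/null)" in
        available)   ;;
        unavailable) zfs load-key "$dataset" || return 3 ;;
        *)           echo "$dataset: not encrypted or not found" >&2
                     return 4 ;;
    esac

    # Plain zfs mount does not prompt; it needs the key to be available.
    [ "$(zfs get -H -o value mounted "$dataset")" = yes ] ||
        zfs mount "$dataset" || return 5
}

# Run as: sh unlock.sh Transcend Transcend/VirtualBox
if [ "$#" -eq 2 ]; then
    unlock_and_mount "$1" "$2"
fi
```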
 