A script that auto unlocks your encrypted ZFS datasets on boot. With general instructions to setup ZFS encryption using keyfiles.
I created this so if someone stole my server they would also need the USB with the keyfiles to access the encrypted datasets. To accomplish this I save the keyfiles to the usb and I hide the USB elsewhere, well outside of the case. I'm not going to get too specific on how I did that, as obfuscation is part of the security here, but you can get quite creative.
Some ideas:
A USB extension that is hidden
A USB extension that goes to a locked cabinet
You can also serve the keyfiles over networked methods, if your motherboard and system allow for that. If you don't have to unlock the datasets until after os boot, then you can store the files pretty much anywhere, auch as networked. Personally, I prefer the physical device.
Whatever you decide, make sure you have appropriate permissions set for these keyfiles. They should be protected and treated just like SSH keys. AND keep a backup!
- Generate the Keyfile (modify save path and filename to suit, I'd save in a folder with same chmod)
dd if=/dev/urandom of=/zfs_keyfiles/zfs_keyfilename bs=32 count=1
chmod 0400 /zfs_keyfiles/zfs_keyfilename
chown root:root /zfs_keyfiles/zfs_keyfilename
- Create a ZFS Dataset that uses the keyfile you just made. Note the file location (you can set other -o options like compession at this point as well)
zfs create -o encryption=on -o keylocation=file:///zfs_keyfiles/zfs_keyfilename -o keyformat=raw poolname/datasetname
- Generic Load keys and Mount Command
zfs load-key poolname/datasetname
zfs mount poolname/datasetname
This depends heavily on your system.
NOTES: Make sure to give a unique name to script.service and script.sh
- Save Your Script in a Suitable Location like /opt
- make sure the script is excecutable:
chmod +x /opt/script.sh
- Reference Your Script in the Service File: (name appropriately & match script location)
nano /etc/systemd/system/script.service
add this to the service file:
[Unit]
Description=My custom startup script
[Service]
ExecStart=/opt/script.sh
[Install]
WantedBy=multi-user.target
- Check if added as service:
systemctl status script.service
- Reboot. Script should now run on boot. You can confirm by running another:
systemctl status script.service
- Install User Scripts Plugin
- Create New Script and copy/paste ZFS_crypto_unlock.sh
- Set to "At Startup of Array"
This also depends on your system.
- Install Unassigned Devices Plugin
- Expand settings for specific USB
- Configure to automount in the Settings menu
If you move the keyfile, you need to update the dataset with the new location.
- Unload Key
zfs unload-key poolname/datasetname
- Change Key Location
zfs change-key -o keylocation=file:///new/path/to/keyfile poolname/datasetname
- Load Key
zfs load-key poolname/datasetname
- Verify Change if so desired
zfs get all poolname/datasetname | grep keylocation