The issue/context
I imported my encrypted ZFS pool from TrueNAS SCALE and everything works well so far, except that when I reboot I have to log in and simply type:
My question for OMV
Is it on the OMV roadmap to include these options:
- create an encrypted zfs pool via the WebUI
- doing the load-key automatically at boot
My HowTo for those who want an encrypted ZFS pool on their OMV
Be aware:
- Native encrypted ZFS is not fully privacy-proof; if someone has physical access to your machine, they will potentially be able to list (ls -R /encrypted-zpool) the files but not read the content of these files (cat /encrypted-zpool/file) on your ZFS drive, even if the key is unloaded.
- I switch (export/import) my encrypted zpool mirror between Debian- and Ubuntu-based systems without issues; you just need to know which version of OpenZFS you are using and its algorithm limitations/incompatibilities.
- Mirrors are the best; raidz with 3, 4 or 5 disks will slow down your drive access time (I/O); if you want more security, use 2 mirrors and replicate them.
- For most use cases, ZIL and SLOG are useless for home and SOHO (small office/home office); I mean most home/SOHO setups will be limited by their network anyway.
As root:
1. Create your key and store it somewhere that is accessible during the boot process.
2. Create the pool using the drive IDs (example):
# pool name and the two mirror members, addressed by stable /dev/disk/by-id paths
dataset_name=ssd
drive1=/dev/disk/by-id/ata-Samsung_SSD_860_PRO_256GB_S42VNF0K205921K
drive2=/dev/disk/by-id/ata-Samsung_SSD_860_PRO_256GB_S5GANE0N204528K
# -O sets filesystem properties on the pool's root dataset; keyformat=raw expects
# the 32-byte key file from step 1, readable by root only. Options go before the
# pool name; -f overwrites any existing label on the disks.
zpool create -f -O encryption=aes-256-gcm -O keyformat=raw -O keylocation=file:///etc/zfs/zpool.key "$dataset_name" mirror "$drive1" "$drive2"
3. Create the zfs-load-key service (a template unit; %I is the pool name given after the @):
cat << 'EOF' > /etc/systemd/system/zfs-load-key@.service
[Unit]
Description=Load ZFS keys
DefaultDependencies=no
Before=zfs-mount.service
After=zfs-import.target
Requires=zfs-import.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/zfs load-key %I
[Install]
WantedBy=zfs-mount.service
EOF
4. Enable the service for each encrypted ZFS pool you created.*
* From time to time, escape characters end up in the instance name built from the $dataset_name variable; to resolve this, check with tab completion which instance name was actually created, disable the wrongly named instance and enable it again with the plain pool name:
systemctl status zfs-load-key [TAB] [TAB]   # tab-complete to see the instance name that was actually created
systemctl disable zfs-load-key@$dataset_name
systemctl enable zfs-load-key@ssd
systemctl daemon-reload
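One way to see which datasets each need their own instance of the service above, and whether the keys actually got loaded after boot, as an added example that is not from the original post: it parses constructed `zfs list -H -o name,encryptionroot,keystatus` output and assumes systemd-escape may or may not be installed.

```shell
#!/bin/sh
# Added example, not code from the original post: given the output of
#   zfs list -H -o name,encryptionroot,keystatus
# on stdin, list the encryption roots (one zfs-load-key@ instance each) and
# the roots whose key is still unloaded. The sample output below is constructed.

# Datasets that are their own encryption root. Children inherit the key, so
# loading it on the root is enough; unencrypted datasets show "-".
encryption_roots() {
    awk -F '\t' '$2 != "-" && $1 == $2 { print $1 }'
}

# Roots whose key is not loaded: a post-boot check that the service worked.
unloaded_roots() {
    awk -F '\t' '$1 == $2 && $3 != "available" { print $1 }'
}

# systemctl commands to enable one instance per root. The name goes through
# systemd-escape when available, so "/" in a dataset name becomes "-" and %I
# in the unit turns it back; this is the escaping the post runs into.
enable_commands() {
    encryption_roots | while IFS= read -r root; do
        if command -v systemd-escape >/dev/null 2>&1; then
            inst=$(systemd-escape -- "$root")
        else
            inst=$root
        fi
        printf 'systemctl enable zfs-load-key@%s\n' "$inst"
    done
}

# Constructed sample: pool "ssd" with a child, an unencrypted pool "tank",
# and an encrypted dataset "tank/backup" whose key is already loaded.
sample_list() {
    printf 'ssd\tssd\tunavailable\n'
    printf 'ssd/media\tssd\tunavailable\n'
    printf 'tank\t-\tnone\n'
    printf 'tank/backup\ttank/backup\tavailable\n'
}

sample_list | enable_commands
sample_list | unloaded_roots
```

On a live system, replace `sample_list` with the real `zfs list -H -o name,encryptionroot,keystatus` call.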
References
- create encrypted zfs pool: https://wiki.archlinux.org/title/ZFS#Native_encryption
- script zfs-load-key: https://github.com/openzfs/zfs…50#issuecomment-497500144
And now the bonus track for those who read until the end:
You may have noticed that since you installed ZFS, mdadm tries to mount RAID without success at every boot; maybe I'm picky, but this was annoying me.
So I was able to speed up my boot by removing every md* file inside /usr/share/initramfs-tools/,
and now there is no more time spent waiting for mdadm, which randomly mounts RAIDs.
PS: I also took the time to remove every file that pointed at btrfs, dm, lvm, ntfs and xfs, without any issue.