Skip to content

Instantly share code, notes, and snippets.

@branchmispredictor

branchmispredictor/encrypted-zfs-root-key-on-usb-using-arch.md

Last active January 5, 2024 15:42
Show Gist options
  • Save branchmispredictor/779ace1349d5da503e1364a5e60d1d83 to your computer and use it in GitHub Desktop.
Save branchmispredictor/779ace1349d5da503e1364a5e60d1d83 to your computer and use it in GitHub Desktop.
Download ZIP
Encrypted ZFS Root Key on USB using Arch
Raw
encrypted-zfs-root-key-on-usb-using-arch.md

Encrypted ZFS Root Key on USB using Arch

This is an initcpio hook that loads your root pool zfs password from a usb stick, as an alternative to modifying the zfs initcpio hook as mentioned in https://wiki.archlinux.org/title/Install_Arch_Linux_on_ZFS#Loading_password_from_USB-Stick.

This hook can also be used in ZFSBootMenu, meaning the same code and same usb can unlock your root pool in ZFSBootMenu and Linux itself. This solution does not store your key in initramfs.

Generate the Password + Write to the USB

Generate your zfs password and put it on a usb drive using DD, see the first two steps: https://wiki.archlinux.org/title/Install_Arch_Linux_on_ZFS#Loading_password_from_USB-Stick.

Create The Initcpio Hook

Create /etc/initcpio/hooks/rpoolusb and edit usb and pool (and if necessary the size/location of your password on the usb in the dd command):

#!/bin/ash

run_hook() {
        echo "[rpoolusb]"
        usb="/dev/disk/by-id/usb-Kingston_DataTraveler_3.0-0:0"
        pool="rpool"

        mkdir /zfs-key-files
        mount -t tmpfs key_store /zfs-key-files
        if [ -e "$usb" ]; then
                echo "Loading key"
                dd if="$usb" of="/zfs-key-files/$pool" bs=32 count=1
        else
                echo "Could not find usb!"
                sleep 5s
        fi
}

run_cleanuphook() {
        echo "[rpoolusb]"
}

Create /etc/initcpio/install/rpoolusb:

#!/bin/bash

build() {
    map add_binary \
        udevadm

    map add_file \
        /lib/udev/rules.d/60-zvol.rules \
        /lib/udev/rules.d/69-vdev.rules \
        /lib/udev/rules.d/90-zfs.rules \
        /lib/libgcc_s.so.1


    add_runscript
}

help() {
    cat<<HELPEOF
This hook allows you to load a zfs key from usb.

HELPEOF
}

Set the Keylocation for Your ZFS Pool

sudo zfs set -u keylocation=file:///zfs-key-files/rpool rpool

Install the Hook for linux

Add the hook to your mkinitcpio config at /etc/mkinitcpio.conf, example:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block rpoolusb zfs filesystems)

Regenerate initcpio: sudo mkinitcpio -P

Install the Hook for ZFSBootMenu

Ensure you are using ZFSBootMenu with InitCPIO: true following https://wiki.archlinux.org/title/Install_Arch_Linux_on_ZFS#Generate_a_ZFSBootMenu_image.

You may have to add the following to /etc/zfsbootmenu/config.yaml:

Global:
...
  InitCPIOHookDirs:
    - /etc/zfsbootmenu/initcpio
    - /etc/initcpio
    - /usr/lib/initcpio

Add the rpoolusb hook to /etc/zfsbootmenu/mkinitcpio.conf, example:

HOOKS=(base udev autodetect modconf block filesystems keyboard rpoolusb zfsbootmenu)

Regenerate your zfsbootmenu with sudo generate-zbm

References

  1. gist.github.com/Soulsuke/arch_on_zfs.txt
  2. Arch Wiki: Install Arch Linux on ZFS
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment