@tjbenator
Last active February 3, 2023 02:34
Mount encrypted ZFS home partition on boot.
# https://wiki.archlinux.org/title/ZFS#Unlock/Mount_at_boot_time:_systemd
[Unit]
Description=Load %I encryption keys
# Keys must be loaded before datasets are mounted and before user logins are allowed.
Before=systemd-user-sessions.service zfs-mount.service
After=zfs-import.target
Requires=zfs-import.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
# Prompt through systemd's password agents and pipe the passphrase to zfs load-key; repeats until the key loads.
ExecStart=/usr/bin/bash -c 'until (systemd-ask-password "Encrypted ZFS password for %I" --no-tty | zfs load-key %I); do echo "Try again!"; done'

[Install]
WantedBy=zfs-mount.service

Create zpool

sudo zpool create -o ashift=12 -o feature@encryption=enabled -O encryption=aes-256-gcm -O keyformat=passphrase -O compression=lz4 zworkspace /dev/sdb
sudo zfs create zworkspace/home
sudo zfs create zworkspace/home/travis
sudo zfs create zworkspace/home/travis/Downloads
sudo zfs set quota=200G zworkspace/home/travis/Downloads

Move old home directory, set the mountpoint, and set permissions.

sudo mv /home /home-old
sudo zfs set mountpoint=/home zworkspace/home
sudo chown travis:travis /home/travis/

Create zfs-load-key Systemd Service

sudo nano /etc/systemd/system/zfs-load-key@.service

Enable and start it. It will ask for your passphrase after starting.

sudo systemctl enable zfs-load-key@zworkspace
sudo systemctl start zfs-load-key@zworkspace

Restart the machine or restart zfs-mount

sudo systemctl restart zfs-mount

On boot, it will prompt for your ZFS encryption passphrase.
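
The `until` loop in the unit's ExecStart retries without limit, and it prompts even when the key is already loaded, in which case `zfs load-key` fails on every pass. The following is an added example, not part of the original gist: a bounded loader that checks `keystatus` first. The `ZFS`, `ASKPASS` and `MAX_TRIES` variables and the `load_key` function name are assumptions introduced here.

```shell
#!/bin/sh
# Added example: bounded replacement for the until-loop in ExecStart.
# ZFS and ASKPASS are overridable only so the logic can be exercised
# without a real pool; MAX_TRIES is an assumed default.
ZFS=${ZFS:-zfs}
ASKPASS=${ASKPASS:-systemd-ask-password}
MAX_TRIES=${MAX_TRIES:-3}

# load_key DATASET
# Returns 0 if the key is (or becomes) available, 1 when all attempts
# fail, 2 if the dataset is missing or has no key to load.
load_key() {
    lk_ds=$1
    lk_status=$("$ZFS" get -H -o value keystatus "$lk_ds" 2>/dev/null) || return 2
    case $lk_status in
        available) return 0 ;;   # already loaded, e.g. right after zpool create
        unavailable) ;;          # passphrase needed
        *) echo "$lk_ds: no encryption key to load" >&2; return 2 ;;
    esac
    lk_try=1
    while [ "$lk_try" -le "$MAX_TRIES" ]; do
        # The passphrase travels only through the pipe, never argv or env.
        if "$ASKPASS" --no-tty "Encrypted ZFS password for $lk_ds ($lk_try/$MAX_TRIES)" \
            | "$ZFS" load-key "$lk_ds"; then
            return 0
        fi
        echo "Key load failed for $lk_ds" >&2
        lk_try=$((lk_try + 1))
    done
    return 1   # unit fails visibly instead of blocking boot forever
}

# Run directly when called with a dataset name, e.g. from ExecStart.
[ "$#" -eq 0 ] || load_key "$@"
```

Saved as a root-owned executable (the path is your choice, for example a hypothetical /usr/local/sbin/zfs-load-key-once), it can replace the bash one-liner in ExecStart with `%I` as its argument. A non-zero exit then shows up in `systemctl status zfs-load-key@zworkspace` rather than as a hung prompt.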
