To automate the decryption of the ZFS pool on reboot, you can store the encryption key securely and configure ZFS to unlock the pool automatically. This can be achieved in several ways, but the most common method involves storing the key in a file (in a secure location) so it can be loaded automatically during boot.
Here’s how you can set up automatic decryption:
First, generate and store the encryption key in a file. If you used keyformat=passphrase, you'll need to create and store the passphrase in a secure location. If you're using a keyfile (keyformat=raw, which expects exactly 32 bytes of key material), follow these steps:
1- Create the keyfile (replace /etc/zfs/backup_pool.key with your desired file location):
sudo dd if=/dev/urandom of=/etc/zfs/backup_pool.key bs=32 count=1
sudo chmod 600 /etc/zfs/backup_pool.key
2- Set the key location to the keyfile:
sudo zfs set keylocation=file:/etc/zfs/backup_pool.key backup_pool
ZFS knows where to find the key once keylocation is set, but nothing loads it at boot unless something runs zfs load-key after the pool is imported and before its datasets are mounted. To set this up, create a systemd service that loads the ZFS key at boot so the pool can be mounted.
1- Create a systemd service for key loading:
Create a service to load the key at boot by creating a new file in the /etc/systemd/system/ directory, for example, zfs-load-backup-key.service.
sudo vim /etc/systemd/system/zfs-load-backup-key.service
2- Add the following content to the service file:
[Unit]
Description=Load ZFS encryption key for backup_pool
DefaultDependencies=no
After=zfs-import-cache.service
Before=zfs-mount.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/zfs load-key backup_pool
RemainAfterExit=true

[Install]
WantedBy=multi-user.target

This service loads the key for the pool after the pool has been imported; the Before=zfs-mount.service line is what guarantees the key is available before zfs-mount.service tries to mount the datasets, otherwise the mount can race ahead of the key load and fail.
3- Enable the systemd service to run at boot:
sudo systemctl enable zfs-load-backup-key.service
Ensure that ZFS automatically imports and mounts the pool at boot. If you haven't already done so, enable the following systemd services:
sudo systemctl enable zfs-import-cache
sudo systemctl enable zfs-mount
sudo systemctl enable zfs.target
- Reboot the system to ensure that everything works automatically:
sudo reboot
- After rebooting, check that the pool is mounted:
zfs list
The pool should be automatically decrypted and mounted at /backup (or wherever you specified the mount point).
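Before rebooting, it is worth checking that the keyfile and the unit file actually match what the steps above require, because a wrong keyfile size or a unit that does not order itself before zfs-mount.service only shows up as a failed mount on the next boot. The following script is an added example, not part of the original page; it assumes GNU coreutils (stat -c) and takes the paths as arguments, and report_pool assumes the zfs tools are installed and it is run as root.

```shell
#!/bin/sh
# Added example: pre-reboot sanity checks for a file-backed ZFS key and its
# systemd load-key unit. Assumes GNU coreutils (stat -c) and a Linux host.

# Check that a raw ZFS keyfile is exactly 32 bytes and not readable by
# group or other. Returns 0 when it passes, 1 otherwise.
# (Ownership is not checked here because the example must also run
#  as an unprivileged user; on a real system the file should be root-owned.)
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "missing keyfile: $f"; return 1; }
    size=$(wc -c < "$f")
    [ "$size" -eq 32 ] || {
        echo "keyfile $f is $size bytes, keyformat=raw needs exactly 32"; return 1; }
    mode=$(stat -c %a "$f")
    case "$mode" in
        600|400) ;;
        *) echo "keyfile $f has mode $mode, expected 600"; return 1 ;;
    esac
    return 0
}

# Check that a key-loading unit runs after pool import, before zfs-mount.service,
# and actually executes zfs load-key. Returns 0 when it passes, 1 otherwise.
check_unit() {
    u=$1
    [ -f "$u" ] || { echo "missing unit: $u"; return 1; }
    grep -q '^After=.*zfs-import' "$u" \
        || { echo "$u: no After=zfs-import-*.service ordering"; return 1; }
    grep -q '^Before=.*zfs-mount\.service' "$u" \
        || { echo "$u: no Before=zfs-mount.service ordering"; return 1; }
    grep -q '^ExecStart=.*zfs load-key' "$u" \
        || { echo "$u: ExecStart does not run zfs load-key"; return 1; }
    return 0
}

# After reboot: show key status, mount state and key location of a dataset.
# Needs the zfs tools and root; keystatus should read "available".
report_pool() {
    zfs get -H -o name,property,value keystatus,mounted,keylocation "$1"
}

# Usage on the host described above (paths from the page):
#   check_keyfile /etc/zfs/backup_pool.key
#   check_unit /etc/systemd/system/zfs-load-backup-key.service
#   report_pool backup_pool
```

Run the two check functions as root before `sudo reboot`; a non-zero exit with its message tells you which step above still needs attention.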
- Storing the Key: In this example the encryption key is stored in /etc/zfs/backup_pool.key. Keep the file owned by root with restrictive permissions (chmod 600), and consider placing it in a directory only accessible by root. Note that the key then lives on the root filesystem, so the pool's encryption only protects its disks when they are separated from that system; anyone with root access, or with the unencrypted root disk, can read the key.
- Alternative Key Management: If you want additional security, you could use a hardware security module (HSM) or encrypted external key storage for storing keys. However, this is more complex and requires specialized hardware or configuration.