
I'm on a live CD with ZFS. I want to import an encrypted pool which has a keyfile as "passphrase".

First I mount the USB dongle with the keyfile:

mkdir /tmpusb
mount /dev/disk/by-uuid/uuidofdongle... /tmpusb

Then I import the pool:

zpool import -l -d /dev/disk/by-partlabel/ROOTPOOL1 -d /dev/disk/by-partlabel/ROOTPOOL2 -o altroot=/mnt rpool
1 / 1 keys successfully loaded

It all works! What is the problem?

And if I forgot the correct dir where to mount the dongle?

ZFS gives me the correct answer, but the pool must be open first!

zfs get all rpool | grep -i keyloc
rpool  keylocation           file:///tmpusb/cifry  local

The question is: is there a way to get this property with the pool closed?

elbarna

1 Answer


I've used ZFS over a decade now but have never used ZFS encryption, so while I know a lot about ZFS in general I'm certainly no expert on ZFS encryption.

AFAIK, you can't get the keylocation attribute of a dataset without the pool being imported (because it's an attribute of the dataset, not the pool - there may be a way to do it with the zdb ZFS debugging utility but if there is, I don't know it).

You can, however, override the attribute after the pool is imported but before you mount the dataset, and manually tell zfs where the key file is.

From reading the docs, I'm pretty sure that's what the -L option of zfs load-key is for. From man zfs-load-key:

zfs load-key [-nr] [-L keylocation] -a|filesystem

Load the key for filesystem, allowing it and all children that inherit the keylocation property to be accessed.

The key will be expected in the format specified by the keyformat and location specified by the keylocation property. Note that if the keylocation is set to prompt the terminal will interactively wait for the key to be entered.

Loading a key will not automatically mount the dataset. If that functionality is desired, zfs mount -l will ask for the key and mount the dataset (see zfs-mount(8)).

Once the key is loaded the keystatus property will become available.

-r Recursively loads the keys for the specified filesystem and all descendent encryption roots.

-a Loads the keys for all encryption roots in all imported pools.

-n Do a dry-run ("No-op") load-key. This will cause zfs to simply check that the provided key is correct. This command may be run even if the key is already loaded.

-L keylocation - Use keylocation instead of the keylocation property. This will not change the value of the property on the dataset. Note that if used with either -r or -a, keylocation may only be given as prompt.

So, try something like:

  1. mount the USB stick containing the key wherever you like
  2. import the pool without loading the key because you want to override the keylocation attribute with zfs load-key. Without the -l option, any encrypted datasets won't be mounted, which is what you want.
  3. load the key(s) for the dataset(s)
  4. mount the dataset(s).
zpool import rpool    # without the `-l` option!
zfs load-key -L file:///path/to/keyfile rpool    # -L takes a URI (file://...), not a bare path
zfs mount rpool

BTW: keep in mind the distinction between the pool called rpool and the top-level dataset of that pool (also called rpool) - zpool sub-commands work with pools, zfs sub-commands work with datasets, zvols, snapshots, etc.
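The procedure above as a script, added here as an example and not part of the original answer. It assumes the pool name rpool, the dongle mount directory /tmpusb and the keyfile name cifry from the question; the `-n` dry run and the keystatus check come from the man page excerpt quoted above.

```shell
#!/bin/sh
# Added example: import an encrypted pool with a keyfile that lives on a USB dongle.
# Assumed names (from the question): pool "rpool", keyfile "cifry", mount dir "/tmpusb".
set -eu

# keyloc_uri PATH -> prints the file:// URI that `zfs load-key -L` expects.
# A bare path is rejected by zfs as an invalid keylocation, so require an absolute one.
keyloc_uri() {
    case "$1" in
        /*) printf 'file://%s\n' "$1" ;;
        *)  printf 'keyfile path must be absolute: %s\n' "$1" >&2; return 1 ;;
    esac
}

# find_keyfile NAME DIR... -> prints the first DIR/NAME that exists, for the case
# where the dongle was mounted somewhere other than the keylocation stored in the pool.
find_keyfile() {
    name=$1; shift
    for dir in "$@"; do
        if [ -f "$dir/$name" ]; then printf '%s\n' "$dir/$name"; return 0; fi
    done
    return 1
}

# import_with_key POOL KEYFILE ALTROOT: import without -l (nothing is decrypted yet),
# dry-run the key with -n, load it, confirm keystatus, then mount the top-level dataset.
import_with_key() {
    pool=$1; uri=$(keyloc_uri "$2"); altroot=$3
    zpool import -o altroot="$altroot" "$pool"
    zfs load-key -n -L "$uri" "$pool"            # check the key before loading it
    zfs load-key -L "$uri" "$pool"
    [ "$(zfs get -H -o value keystatus "$pool")" = "available" ] || return 1
    zfs mount "$pool"
}

# Only touch real pools when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    key=$(find_keyfile cifry /tmpusb /mnt/usb /media/usb)   # candidate dirs are assumptions
    import_with_key rpool "$key" /mnt
fi
```

The candidate mount directories passed to find_keyfile are placeholders; replace them with wherever you mounted the dongle.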

cas