ZFS: Difference between revisions
imported>Walter: Better integrate recently shared information
imported>Sjau: Adding section for unlocking additional encrypted pools/datasets at bootup
* In order to use DHCP in the initrd, network manager must not be enabled and <code>networking.useDHCP = true;</code> must be set.
* If your network card isn't started, you'll need to add the according kernel module to the initrd as well, e.g. <code>boot.initrd.kernelModules = [ "r8169" ];</code>
=== Import and unlock multiple encrypted pools/datasets at boot ===
If you have more than one encrypted pool or dataset and want to import and unlock all of them at boot, so that they can be automounted via hardware-configuration.nix, you can extend the <code>boot.initrd.network.postCommands</code> option.
Note that a key file stored on an encrypted ZFS dataset cannot be used from the initrd, because that dataset is itself still locked at the time the key is needed. The encryption roots of the additional pools must therefore use <code>keyformat=passphrase</code> and <code>keylocation=prompt</code> (there is no <code>keyformat=password</code>; the valid values are <code>raw</code>, <code>hex</code> and <code>passphrase</code>).
The following example builds on the remote unlocking with dropbear described above, but additionally imports another pool and prompts for its passphrase, either at the machine itself or when logging in remotely:
<syntaxHighlight lang=nix>
boot = {
  initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      # host key generated beforehand; it must be readable when the initrd is built
      hostECDSAKey = /run/keys/initrd-ssh-key;
      authorizedKeys = [ "ssh-rsa AAAA..." ];
    };
    postCommands = ''
      # import the additional pool so that its keys can be loaded together with zroot
      zpool import tankXXX
      # on login: load every key that is still unavailable (prompting for each
      # passphrase), then kill the zfs prompt stage 1 is blocked on so boot continues
      echo "zfs load-key -a; killall zfs" >> /root/.profile
    '';
  };
};
</syntaxHighlight>
When you log in via SSH to dropbear, or at the console of the machine itself, you will be prompted for the passphrases of the zroot and tankXXX pools.
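As a practical check before relying on this setup, the following POSIX shell script (an added example, not code from the NixOS wiki or from OpenZFS) parses the output of <code>zfs get -H -o name,property,value encryptionroot,keylocation,keystatus,mountpoint</code> and reports, for each encryption root, whether it will be unlocked by <code>zfs load-key -a</code> at the prompt, whether its key is a file on an unencrypted location, or whether the key file lives on an encrypted dataset and is therefore not usable from the initrd. The function name <code>check_keylocations</code>, the helper <code>sample_zfs_get</code> and the pool names in the sample data are assumptions for illustration; the sample data is constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the NixOS wiki or OpenZFS): classify the encryption
# roots of the pools you import in the initrd. "prompt" roots are unlocked by
# "zfs load-key -a"; a key file on an encrypted dataset is reported as
# "unusable", because that dataset is still locked when the key is needed.
# Input is the text printed by
#   zfs get -H -o name,property,value encryptionroot,keylocation,keystatus,mountpoint
# so captured output can be checked offline.

check_keylocations() {
  # $1: "name<TAB>property<TAB>value" lines as printed by zfs get -H
  report=$(printf '%s\n' "$1" | awk -F'\t' '
    $2 == "encryptionroot" { root[$1] = $3 }
    $2 == "keylocation"    { loc[$1]  = $3 }
    $2 == "keystatus"      { st[$1]   = $3 }
    $2 == "mountpoint"     { mp[$1]   = $3 }
    END {
      for (ds in root) {
        if (root[ds] != ds) continue          # children inherit the root key; "-" = unencrypted
        if (st[ds] != "unavailable") { print "loaded\t" ds; continue }
        l = loc[ds]
        if (l == "prompt") { print "prompt\t" ds; continue }
        # only prompt and file:// keylocations are considered here
        if (substr(l, 1, 7) != "file://") { print "unusable\t" ds "\t" l; continue }
        path = substr(l, 8)
        best = ""; holder = ""
        for (o in mp) {                       # longest ZFS mountpoint containing the key path
          m = mp[o]
          if (m == "none" || m == "legacy" || m == "-") continue
          pref = (m == "/") ? "/" : (m "/")
          if ((path == m || index(path, pref) == 1) && length(m) > length(best)) {
            best = m; holder = o
          }
        }
        if (holder != "" && (holder in root) && root[holder] != "-")
          print "unusable\t" ds "\t" l " (on encrypted dataset " holder ")"
        else
          print "file\t" ds "\t" l
      }
    }' | sort)
  printf '%s\n' "$report"
  # non-zero exit if any encryption root cannot be unlocked from the initrd
  ! printf '%s\n' "$report" | grep -q '^unusable'
}

# Constructed sample (hypothetical pool names, not a real system): an encrypted
# root pool whose /etc/zfs/keys lives on an encrypted dataset, an unencrypted
# boot pool, a second pool unlocked at the prompt, and two pools with file keys.
sample_zfs_get() {
  printf '%s\t%s\t%s\n' \
    zroot encryptionroot zroot   zroot keylocation prompt   zroot keystatus unavailable   zroot mountpoint none \
    zroot/root encryptionroot zroot   zroot/root keylocation none   zroot/root keystatus unavailable   zroot/root mountpoint / \
    zroot/keys encryptionroot zroot   zroot/keys keylocation none   zroot/keys keystatus unavailable   zroot/keys mountpoint /etc/zfs/keys \
    bpool encryptionroot -   bpool keylocation none   bpool keystatus -   bpool mountpoint /boot \
    tankXXX encryptionroot tankXXX   tankXXX keylocation prompt   tankXXX keystatus unavailable   tankXXX mountpoint /tank \
    data encryptionroot data   data keylocation file:///etc/zfs/keys/data.key   data keystatus unavailable   data mountpoint /data \
    media encryptionroot media   media keylocation file:///boot/keys/media.key   media keystatus unavailable   media mountpoint /media
}

# "sh thisscript.sh --demo" runs the check on the constructed sample;
# on a live system pass the real "zfs get" output instead.
if [ "${1:-}" = "--demo" ]; then
  check_keylocations "$(sample_zfs_get)"
fi
```

On a live system run <code>check_keylocations "$(zfs get -H -o name,property,value encryptionroot,keylocation,keystatus,mountpoint)"</code>; a non-zero exit means at least one encryption root cannot be unlocked with the configuration above. The check only knows ZFS mountpoints, so a key on a non-ZFS filesystem mounted below an encrypted dataset is reported as being on that dataset; a key file on an unencrypted pool is "usable" only if that pool is also imported and mounted in the initrd before <code>zfs load-key</code> runs.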
== Encrypted Dataset Format Change ==