ZFS: Difference between revisions
imported>Mic92 modprobe is no longer necessary |
imported>Mic92 encrypted zfs |
Line 191: | Line 191: | ||
nixos-install | nixos-install | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Encrypted ZFS == | |||
Native encryption is only available in the <code>zfsUnstable</code> package of NixOS, which was added in [https://github.com/NixOS/nixpkgs/pull/29426 PR-29426] | |||
and will be part of <code>18.03</code>. In older versions it is also possible to use full disk encryption by creating zfs top of cryptsetup. | |||
Assuming that a zpool named <code>zroot</code> has been already created as described. | |||
Encrypted datasets can be added on top as follow: | |||
<syntaxHighlight lang=console> | |||
$ zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=none zroot/root | |||
</syntaxHighlight> | |||
All child datasets will inherit the encryption. | |||
Note that using grub to boot directly from zfs with encryption enabled might not work at the moment, | |||
so a separate boot partition is required. | |||
A full encrypted nixos installation on an UEFI system could look like this: | |||
<syntaxHighlight lang=console> | |||
$ zfs create -o mountpoint=legacy -o sync=disabled zroot/root/tmp | |||
$ zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true zroot/root/home | |||
$ zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true zroot/root/nixos | |||
$ mount -t zfs zroot/root/nixos /mnt | |||
$ mkdir /mnt/{home,tmp,boot} | |||
$ # assuming that /dev/sda1 is the boot partition | |||
$ mkfs.vfat /dev/sda1 | |||
$ mount /dev/sda1 /mnt/boot/ | |||
$ mount -t zfs zroot/root/home /mnt/home/ | |||
$ mount -t zfs zroot/root/tmp /mnt/tmp/ | |||
$ nixos-generate-config --root /mnt | |||
</syntaxHighlight> | |||
== Need more info? == | == Need more info? == |
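Review bot: In the UEFI walkthrough, <code>/dev/sda1</code> is formatted as vfat and mounted at <code>/mnt/boot/</code>, so the boot partition sits outside the encrypted <code>zroot/root</code> dataset, but the text only says that a separate boot partition is required. Suggest stating explicitly that <code>/boot</code> is unencrypted and that the kernel and initrd stored there are not covered by the native encryption. The walkthrough also ends at <code>nixos-generate-config --root /mnt</code> without saying what the generated configuration needs in order to use <code>zfsUnstable</code>, or how the passphrase is supplied at boot; one sentence on each would close the gap. Wording: "creating zfs top of cryptsetup" should read "creating zfs on top of cryptsetup", "as follow" should be "as follows", and "Assuming that a zpool named zroot has been already created as described." is a fragment that should be joined to the sentence after it.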