ZFS: Difference between revisions

imported>Mic92
enableUnstable is also a thing on earlier releases
imported>CptMikky
update config from dropbear ssh to openssh + mention hostkeyPath format
Line 416: Line 416:
=== Unlock encrypted zfs via ssh on boot ===
=== Unlock encrypted zfs via ssh on boot ===


In case you want unlock a machine remotely (after an update), having a dropbear ssh service in initrd for the password prompt is handy:
In case you want unlock a machine remotely (after an update), having an ssh service in initrd for the password prompt is handy:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
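Review bot: the rewritten sentence still reads "In case you want unlock a machine remotely"; the verb is missing "to" ("want to unlock"). Since this edit already generalises "a dropbear ssh service" to "an ssh service", fix the grammar in the same pass so the new line lands clean.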
Line 429: Line 429:
     ssh = {
     ssh = {
         enable = true;
         enable = true;
         # To prevent ssh from freaking out because a different host key is used,
         # To prevent ssh clients from freaking out because a different host key is used,
         # a different port for dropbear is useful (assuming the same host has also a normal sshd running)
         # a different port for ssh is useful (assuming the same host has also a regular sshd running)
         port = 2222;  
         port = 2222;  
         # dropbear uses key format different from openssh; can be generated by using:
         # hostKeys paths must be unquoted strings, otherwise you'll run into issues with boot.initrd.secrets
         # $ nix-shell -p dropbear --command "dropbearkey -t ecdsa -f /tmp/initrd-ssh-key"
        # the keys are copied to initrd from the path specified; multiple keys can be set
         hostECDSAKey = /run/keys/initrd-ssh-key;
        # you can generate any number of host keys using  
         # `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key`
         hostKeys = [ /path/to/ssh_host_rsa_key ];
         # public ssh key used for login
         # public ssh key used for login
         authorizedKeys = [ "ssh-rsa AAAA..." ];
         authorizedKeys = [ "ssh-rsa AAAA..." ];
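Review bot: the new comment and the new option value disagree on the key type: the comment shows generating an ed25519 key with `ssh-keygen -t ed25519 -N "" -f /path/to/ssh_host_ed25519_key`, but the line that follows sets `hostKeys = [ /path/to/ssh_host_rsa_key ];`. Use the same file name in both (for example `hostKeys = [ /path/to/ssh_host_ed25519_key ];`). The name should also make it obvious that this is a dedicated initrd key and not the running system's sshd key, because the comment above `port = 2222;` explains that the initrd is deliberately presenting a different host key from the regular sshd and the separate port is what keeps ssh clients from treating that as a key-change warning; a name that reads like the system host key invites copying the wrong file. The note that `hostKeys` entries must be unquoted paths is the genuinely new information in this hunk; saying what the quoted form actually breaks on would serve readers better than "you'll run into issues with boot.initrd.secrets".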
Line 455: Line 457:
Unfortunately having an unlock key file stored in an encrypted zfs dataset cannot be used directly, so the pool must use <code>keyformat=passphrase</code> and <code>keylocation=prompt</code>.
Unfortunately having an unlock key file stored in an encrypted zfs dataset cannot be used directly, so the pool must use <code>keyformat=passphrase</code> and <code>keylocation=prompt</code>.


The following example follows the remote unlocking with dropbear, but imports another pool also and prompts for unlocking (either when at the machine itself or when logging in remotely:
The following example follows the remote unlocking with OpenSSH, but imports another pool also and prompts for unlocking (either when at the machine itself or when logging in remotely:


<syntaxhighlight lang="nix">
<syntaxhighlight lang="nix">
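Review bot: the rewritten sentence keeps the unbalanced parenthesis from the old one: "(either when at the machine itself or when logging in remotely:" opens a parenthesis that is never closed; suggest "remotely):". While touching it, "imports another pool also" reads more naturally as "also imports another pool".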
Line 464: Line 466:
         enable = true;
         enable = true;
         port = 2222;  
         port = 2222;  
         hostECDSAKey = /run/keys/initrd-ssh-key;
         hostKeys = [ /path/to/ssh_host_rsa_key ];
         authorizedKeys = [ "ssh-rsa AAAA..." ];
         authorizedKeys = [ "ssh-rsa AAAA..." ];
     };
     };
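Review bot: this second snippet repeats the same `hostKeys = [ /path/to/ssh_host_rsa_key ];` line as the first one, so the two ssh blocks must be kept in sync whenever the key name or path changes; either use the identical value in both places or trim this snippet to the parts that differ from the first example (the extra pool import and prompt) and point back to the first block for the ssh settings.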
Line 475: Line 477:
</syntaxHighlight>
</syntaxHighlight>


When you login by SSH into dropbear or when you have physical access to the machine itself, you will be prompted to supply the unlocking password for your zroot and tankXXX pools.
When you login by SSH into the box or when you have physical access to the machine itself, you will be prompted to supply the unlocking password for your zroot and tankXXX pools.


== ZFS Trim Support for SSDs ==
== ZFS Trim Support for SSDs ==
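Review bot: the closing tag in this hunk is `</syntaxHighlight>` with a capital H while the opening tags in the hunks above are lowercase `<syntaxhighlight lang="nix">`; make the casing consistent while the section is being edited. The change from "login by SSH into dropbear" to "login by SSH into the box" correctly follows the switch to OpenSSH in the rest of the section.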