ZFS: Difference between revisions

imported>Mic92
also document acltype option
and will be part of <code>18.03</code>. On older versions full disk encryption is still possible by creating the ZFS pool on top of a cryptsetup (LUKS) device.


In the unstable channel it is currently necessary to set <code>boot.zfs.enableUnstable = true;</code> to get a ZFS build based on the master branch, as the <code>zfsStable</code> package does not yet have native encryption.


Assuming that a zpool named <code>zroot</code> has already been created as described.
$ zpool create -o ashift=12 -o altroot="/mnt" -O encryption=aes-256-gcm -O keyformat=passphrase zroot /dev/sdxy
</syntaxHighlight>


All child datasets will inherit the encryption.
$ nixos-generate-config  --root /mnt
</syntaxHighlight>
To unlock the encrypted root dataset at boot, <code>boot.zfs.requestEncryptionCredentials</code> must also be set to <code>true</code>. Note that at the moment a passphrase (<code>keylocation=prompt</code>) can only be used for the pool that holds the root filesystem. Data pools are imported by a background systemd service, which cannot prompt, so they need a key file (<code>keylocation=file://</code>). The key file can, for example, live on the root filesystem if that is itself encrypted; it should be readable by root only, since anyone who can read it can unlock the pool.
If the key file is not on the root filesystem, also set <code>systemd.services.zfs-import-poolname.serviceConfig.RequiresMountsFor = "/path/to/key";</code>, where <code>poolname</code> is the name of the data pool (NixOS creates one <code>zfs-import-poolname.service</code> per pool). This makes systemd mount the filesystem holding <code>/path/to/key</code> before it imports the pool; without it the import may run before the key is reachable and the pool's datasets stay unmounted.
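The data-pool side of the procedure above, as an added example that is not part of the wiki page or of NixOS itself: it generates a root-only raw key file, checks it before use, creates the data pool with <code>keylocation=file://</code>, and prints the NixOS module that ties the pool's import unit to the filesystem holding the key. The pool name <code>zdata</code>, the key path <code>/etc/zfs/zdata.key</code> and the device <code>/dev/sdxz</code> are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the NixOS wiki or the NixOS project.
# Prepares a raw key file for an encrypted ZFS *data* pool (the root pool
# keeps keylocation=prompt) and emits the NixOS options described above.
# Hypothetical names: pool "zdata", key /etc/zfs/zdata.key, device /dev/sdxz.
set -eu

# Generate a 32-byte raw key readable only by root. keyformat=raw demands
# exactly 32 bytes; umask 077 makes the file 0600 before any byte is written.
make_zfs_keyfile() {
  local path=$1
  mkdir -p "$(dirname "$path")"
  ( umask 077 && head -c 32 /dev/urandom > "$path" )
}

# Refuse a key file that is missing, the wrong size, or readable by anyone
# but its owner: a world-readable key makes the pool encryption pointless.
check_zfs_keyfile() {
  local path=$1 size mode
  [ -f "$path" ] || { echo "missing key file: $path" >&2; return 1; }
  size=$(wc -c < "$path" | tr -d ' ')
  [ "$size" -eq 32 ] || { echo "$path: key must be 32 bytes, got $size" >&2; return 1; }
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  case "$mode" in
    [4-7]00|?[4-7]00) return 0 ;;
    *) echo "$path: mode $mode, expected owner-only (0400/0600)" >&2; return 1 ;;
  esac
}

# Create the data pool. keylocation=file:// is what lets the zfs-import-zdata
# systemd unit load the key without a console prompt. ZFS opens that path at
# create time and at every import, so it must also exist on the installer.
create_data_pool() {
  local pool=$1 key=$2 dev=$3
  check_zfs_keyfile "$key"
  zpool create -o ashift=12 \
    -O encryption=aes-256-gcm -O keyformat=raw -O keylocation="file://$key" \
    "$pool" "$dev"
}

# Print a NixOS module that orders the pool import after the filesystem
# holding the key is mounted; import it from configuration.nix.
write_zfs_nix_module() {
  local pool=$1 key=$2
  cat <<EOF
{ ... }:
{
  boot.zfs.requestEncryptionCredentials = true;
  # Mount whatever holds the key before importing the data pool.
  systemd.services."zfs-import-${pool}".serviceConfig.RequiresMountsFor = "${key}";
}
EOF
}

# Usage during installation (root filesystem already mounted at /mnt):
#   make_zfs_keyfile /mnt/etc/zfs/zdata.key
#   mkdir -p /etc/zfs && cp -p /mnt/etc/zfs/zdata.key /etc/zfs/zdata.key
#   create_data_pool zdata /etc/zfs/zdata.key /dev/sdxz
#   write_zfs_nix_module zdata /etc/zfs/zdata.key > /mnt/etc/nixos/zfs-data.nix
#   zfs get -r encryption,keyformat,keylocation,keystatus zdata
```

The key is written under <code>/mnt</code> so it ends up on the installed (encrypted) root, and copied to the same path on the installer only so that <code>zpool create</code> can read it; after booting, <code>zfs get keystatus</code> on the pool should report <code>available</code> once the import unit has run.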


=== Unlock encrypted zfs via ssh on boot ===