Experimenting with Ubuntu’s “new” (relatively so) ZFS installation option is all very well, but encryption is not optional for a laptop that is taken around the place.
Whether I should have spent more time poking around the installer to find the option is a possibility, but post-install enabling encryption isn’t so difficult.
The first step is to create an encrypted filesystem – encryption only works on newly created filesystems and cannot be turned on later :-
zfs create -o encryption=on \ -o keyformat=passphrase \ rpool/USERDATA/ehome
You will be asked for the passphrase as it is created. Forgetting this is extremely inadvisable!
One created, reboot to check that :-
- You get prompted for the passphrase (as of Ubuntu 20.04 you do).
- That the encrypted filesystem gets mounted automatically (likewise).
At this point you should be able to create the filesystems for the relevant home directories :-
zfs create rpool/USERDATA/ehome/root
cd /root
rsync -arv . /ehome/root
cd /
zfs set mountpoint=/root rpool/USERDATA/ehome/root
(An error will result as there is something already there but it does the important bit)
zfs set mountpoint=none rpool/USERDATA/root_xyzzy
(A similar error)
Repeat this for each user on the system, and reboot. See if you can login and your files are present.
This leaves the old unencrypted home directories around (which can be removed with zfs destroy -r rpool/USERDATA/root_xyzzy). It is possible that this re-arrangement of how home directories work will break some of Ubuntu’s features – such as scheduled snapshots of home directories (which is why the destroy command needs the “-r” flag before).
But it’s getting there.