{"id":5744,"date":"2020-04-26T14:59:32","date_gmt":"2020-04-26T14:59:32","guid":{"rendered":"https:\/\/really.zonky.org\/?p=5744"},"modified":"2020-04-26T15:54:44","modified_gmt":"2020-04-26T15:54:44","slug":"ubuntu-zfs-encryption","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=5744","title":{"rendered":"Ubuntu ZFS: Encryption"},"content":{"rendered":"\n

Experimenting with Ubuntu’s “new” (relatively so) ZFS installation option is all very well, but encryption is not optional for a laptop that is taken around the place. <\/p>\n\n\n\n

Whether I should have spent more time poking around the installer to find the option is a possibility, but post-install enabling encryption isn’t so difficult.<\/p>\n\n\n\n

The first step is to create an encrypted filesystem – encryption only works on newly created filesystems and cannot be turned on later :-<\/p>\n\n\n\n

zfs create -o encryption=on \\\n  -o keyformat=passphrase \\\n  rpool\/USERDATA\/ehome<\/pre>\n\n\n\n
You will be asked for the passphrase as it is created. Forgetting this is extremely inadvisable! <\/p>\n\n\n\n
One created, reboot to check that :-<\/p>\n\n\n\n
  1. You get prompted for the passphrase (as of Ubuntu 20.04 you do).<\/li>
  2. That the encrypted filesystem gets mounted automatically (likewise).<\/li><\/ol>\n\n\n\n
    At this point you should be able to create the filesystems for the relevant home directories :-<\/p>\n\n\n\n
    zfs create rpool\/USERDATA\/ehome\/root\ncd \/root\nrsync -arv . \/ehome\/root\ncd \/\nzfs set mountpoint=\/root rpool\/USERDATA\/ehome\/root\n(An error will result as there is something already there but it does the important bit)\nzfs set mountpoint=none rpool\/USERDATA\/root_xyzzy\n(A similar error)<\/code><\/pre>\n\n\n\n
    Repeat this for each user on the system, and reboot. See if you can login and your files are present.<\/p>\n\n\n\n
    This leaves the old unencrypted home directories around (which can be removed with zfs destroy -r rpool\/USERDATA\/root_xyzzy<\/em>). It is possible that this re-arrangement of how home directories work will break some of Ubuntu’s features – such as scheduled snapshots of home directories (which is why the destroy command needs the “-r” flag before). <\/p>\n\n\n\n
    But it’s getting there.<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"
    Experimenting with Ubuntu’s “new” (relatively so) ZFS installation option is all very well, but encryption is not optional for a laptop that is taken around the place. Whether I should have spent more time poking around the installer to find the option is a possibility, but post-install enabling encryption isn’t so difficult. The first step […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4,209],"tags":[553,43,61,88],"class_list":["post-5744","post","type-post","status-publish","format-standard","hentry","category-it","category-linux-it","tag-encryption","tag-linux","tag-ubuntu","tag-zfs","category-4-id","category-209-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-1uE","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/5744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5744"}],"version-history":[{"count":3,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/5744\/revisions"}],"predecessor-version":[{"id":5747,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/5744\/revisions\/5747"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}