16.05.2020 16:51, Thomas Zander via freebsd-stable wrote:
> Hi,
>
> can the following be done these days?
> - Encrypted ZFS root pool on RAID-Z
> - Supply the key for the encrypted root pool during boot via USB thumb
> drive
> - No keyboard is attached to the machine
> - No /boot on the thumb drive, just the key
> - I don't mind if /boot is encrypted or not (the use case is not to
> protect against nation state attackers)
> - Bonus points if I can use bectl
>
> Every single posting regarding this topic I can find always comes down to
> either
> a) One needs /boot on the thumb drive, or
> b) One uses a keyboard and supplies a passphrase instead of a keyfile.
Note that the root pool does not need to be the original boot pool.
It is possible to share your disks between two different ZFS pools: a small
first unencrypted boot pool that boots normally and starts a plain shell
script that reads the key from any storage you prefer, decrypts and attaches
the second encrypted pool. Then set vfs.root.mountfrom to the second pool with
kenv(1) and use re-rooting (reboot -r) to restart booting from the
now-available encrypted pool.
This is how to share disks with GEOM_RAID:
1. Cut the first N megabytes of each disk to form an N-way mirror using the
"Promise" on-disk volume label format:
graid label -S ${N}M Promise r0 RAID1 /dev/da0 /dev/da1 /dev/da2 ...
This gives you the /dev/raid/r0 device; use it to create an unencrypted,
non-redundant ZFS boot pool, as GEOM_RAID provides the (mirrored) redundancy.
2. Allocate the tail of each drive to a set of SINGLE graid volumes:
graid label Promise r1 SINGLE /dev/da0
graid label Promise r2 SINGLE /dev/da1
graid label Promise r3 SINGLE /dev/da2
...
This gives you the devices /dev/raid/r1, /dev/raid/r2 etc. Use them as vdevs
to create your encrypted RAID-Z.
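The boot-pool shell script that the reply describes, written out as an added example (not code from the thread or from FreeBSD). It assumes geli-encrypted providers on /dev/raid/r1..r3 (the SINGLE volumes above), an encrypted pool named zroot whose root dataset is zroot/ROOT/default, and a USB stick with an msdosfs volume labelled rootkey holding the key file root.key; all of these are placeholders that the variables at the top let you change.

```shell
#!/bin/sh
# Added example (not from the thread): helper for the small unencrypted boot
# pool that reads the geli key from a USB stick, attaches the encrypted
# providers, imports the encrypted pool and re-roots into it.
# Assumed names: msdosfs label "rootkey" holding root.key; pool "zroot" on
# geli providers over /dev/raid/r1..r3; root dataset zroot/ROOT/default.
KEYLABEL="${KEYLABEL:-rootkey}"
KEYFILE="${KEYFILE:-root.key}"
ENCPOOL="${ENCPOOL:-zroot}"
ROOTFS="${ROOTFS:-$ENCPOOL/ROOT/default}"   # with bectl: the active BE
MNT="${MNT:-/mnt/key}"
PROVIDERS="${PROVIDERS:-/dev/raid/r1 /dev/raid/r2 /dev/raid/r3}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1 so the sequence can be
# checked on a machine without geli/zpool/kenv.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Poll (bounded) for the key device node; USB enumeration lags the rc start.
wait_for_key() {
    dev="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        sleep 1; tries=$((tries - 1))
    done
    return 1
}

# Mount the stick read-only, attach every provider with the key file
# (-p: no passphrase), unmount, import without mounting datasets (-N),
# point the kernel at the encrypted root and re-root. Fails closed: any
# error leaves the system running from the boot pool instead of rebooting.
attach_and_reroot() {
    run mount -t msdosfs -o ro "/dev/msdosfs/$KEYLABEL" "$MNT" || return 1
    for p in $PROVIDERS; do
        run geli attach -p -k "$MNT/$KEYFILE" "$p" || { run umount "$MNT"; return 1; }
    done
    run umount "$MNT"
    run zpool import -N "$ENCPOOL" || return 1
    run kenv "vfs.root.mountfrom=zfs:$ROOTFS" || return 1
    run reboot -r
}
# Entry point from rc(8) on the boot pool; skipped unless called with "start"
# so the functions can be sourced and exercised on their own.
if [ "${1:-}" = start ]; then
    wait_for_key "/dev/msdosfs/$KEYLABEL" 30 && attach_and_reroot
fi
```

Run it with DRY_RUN=1 first to see the exact command sequence it would issue; the unmount of the stick before re-rooting means the key never stays reachable from the running system.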