Like everyone, I want to automate as much as I can. Including automated spin up of encrypted pools. Sometimes I have a power outage that lasts longer than my battery backups allow. My servers shut down, and then boot back up, after power is restored. I have native encrypted pools that I would also like to come back up automatically. Using TrueNAS, they do come up automatically, but that’s because the keys are loaded locally on the machine, and wouldn’t prevent anything should the whole server be stolen.
So here is my question/topic for discussion. What solutions has people come up with for this type of issue?
In the thread someone mentioned an NFS share from another computer hidden in there home, and the OP, put a USB stick on the other side of a USB keystone jack, inside the wall. Both really neat ideas.
It mounts without requesting a passphrase. For years I have manually typed in the passphrase as this machine is only booted for backups, but this method is more convenient and the key is protected on another machine on an encrypted drive.
Loading all of the keys described by my datasets’ keylocation property.
I don’t love this approach, because the key file is sitting on the system. (Owned by root and chown 600, but still…)
I’m in a homelab setup and I lose power a handful of times per year. I have a small UPS, but sometimes it’s not enough and everything shuts down. If this happens when I’m away for vacation, I need the machine to boot and not be waiting for keys.
If I don’t rely on a key file and instead use a passphrase that ZFS prompts for… I run into an issue where at boot, the machine is waiting for me to input that passphrase! I’m not physically present to do so, and I cannot SSH into the machine because it’s not gotten deep enough into the boot as it’s stuck waiting on key passphrases! Darn.
In my case, I’m going to someday build my own PiKVM so that I can access my main machine when I’m away from home, the power goes out, and I need to get into my home network and quickly type in a passphrase to reboot the machine. This way I won’t have to let the passphrase sit on a file on that same machine.
What I am doing for my remote servers is using zfsbootmenu as my bootloader, with dropbear SSH server embedded in it so I can remote in and enter my passphrase over SSH, no KVM needed - and much more responsive than a KVM too.