[TUTORIAL] Encrypted ZFS on root - Arch Linux

Pretty straightforward: a tutorial on how to set up ZFS with an encrypted pool on Arch Linux, plus some extra goodies like auto-snapshots and ZBM, and also the motivations for using ZFS instead of other in-kernel filesystems.


You mention

If you are a laptop user, disable hibernate (suspend to disk) entirely. Waking your laptop, importing your zfs pool and after that bringing data that is hibernated from swap back to your disk will likely break your zfs pool.

I’ve had hibernate with root-on-zfs working on my Lenovo X1 Extreme for quite a while now. Two differences though …

  • Not the whole pool is encrypted, just datasets within the pool (root, home)
  • Ubuntu, not Arch

Uses zfsbootmenu for booting, which unlocks (zfs native encryption or luks) first, then boots the root-on-zfs setup. Additional datasets within the pool may or may not be zfs-encrypted - I always encrypt the home dirs for example.

What sort of issues were you seeing? For me it just seems to work - the ram image is pulled out of the swap partition, plopped into ram, and it literally just picks up where it left off.

Hi Halfwalker.

I’m not seeing any problems right now, but if you follow the link I’ve referenced, there is a risk in suspending an encrypted pool to disk. Depending on how the pool and the data from hibernate are imported, it can damage your pool really badly. It is documented in that GitHub discussion about making ZFS work nicer with suspend to disk.

I might give it a try, but first I need to repartition my swap, which is currently only 4GB, and it is using that random key encryption method I have described in my blog post.

Besides that, are you able to unlock LUKS volumes with zfsbootmenu, or do you need to delegate that task to another component? Do you use an exposed /boot layout or mount it directly on your ESP?

Hrm - that must be from an external mounter or something. In my case it’s literally the whole ram contents being restored from swap in one go. No import or anything, it’s all already imported when the ram is restored.

I haven’t been using the laptop for a while - stuck on work (non root-on-zfs grr) laptop. My setup system is here

The only partitions are

  • ESP - has the /boot/efi contents. rEFInd boots from here, as does zfsbootmenu
  • Swap - only needed for hibernate
  • ZFS - holds zfs pool with potentially encrypted (root, home) datasets within

The main system kernel is only booted from within the ZFS pool. The only things bootable directly from disk are rEFInd, zfsbootmenu, memtest86+.

Unlocking LUKS with zfsbootmenu works fine, even with the swap partition encrypted. I use an early-stage script in zfsbootmenu to scan for LUKS-encrypted ZFS partitions - see the section here

The boot process is described in the README.md


Nit:

ZFS on root

– should be root on ZFS.