ZFS Encryption - Theft

I would like to protect my ZFS pool against theft.
I have therefore created an encrypted dataset.
The dataset was created with a passphrase.

Unfortunately, the dataset is not loaded at boot time.
So I would have to load the key and the dataset manually after each restart.

I want to prevent someone from importing the ZFS pool on another PC. Therefore I do not want to store the passphrase as plain text.

Does anyone know a method to automate this?
How can I safely store the passphrase under Linux so that I could still read it in a script?

Greetings Int3g3r

PS: I use Debian.

1 Like

This is not an easily solved problem; any sort of storage on the system which would hold the key is going to be accessible to anyone who gets access to the machine.

In other arenas (LUKS), it is possible to use a TPM to provide a decryption key in a way which cannot be extracted, thus if the storage device is separated from the computer containing that TPM it will be difficult to decrypt the data. This does not address all possible threat models, but it addresses some of them. A quick search found this page, but there are probably others: OpenZFS encryption and the TPM :: HowettNET

1 Like

I’ve seen talk about things like USB sticks on extensions and even Raspberry Pis serving up a secret from a closet or false ceiling. As long as you have a full environment with tools like curl you can get pretty creative.

1 Like

I have the same concern. I personally use encrypted root on all of my devices which I then manually unlock on reboot over SSH. You can implement this both with LUKS and “traditional” partitions or with OpenZFS and ZFSBootMenu. In the first case you can keep the ZFS key on your LUKS encrypted root.

It’s not the most convenient, but I don’t reboot my machines often enough to think about automating this further.

1 Like

That’s exactly what I was thinking.
As long as the key is on the machine, it will be difficult to make the whole thing secure.

The optimal solution would therefore be an external source for the key.
Thanks for the answer.

Sorry, I am a little late to this discussion, but I want to share my thoughts on this.

I don't think that it is necessary to protect and encrypt the root filesystem. The root filesystem typically does not contain any user-owned data but just files which are installed by the system. There is nothing to hide from a thief. More relevant is your personal data which is hopefully not on the root filesystem.

I only protect my personal data with encryption. That is /home and /data. These are separate datasets. I store the encryption key on a network drive. During boot I copy it from the network drive to a volatile directory, like /tmp, and mount the datasets after that.

With that approach, a thief must have access to the network drive to mount my personal data, but that is unlikely in my case.
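
The boot-time procedure described in the post above (copy the key from a network drive into a volatile directory, load it, mount the datasets), written out as an added example that is not code from any poster in this thread. It assumes the share is already mounted at /mnt/keyshare, that the datasets are named tank/home and tank/data, and that /run is used as the staging directory; all of these names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: key share mounted at
# /mnt/keyshare, datasets tank/home and tank/data, tmpfs staging area /run.
ZFS=${ZFS:-zfs}                            # overridable for a dry run
KEY_SRC=${KEY_SRC:-/mnt/keyshare/zfs.key}
STAGE_DIR=${STAGE_DIR:-/run}               # tmpfs on Debian; /tmp may be on disk
DATASETS=${DATASETS:-"tank/home tank/data"}

# Copy the key into the volatile directory, readable by the owner only.
stage_key() {
    [ -s "$1" ] || { echo "key source missing or empty: $1" >&2; return 1; }
    ( umask 077 && tmp=$(mktemp "$2/zfskey.XXXXXX") && cat "$1" > "$tmp" && echo "$tmp" )
}

# Load the key (if not already loaded) and mount one dataset.
unlock() {
    ds=$1 key=$2
    if [ "$($ZFS get -H -o value keystatus "$ds")" != "available" ]; then
        $ZFS load-key -L "file://$key" "$ds" || return 1
    fi
    if [ "$($ZFS get -H -o value mounted "$ds")" != "yes" ]; then
        $ZFS mount "$ds" || return 1
    fi
}

# Stage the key, unlock every dataset, then always delete the staged copy.
# Returns the number of datasets that could not be unlocked (255 if no key).
unlock_all() {
    key=$(stage_key "$KEY_SRC" "$STAGE_DIR") || return 255
    failed=0
    for ds in $DATASETS; do
        unlock "$ds" "$key" || failed=$((failed + 1))
    done
    rm -f "$key"
    return "$failed"
}

if [ "${1:-}" = "--run" ]; then unlock_all; fi
```

If the share is unreachable the script fails closed: no key is staged and the datasets stay locked until the key is loaded by hand.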