ZFS Encryption - Theft

I would like to protect my ZFS pool against theft.
I have therefore created an encrypted dataset.
The dataset was created with a passphrase.

Unfortunately, the dataset is not loaded at boot time.
So I would have to load the key and the dataset manually after each restart.

I want to prevent someone from importing the ZFS pool on another PC. Therefore I do not want to store the passphrase as plain text.

Does anyone know a method to automate this?
How can I safely store the passphrase under Linux so that I could still read it in a script?

Greetings Int3g3r

PS: I use Debian.


This is not an easily solved problem; any sort of storage on the system which would hold the key is going to be accessible to anyone who gets access to the machine.

In other arenas (LUKS), it is possible to use a TPM to provide a decryption key in a way which cannot be extracted, thus if the storage device is separated from the computer containing that TPM it will be difficult to decrypt the data. This does not address all possible threat models, but it addresses some of them. A quick search found this page, but there are probably others: OpenZFS encryption and the TPM :: HowettNET


I’ve seen talk about things like USB sticks on extensions and even Raspberry Pis serving up a secret from a closet or false ceiling. As long as you have a full environment with tools like curl you can get pretty creative.

I have the same concern. I personally use encrypted root on all of my devices which I then manually unlock on reboot over SSH. You can implement this both with LUKS and “traditional” partitions or with OpenZFS and ZFSBootMenu. In the first case you can keep the ZFS key on your LUKS encrypted root.

It’s not the most convenient, but I don’t reboot my machines often enough to think about automating this further.
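The two approaches suggested in this thread (keeping the raw key on an already-unlocked LUKS root, or fetching it from another machine on the network) both end up as a `zfs load-key` with an external key location. The script below is an added example, not code from any poster; it assumes a dataset named `tank/secret`, a key file at `/root/.keys/tank-secret.raw` with mode 600, and an OpenZFS version that accepts `file://` and `https://` for `-L` (the `https://` scheme is an assumption about your OpenZFS version; check `man zfs-load-key` on your Debian system). It refuses world-readable key files and skips loading when the key is already available, so it is safe to run from a systemd unit ordered after the LUKS root is unlocked.

```shell
#!/bin/sh
# Added example: load the key for an encrypted ZFS dataset from an external
# source and mount it. Not from the thread; every name below is an assumption.
set -eu

DATASET="${DATASET:-tank/secret}"                        # hypothetical dataset
KEY_SOURCE="${KEY_SOURCE:-/root/.keys/tank-secret.raw}"  # path on LUKS root, or https:// URL
ZFS="${ZFS:-zfs}"                                        # override for dry runs

# key_uri: translate a local path or URL into a value for 'zfs load-key -L'.
# Only absolute paths and http(s) URLs are accepted; anything else fails.
key_uri() {
  case "$1" in
    https://*|http://*) printf '%s' "$1" ;;
    /*)                 printf 'file://%s' "$1" ;;
    *)                  return 1 ;;
  esac
}

# check_key_file: reject a key file that is missing or readable by other users.
# Returns 0 when the file exists with mode 400 or 600, 1 otherwise.
check_key_file() {
  f="$1"
  if [ ! -f "$f" ]; then
    echo "key file $f does not exist" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    400|600) return 0 ;;
    *) echo "key file $f has mode $mode, expected 400 or 600" >&2; return 1 ;;
  esac
}

# load_and_mount: load the key (skipping if already loaded) and mount the dataset.
load_and_mount() {
  ds="$1"; src="$2"
  uri=$(key_uri "$src") || { echo "unsupported key source: $src" >&2; return 1; }
  case "$src" in
    /*) check_key_file "$src" || return 1 ;;
  esac
  if [ "$("$ZFS" get -H -o value keystatus "$ds")" = "available" ]; then
    echo "key for $ds already loaded"
  else
    "$ZFS" load-key -L "$uri" "$ds"
  fi
  "$ZFS" mount "$ds"
}

# Run only when invoked explicitly, e.g. from a systemd unit ordered after the
# LUKS root is unlocked:  ./zfs-unlock.sh run
if [ "${1:-}" = "run" ]; then
  load_and_mount "$DATASET" "$KEY_SOURCE"
fi
```

The key file must live on a filesystem that is itself encrypted (the LUKS root in the post above) or be served from a separate host; placing it on the pool it unlocks would defeat the purpose, and the script cannot detect that for you.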

That’s exactly what I was thinking.
As long as the key is on the machine, it will be difficult to make the whole thing secure.

The optimal solution would therefore be an external source for the key.
Thanks for the answer.