I’m trying to set up zfsbootmenu on a remote debian server with an encrypted ZFS root. The instructions I’ve found all seem to pertain to one or the other (remote/ssh or encrypted root) but not both, and I’m having trouble figuring out the changes I need to make.
Specifically, the step involving dropbear – the official documentation suggests putting the keys in /etc/dropbear, but as /etc is encrypted at boot time, anything in there would be inaccessible. Not sure how to get around this.
Has anyone done this, who can offer some advice? Is there a HOWTO someone can point me to? Note I have no physical access to this machine – it’s in another country. I have to do everything via the rescue shell.
I’m not sure it is possible at all. The normal remote boot-unlock scenario is to have at least the boot partition (with the initrd) unencrypted so that it can start up to a point where a key is required to unlock the root device. Since the initrd is unencrypted, it can start without any key (and potentially startup a drop bear ssh server allowing you to remote login and manually unlock root). Since this is headless/remote, ZBM itself cannot ask for interactive password entry to unlock ZFS - so I think you’re going to be stuck. Even Grub (which does support encrypted boot) requires interactive input to unlock boot - so it’s a no go on a headless device (without a USB like unencrypted device where the key could be stored).
I’m not too familiar with the innards of ZBM but I assume that without some unencrypted partition (or at least a way to get a key like via a USB drive) it would not be possible to fully boot remotely.