ZFSBootMenu -- encrypted root on remote Debian server?

Good afternoon!

I’m trying to set up ZFSBootMenu on a remote Debian server with an encrypted ZFS root. The instructions I’ve found all seem to pertain to one or the other (remote/SSH or encrypted root) but not both, and I’m having trouble figuring out the changes I need to make.

Specifically, the step involving dropbear – the official documentation suggests putting the keys in /etc/dropbear, but as /etc is encrypted at boot time, anything in there would be inaccessible. Not sure how to get around this.

Has anyone done this, who can offer some advice? Is there a HOWTO someone can point me to? Note I have no physical access to this machine – it’s in another country. I have to do everything via the rescue shell.

Thanks in advance!


I’m not sure it is possible at all. The normal remote boot-unlock scenario is to have at least the boot partition (with the initrd) unencrypted so that it can start up to a point where a key is required to unlock the root device. Since the initrd is unencrypted, it can start without any key (and potentially start up a dropbear SSH server allowing you to remote login and manually unlock root). Since this is headless/remote, ZBM itself cannot ask for interactive password entry to unlock ZFS - so I think you’re going to be stuck. Even Grub (which does support encrypted boot) requires interactive input to unlock boot - so it’s a no go on a headless device (without a USB-like unencrypted device where the key could be stored).

I’m not too familiar with the innards of ZBM but I assume that without some unencrypted partition (or at least a way to get a key like via a USB drive) it would not be possible to fully boot remotely.

Hopefully others can add their thoughts here.

Did a quick read of Remote Access to ZFSBootMenu — ZFSBootMenu 2.3.0 documentation, and it looks like you CAN build ZBM with dropbear embedded in it.

So I guess you CAN after all boot fully remote (but it does require building a custom ZBM image which doesn’t seem to be too hard based on the docs).

I stand (happily) corrected.
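For readers who want to see what "dropbear embedded in the ZBM image" looks like in practice, here is an added example (written for this thread, not taken from the ZFSBootMenu project or any poster) of the dracut-crypt-ssh configuration that bakes the daemon, its host keys and the authorized-keys ACL into the ZBM initramfs, so the boot-time SSH server never needs to read the still-encrypted /etc on the root pool. It assumes dedicated dropbear host keys already generated under /etc/dropbear (the zbm_*_host_key names are an assumption), listen port 222 and DHCP networking; the `ROOT` argument only exists so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: write the dracut-crypt-ssh config that generate-zbm picks up
# from /etc/zfsbootmenu/dracut.conf.d/, then sanity-check its inputs.
set -eu

# ROOT ("" for the real system) lets the function target a scratch directory.
write_zbm_dropbear_conf() {
    root="${1:-}"
    mkdir -p "$root/etc/zfsbootmenu/dracut.conf.d" "$root/etc/cmdline.d"

    # dracut config consumed by generate-zbm when it builds the ZBM initramfs
    cat > "$root/etc/zfsbootmenu/dracut.conf.d/dropbear.conf" <<'EOF'
add_dracutmodules+=" crypt-ssh "
install_optional_items+=" /etc/cmdline.d/dracut-network.conf "

# Dedicated keys for the boot-time daemon (assumed names).  They end up inside
# the ZBM image on the unencrypted EFI partition, readable by anyone with the
# disk, so do NOT reuse the system sshd host keys here.
dropbear_rsa_key=/etc/dropbear/zbm_rsa_host_key
dropbear_ecdsa_key=/etc/dropbear/zbm_ecdsa_host_key
dropbear_ed25519_key=/etc/dropbear/zbm_ed25519_host_key

# Only public keys listed in this file may log in; no password login.
dropbear_acl=/etc/dropbear/root_key
dropbear_port=222
EOF

    # Kernel command-line fragment so the initramfs brings networking up.
    printf 'ip=dhcp rd.neednet=1\n' > "$root/etc/cmdline.d/dracut-network.conf"
}

# Run before generate-zbm: every path the config references must exist and be
# non-empty, otherwise the new image boots without a usable SSH server and the
# only way back in is the hosting provider's rescue shell.
check_zbm_dropbear_inputs() {
    root="${1:-}"
    conf="$root/etc/zfsbootmenu/dracut.conf.d/dropbear.conf"
    missing=0
    for f in $(sed -n 's/^dropbear_[a-z0-9_]*=//p' "$conf"); do
        case "$f" in
            [0-9]*) continue ;;   # dropbear_port is a number, not a path
        esac
        [ -s "$root$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
    return $missing
}
```

After `generate-zbm` has rebuilt the image, record the fingerprint of the dedicated dropbear key in the client's known_hosts before the first remote unlock, so a host-key mismatch at boot time is noticed before the passphrase is typed.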

I got this working a while ago:


Also: custom zbm/dropbear build to use later version of ZFS in ZBM: