Bug#972132: [Pkg-zfsonlinux-devel] Bug#972132: zfs-initramfs: Fails to boot when / is on zfs encryption=on dataset
On Mon, Oct 12 2020, Richard Laager wrote:

> On 10/12/20 9:29 PM, John Goerzen wrote:
>> I have set up this system to use ZFS crypto rather than my more conventional
>> zfs-atop-LUKS.
>
> Can you explain a little bit more about how you set up your system?
>
> This (root-on-ZFS with native encryption) already works for me on Buster
> (with ZFS from buster-backports) using the upstream HOWTO (that I maintain):
> https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html

Hi Richard,

That HOWTO is fantastic and I wish that it would have turned up when I did my search!

I have pretty much done similar things with my setup. The main thing that occurs to me is I hadn't figured out the -O encryption=on for the zpool create, so I have a top-level rpool that is unencrypted, and under that rpool/crypt that is encrypted, and everything on the system is under rpool/crypt. /boot is not on ZFS.

# zfs list -o name,mountpoint
NAME                       MOUNTPOINT
rpool                      /rpool
rpool/crypt                /rpool/crypt
rpool/crypt/debian-1       /
rpool/crypt/debian-1/home  /home

and so forth.

I don't have a separate bpool due to /boot being ext2 so there's not that issue for me.

I made no modification to systemd unit files, or the zfs-list.cache.

Thanks,

John
Bug#972132: zfs-initramfs: Fails to boot when / is on zfs encryption=on dataset
Package: zfs-initramfs
Version: 0.8.4-2~bpo10+1
Severity: important

Dear Maintainer,

I have set up this system to use ZFS crypto rather than my more conventional zfs-atop-LUKS. I have a passphrase that needs a prompt.

All that should be necessary here would be adding -l to zfs mount, or to zpool import. Without it, the system fails to boot.

To work around this, I have added a file in /etc/initramfs-tools/scripts/local-premount that basically does a zpool import, then a zpool load-key, which is enough to get the system going.

-- System Information:
Debian Release: 10.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.8.0-0.bpo.2-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages zfs-initramfs depends on:
ii  busybox                 1:1.30.1-4
ii  initramfs-tools         0.133+deb10u1
ii  zfs-dkms [zfs-modules]  0.8.4-2~bpo10+1
ii  zfsutils-linux          0.8.4-2~bpo10+1

zfs-initramfs recommends no packages.

zfs-initramfs suggests no packages.

-- no debconf information
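
One way to write the kind of local-premount hook the report describes (import the pool, then load the key), as an added example that is not the reporter's actual script. The pool and dataset names are taken from the zfs list output in this thread, the file name zfs-unlock is hypothetical, and the key is loaded with zfs load-key on the dataset's encryption root.

```shell
#!/bin/sh
# Added example: a local-premount hook; the file name zfs-unlock is hypothetical.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "${1:-}" in
    prereqs) prereqs; exit 0 ;;
esac

# Assumed names, taken from the dataset layout shown in this thread.
POOL="rpool"
ROOTFS="rpool/crypt/debian-1"

# Import the pool without mounting anything (-N), unless it is already imported.
import_pool() {
    if zpool list -H -o name "$1" >/dev/null 2>&1; then
        return 0
    fi
    zpool import -N "$1"
}

# Load the key of the encryption root that protects dataset $1.
# Gives up after three failed passphrase attempts.
unlock_dataset() {
    encroot=$(zfs get -H -o value encryptionroot "$1") || return 1
    if [ "$encroot" = "-" ]; then
        return 0    # dataset is not encrypted, nothing to load
    fi
    tries=0
    while [ "$(zfs get -H -o value keystatus "$encroot")" != "available" ]; do
        tries=$((tries + 1))
        if [ "$tries" -gt 3 ]; then
            return 1
        fi
        zfs load-key "$encroot" || echo "zfs-unlock: key not loaded ($tries/3)" >&2
    done
    return 0
}

# /scripts/functions exists only inside the initramfs, so nothing runs elsewhere.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    if ! import_pool "$POOL" || ! unlock_dataset "$ROOTFS"; then
        panic "zfs-unlock: could not unlock $ROOTFS"
    fi
fi
```

The file has to be executable, and the initramfs has to be rebuilt with update-initramfs -u before the hook takes effect.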
Bug#972132: [Pkg-zfsonlinux-devel] Bug#972132: zfs-initramfs: Fails to boot when / is on zfs encryption=on dataset
On 10/12/20 9:29 PM, John Goerzen wrote:
> I have set up this system to use ZFS crypto rather than my more conventional
> zfs-atop-LUKS.

Can you explain a little bit more about how you set up your system?

This (root-on-ZFS with native encryption) already works for me on Buster (with ZFS from buster-backports) using the upstream HOWTO (that I maintain):
https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html

-- 
Richard