Okay, I've been able to get this to work: the problem is that dracut doesn't install anything from /etc/crypttab unless it's run in --host-only mode, but if it is, then it generally fails to install anything cryptography related (under an Ubuntu ZFS-on-root native encryption setup).
It's worth noting no combination of rd.auto rd.luks=1 would seem to detect the keystore partition, but adding:

```
#/etc/dracut.conf.d/00-crypttab.conf
install_items+=" /etc/crypttab "
```

to my dracut.conf file *did* get the encrypted partition to mount. However, since dracut has no idea what it should do with that, it's possible to use an undocumented feature here to fix this explicitly in the simple config:

```
#/etc/dracut.conf.d/01-keystore-rpool-mnt.conf
fstab_lines+=" /dev/mapper/keystore-rpool /run/keystore/rpool auto "
```

(note: yes, this is a malformed line - dracut appends '0 0 2' to whatever you put here for the last element)

So the problem seems to be that zfs-dracut needs to explicitly handle the Ubuntu keystore convention, since I can't see how dracut would figure it out otherwise - i.e. detecting a keystore should trigger a decrypt operation (or better, force the relevant crypttab line to be included so tpm2-device etc. options can be used) and then the scripts need to execute the mount point.

I've tested this setup as letting you log in with a password, but it has another problem: since the ZFS scripts don't know they're waiting for their own decryption (they're doing udevsettle) then after about 15-20 seconds dracut crashes to the recovery shell from the password prompt.

https://bugs.launchpad.net/bugs/2070066

Title: dracut does not support booting from an encrypted ZFS volume
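A check for the two settings described in the comment above, as an added example that is not part of the original comment or of dracut or zfs-dracut. The function names, the `ROOT` argument, and the generalization from the single `keystore-rpool` case to any `keystore-<pool>` mapping mounted at `/run/keystore/<pool>` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a root tree for the dracut.conf.d workaround settings.
# Assumes ROOT contains no whitespace (paths are expanded unquoted for globbing).

# Print the mapper names of keystore-* entries in a crypttab file.
# crypttab fields: name device keyfile options; comments and blanks are skipped.
keystore_mappings() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $1 ~ /^keystore-/ { print $1 }' "$1"
}

# check_keystore_dracut [ROOT]
# Prints one line per finding; the return status is the number of problems.
check_keystore_dracut() {
    root=${1:-/}
    confs="$root/etc/dracut.conf $root/etc/dracut.conf.d/*.conf"
    crypttab="$root/etc/crypttab"
    problems=0
    [ -r "$crypttab" ] || { echo "MISSING: $crypttab"; return 1; }

    # 1. /etc/crypttab must be copied into the initramfs.
    if ! cat $confs 2>/dev/null |
        grep -Eq '^[[:space:]]*install_items\+=.*[" ]/etc/crypttab[" ]'; then
        echo "MISSING: install_items+=\" /etc/crypttab \""
        problems=$((problems + 1))
    fi

    # 2. Each keystore mapping needs an fstab_lines entry for its mount point.
    for name in $(keystore_mappings "$crypttab"); do
        pool=${name#keystore-}
        # Trailing space keeps "rpool" from matching "rpool2".
        want="/dev/mapper/$name /run/keystore/$pool "
        if cat $confs 2>/dev/null |
            grep -E '^[[:space:]]*fstab_lines\+=' | grep -Fq "$want"; then
            echo "OK: $name -> /run/keystore/$pool"
        else
            echo "MISSING: fstab_lines+=\" ${want}auto \""
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}
```

Run `check_keystore_dracut /` before regenerating the initramfs; a non-zero status means at least one of the two settings is absent from the dracut configuration.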
