Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/zfs: import encrypted datasets by default for zfsUnstable #29426

Merged
merged 2 commits into from Sep 26, 2017
Merged

nixos/zfs: import encrypted datasets by default for zfsUnstable #29426

merged 2 commits into from Sep 26, 2017

Conversation

Mic92
Copy link
Member

@Mic92 Mic92 commented Sep 15, 2017

Motivation for this change

Already works like a charm but needs more documentation.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • Linux
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@mention-bot
Copy link

@Mic92, thanks for your PR! By analyzing the history of the files in this pull request, we identified @wizeman, @Baughn and @fpletz to be potential reviewers.

@Mic92
Copy link
Member Author

Mic92 commented Sep 15, 2017

For the mean-time, these are the commands, I used to get a bootable encrypted zfs:

zfs create -o encryption=aes-256-gcm -o keyformat=passphrase -o mountpoint=none zroot/root
zfs create -o mountpoint=legacy -o sync=disabled zroot/root/tmp
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true zroot/root/home
zfs create -o mountpoint=legacy -o com.sun:auto-snapshot=true zroot/root/nixos
mount -t zfs zroot/root/nixos /mnt
mkdir /mnt/{home,tmp,boot}
mount /dev/sda1 /mnt/boot/
mount -t zfs zroot/root/home /mnt/home/
mount -t zfs zroot/root/tmp /mnt/tmp/
nixos-generate-config  --root /mnt
nixos-install

@Mic92
Copy link
Member Author

Mic92 commented Sep 15, 2017
edited

Also an article why you want fs-encryption over luks: https://sockpuppet.org/blog/2014/04/30/you-dont-want-xts/

@Mic92
Copy link
Member Author

Mic92 commented Sep 26, 2017

At least I added documentation here: https://nixos.wiki/wiki/NixOS_on_ZFS#Encrypted_ZFS

@Mic92 Mic92 merged commit c74418a into NixOS:master Sep 26, 2017
@Mic92 Mic92 deleted the zfsUnstable branch September 26, 2017 08:10
@CMCDragonkai
Copy link
Member

Does this mean at the moment, for my UEFI setup, I still need a separate EFI boot partition that contains everything needed to boot the encrypted ZFS? Is there any plans to integrate this into the NixOS configuration (as a module) before 18.03 is released.

@Mic92
Copy link
Member Author

Mic92 commented Jan 18, 2018
edited

Yes, there is no bootloader supporting zfs encryption to my knowledge, so an UEFI partition is required. No, I don't have any plans to backport this, because:

@davidblewett
Copy link

@Mic92 just an fyi: that upstream PR was merged February 2: openzfs/zfs#6864 (comment) .

@Mic92
Copy link
Member Author

Mic92 commented Mar 3, 2018

@davidblewett yes, we also put a migration guide on the wiki.

@jaykru
Copy link
Contributor

jaykru commented Jun 9, 2019

Are encrypted data sets supported now in 19.03? Trying to set this up on a fresh install and getting complaints from the zpool/zfs commands when I try setting the encryption option :(

@eri451
Copy link
Contributor

eri451 commented Sep 12, 2019
edited

As mentioned in the wiki zfs 0.8 aka zfsUnstable is required. How ever the installer comes with 0.7.13. You can update but the kernel module stays in that Version that does not feature encryption. Therefore the errors.

@Mic92
Copy link
Member Author

Mic92 commented Sep 12, 2019

@jaykru it will work with nixos unstable or if you build your own zfs installer with zfsUnstable enabled: https://github.com/Mic92/dotfiles/blob/1606c820b82353dbf06884cac5a127e1f92479a5/nixos/images/install-iso.nix#L16
https://github.com/Mic92/dotfiles/blob/master/nixos/images/zfs.nix#L2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
2.status: work-in-progress 9.needs: documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@Mic92 @mention-bot @CMCDragonkai @davidblewett @jaykru @eri451