On Mon, Oct 12 2020, Richard Laager wrote:

> On 10/12/20 9:29 PM, John Goerzen wrote:
>> I have set up this system to use ZFS crypto rather than my more
>> conventional zfs-atop-LUKS.
>
> Can you explain a little bit more about how you set up your system?
>
> This (root-on-ZFS with native encryption) already works for me on Buster
> (with ZFS from buster-backports) using the upstream HOWTO (that I maintain):
> https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html

Hi Richard,

That HOWTO is fantastic and I wish that it would have turned up
when I did my search! I have pretty much done similar things with
my setup.

The main thing that occurs to me is I hadn't figured out the -O
encryption=on for the zpool create, so I have a top-level rpool
that is unencrypted, and under that rpool/crypt that is encrypted,
and everything on the system is under rpool/crypt.

/boot is not on ZFS.

# zfs list -o name,mountpoint
NAME                       MOUNTPOINT
rpool                      /rpool
rpool/crypt                /rpool/crypt
rpool/crypt/debian-1       /
rpool/crypt/debian-1/home  /home

and so forth.

I don't have a separate bpool due to /boot being ext2 so there's
not that issue for me. I made no modification to systemd unit
files, or the zfs-list.cache.

Thanks,

John
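
An added example, not part of the original message: with a layout like the one described above (unencrypted top-level rpool, everything else under rpool/crypt), this check flags any dataset that ended up outside the encrypted subtree. The function names and both sample listings are constructed for illustration; the input is the tab-separated output of `zfs list -H -o name,encryption,encryptionroot,mountpoint`.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or the HOWTO).
# Reads lines of:  name <TAB> encryption <TAB> encryptionroot <TAB> mountpoint
# and reports every dataset whose encryption property is "off":
#   CONTAINER  unencrypted, but named in the allow-list (e.g. the bare pool root)
#   EXPOSED    unencrypted and not allow-listed; data written here is plaintext
# Exit status is 1 if any EXPOSED dataset was found, 0 otherwise.
audit_encryption() {
    # $1: space-separated datasets that are allowed to be unencrypted
    awk -F '\t' -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "off" {
            if ($1 in ok) { print "CONTAINER\t" $1 }
            else          { print "EXPOSED\t" $1 "\t" $4; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: the layout from the message, with rpool/crypt as the
# encryption root (the cipher value is an assumed example).
sample_good() {
    printf 'rpool\toff\t-\t/rpool\n'
    printf 'rpool/crypt\taes-256-gcm\trpool/crypt\t/rpool/crypt\n'
    printf 'rpool/crypt/debian-1\taes-256-gcm\trpool/crypt\t/\n'
    printf 'rpool/crypt/debian-1/home\taes-256-gcm\trpool/crypt\t/home\n'
}

# Constructed sample: same pool, plus a dataset created directly under rpool,
# which does not inherit encryption from rpool/crypt.
sample_bad() {
    sample_good
    printf 'rpool/scratch\toff\t-\t/scratch\n'
}

# On a live system the input would come from:
#   zfs list -H -o name,encryption,encryptionroot,mountpoint
sample_good | audit_encryption "rpool"
```

Because only rpool/crypt carries encryption, a dataset created as a direct child of rpool inherits `encryption=off`; running the check after creating datasets catches that.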