Encrypted ZFS dataset - How to auto-mount on system start up?

axrusar

Dabbler
Joined
Jul 18, 2022
Messages
12
Hello guys.
I have a small home server and I created a ZFS dataset with encryption on, where I intend to store my important and private data.
Every time the system reboots, I have to manually type the passphrase for the encrypted dataset with the following command:
zfs mount -l -a


I am pretty new to ZFS, using this for the first time. So far so good, but I can't find any info on how to automate this process.
All the manuals I found so far refer to standard ZFS datasets, but no encryption is mentioned anywhere.
I live in an area with very heavy thunderstorms during the summer months and the power goes off every now and then.
I will be traveling and I need the server to be available with all the data in case it reboots due to a power failure.

Running on Debian 11 kernel 5.15.35-3

Thank you for any tips!!

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Every time the system reboots, i have to manually type the passphrase for the encrypted dataset with the following command
That's how passphrase encryption works (although you can also use the GUI for that too... maybe you're only running debian and not TrueNAS SCALE... which opens the question, "what are you doing asking for help here?").

all the manuals i found so far refer to standard ZFS datasets but no encryption mentioned anywhere..
You can't have been looking very hard... https://www.truenas.com/docs/scale/scaleuireference/storage/pools/encryptionscale/

I live in an area with very heavy thunderstorms during the summer months and the power goes off every now and then.
Buy a UPS if you don't want to lose your data.

I will be traveling and i need the server to be available with all the data in case it reboots due to a power failure.
UPS and consider what it is that you expect "encryption" is doing for you.

If you encrypt a ZFS dataset, the data is protected when not unlocked (using either the key or a passphrase), but as soon as you provide the passphrase/key, the data is accessible in just the same way as a non-encrypted dataset...

Are you wanting to protect against server theft? (then you can't use any automated method to input the passphrase, or there's no point to the encryption).

Are you wanting to protect against single or multiple disk theft (but not the system disk)? (then maybe encryption will help in that case, but as you can see, it's a pretty feeble case, since it's unlikely somebody bothers to steal one disk, but not the rest... including the system disk, see comment on previous point)

If you want to not be worried about your private information being leaked when you dispose of a disk (and you'd rather not do physical destruction), then maybe ZFS encryption is for you.

That's it. There are no more magic protections that encryption bestows on your data. It's encrypted at rest, meaning you can safely dispose of a disk, but beyond that, all your data is in the clear once the server mounts it with the passphrase/key.

The only additional protection you really get is not entering the passphrase until you want the data to be available (and then unmounting it when not needed).

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
@axrusar, the mods are deleting your replies because they're rude and insulting. @sretalla is trying to inform you that key-based encrypted datasets will auto-mount, but passphrase datasets won't (because they require typing in a passphrase). He's trying to understand your use case, and your rationale for using encryption.

axrusar

Dabbler
Joined
Jul 18, 2022
Messages
12
The first reply was UNWELCOMING and RUDE. It is the equivalent of "here is a link and you can GTFO" without giving a chance to explain why I am posting here;
the following reply was the same, a bunch of assumptions and uninformed answers. If you stop deleting my comments I can answer these guys.

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
No, you never indicated you're running TrueNAS Scale (which is built on Debian), and which this forum supports. You stated you're running vanilla Debian 11, which this forum doesn't support. @winnielinnie reasonably redirected you to the proper forum based on the second scenario, since a homebrew ZFS installation on Debian 11 isn't running the TrueNAS Scale middleware by definition, and pools and such aren't laid out in standard locations we expect. I concede his terse reply could be construed as unwelcoming and rude, but that's because we're all volunteers here, supporting other forum members as a courtesy. The volume of questions is quite large, and we are guilty sometimes of answering as quickly as possible. For that impression, and for the forum, I apologize.

We can possibly answer general questions about ZFS, but your system is well outside the scope of this forum.

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
As for your original question on automating input of your passphrase, this isn't recommended, because you'll be storing your passphrase in clear text.
  1. Create /etc/rc.local via touch /etc/rc.local, and make it executable via chmod +x /etc/rc.local.
  2. Use your favorite text editor to open /etc/rc.local, and give it the contents:

    #!/bin/sh
    zfs mount -l -a < /etc/passphrase
  3. Use your favorite editor to create /etc/passphrase, and enter your passphrase on one line. Hit return to create a blank second line, and save the file. Give it permissions of readable by root only: chown root:root /etc/passphrase; chmod 600 /etc/passphrase.
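The rc.local approach above works only while /etc/passphrase stays readable by root alone. As an added example (not code from the thread or from any TrueNAS tooling), the script below wraps the same `zfs mount -l -a < /etc/passphrase` call in a guard that refuses to run unless the secret file is a regular file with mode 0600, so a careless chmod does not quietly hand the passphrase to every local user. The path /etc/passphrase comes from the post; the function names and the SECRET_FILE override are assumptions.

```shell
#!/bin/sh
# Added example: a guarded version of the rc.local one-liner from the post.
# Assumes the passphrase lives in /etc/passphrase (as in the thread) unless
# SECRET_FILE overrides it; function names are made up for this example.

SECRET_FILE="${SECRET_FILE:-/etc/passphrase}"

# secret_file_ok FILE -> exit 0 only if FILE is a regular file with mode 0600.
# stat -c is GNU coreutils syntax, which is what Debian ships.
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ]
}

# unlock_and_mount FILE -> feeds FILE to zfs on stdin (the same command the
# post uses) but only after the permission guard passes; returns 1 otherwise.
unlock_and_mount() {
    f="$1"
    if ! secret_file_ok "$f"; then
        echo "refusing to unlock: $f must be a regular file with mode 0600" >&2
        return 1
    fi
    zfs mount -l -a < "$f"
}

# Run the unlock only when invoked as rc.local, not when sourced for reuse.
if [ "${0##*/}" = "rc.local" ]; then
    unlock_and_mount "$SECRET_FILE"
fi
```

The same guard applies unchanged if you move from a passphrase to a raw key file referenced through the dataset's keylocation=file:///... property and load it with `zfs load-key -a`; either way the secret is on disk in the clear, which is exactly the trade-off the post warns about, and the check only stops it from becoming world-readable as well.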

axrusar

Dabbler
Joined
Jul 18, 2022
Messages
12
As for your original question on automating input of your passphrase, this isn't recommended, because you'll be storing your passphrase in clear text.
  1. Create /etc/rc.local via touch /etc/rc.local, and make it executable via chmod +x /etc/rc.local.
  2. Use your favorite text editor to open /etc/rc.local, and give it the contents:

    #!/bin/sh
    zfs mount -l -a < /etc/passphrase
  3. Use your favorite editor to create /etc/passphrase, and enter your passphrase on one line. Hit return to create a blank second line, and save the file. Give it permissions of readable by root only: chown root:root /etc/passphrase; chmod 600 /etc/passphrase.

Thank you. That is a more appropriate/friendly answer.
Now for clarification (for you; I don't care about the other 2 members):
I set up a Proxmox server. It runs Debian.
Why do I ask here? Simple: since this is a big community using ZFS with TrueNAS, I took my chance hoping for someone with some knowledge to find a solution for my problem. I am also a very active forum member helping hundreds if not thousands of other members with their questions, even if they come from other platforms, be it Debian, Arch, Red Hat or whatever comes. You can't rely on a single specific forum online when you cannot find an answer; we are all a community here and enjoy helping each other.
Besides that, I could not find any line in the Forum Rules where it reads "this is a TrueNAS and ONLY a TrueNAS forum".

Thanks again for the rc.local idea, but yes, it totally defeats the purpose of encryption to have a plain text file on the machine that can be easily read by booting any live environment.
I wasted a week setting things up in Proxmox only to hit this wall, and in their forums no one has any idea on how to get around this.
I will be trying TrueNAS Scale now; I already know the option for encryption in the dataset is readily available in the GUI wizard and it lets you download the encryption keys.
Good luck

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Besides that, i could not find any line in the Forum Rules where it reads "this is a TrueNAS and ONLY a TrueNAS forum".

@JoshDW19's statement right at the beginning of the Rules doesn't qualify?
The TrueNAS Community is a friendly place to discuss open source software, technology, and products from iXsystems.

Anyway, good luck with exploring Scale.

axrusar

Dabbler
Joined
Jul 18, 2022
Messages
12
@JoshDW19's statement right at the beginning of the Rules doesn't qualify?


Anyway, good luck with exploring Scale.

If my non-native English skills do not fail me, I can perfectly make sense of JoshDW19's statement:

The TrueNAS Community is a friendly place to discuss open source software, technology, and products from iXsystems.

This in my dictionary qualifies as "I did not break any rules asking a question based on Debian (an open source solution actually used in TrueNAS)."

Thanks for the friendly wishes.

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Ah, I didn't realize you're not a native English speaker. It's supposed to be parsed (open source software, technology, and products) from iXsystems. This is a quirk of American English corporate-speak.
Joined
Oct 22, 2019
Messages
3,641
Apologies for my post, not making any excuses, but I will share something.

Believe it or not, I had opened a text editor and was in the middle of writing up a lengthy post to guide you in using encryption with ZFS, based on your use-case (similar in vein to @sretalla's post), but more centered around using the GUI.

But then after re-reading your original post, and noticing the following, something "clicked" in me:
Every time the system reboots, i have to manually type the passphrase for the encrypted dataset with the following command:
zfs mount -l -a
Running on Debian 11 kernel 5.15.35-3

It didn't dawn on me until later that you're not using TrueNAS.

TrueNAS is an appliance and is very GUI-centric (in fact, it's advised to avoid using the shell as much as possible, if not outright.)

To try to creatively troubleshoot a solution for generic ZFS usage on Linux goes way beyond the scope of these forums. I'm not arguing that it's not possible, nor am I saying "shame on you". However, it can be draining (and I was already feeling "burnt out" for other reasons), as it can lead down a rabbit hole. Users who are already in your boat (Debian users that install ZFS) can better navigate and troubleshoot with you.



Why do i ask here? Simple, since this is a big community using ZFS with Truenas, i took my chance hoping for someone with some knowledge to find a solution for my problem.

I'm not saying it's "wrong" to ask for help from us here in the TrueNAS forums, but you have to understand there is some degree of unfairness to the above reasoning.

While you might not share the same mentality as others in the various Linux forums, users of Manjaro, for example, will be viciously attacked for troubleshooting their issues in the Arch Linux forum, even though "Manjaro is based on Arch Linux". Ironically, Manjaro and Arch Linux are more similar to each other (from a troubleshooting perspective), than TrueNAS is with a random Linux distro using ZFS. It would be the equivalent of a TrueNAS user troubleshooting SMB file-sharing issues in the Synology forums because they believe that the Synology community is more experienced with file-sharing over a local network. (Imagine how the Synology community would react when they find out such requests are from a TrueNAS user.)


Unlike a Linux distro using ZFS:
  • TrueNAS will erase any system configuration done in the shell/command-line upon every reboot.
  • TrueNAS is an appliance.
  • TrueNAS is heavily GUI-based (and even designed to use only the GUI).
  • TrueNAS follows different ZFS layouts and defaults.
  • TrueNAS has its own unique tools.

I hope this puts more things into perspective. Again, I apologize. I was burnt out and was in the middle of writing a helpful post until I realized you weren't using TrueNAS and my efforts would likely be for nothing.

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
The reason for my question about posting here was that it seemed to be in the wrong section for an "off topic" post... since we do have a section for that... maybe the mods can correct it.

Seems to me a fair amount of technical/professional advice has been given on the topic raised both before and after your complaints... I don't think anyone here is trying to be rude or unwelcoming.

The provided help is certainly worth more than what you pay for it.