Installing Linux to a Natively Encrypted ZFS Pool

As previously mentioned, ZFS is an advanced file system that supports features such as checksumming of the data (not just metadata), compression, efficient snapshots and clones, and encryption. Encryption isn't in a stable release yet (the latest stable release version is 0.7.12), though it is available in the release candidates for 0.8.0. I'm adventurous and use the latest git version.

Because it has not yet been integrated into the stable release, there is not much information available on how to install Linux onto a natively encrypted ZFS pool (I say natively encrypted, because it has been possible to use ZFS on top of a LUKS encrypted partition). For general information on ZFS native encryption, Tom Caputi, the main developer for this feature, gave a presentation in 2017 with an overview of how to use ZFS encryption. However, he does not go over the extra steps required when installing Linux to a ZFS encrypted pool.

Assumptions I will be making for this post

  • I use Arch Linux, and this guide will be written with Arch Linux in mind. However, the steps should be similar for other Linux distributions.
  • You are already familiar with how to install Linux on an unencrypted ZFS dataset.
  • You have familiarized yourself with Tom Caputi's slides mentioned earlier.
  • You are using EFI boot.
  • You are using GRUB, though the steps will be similar for a different bootloader.
    • If your bootloader can decrypt a ZFS encrypted partition, then you can skip the part with setting up /boot differently, though to the best of my knowledge, because ZFS encryption is so new, there is no such bootloader.

If you want the tl;dr: Don't have /boot on a ZFS encrypted dataset, make sure your initramfs image uses zfs load-key, and you might not see the prompt for your password during the bootup sequence.

Encryption is an Immutable Property of a ZFS Dataset

Encryption can only be set upon ZFS dataset creation. This was done to simplify not only the lives of the developers, but of the users as well. Keeping track of which parts of the dataset are encrypted vs unencrypted was a burden that the ZFS developers didn't want to impose on users.

So make sure that you use -o encryption=on (and -o keyformat={passphrase,hex,raw} -o keylocation={file path,prompt}) when creating your dataset.

Your /boot Cannot Be Encrypted by ZFS

GRUB cannot read a ZFS encrypted partition, and GRUB (as with any other bootloader) needs to load the kernel and initramfs image from /boot. Again, if your bootloader can read ZFS encrypted partitions, then you can use ZFS encryption on /boot.

I have /boot on a separate unencrypted ext4 partition, and use this partition for my entry in GRUB.

From my discussion on Reddit with jkool702, it should be possible to encrypt /boot with LUKS.

It should also be possible to have /boot on an unencrypted ZFS dataset. I've previously installed Linux to an unencrypted ZFS dataset with /boot in the ZFS dataset. When installing Linux to an encrypted ZFS dataset, you'd need to create a nested ZFS dataset just for /boot, and turn encryption off for /boot. Encryption is inherited by default, but it is possible to have encrypted datasets with unencrypted child datasets.

Your initramfs Image Needs to Have a zfs load-key Operation

In Arch Linux, the command mkinitcpio -p linux generates the initramfs image, and the hooks for making the initramfs image are found in /usr/lib/initcpio/hooks. The zfs hook in this directory needs to use the zfs load-key command in order for you to be able to decrypt your ZFS dataset during the boot up sequence.

If you do not find zfs load-key in the zfs hook (it's there by default in Arch Linux, but it may not be in your Linux distribution), then you'll need to create a hook using something from the initramfs scripts provided by ZFS.
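
The two checks from the sections above (/boot must not sit on a ZFS-encrypted dataset, and the initramfs zfs hook must call zfs load-key) can be scripted and run before the first reboot. This is an added example, not part of the original post; the dataset names, the sample property listing and the sample hook are constructed, and it assumes datasets use ZFS mountpoint properties rather than legacy mounts.

```shell
#!/bin/sh
# Added example: pre-reboot check for the pitfalls described in the post.
# Pool/dataset names and the sample data at the bottom are constructed.

# stdin: output of `zfs get -H -o name,property,value encryption,mountpoint`
# Prints the encryption value of the dataset whose mountpoint is $1;
# returns 1 if no dataset has that mountpoint.
encryption_at() {
    awk -F '\t' -v mp="$1" '
        $2 == "encryption" { enc[$1] = $3 }
        $2 == "mountpoint" && $3 == mp { ds = $1 }
        END { if (ds == "") exit 1; print enc[ds] }'
}

# True if hook file $1 calls `zfs load-key` outside of a comment line.
hook_loads_key() {
    awk '!/^[ \t]*#/ && /zfs load-key/ { ok = 1 } END { exit !ok }' "$1"
}

# $1 = saved `zfs get` output, $2 = initramfs zfs hook. Returns 1 on any FAIL.
preflight() {
    rc=0
    root_enc=$(encryption_at / < "$1") || root_enc=unknown   # e.g. legacy mount
    boot_enc=$(encryption_at /boot < "$1") || boot_enc=not-zfs
    [ "$root_enc" != off ] || { echo "FAIL: / is on an unencrypted dataset"; rc=1; }
    case $boot_enc in
        off|not-zfs) ;;   # unencrypted child dataset, or a separate ext4 partition
        *) echo "FAIL: /boot is ZFS-encrypted ($boot_enc); GRUB cannot read it"; rc=1 ;;
    esac
    hook_loads_key "$2" || { echo "FAIL: no zfs load-key call in $2"; rc=1; }
    return $rc
}

# Constructed sample: encrypted root whose /boot child inherited encryption,
# and a hook that mentions zfs load-key only in a comment. Both checks fail.
demo=$(mktemp -d)
printf '%s\t%s\t%s\n' \
    rpool/ROOT encryption aes-256-ccm  rpool/ROOT mountpoint / \
    rpool/ROOT/boot encryption aes-256-ccm  rpool/ROOT/boot mountpoint /boot \
    > "$demo/props"
printf '%s\n' '# TODO: zfs load-key' 'zpool import -N rpool' > "$demo/hook"
preflight "$demo/props" "$demo/hook" || echo "do not reboot yet"
```

On a real system, save the output of `zfs get -H -o name,property,value encryption,mountpoint` to a file and pass it to `preflight` together with the zfs hook in /usr/lib/initcpio/hooks.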

You Might Not See the zfs load-key Prompt

I did all of the above steps, but my computer still wouldn't boot. It said it loaded the kernel and initramfs image, but nothing else displayed on my screen.

What I realized is that even though my computer is asking for the encryption key for / via zfs load-key, it doesn't actually display that on my screen. There's no blinking cursor, but if I wait about five to eight seconds after the initramfs image has been loaded, type my password, and hit enter, then my computer finishes the bootup sequence.

This may be a quirk of GRUB or Arch Linux. If this happens to you, definitely try typing your password into the void.

Overall, setting up Linux on an encrypted ZFS root is not difficult, once you know that /boot cannot reside on a ZFS encrypted dataset and you might not see the zfs load-key prompt during the bootup sequence.
