Use clevis for ZFS native encryption passphrase #218
Comments
How far did you go into adapting this for the initramfs environment?
I got quite far, I think. Even so far as to spread the clevis data over multiple ZFS user properties in case it is too large (there's an 8k limit per property value). And manually unlocking worked just fine IIRC. I still had some trouble with the boot hook though, but I guess I could give it a go again.
@vogelfreiheit I started to work on this again on #373, help and/or feedback is welcome 🙂
Has anybody had contact with github.com/shatteredsilicon/zfs-clevis/ already?
Introduction
I would like to use clevis to decrypt my ZFS root partition on several machines.
Using 2 VMs, I tried to test if this is at all possible, and I think I've come pretty far, but I still keep getting the password prompt. I have some ideas on how to approach this further, but I could use some help figuring out where to look next.
Any help is greatly appreciated 😇
(Summary at the bottom)
Given how far I've come, it doesn't strike me as a lot of work to add "out-of-the-box" ZFS support to clevis. If I can get it to work, I might work on a PR for that myself 🙂
Use case
I have a use case in mind with two PC's (a desktop and a Raspberry Pi; the Pi will use LUKS) which will be mutual `tang` servers (i.e. they can both be rebooted remotely, just not at the same time), and a laptop that uses either tang server when it's on the same network, and a passphrase when it's not.
What I did so far
Setup
I created a CentOS 8.2 VM with a root partition on natively encrypted ZFS (using `dracut` and `systemd-boot`) and cloned it twice to make 2 machines:
tang: the server hosting the keys, ip: 192.168.122.18
clevis: the server asking for decryption keys, ip: 92.168.122.242
For the ZFS pool layout I used this guide by OpenZFS, which I adapted for CentOS.
For the bootloader (`systemd-boot`) I used this page on the ArchWiki. And for `zfs-mount-generator` I used this page on the ArchWiki.
Install tang
I followed the guide by RedHat to install and setup tang.
Install clevis
Setting clevis properties on ZFS dataset
I'm not sure how it's stored when using LUKS, but I am assuming the necessary value (`jwe`) doesn't need to be encrypted (otherwise you would still need to enter keys manually).
Encrypting the password
Verify that we're using the correct password.
I'm using the IP, since I'm not sure if something like /etc/hosts is available in the initramfs where clevis will be run.
Store the JWE as a ZFS property
I'm using ZFS's User Properties[1] to save this value:
Check if it's correctly stored:
Test clevis for decryption
Updating initramfs
Add dracut config
Add extra config for dracut
Add network settings to bootloader
Update systemd zfs-load-key-rpool
N.B.: I'm not sure if editing this service is the correct approach, since the boot process keeps asking me to enter the password by hand. The `systemd-cat echo` commands also do not appear. I think this file (the original) is auto-generated by systemd/dracut somehow, and I need a way to hook into that.
Run `systemctl edit zfs-load-key-rpool.service`, and enter the following:
This does have the hardcoded pool name ("rpool") set, but that was already the case.
In more readable form:
Inspect the old value next to the new overridden value:
Install dracut modules
Update Initramfs
Test it
The password prompt still appears, it seems like there is still something missing.
Summary
This is what I know after testing with 2 VM's
What works:
Having access to JWE at boot time
By making the JWE value available at boot time in ZFS metadata:
zfs list -o name,latchset.clevis:jwe rpool
Network connection at boot
This is done by adding the `kernel_cmdline` value (in `/etc/dracut.conf.d/20-network.conf`) to the bootloader's `options`. It now responds to pings while waiting for the ZFS passphrase.
Manually booting
By adding `rd.break=pre-mount` to the bootloader's `options` I am able to boot manually using clevis instead of typing the passphrase myself.
What does not work yet:
I still need to find a way to make sure clevis is actually used within the initramfs, i.e. have it run
zfs list -H -o latchset.clevis:jwe rpool | clevis decrypt | zfs load-key rpool
Possible solutions
Order of dracut modules being loaded
I don't think it matters, as long as `clevis`, `zfs` and the network connection are all loaded before `zfs load-key rpool` is being run.
Missing parameters/configuration
There might be something needed to tell dracut to run:
instead of:
This might be dracut configuration (i.e. in `/etc/dracut.conf.d/`) or an extra kernel parameter (i.e. `options` in `/boot/loader/entries/centos.conf`).
zfs-mount-generator
It might be possible that `zfs-mount-generator` is making this harder than it needs to be. Maybe using `zfs-mount.service` will help?
References
[1]: (see: `man zfs | less +"/^ User Properties"` or the Oracle Documentation on User Properties, which is the same as on Linux) to save these values.