How do I automatically import a non-root encrypted ZFS pool on boot-up?

I’m running an updated version of Arch Linux with the stock kernel, version 4.9.6, and ZoL version 0.7.0, and I want to import an encrypted non-root pool on boot. The pool is a RAID 1 mirror.

The encrypted containers were made via:

    cryptsetup -y -v luksFormat /dev/nvme0n1p3

and

    cryptsetup -y -v luksFormat /dev/nvme1n1p3

I used the same passphrase for each.

I can manually open the containers and import the pool via:

    cryptsetup open /dev/nvme0n1p3 enc0
    cryptsetup open /dev/nvme1n1p3 enc1
    zpool import -d /dev/mapper zeb

The cryptsetup commands prompt me for, and accept, my password.

My mkinitcpio file contains the systemd, zfs, and sd-encrypt hooks. It also contains the modules dm_mod, dm_crypt, aes_x86_64 and raid1. These are somewhat of a shot in the dark based on bits and pieces I’ve found online.

I’m using systemd-boot, but it seems like the key lies in getting the mkinitcpio configuration set up correctly. My boot partition is not encrypted.

Again, my only goal here is to automatically (with prompt for passphrase) import my encrypted ZFS pool on boot. I have no problem doing this with non-encrypted pools.










linux boot systemd encryption zfs






asked Feb 4 '17 at 6:12
airhuff




















2 Answers
I have the same question but under FreeBSD.





I don't have 50 reputation to comment, so I'll post my questions here.
Your rootfs is not encrypted? So when you boot, you don't receive any cryptsetup prompts?
If you don't receive any password prompts, I'd suggest unpacking your initramfs, modifying the init file, and adding the following lines somewhere after mounting the rootfs:

    cryptsetup open /dev/nvme0n1p3 enc0 && cryptsetup open /dev/nvme1n1p3 enc1 && zpool import -d /dev/mapper zeb

Some time ago I needed to add remote SSH unlock of a LUKS-encrypted rootfs with ZFS on a remote server. I had no way but to modify the init file: add dropbear to it, launch it, and modify the cryptsetup command to accept the password from a FIFO. I made a bash script for that, so when I update the initramfs, this script unpacks the initramfs, puts my changes in, and packs it back.
But I am using Gentoo and its beautiful genkernel. Genkernel includes hooks for ZFS and cryptsetup if you specify them. I don't know how it is in Arch Linux; maybe you also have an option to build the kernel with genkernel/dracut, so that you can easily include the cryptsetup and ZFS hooks in the initramfs if they are not already included.
Anyway, it is easily doable by modifying the init file; try it and post your results here.
Your initramfs may be compressed using different methods, so find out how to uncompress it in Arch Linux. On my side, I modified genkernel to generate it as cpio, and I use cpio commands to unpack it and pack it back.

UPDATE:
You need to edit your mkinitcpio.conf and add 2 hooks, "encrypt zfs", before "filesystems" in HOOKS.
Next you need to define the LUKS devices that need unlocking in /etc/crypttab.initramfs (google crypttab).
This file will be included in the next generation of the initramfs, so now we are at least unlocking them.
Maybe ZFS will do the autoimport on the next reboot, but if not, do the following:

Create the file /usr/lib/initcpio/install/zfsmount:

    #!/bin/bash

    build() {
        # include the runtime hook of the same name (hooks/zfsmount) in the image
        add_runscript
    }

Create the file /usr/lib/initcpio/hooks/zfsmount:

    #!/usr/bin/ash

    run_hook() {
        # import the pool once the encrypted containers are open
        zpool import mypool
    }

And in mkinitcpio.conf add "zfsmount" to HOOKS somewhere at the end, before or after "filesystems".

And, of course, regenerate your initramfs with mkinitcpio.

Refs:
https://wiki.archlinux.org/index.php/Installing_Arch_Linux_on_ZFS
https://wiki.archlinux.org/index.php/mkinitcpio







edited Feb 18 '17 at 8:20
answered Feb 15 '17 at 9:25
Ural
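A pre-reboot check of the HOOKS order and the crypttab.initramfs entries described in this answer, as an added example that is not part of the original post. The function names and the sample mkinitcpio.conf are constructed for illustration; it assumes the systemd and sd-encrypt hooks named in the question, and `none` in the third crypttab field means "prompt for the passphrase".

```sh
#!/bin/sh
# Added example: lint the initramfs inputs before regenerating with mkinitcpio.
# Function names are hypothetical; nothing here touches /etc or /boot.

# Print the hooks from the last HOOKS= assignment, one per line.
# Handles both HOOKS="a b c" and HOOKS=(a b c).
list_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=[("]\{0,1\}\([^")]*\)[")]\{0,1\}.*$/\1/p' "$1" |
        tail -n 1 | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Print the 1-based position of hook $2 in file $1 (nothing if absent).
hook_pos() {
    list_hooks "$1" | grep -n -x -F -- "$2" | head -n 1 | cut -d: -f1
}

# Report ordering problems. Returns 0 only if a LUKS hook runs before the
# zfs hook and both run before "filesystems".
check_hooks() {
    conf=$1; rc=0
    sd=$(hook_pos "$conf" sd-encrypt)
    enc=${sd:-$(hook_pos "$conf" encrypt)}
    zfs=$(hook_pos "$conf" zfs)
    fs=$(hook_pos "$conf" filesystems)
    if [ -z "$enc" ]; then echo "missing encrypt/sd-encrypt hook"; rc=1; fi
    if [ -z "$zfs" ]; then echo "missing zfs hook"; rc=1; fi
    if [ -n "$enc" ] && [ -n "$zfs" ] && [ "$enc" -gt "$zfs" ]; then
        echo "zfs runs before the LUKS containers are opened"; rc=1
    fi
    if [ -n "$fs" ] && [ -n "$zfs" ] && [ "$zfs" -gt "$fs" ]; then
        echo "zfs is listed after filesystems"; rc=1
    fi
    # sd-encrypt is the systemd-based counterpart of encrypt and needs "systemd".
    if [ -n "$sd" ] && [ -z "$(hook_pos "$conf" systemd)" ]; then
        echo "sd-encrypt is listed without the systemd hook"; rc=1
    fi
    return $rc
}

# Emit one crypttab line per NAME=DEVICE argument: name, device, key, options.
# DEVICE may be a /dev path or UUID=... (from blkid, stable across reboots).
crypttab_lines() {
    for pair in "$@"; do
        case $pair in
            *=/dev/*|*=UUID=*) ;;
            *) echo "bad mapping: $pair" >&2; return 1 ;;
        esac
        printf '%s\t%s\tnone\tluks\n' "${pair%%=*}" "${pair#*=}"
    done
}

# Demo on a constructed config; device names are the ones from the question.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# constructed sample, not the asker's real file
MODULES="dm_mod dm_crypt"
HOOKS="base systemd autodetect modconf block keyboard sd-encrypt zfs filesystems"
EOF
check_hooks "$sample_conf" && echo "HOOKS order OK"
crypttab_lines enc0=/dev/nvme0n1p3 enc1=/dev/nvme1n1p3
rm -f "$sample_conf"
```

The two lines printed by `crypttab_lines` are what would go into /etc/crypttab.initramfs; the mapper names enc0 and enc1 match the `zpool import -d /dev/mapper` call from the question.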











            • Much thanks for your answer, and I upvoted to get you closer to 50 pts. You'll have to bear with me a bit on the boot process. I'm not sure what you mean by unpacking initramfs and modifying init file, but I can search a bit for that. Does Gentoo use systemd? Is the init file you are talking about part of sysVinit? You don't just mean modifying mkinitcpio.conf?
              – airhuff
              Feb 15 '17 at 17:58










            • Also, my ultimate goal is an encrypted root ZFS file system. I figured this would be a simpler question/step toward getting there. I previously posted a question like this except for root on ZFS and it got zero votes, one well-meaning but useless comment and not a single answer even though I did a 50 point bounty! Anyway, it seems like if I could figure out how to get the system to prompt for the encryption passphrase for even a non-root filesystem, I'd be most of the way there.
              – airhuff
              Feb 15 '17 at 18:20










            • Gentoo can use systemd, but I prefer default OpenRC. Systemd thinks it is more clever than user IMHO, and too complicated. Latest version of OpenRC have not less functionality. On my side, zfs on encrypted rootfs was easy part. Even I wrote a solution to unlock the rootfs by ssh, and this didn't took much time. Also I have all compiled with -march=native, which increases system overall speed. Maybe think about switching to Gentoo? :)) I have latest updated software, compiled for my own processor and it works perfectly.
              – Ural
              Feb 16 '17 at 6:19










            • For encrypted rootfs, have your read wiki.archlinux.org/index.php/Dm-crypt/… and bbs.archlinux.org/viewtopic.php?id=205122 ? For initramfs, I don't know how look systemd's init, but I do the following: gunzip < /boot/initramfs-genkernel-x86_64-$uname | cpio -i --make-directories Now I have initramfs stuff unpacked. I have file 'init', which is a shell script. that doing all stuff, like mounting /proc /sys and rootfs. You can modify it for your needs, and then pack the whole folder back and put to /boot.
              – Ural
              Feb 16 '17 at 6:21










            • I did that (unpack/pack back) for adding dropbear to it. Usually I can configure everything in genkernel.conf (like your mkinitcpio.conf). So AFTER generating the initramfs, try to unpack it and see what it contains. In Ubuntu there is an easier way, like adding a script to /etc/initramfs-tools/... and it packs it in there when building the initramfs.
              – Ural
              Feb 16 '17 at 6:26
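
The "unpack it and see what it contains" step from the comments above, as an added example that is not part of the original thread: it lists a gzip-compressed cpio initramfs and reports which of the pieces needed to open LUKS containers at boot are absent. The helper names and the member patterns are assumptions, and the image is assumed to be a single gzip-compressed archive as in the comment; for mkinitcpio images on Arch, `lsinitcpio` produces the listing.

```sh
# Added example (not from the thread). Helper names and the member patterns
# passed in are assumptions; the image is taken to be gzip-compressed cpio.

# initramfs_list IMAGE: print one archive member path per line.
initramfs_list() {
    gunzip -c "$1" | cpio -it 2>/dev/null
}

# initramfs_missing IMAGE REGEX...: print every REGEX that matches no member.
# Returns 0 if all are present, 1 if any is missing, 2 if the listing fails.
initramfs_missing() {
    local image listing pattern rc
    image=$1; rc=0
    shift
    listing=$(initramfs_list "$image") || return 2
    for pattern in "$@"; do
        if ! printf '%s\n' "$listing" | grep -Eq -- "$pattern"; then
            printf '%s\n' "$pattern"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_image OUT: constructed sample input, an image holding only
# /init and an empty /usr/bin/cryptsetup (so the dm-crypt module is absent).
make_sample_image() {
    local out root
    out=$1
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\n' >"$root/init"
    : >"$root/usr/bin/cryptsetup"
    (cd "$root" && find . | cpio -o -H newc 2>/dev/null | gzip -c) >"$out"
    rm -rf "$root"
}

# Usage against a real image (placeholder path):
#   initramfs_missing /path/to/initramfs.img \
#       '(^|/)init$' '(^|/)cryptsetup$' 'dm[-_]crypt\.ko'
```

An empty result with exit status 0 means every listed piece is in the image; any printed pattern names something the initramfs generator did not pack.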




























            up vote
            0
            down vote













            I have the same question but under FreeBSD.















                answered 3 mins ago









                brunobhr

                63



