ZFS encrypted home on Arch Linux
Let’s say that you have a shiny new Arch Linux installation.
And you read somewhere about the cool features of ZFS.
And you want them on your system.
Disclaimer: things will break sooner or later. Be ready to dig into the problems and learn how it works :P
And please, keep backups on another drive.
The ZFS driver
ZFS is distributed under the CDDL license, which prevents it from being included in the Linux kernel.
You then have two options to get a ZFS driver on Arch Linux:
- You use a DKMS package (zfs-dkms), which recompiles the module every time you update the kernel
- You use one of the binary packages distributed by the archzfs repository (zfs-linux), built for a specific kernel version
You should be fine with the zfs-linux stable release, which does not require recompilation (good especially on low-power systems or laptops), but sometimes the package lags behind the kernel and its version pin will block your kernel upgrade until archzfs catches up.
In general, switching between zfs-linux and zfs-dkms should always be possible.
How to install it
The Arch Linux ZFS page has a lot of good material on that.
Personally, I prefer to keep my root on a mainstream ext4 filesystem, with a ZFS dataset mounted on /home.
This allows for easy backups (you snapshot only your home folder) and the ability to recover the system when the driver fails to build: you won't be able to access your files, but the system will boot fine and you can downgrade the kernel or apply other fixes.
I installed the system without ZFS, then booted it, installed the driver, moved my (almost empty) /home to /homebak, created a new ZFS dataset mounted at /home and copied the files over from the legacy folder. You can skip the copy if you have just installed the system.
Automatic start
If you followed the Arch guide, the driver should start automatically at boot, otherwise, make sure that you have enabled the services and they are running:
sudo systemctl enable zfs-import-cache
sudo systemctl enable zfs-import.target
sudo systemctl enable zfs-mount
sudo systemctl enable zfs.target
The encryption problem
The above will work when you don't have encrypted datasets.
But when you do, you have to provide the key before the dataset can be mounted.
On a single-user system, the easiest way to provide the key is to get prompted for it at boot, just before the login screen. The Arch Linux ZFS page has some nice information on how to load the keys at boot.
The load-key loop
The Arch Linux systemd example works well in most cases.
However, its until loop keeps asking until the key is loaded, which may never happen if your system has a broken driver: the zfs command fails on every attempt and the boot hangs before the login screen.
The solution
Create a new service file at /etc/systemd/system/zfs-load-key@.service with the following:
[Unit]
Description=Load %I encryption keys
Before=systemd-user-sessions.service
After=zfs-import.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/bash -c 'for i in {1..5}; do (systemd-ask-password "[$i/5] Encrypted ZFS password for %I" --no-tty | zfs mount -l %I) && break; echo "Try again!"; done'
[Install]
WantedBy=zfs-mount.service
This will ask for the key a maximum of 5 times, then proceed to the login screen without the dataset mounted.
This is good for recovering a broken system: if the zfs mount command fails because the driver is missing, it won't prevent the system from booting.
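The bounded retry from the unit's ExecStart line, factored into a POSIX shell function so the stop condition can be exercised without a ZFS pool. This is an added example, not code from the original post or from the Arch wiki: the command that prompts for and loads the key is passed in as an argument, and the names load_key_with_retries and real_loader are my own. One deliberate difference from the unit above: the bash one-liner ends with echo, so after five failures systemd still records the unit as successful; this version returns 1 once the attempts are spent, which is safe because zfs-mount.service only Wants the unit (a failed oneshot does not block the boot) and it makes the problem show up in systemctl --failed.

```shell
#!/bin/sh
# Added example (not from the original post): bounded key-loading loop.
# The real unit runs:  systemd-ask-password "..." --no-tty | zfs mount -l <dataset>

# load_key_with_retries DATASET MAX LOAD_CMD
#   Calls LOAD_CMD with DATASET, attempt number and MAX as arguments, up to
#   MAX times. Returns 0 as soon as one attempt succeeds and 1 once all
#   attempts are spent. Unlike an `until` loop, a driver that never works
#   cannot hold the boot forever: control returns to systemd either way.
load_key_with_retries() {
    dataset=$1
    max=$2
    load_cmd=$3
    i=1
    while [ "$i" -le "$max" ]; do
        if "$load_cmd" "$dataset" "$i" "$max"; then
            return 0
        fi
        echo "[$i/$max] loading key for $dataset failed, try again" >&2
        i=$((i + 1))
    done
    echo "giving up on $dataset after $max attempts" >&2
    return 1
}

# real_loader DATASET ATTEMPT MAX
#   The loader for a live system (assumes systemd and the zfs CLI are
#   installed): ask for the passphrase and hand it to `zfs mount -l`, which
#   loads the key (keylocation=prompt) and mounts the dataset in one step.
real_loader() {
    systemd-ask-password "[$2/$3] Encrypted ZFS password for $1" --no-tty \
        | zfs mount -l "$1"
}

# Usage on a real system, equivalent to the unit's ExecStart:
#   load_key_with_retries zroot/home 5 real_loader
```

To check the loop without a pool, pass a loader that fails a fixed number of times (a counter kept in a temporary file survives the function calls) and confirm that it stops at the right attempt in both the success and the give-up case.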
Now you have to enable it for every encrypted dataset you have. But if you are on a single-user system, I guess you'll have only one...
Let's say it is zroot/home; then you have to enable the systemd unit instance for it:
sudo systemctl enable zfs-load-key@zroot-home.service
Systemd instance names use - for /, so the / in the dataset name must be written as - (the %I in the unit turns it back into /). If the dataset name itself contains a -, it has to be escaped as \x2d, which is what systemd-escape prints for it; otherwise the unit would look for a dataset with a / in that position.
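Two helpers for the step above, as an added example that is not part of the original post: one escapes a dataset name into the instance name that zfs-load-key@.service expects (the same mapping systemd-escape applies), the other reads zfs list output and prints one systemctl enable line per dataset that actually needs a key. Nothing here touches a pool: the zfs list output is read from stdin, and sample_list is a constructed sample, not real output. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): systemd instance names for
# encrypted ZFS datasets.

# zfs_unit_instance DATASET
#   Escapes DATASET like `systemd-escape` does for an instance name: "/" becomes
#   "-", and any other character outside [A-Za-z0-9:_.] becomes "\xNN". A "-"
#   in the dataset name therefore becomes "\x2d"; left as a plain "-", %I would
#   turn it into "/" and `zfs mount -l` would look for the wrong dataset.
zfs_unit_instance() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}
        case $c in
            /) out="$out-" ;;
            [A-Za-z0-9:_.]) out="$out$c" ;;
            *) out="$out$(printf '\\x%02x' "'$c")" ;;   # e.g. "-" -> \x2d
        esac
    done
    printf '%s\n' "$out"
}

# encryption_roots
#   Reads `zfs list -H -o name,encryptionroot` lines (name TAB encryptionroot)
#   from stdin and prints the datasets that are their own encryption root,
#   i.e. the ones whose key must be loaded. Child datasets inherit the key
#   from their root, and unencrypted datasets show "-" in that column.
encryption_roots() {
    tab=$(printf '\t')
    while IFS=$tab read -r name root; do
        if [ "$name" = "$root" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# enable_commands
#   Prints one `systemctl enable` line per encryption root found on stdin.
#   On a live system:  zfs list -H -o name,encryptionroot | enable_commands
enable_commands() {
    encryption_roots | while read -r ds; do
        printf 'sudo systemctl enable zfs-load-key@%s.service\n' "$(zfs_unit_instance "$ds")"
    done
}

# sample_list
#   Constructed sample of `zfs list -H -o name,encryptionroot` (not real
#   output): zroot/home and zroot/vm-images are encrypted, zroot/home/alice
#   inherits its key from zroot/home, the rest is unencrypted.
sample_list() {
    printf 'zroot\t-\n'
    printf 'zroot/home\tzroot/home\n'
    printf 'zroot/home/alice\tzroot/home\n'
    printf 'zroot/scratch-data\t-\n'
    printf 'zroot/vm-images\tzroot/vm-images\n'
}

# Run it on the sample:  sample_list | enable_commands
```

Running sample_list | enable_commands prints an enable line for zroot/home and one for zroot/vm-images, the latter with the dash escaped as zroot-vm\x2dimages; zroot/home/alice is skipped because its key comes with its parent.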
Moreover, since this unit is ordered after zfs-import.target, on a broken system the pool import fails first and you may never be prompted for the password at all: booting straight to the login screen without a prompt is itself a sign that the driver needs fixing.