From: Eugene Grosbein <eugen@grosbein.net>
To: Thomas Zander <thomas.e.zander@googlemail.com>, stable@freebsd.org
Cc: allanjude@freebsd.org
Subject: Re: State of encrypted-almost-everything on ZFS in 2020
Date: Tue, 19 May 2020 05:10:55 +0700

16.05.2020 16:51, Thomas Zander via freebsd-stable wrote:
> Hi,
>
> can the following be done these days?
> - Encrypted ZFS root pool on RAID-Z
> - Supply the key for the encrypted root pool during boot via USB thumb drive
> - No keyboard is attached to the machine
> - No /boot on the thumb drive, just the key
> - I don't mind if /boot is encrypted or not (the use case is not to
> protect against nation state attackers)
> - Bonus points if I can use bectl
>
> Every single posting regarding this topic I can find always comes down to either
> a) One needs /boot on the thumb drive, or
> b) One uses a keyboard and supplies a passphrase instead of a keyfile.

Note that the root pool does not need to be the original boot pool. It is possible to share your disks between two different ZFS pools: a small first unencrypted boot pool that boots normally and starts a plain shell script that reads the key from any storage you prefer to decrypt and attach the second, encrypted pool. Then set vfs.root.mountfrom to the second pool with kenv(1) and use re-rooting (reboot -r) to restart booting from the now-available encrypted pool.

This is how to share disks with GEOM_RAID:

1. Cut the first N megabytes of each disk to form an N-way mirror using the "Promise" on-disk volume label format:

   graid label -S ${N}M Promise r0 RAID1 /dev/da0 /dev/da1 /dev/da2 ...

   This gives you the /dev/raid/r0 device; use it to create an unencrypted non-redundant ZFS boot pool, as GEOM_RAID provides (mirrored) redundancy.

2. Allocate the tail of each drive to a set of SINGLE graid volumes:

   graid label Promise r1 SINGLE /dev/da0
   graid label Promise r2 SINGLE /dev/da1
   graid label Promise r3 SINGLE /dev/da2
   ...

   This gives you devices /dev/raid/r1, /dev/raid/r2 etc. Use them as vdevs to create your encrypted RAID-Z.
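The "plain shell script" that the boot pool runs is the piece the reply leaves to the reader. The following is an added example written for this archive, not code from Eugene's post or from FreeBSD; it ties the steps together: mount the thumb drive read-only, attach the encrypted providers with the keyfile and no passphrase, import the encrypted pool without mounting it, pick the boot environment that bectl flags for the next reboot (so bectl-managed BEs keep working), set vfs.root.mountfrom with kenv and re-root. Everything named is an assumption: the GPT label "zfskey" on the key partition, the keyfile name, the pool name "zroot", the providers /dev/raid/r1..r3 being GELI-encrypted with that keyfile (one way to realize the "encrypted pool" of the post; with native ZFS encryption the geli step would become zfs load-key), and bectl's -r beroot option for listing BEs of a pool that is not the running root. The sample bectl output is constructed for the dry run.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): re-root helper run from the
# small unencrypted boot pool of the two-pool layout described in the reply.
#
# Assumed layout (hypothetical names, adjust to your own):
#   - thumb drive partition with GPT label "zfskey", msdosfs, holding the keyfile
#   - /dev/raid/r1 .. r3 are the SINGLE graid volumes, each GELI-encrypted with
#     that keyfile (geli init -K keyfile -P); the RAID-Z lives on the .eli providers
#   - encrypted pool "zroot" with boot environments under zroot/ROOT

KEY_DEV="${KEY_DEV:-/dev/gpt/zfskey}"
KEY_MNT="${KEY_MNT:-/mnt/key}"
KEY_FILE="${KEY_FILE:-zroot.key}"
ROOT_POOL="${ROOT_POOL:-zroot}"
PROVIDERS="${PROVIDERS:-/dev/raid/r1 /dev/raid/r2 /dev/raid/r3}"

# Decrypted GELI provider name for a raw provider: /dev/raid/r1 -> /dev/raid/r1.eli
eli_provider() {
    printf '%s.eli\n' "$1"
}

# Read "bectl list -H" output on stdin (tab-separated: name, active flags,
# mountpoint, space, created) and print the BE flagged "R" (active on next reboot).
next_boot_be() {
    awk -F '\t' 'index($2, "R") { print $1; exit }'
}

# Dataset to re-root into; falls back to the "default" BE when no BE carries
# the R flag (for instance when the pool's bootfs property is unset).
choose_root_dataset() {
    pool="$1"
    be="$(next_boot_be)"
    [ -n "$be" ] || be="default"
    printf '%s/ROOT/%s\n' "$pool" "$be"
}

# Value vfs.root.mountfrom needs for a ZFS dataset.
mountfrom_value() {
    printf 'zfs:%s\n' "$1"
}

# Constructed sample of "bectl list -H" output, used only by the dry run.
SAMPLE_BECTL_LIST="$(printf 'default\tN\t/\t1.2G\t2020-05-10 12:00\n12.1-p5\tR\t-\t800M\t2020-05-15 09:30\n')"

reroot() {
    mkdir -p "$KEY_MNT"
    # Read-only: the key medium is never written to during boot.
    mount -o ro -t msdosfs "$KEY_DEV" "$KEY_MNT" || return 1
    if [ ! -r "$KEY_MNT/$KEY_FILE" ]; then
        echo "keyfile $KEY_FILE not found on $KEY_DEV" >&2
        umount "$KEY_MNT"; return 1
    fi
    for p in $PROVIDERS; do
        # -k keyfile plus -p: the keyfile is the only key component, so no
        # passphrase prompt, which is what a keyboard-less machine needs.
        if ! geli attach -k "$KEY_MNT/$KEY_FILE" -p "$p"; then
            echo "geli attach failed for $p" >&2
            umount "$KEY_MNT"; return 1
        fi
    done
    umount "$KEY_MNT"
    # Import without mounting: the datasets belong to the root we switch to.
    zpool import -N "$ROOT_POOL" || return 1
    dataset="$(bectl -r "$ROOT_POOL/ROOT" list -H | choose_root_dataset "$ROOT_POOL")"
    kenv vfs.root.mountfrom="$(mountfrom_value "$dataset")" || return 1
    reboot -r
}

# Without --run, only show the decisions the script would make (dry run).
if [ "${1:-}" = "--run" ]; then
    reroot
else
    for p in $PROVIDERS; do eli_provider "$p"; done
    ds="$(printf '%s\n' "$SAMPLE_BECTL_LIST" | choose_root_dataset "$ROOT_POOL")"
    echo "would set vfs.root.mountfrom=$(mountfrom_value "$ds")"
fi
```

Invoked with --run from an rc script on the boot pool it performs the switch; without it, it prints the provider names and mountfrom value it would use, which is a convenient check before trusting it on a headless box. The keyfile is the whole secret in this scheme, so the thumb drive deserves the same physical control as the passphrase it replaces, and the boot pool stays readable to anyone with the disks, exactly as the question allows.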