Feature Request: Pool Dencryption during Booting

[alexsmartens]

Thanks for an awesome write-up!
Do you have an idea on how to use a key instead of a passphrase? And unlock the pool during booting?

[alexsmartens]

I have an idea about some changes to your script that theoretically should make it, however it does not work so far.

@dynerose, do think you could check it out?

https://github.com/alexsmartens/dual-boot-encrytpted-Ubuntu-installation/blob/master/Ubuntu20.04-encryptedZFS

[dynerose]

Hi, Nice work. I was thinking about it. Maybe the key should be placed on a usb drive? It could be read automatically from there. Alex Martens <[email protected]> ezt írta (időpont: 2020. máj. 18., H, 23:54):

…

Thanks for an awesome write-up! Do you have an idea on how to use a key instead of a passphrase? And unlock the pool during booting? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#4>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGRBNLGP4IIXWGKI3DYJRH3RSGVBJANCNFSM4NEONNIQ> .

[alexsmartens]

Good point!
So the final idea is do a full drive encryption and to decrypt the drive on boot with the key stored in TPM 2.0.
The implementation would look like this: the boot partition is ext4 encrypted with LUKS and it is encrypted with the key from TPM. Then, the decrypted boot partition stores the key for the root ZFS volume, and the root volume is decrypted.

[alexsmartens]

At the moment, I'm having troubles with decrypting the ZFS root with the key: chungy/zfs-boottime-encryption#2.
It seems, like the problem is somewhere in the GRUB config. What do you think?