Add support for ZFS encryption #467
Conversation
59a2544 to 97bf779
Would there be any instructions on how this can be tested? I'd like to aid in this implementation, but am unsure how. Is there something that can be done by third parties?
I've packaged my changes for Ubuntu in a PPA. After you install that, it's essentially just using
Testing would be good. But I only have this specific initramfs configuration.
Thank you for the quick reply. I have found the PPA. Unfortunately I have never used Clevis and cannot unpack the sentence
to infer what a test setup would look like. I'm able to set up an LXD/Incus virtual network that contains an Ubuntu VM/system container and a block device that contains an encrypted ZFS pool, plus a separate instance for Clevis. As a tester I would ask myself:
I have the intuition that
Would it seem suitable to add some documentation with this cycle? The information could go to the
Ah, OK. Have a look at the Arch wiki. In my case, I want to bind the key with both my TPM and with a Yubikey, so I used
If you want a server, I think you're referring to Tang. I haven't set that up; my key unlock is purely held on the TPM and with a Yubikey, there's no network involved in my setup.
Essentially Clevis does most of the heavy lifting. All this PR does is teach Clevis how to unlock ZFS datasets, which is why there isn't significant documentation. The two arguments:
Calling
I'm on it, but give me a few months. Thanks for the link and for helping me understand the relationship between Tang and Clevis better.
97bf779 to fc9e6a6
Installing the ZFS integration should not imply installing the LUKS integration.
fc9e6a6 to 4317bd7
This would be a huge help for our organization 👍
Supersedes #373. Description copied:
Further work by @lowjoel: clevis-zfs-bind, clevis-zfs-unlock (at reboot), and clevis-zfs-unbind
Once we're happy with the code I can squash the commits to those by @techhazard and myself.
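As an added illustration that is not the PR's code, the bind/unlock/unbind split described above can be wired with stock clevis and zfs commands. It assumes the dataset was created with keyformat=raw, the raw key is in a file, and the sealed JWE is kept under /etc/clevis-zfs (a path chosen here, not the PR's layout):

```shell
#!/bin/sh
# Illustrative sketch (not the PR's code): seal a ZFS dataset's raw key with
# a Clevis pin and unseal it again at load time.
# Assumptions: keyformat=raw on the dataset, raw key in $keyfile, JWE stored
# under $JWE_DIR (a layout chosen for this example).
set -eu

JWE_DIR="${JWE_DIR:-/etc/clevis-zfs}"

# jwe_path pool/dataset -> $JWE_DIR/pool_dataset.jwe
jwe_path() {
    printf '%s/%s.jwe' "$JWE_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# bind: seal the raw key with a Clevis pin, e.g. tpm2 '{"pcr_ids":"7"}'.
# An sss config ({"t":N,"pins":{...}}) is how Clevis combines several pins.
clevis_zfs_bind() {
    ds=$1 pin=$2 cfg=$3 keyfile=$4
    mkdir -p "$JWE_DIR"
    clevis encrypt "$pin" "$cfg" < "$keyfile" > "$(jwe_path "$ds")"
    # From now on the key is supplied on stdin when the dataset is loaded.
    zfs set keylocation=prompt "$ds"
}

# unlock: unseal the JWE and pipe the key straight into zfs load-key;
# the plaintext key never touches disk.
clevis_zfs_unlock() {
    ds=$1
    clevis decrypt < "$(jwe_path "$ds")" | zfs load-key -L prompt "$ds"
}

# unbind: drop the sealed copy; the dataset keeps its key, only the
# automatic unlock path goes away.
clevis_zfs_unbind() {
    rm -f "$(jwe_path "$1")"
}

case "${1:-}" in
    bind)   clevis_zfs_bind "$2" "$3" "$4" "$5" ;;
    unlock) clevis_zfs_unlock "$2" ;;
    unbind) clevis_zfs_unbind "$2" ;;
esac
```

Run as `clevis-zfs.sh bind tank/secret tpm2 '{"pcr_ids":"7"}' /path/to/key.raw`, then `clevis-zfs.sh unlock tank/secret` from the initramfs.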