I have an Ubuntu 18.04 box running the OS off an SSD which I do NOT want to encrypt. I have 3 additional 2TB drives which I would like to use as encrypted (via LUKS) RAID-Z1 additional storage. I would like to use a different passphrase for each disk, be prompted for each passphrase at boot time, and automatically create and mount the raidz pool on boot as well.
I have been following the following tutorial.
https://help.ubuntu.com/community/encryptedZfs#ZFS_on_LUKS_Installation
The tutorial above describes encrypting both the boot disk as well as the additional storage drive. Since I am not trying to encrypt the boot disk, I tried to parse out all things relevant to that and only perform the operations required to create the additional storage on the three 2TB drives I am interested in.
I have had some success in that completing the following steps does seem to encrypt each drive, with their own passphrase, and I can turn them into a raidz pool. There are two points of failure I have been unable to resolve:
- My system does not prompt me for the decryption passphrase at boot time.
- The raidz pool is not created or mounted at startup. Likely at least in part because of the former problem.
After the machine boots I am able to manually decrypt and then import the previously created pool no problem. Here are my setup steps so far.
$ sudo parted -a optimal /dev/sdb; sudo parted -a optimal /dev/sdc; sudo parted -a optimal /dev/sdd
# the above parted command opens a prompt to enter commands. The following were the commands given
# mklabel gpt
# unit MB
# mkpart vpool 1 -1
$ sudo apt install cryptsetup
$ sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdb1
$ sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdc1
$ sudo cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdd1
$ sudo cryptsetup luksHeaderBackup /dev/sdb1 --header-backup-file /home/user_home/luks_header_backup_sdb1; sudo cryptsetup luksHeaderBackup /dev/sdc1 --header-backup-file /home/user_home/luks_header_backup_sdc1; sudo cryptsetup luksHeaderBackup /dev/sdd1 --header-backup-file /home/user_home/luks_header_backup_sdd1
$ sudo cryptsetup luksOpen /dev/sdb1 vault1_crypt
$ sudo cryptsetup luksOpen /dev/sdc1 vault2_crypt
$ sudo cryptsetup luksOpen /dev/sdd1 vault3_crypt
$ sudo fdisk -l
# The above command was to check the sector size. Because there is an old drive in there we have to use a 512-byte sector size. This means using ashift=9 instead of ashift=12 when doing zpool create
$ sudo zpool create -O mountpoint=none -o ashift=9 vault raidz1 /dev/mapper/vault1_crypt /dev/mapper/vault2_crypt /dev/mapper/vault3_crypt
$ sudo zfs set mountpoint=/vault vault
$ blkid # Copied value of each sdb1 sdc1 and sdd1 UUIDs
$ sudo vim /etc/initramfs-tools/conf.d/cryptroot
# Wrote as follows
# target=vault,source=UUID=<UUID-from-blkid-for-sdb1>,key=none
# target=vault,source=UUID=<UUID-from-blkid-for-sdc1>,key=none
# target=vault,source=UUID=<UUID-from-blkid-for-sdd1>,key=none
$ sudo update-initramfs -c -k all
$ sudo update-grub; sudo grub-install /dev/sda
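An added example, not part of the question above: the three cryptroot lines in the question all use `target=vault`, but a target is the mapper name that gets created under /dev/mapper, so three entries cannot share one, and the names ZFS recorded for the vdevs are `vault1_crypt`, `vault2_crypt` and `vault3_crypt`. Also, `/etc/initramfs-tools/conf.d/cryptroot` configures the initramfs, which only matters when the root filesystem itself is encrypted; mappings for data disks on a system with an unencrypted root are handled by systemd's cryptsetup generator from `/etc/crypttab`, which produces one `systemd-cryptsetup@<target>.service` per entry and prompts for each passphrase on the console during boot. The script below writes `/etc/crypttab` entries with one target per disk, matching the `luksOpen` names, and checks a crypttab file for the duplicate-target and malformed-entry mistakes. The function names are mine, and the UUIDs used in the usage comment are constructed placeholders.

```shell
#!/bin/bash
# Example (not from the question): build and sanity-check /etc/crypttab entries
# for three LUKS data disks that back a ZFS raidz pool. Function names are the
# author's; UUIDs in the comments below are constructed placeholders.

# crypttab_line TARGET UUID
# One /etc/crypttab entry: <target> <source> <key file> <options>.
# TARGET must be the name used with `cryptsetup luksOpen`, because the pool
# was created on /dev/mapper/<target> and zpool.cache remembers that path.
# "none" as the key file makes systemd ask for the passphrase at boot.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# crypttab_line_for_dev TARGET /dev/sdX1
# Same, but look the LUKS partition's UUID up instead of pasting it.
crypttab_line_for_dev() {
    crypttab_line "$1" "$(blkid -s UUID -o value "$2")"
}

# write_vault_crypttab FILE UUID_SDB1 UUID_SDC1 UUID_SDD1
# Write the three entries for the pool in the question, one target per disk.
write_vault_crypttab() {
    {
        crypttab_line vault1_crypt "$2"
        crypttab_line vault2_crypt "$3"
        crypttab_line vault3_crypt "$4"
    } > "$1"
}

# check_crypttab FILE
# Print one problem per line and return 1 if any entry is unusable:
#  - a target that appears twice (only one /dev/mapper/<name> can exist)
#  - an entry with fewer than four fields
#  - a source that is neither UUID=... nor a /dev path
check_crypttab() {
    local status=0
    local seen=""
    while read -r target source key opts extra; do
        case "$target" in ''|\#*) continue ;; esac
        if [ -z "$opts" ]; then
            echo "bad entry for '$target': expected 4 fields (target source keyfile options)"
            status=1
            continue
        fi
        case " $seen " in
            *" $target "*) echo "duplicate target '$target'"; status=1 ;;
        esac
        seen="$seen $target"
        case "$source" in
            UUID=*|/dev/*) ;;
            *) echo "entry '$target': source '$source' is not UUID=... or a /dev path"; status=1 ;;
        esac
    done < "$1"
    return $status
}

# Usage (UUIDs below are made up):
#   write_vault_crypttab /tmp/crypttab.new \
#       1111aaaa-0000-0000-0000-000000000001 \
#       2222bbbb-0000-0000-0000-000000000002 \
#       3333cccc-0000-0000-0000-000000000003
#   check_crypttab /tmp/crypttab.new && sudo install -m 0644 /tmp/crypttab.new /etc/crypttab
```

After installing the file, `sudo systemctl daemon-reload` regenerates the per-entry units; `systemctl list-units --all 'systemd-cryptsetup@*'` should then show one unit per target, and each will prompt on the console at the next boot. For the import side, `systemctl show -p After zfs-import-cache.service` shows whether the pool import is ordered after `cryptsetup.target`, which is what makes the import wait until all three mappings exist; the pool is then imported from `/etc/zfs/zpool.cache`, which already records the `/dev/mapper/vault*_crypt` paths because the pool was created on them.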