Monday, March 07, 2016

ZFS on Linux with LUKS startup automount; Ubuntu 16.04

When ZFS became a first-class citizen under Ubuntu, the issue of ZFS on Linux with LUKS not auto-mounting properly at startup was finally addressed in Xenial 16.04.

The following steps produced a successful auto-mount on a nightly build of Xenial in VirtualBox:

# list block devices using /dev/disk/by-id
sudo ls /dev/disk/by-id

# identify the block device for the LUKS container; here, the example is a VirtualBox device
ata-VBOX_HARDDISK_VBd5b297e5-009dc9f9

# create a key file
sudo dd if=/dev/urandom of=/root/key bs=1024 count=64

# encrypt [using defaults here for simplicity] the target block device with the key file; this overwrites any existing data on the device
sudo cryptsetup luksFormat /dev/disk/by-id/ata-VBOX_HARDDISK_VBd5b297e5-009dc9f9 /root/key

# find the newly encrypted LUKS container uuid
sudo blkid

# the result should show the device with TYPE="crypto_LUKS"
/dev/sdc: UUID="b7458a4d-2d45-42bc-8fe7-f392e0a0f85f" TYPE="crypto_LUKS"

# open the LUKS container with key file and map it to a name, example here is mapped to "crypt-c"
sudo cryptsetup luksOpen UUID=b7458a4d-2d45-42bc-8fe7-f392e0a0f85f --key-file /root/key crypt-c

# add a line for the new LUKS container to /etc/crypttab so it can be identified and opened during startup (fields: mapped name, source device, key file, options)
sudo nano /etc/crypttab
crypt-c UUID=b7458a4d-2d45-42bc-8fe7-f392e0a0f85f /root/key luks

# identify the device-mapper ID of the opened LUKS container
sudo ls /dev/disk/by-id

# the result should show the device starting with dm-uuid-CRYPT
dm-uuid-CRYPT-LUKS1-b7458a4d2d4542bc8fe7f392e0a0f85f-crypt-c

# create the ZFS pool on top of the opened LUKS device
sudo zpool create -o ashift=12 zfs-test-pool /dev/disk/by-id/dm-uuid-CRYPT-LUKS1-b7458a4d2d4542bc8fe7f392e0a0f85f-crypt-c

# nothing added under /etc/fstab

# upon restarting, zfs-test-pool is auto-mounted and can be verified with zpool status
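
The key file named in /etc/crypttab is the only secret that unlocks the container at boot, so its ownership and mode are worth checking once the steps above are done. The script below is an added example, not part of the original post: it assumes GNU stat, and the function names and the KEY_OWNER_UID override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit key files named in a
# crypttab-format file. KEY_OWNER_UID is a hypothetical override for testing
# as a non-root user; the default expected owner is root (uid 0).

# Prints one line per finding; returns 1 if any key file is unsafe.
audit_crypttab() {
    tab=$1
    want_uid=${KEY_OWNER_UID:-0}
    bad=0
    # crypttab fields: <mapped name> <source device> <key file> <options>
    while read -r name _src key _opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank or comment
        case $key in ''|none|-|/dev/*) continue ;; esac  # passphrase or device key
        if [ ! -f "$key" ]; then
            echo "$name: key file $key not found"; bad=1; continue
        fi
        uid=$(stat -c %u "$key")    # GNU stat: numeric owner
        mode=$(stat -c %a "$key")   # GNU stat: octal permission bits
        if [ "$uid" != "$want_uid" ]; then
            echo "$name: $key owned by uid $uid, expected $want_uid"; bad=1
        fi
        # Any group/other bit means a non-owner can read or replace the key.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$name: $key has mode $mode, expected 0400 or 0600"; bad=1
        fi
    done < "$tab"
    return $bad
}

# Constructed sample: entries in a scratch directory, one key left at 0644.
demo() {
    d=$(mktemp -d)
    : > "$d/key-a"; chmod 0400 "$d/key-a"
    : > "$d/key-b"; chmod 0644 "$d/key-b"
    printf '%s\n' "# constructed sample" \
        "crypt-a UUID=00000000-0000-0000-0000-000000000001 $d/key-a luks" \
        "crypt-b UUID=00000000-0000-0000-0000-000000000002 $d/key-b luks" \
        "crypt-c UUID=00000000-0000-0000-0000-000000000003 none luks" > "$d/crypttab"
    KEY_OWNER_UID=$(id -u) audit_crypttab "$d/crypttab"
    rc=$?
    rm -rf "$d"
    return $rc
}

# With a path argument audit that file; otherwise run the constructed demo.
if [ $# -gt 0 ]; then audit_crypttab "$1"; else demo || echo "demo: findings listed above"; fi
```

On the system from this post it would be run as root with /etc/crypttab as the argument.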

Reference links:
zfs-raid-and-luks-encryption-in-linux
zfs-on-linux-with-luks-encrypted-disks
zfs-raidz-encryption
zfsonlinux/pkg-zfs/issues/126
cryptsetup/+bug/1422153
Dm-crypt/Device_encryption manual