Saturday 28 Sep 2024


Unlock ZFS with a key file

Instead of typing a passphrase every time you mount your pool, why not try a key file? After you specify the location of the key file, that location is queried for the key when the ZFS datasets are mounted. You could store the key file on a USB drive or in a remote location (such as a network share).

zfs change-key -l -o keylocation=file:///mnt/network_share/zfs.key -o keyformat=[passphrase | hex | raw] name_pool/dataset_name

-l Load key
-o options

For example (using raw mode on a dataset called pictures on a pool named pool):

zfs change-key -l -o keylocation=file:///mnt/network_share/zfs.key -o keyformat=raw pool/pictures

key formats

  • hex
  • passphrase
  • raw

Let's generate a key file. You can use openssl or urandom to achieve this.

I used a raw file as my key, but you can specify a passphrase instead. That way, you can mount manually if you know the passphrase. That being said, if you back up the raw file you should still be able to access the dataset. You must back up the key file, because without it you cannot mount (unless you know the password).

openssl rand -out /path/to/keyfile/zfs.key 32

  • rand (randomisation tool)
  • -out (path to the output file)
  • 32 (32-bit key - ZFS supports up to 32 bits)

or

dd if=/dev/urandom of=/path/to/keyfile/zfs.key bs=32 count=1

  • bs (choose 32 for a 32-bit key - ZFS supports up to 32 bits)
  • count (create 1 line)
  • if (random device)
  • of (path to the output file)

That's it. The key file will look like this:

This is fine, but if you want the key in a human-readable format, consider the passphrase or hex option instead (and set keyformat accordingly):

openssl rand -hex -out /path/to/keyfile/zfs.key 32
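An added preflight check, not from the original post, that validates a generated key file against the keyformat you intend to pass to zfs change-key before the dataset depends on it. The size rules it assumes are OpenZFS's (a raw key is exactly 32 bytes, a hex key is 64 hex digits, a passphrase is 8 to 512 bytes); the function name and messages are my own.

```shell
#!/bin/sh
# Preflight check for a ZFS key file before pointing keylocation=file://... at it.
# Added example; assumes the OpenZFS key rules:
#   raw        -> exactly 32 bytes
#   hex        -> exactly 64 hex digits (a trailing newline, as openssl -hex writes, is ignored)
#   passphrase -> 8 to 512 bytes (trailing newline ignored)
# Usage: check_zfs_keyfile /path/to/zfs.key raw|hex|passphrase
# Returns 0 when the file is usable for that keyformat, 1 otherwise (reason on stderr).
check_zfs_keyfile() {
  file=$1
  fmt=$2
  [ -f "$file" ] || { echo "key file not found: $file" >&2; return 1; }
  size=$(wc -c < "$file" | tr -d ' ')
  # A key readable by group/other is a confidentiality problem; warn but do not fail,
  # since a FAT-formatted USB stick cannot carry POSIX permissions at all.
  if [ -n "$(find "$file" \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
    echo "warning: $file is readable by group or others (consider chmod 600)" >&2
  fi
  case $fmt in
    raw)
      [ "$size" -eq 32 ] ||
        { echo "raw key must be exactly 32 bytes, got $size" >&2; return 1; }
      ;;
    hex)
      hex=$(tr -d '\n' < "$file")
      case $hex in
        *[!0-9a-fA-F]*) echo "hex key contains non-hex characters" >&2; return 1 ;;
      esac
      [ ${#hex} -eq 64 ] ||
        { echo "hex key must be 64 hex digits, got ${#hex}" >&2; return 1; }
      ;;
    passphrase)
      plen=$(tr -d '\n' < "$file" | wc -c | tr -d ' ')
      [ "$plen" -ge 8 ] && [ "$plen" -le 512 ] ||
        { echo "passphrase must be 8 to 512 bytes, got $plen" >&2; return 1; }
      ;;
    *)
      echo "unknown keyformat: $fmt (expected raw, hex or passphrase)" >&2; return 1
      ;;
  esac
  return 0
}
```

Run it against the file right after generating it; a key that is one byte short silently fails at the change-key step, so catching it here is cheaper than debugging a pool that will not mount.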
