Auto-Mount native encrypted dataset on boot

New to OpenZFS on OS X (Or ZFS in general)? Ask your questions here!

Auto-Mount native encrypted dataset on boot

Postby sir_brickalot » Mon Oct 15, 2018 1:44 am

What is the best way to mount an OpenZFS encrypted dataset without user interaction?

Right now I handle it this way:

  • add the password for the dataset to keychain
    GUI:
    open /Applications/Utilities/Keychain\ Access.app > Create a new Keychain item > add 'KeychainItemName' and 'password'
    Terminal:
    https://www.netmeister.org/blog/keychain-passwords.html
  • create a bash script to retrieve the password from Keychain and use the .command suffix for the file name ('mount_dataset.command'):

    Code:
    #!/bin/bash
    # mount encrypted zfs dataset on login

    security find-generic-password -a ${USER} -s 'KeychainItemName' -w | sudo zfs mount -l tank/dataset

  • Add 'mount_dataset.command' file to Settings/Users & Groups/Login Items

When I log into the system a terminal window opens and I have to enter my admin password for the mount to finish.
Is there a better way without user interaction?

[edit: typo]
Last edited by sir_brickalot on Fri Nov 13, 2020 12:58 am, edited 1 time in total.
sir_brickalot
 
Posts: 23
Joined: Tue Apr 11, 2017 11:13 am

Re: Auto-Mount native encrypted dataset on boot

Postby 0x42h » Fri Nov 13, 2020 12:06 am

Doesn't seem to get much better than that, does it?

I've been looking into this too. Being quite a Linux geek, I was hoping it wasn't such a hassle as I find many things to be with mac and all its proprietary stuff, also a consequence of the developments they make to their software, of course, I suppose. Nevertheless, it's a pain in the neck, this one.

What I'm trying to do is get /Users to mount before the system becomes aware of the significance of the /Users folder. This seems to fail, even with a launchd plist that I made and/or modifying the /usr/local/libexec/zfs/launchd.d/zpool-import-all.sh to not only import, but also automount the dataset, which also doesn't work, of course, because also that is run from a plist.

It seems that, what we want, needs to be done before launchd and I haven't been able to find a location for that. And even if you do, you probably won't be having keyboard interaction possible yet, at that time. The only way that I've been able to get anything to automount somewhere, was by using the keylocation=file:///x/y/z, of course, but of course that circumvents the purpose of the encryption pretty much, unless your key is on an APFS-encrypted drive, of course, albeit I'd wish I wouldn't need that either, but that is where the first plausible thing to try out seems to lie.

Have you found any better solutions, meanwhile? I'd love to hear about it.
0x42h
 
Posts: 2
Joined: Thu Nov 12, 2020 11:47 pm

Re: Auto-Mount native encrypted dataset on boot

Postby sir_brickalot » Fri Nov 13, 2020 1:07 am

No I didn't. With Catalina it got worse even:

Now I get a separate confirmation request to allow access to the keychain before terminal can access the keychain. But I didn't really look into it, yet.

And of course I get interrupted by all the other apps that reopen on reboot (partly expecting access to the still unmounted dataset).
Rebooting remotely via ssh is even more difficult.
sir_brickalot
 
Posts: 23
Joined: Tue Apr 11, 2017 11:13 am

Re: Auto-Mount native encrypted dataset on boot

Postby 0x42h » Wed Dec 02, 2020 11:35 am

Hey @sir_brickalot,

I was wondering, as an alternative; isn't there a way to use Core Storage encryption on boot instead and have a ZFS dataset on top of that, which is the root? Theoretically this would do the trick of having the dataset encrypted (although non-ZFS-native) with all the joy of ZFS, right?

I can't really find anything about having this setup, so I'm guessing it can't be done, but, can it, afayk?
0x42h
 
Posts: 2
Joined: Thu Nov 12, 2020 11:47 pm

Re: Auto-Mount native encrypted dataset on boot

Postby Sharko » Wed Dec 02, 2020 3:40 pm

You can find information on setting up ZFS on top of a FileVault encrypted volume here on the site: https://openzfsonosx.org/wiki/Encryption

It does seem to work for auto-mount if your boot drive is FileVault encrypted also - otherwise there seems to be a timing issue as far as the auto-import script being able to see the volume that has ZFS on it for importing.

Which brings up a little idea that I've been kicking around for a while, but haven't implemented yet: what if you stored the native ZFS key in a file on a FileVault-encrypted volume, and set up the key management property to look for that file? As opposed to the usual default of prompting for the passphrase on the command line. Presumably if that FileVault volume was also the boot disk it would be relatively safe to assume that it would be unlocked by the time the auto-import script went looking for the file, right?
Sharko
 
Posts: 239
Joined: Thu May 12, 2016 12:19 pm

Re: Auto-Mount native encrypted dataset on boot

Postby sir_brickalot » Wed Dec 02, 2020 11:54 pm

0x42h wrote:Hey @sir_brickalot,

I was wondering, as an alternative; isn't there a way to use Core Storage encryption on boot instead and have a ZFS dataset on top of that, which is the root? Theoretically this would do the trick of having the dataset encrypted (although non-ZFS-native) with all the joy of ZFS, right?

I can't really find anything about having this setup, so I'm guessing it can't be done, but, can it, afayk?


Yes that would be the alternative and that's how I managed before, but in my opinion native zfs encryption is preferable for several reasons: system-independent, less risk of layering problems, send/recv encrypted.
sir_brickalot
 
Posts: 23
Joined: Tue Apr 11, 2017 11:13 am

Re: Auto-Mount native encrypted dataset on boot

Postby sir_brickalot » Thu Dec 03, 2020 12:02 am

Sharko wrote:what if you stored the native ZFS key in a file on a FileVault-encrypted volume, and set up the key management property to look for that file?
I don't like the idea of saving passwords and keys anywhere in plain text. Isn't that bad practice?
sir_brickalot
 
Posts: 23
Joined: Tue Apr 11, 2017 11:13 am

Re: Auto-Mount native encrypted dataset on boot

Postby Sharko » Thu Dec 03, 2020 1:55 pm

My thinking was that the key file would be set readable only by root, so casual programs that don't run as root (say, Firefox) would not be able to view the key. When the machine is off, the file would be protected by FileVault. The auto-import script runs as root due to where it is stored, so it should be able to do its job. Or so goes my theory.
Sharko
 
Posts: 239
Joined: Thu May 12, 2016 12:19 pm

Re: Auto-Mount native encrypted dataset on boot

Postby FadingIntoBlue » Tue Dec 08, 2020 12:21 am

One way that hasn't been mentioned is to use the cool utility ZetaWatch. Kicks in a bit late in the boot cycle for user directories I suspect, but it is very straightforward to set up to mount encrypted datasets without any user interaction. Has an auto import setting, an Auto Unlock setting, and ability to load and unload keys on the fly. The key can be stored in keychain and referred from there. I keep my personal and media files on encrypted data sets which are unlocked and mounted before Finder has finished loading all the menu bar items.
FadingIntoBlue
 
Posts: 106
Joined: Tue May 27, 2014 12:25 am

Re: Auto-Mount native encrypted dataset on boot

Postby Bingo » Wed Jun 26, 2024 4:49 am

So have you guys managed this?

I've already been using a keyfile on the root of my filevaulted system drive for a while in High Sierra, so that I can do just
Code:
sudo zfs mount -al
or
Code:
sudo zpool import -l tank
and have the filesystems mount without needing a password prompt.

Now that I've switched to Sonoma, I discovered that the root is no longer writable, and so I couldn't put my /zfskey there. This led me to google, which led me here. I had forgotten how I set this up back in the day, so I already have a fix for that particular problem:

Code:
# note: the passphrase typed here also lands in the shell history; clear it afterwards
echo -n "MYPASSWORD" > tank-key # the -n is important, there must not be a newline (also therefore, don't use nano etc.)
sudo chown root:wheel tank-key
sudo mv tank-key /etc/zfs/
sudo chmod 0400 /etc/zfs/tank-key   # chmod, not chown: only root may read the key file
sudo zpool import tank
sudo zfs set keylocation=file:///etc/zfs/tank-key tank
sudo zfs mount -al


But now I'm curious as to how to get this to automount at boot, because I noticed in High Sierra that my encrypted pool would always need a `sudo zfs mount -al` after a reboot, while my non-encrypted pool would automount.

So yeah, if you got this to work, please share :)
Bingo
 
Posts: 18
Joined: Thu Mar 04, 2021 11:18 pm
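The key-file approach from Sharko's and Bingo's posts, and the keychain-fed mount from the first post, as an added example that is not code from this thread or from OpenZFS on OS X. It prepares the key file the way the posts describe while catching the two pitfalls raised above (a trailing newline in the file, and a key file readable by other users), and only loads the key when it is not already loaded. Path /etc/zfs/tank-key, dataset tank/dataset and the keychain item name are placeholders taken from the posts.

```shell
#!/bin/sh
# Added example (not the thread's code): prepare and verify a ZFS key file for
# keylocation=file://..., then load the key and mount idempotently.
set -u

# Write the passphrase read on stdin to $1: no trailing newline, mode 0400,
# created under umask 077 so it is never readable by other users, not even
# briefly. Runs in a subshell so the umask change does not leak to the caller.
write_keyfile() (
    keyfile=$1
    umask 077
    IFS= read -r pass || true         # also accepts input without a final newline
    printf '%s' "$pass" > "$keyfile"  # printf '%s' adds no newline (unlike echo)
    chmod 0400 "$keyfile"
)

# Verify $1 is usable as a key file: non-empty, no trailing newline, mode 0400.
check_keyfile() {
    keyfile=$1
    [ -s "$keyfile" ] || { echo "$keyfile: empty" >&2; return 1; }
    nl=$(tail -c 1 "$keyfile" | wc -l | tr -d ' ')   # 1 if last byte is a newline
    [ "$nl" -eq 0 ] || { echo "$keyfile: trailing newline" >&2; return 1; }
    case $(uname) in
        Darwin) mode=$(stat -f '%Lp' "$keyfile") ;;   # macOS stat
        *)      mode=$(stat -c '%a' "$keyfile") ;;    # GNU stat
    esac
    [ "$mode" = 400 ] || { echo "$keyfile: mode $mode, want 400" >&2; return 1; }
}

# Load the key and mount only when needed, so the script is safe to run
# repeatedly (e.g. from a login item). Needs the zfs tools and root.
ensure_mounted() {
    ds=$1
    if [ "$(zfs get -H -o value keystatus "$ds")" != available ]; then
        zfs load-key "$ds" || return 1
    fi
    [ "$(zfs get -H -o value mounted "$ds")" = yes ] || zfs mount "$ds"
}

# Typical use (as root), feeding the passphrase from the login keychain as in
# the first post instead of typing it on the command line:
#   security find-generic-password -a "$USER" -s KeychainItemName -w \
#       | write_keyfile /etc/zfs/tank-key
#   check_keyfile /etc/zfs/tank-key \
#       && zfs set keylocation=file:///etc/zfs/tank-key tank
#   ensure_mounted tank/dataset
```

If the verification fails, keylocation is left untouched, so a bad file never silently replaces the passphrase prompt.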
