ZFS - natively encrypted + ssh unlock


I would like to achieve the following setup:

/dev/sda -> ZFS -> rpool -> arch linux dataset (encrypted)
Also on the rpool: a zvol, which would be LUKS-encrypted and contain a filesystem with a key for the encrypted dataset/datasets.

Booting would look like:

1. Boot grub (or systemd-boot or anything else)
2. Importing the rpool, creating the block device for the LUKS zvol
3. Starting LAN connection sshd/dropbear
4. Prompting for password/allowing ssh connection to unlock the LUKS zvol and mount it
5. Load the key for encrypted dataset(s) from the LUKS filesystem, then ideally closing the LUKS
6. Mount the encrypted dataset as / (+ any other)
7. Boot into it.

Has anyone done something similar/can share a guide? The wiki does not exactly cover the steps…

Many thanks…
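
The boot sequence listed in the post above, sketched as an added example that is not part of the original thread: a POSIX shell function meant to be run in the initramfs (on the console or from the dropbear SSH session) once networking is up. The zvol name `rpool/keyvol`, the dataset `rpool/ROOT/arch`, the key file `rpool.key`, the mount points `/run/keyfs` and `/new_root`, and the `unlock` argument are assumptions; only `rpool` comes from the post.

```shell
#!/bin/sh
# Added example: initramfs unlock sequence for the layout in the question.
# Assumed names (not from the thread): zvol rpool/keyvol, dataset rpool/ROOT/arch,
# key file rpool.key, mount point /run/keyfs, new root /new_root.
POOL=rpool
KEYVOL="$POOL/keyvol"
ROOTFS="$POOL/ROOT/arch"
MAPPER=keyvol
KEYMNT=/run/keyfs
KEYFILE="$KEYMNT/rpool.key"
NEWROOT=/new_root

# With DRY_RUN=1 each command is printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# True if the pool was already imported (e.g. by an initramfs zfs hook).
pool_imported() {
    [ "${DRY_RUN:-0}" != 1 ] && zpool list "$POOL" >/dev/null 2>&1
}

# Unmount the key filesystem and close LUKS so the key file is unreachable
# once the system is up; the loaded key stays in kernel memory.
close_keyvol() {
    run umount "$KEYMNT"
    run cryptsetup close "$MAPPER"
}

unlock_root() {
    # -N: import without mounting any dataset.
    pool_imported || run zpool import -N "$POOL" || return 1
    run udevadm settle    # wait for /dev/zvol/... to appear
    # Prompts for the LUKS passphrase on the console or SSH session.
    run cryptsetup open "/dev/zvol/$KEYVOL" "$MAPPER" || return 1
    run mkdir -p "$KEYMNT"
    if ! run mount -o ro,nodev,nosuid,noexec "/dev/mapper/$MAPPER" "$KEYMNT"; then
        run cryptsetup close "$MAPPER"
        return 1
    fi
    rc=0
    # -L overrides the dataset's keylocation property for this load only.
    run zfs load-key -L "file://$KEYFILE" "$ROOTFS" || rc=$?
    close_keyvol    # runs whether or not the key loaded
    [ "$rc" -eq 0 ] || return 1
    # zfsutil is needed when the dataset's mountpoint is not "legacy".
    run mount -t zfs -o zfsutil "$ROOTFS" "$NEWROOT"
}

case "${1:-}" in unlock) unlock_root ;; esac
```

Setting `DRY_RUN=1` prints the command sequence without touching the pool, which is a cheap way to review the order (key loaded, LUKS closed, then root mounted) before building it into an initramfs.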


Oh boy, just use BTRFS; then you can use Full Disk Encryption as opposed to Data At Rest Root. BTRFS in my opinion is more feature-rich, compatible, and easy. If you want ZFS, you're gonna have a fun day. Remember ZFS is a BSD standard, not Linux, so finding all the steps may be hard, as Arch CAN have it if you either get the packages from the AUR or edit the pacman.conf file to include the unofficial repository, but it's not supported on Arch as far as I'm aware due to it being unofficial, so you likely won't get much help on this forum, except maybe a few off-site links that are on you to figure out. But here's a hint: go to the Artix Wiki, and I think Artix & Void have a full guide, come to think of it. Not posting the link cuz I don't wanna get in trouble. Also, FreeBSD's, OpenBSD's, GhostBSD's & Gentoo's wikis all have documentation as well. Just remember GRUB isn't fully compatible with LUKS2 & ZFS isn't compatible with full encryption, just partial and only for the root as well, not home or any other volumes you may wanna encrypt. Good luck.

Edit: found this for you. It's the closest to a full guide I could find, and specifically for Arch and systemd systems, if you still need a good detailed step-by-step guide that is: … 928860fbb5

