zfs keylocation on server

Asked by René Georgi

We use 20.04 LTS on some clients in a professional environment.
Our security requirements mean that data must be encrypted on the client, so we use ZFS with native encryption and a raw key file.
It is necessary to have the key file on a server that is only reachable from the intranet.
For other distributions there are tutorials on how to set up such an environment:

```
zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey <pool/dataset>
```

On 20.04 this gives an error because keysource is not a recognised option.
Trying to load a key from the server also gives an error:

```
zfs load-key -n -L https://keys.example.com/mykey <pool/dataset>
```

results in: Key load error: Invalid keylocation.

How can zfs (version 0.8.3) not have the ability to load keys from a server?

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee
#1 actionparsnip (andrew-woodhead666) said:

#2 René Georgi (rene-georgi) said:

The article from Oracle only describes how it works on Solaris (and it should work the same way on CentOS).
The question is: why is ZFS on Ubuntu not able to load the key from a server?
You can read the man page for zfs on Ubuntu and search for 'keysource': there's nothing!

#3 Manfred Hampl (m-hampl) said:

The documents, e.g. https://openzfs.github.io/openzfs-docs/man/7/zfsprops.7.html, talk about the options `keylocation` and `keyformat`, and not about an option named `keysource`.

#4 René Georgi (rene-georgi) said:

The option keysource is mentioned in the article from Oracle (and also in some articles I found on the internet for CentOS).
The ZFS version used in Ubuntu lacks this option.
But if I use

```
zfs load-key -n -L https://keys.example.com/mykey <pool/dataset>
```

I get the error message: Key load error: Invalid keylocation.

So why is there an option in ZFS (on CentOS, ZFS version 0.8.0) that is not present in the Ubuntu version 0.8.3?

Or does someone have another solution for loading an encryption key from a server?

#5 Bernard Stafford (bernard010) said:

Loading a key will not automatically mount the dataset. If that functionality is desired, `zfs mount -l` will ask for the key and mount the dataset.
https://openzfs.github.io/openzfs-docs/man/8/zfs-load-key.8.html

Load keys for encrypted filesystems as they are being mounted. This is equivalent to executing `zfs load-key` on each encryption root before mounting it. Note that if a filesystem has keylocation=prompt, this will cause the terminal to interactively block after asking for the key.
https://openzfs.github.io/openzfs-docs/man/8/zfs-mount.8.html

#6 René Georgi (rene-georgi) said:

The question asked here is: why is ZFS on Ubuntu not able to load the encryption key from a server?
The option to do so is described in some documentation on the internet (for version 0.8.0 of ZFS).

We need to load the key from the server in our intranet, so if someone tries to decrypt the ZFS dataset and the client is not in our intranet, the key can't be loaded.

It is possible to load the key from the server via wget or curl, but that saves the key on the client, and that should not happen.

#7 James Vaughn (jmcvaughn) said:

Note that Solaris ZFS and ZFS on Linux (now OpenZFS) are unrelated (entirely separate codebases).

Just to copy a summarised version of the discussion between myself and René for the benefit of others:

I believe that you're looking at ZFS 2.x documentation as per [1]. Focal ships with ZFS 0.8 (the version that was stable at the time of Focal's freeze). Newer versions of Ubuntu do/will ship with newer versions of ZFS, and will thus gain support for this feature if their corresponding versions of ZFS have it.

In ZFS 0.8, the `keylocation` parameter only supports the keyword `prompt` or a file path beginning with `file://`. It doesn't appear to support any other identifier (e.g. `https://`).

You can instead use shell redirection to pass the key in to the commands via stdin, e.g. to create a dataset:

```
# -fsS: fail (with no body) on an HTTP error instead of feeding an error page to zfs as the key
sudo zfs create -o encryption=on -o keyformat=raw <pool/dataset> < <(curl -fsS https://keys.example.com/mykey)
```

Or to load a key:

```
sudo zfs load-key <pool/dataset> < <(curl -fsS https://keys.example.com/mykey)
```

This requires that `keylocation` is set to prompt. If you've not already got this set, for a dataset that already exists:

```
# To set it
sudo zfs set keylocation=prompt <pool/dataset>

# Or to inherit the setting from the parent, which is sometimes like resetting a preference to its defaults
sudo zfs inherit keylocation <pool/dataset>
```

Note that this method will not save the key locally, nor will it expose the key in the command (thus not in the command history, nor in `ps`, etc.).

[1] https://openzfs.github.io/openzfs-docs/man/7/zfsprops.7.html - search "keylocation"
[2] https://zfsonlinux.org/manpages/0.8.3/man8/zfs.8.html
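A worked version of the stdin approach from the answer above, added here as an example; it is not code from the thread or from the OpenZFS project. It fetches the key from the intranet server, checks that the body is exactly the 32 bytes a `keyformat=raw` key must be (so a failed or blocked request, or an HTML error page, cannot be mistaken for a key), and pipes it into `zfs load-key` without ever writing it to disk. The URL, CA bundle path and dataset name are placeholders, and the dataset is assumed to have `keyformat=raw` and `keylocation=prompt`:

```shell
#!/bin/bash
# Added example, not code from the thread: fetch a keyformat=raw key from an
# intranet HTTPS server and hand it to `zfs load-key` on stdin, so the key
# lives only in this process's memory and never touches the client's disk.
# KEY_URL, CA_BUNDLE and DATASET are hypothetical placeholders; DATASET is
# assumed to have keyformat=raw and keylocation=prompt.
set -eu

KEY_URL="${KEY_URL:-https://keys.example.com/mykey}"
CA_BUNDLE="${CA_BUNDLE:-/etc/ssl/certs/intranet-ca.pem}"
DATASET="${DATASET:-tank/secure}"

# Fetch the key body. -f makes curl exit non-zero with an empty body on HTTP
# errors instead of handing an HTML error page to zfs; --cacert pins the
# intranet CA so a look-alike server on a foreign network cannot supply a key;
# --max-time bounds the wait when the client is off the intranet.
fetch_key() {
    curl -fsS --max-time 10 --cacert "$CA_BUNDLE" "$KEY_URL"
}

# Shell variables cannot hold NUL bytes, which a random raw key may contain,
# so the key is kept base64-encoded while it is in memory. Prints the decoded
# length in bytes of the base64 string given as $1.
key_byte_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# A raw key is exactly 32 bytes. zfs rejects anything else, but checking here
# gives a clear message instead of a bare "Key load error" and catches an
# empty body from a failed or blocked request. Returns 0 only for a valid key.
validate_raw_key() {
    [ "$(key_byte_length "$1")" -eq 32 ]
}

load_key_from_server() {
    local key_b64
    # If curl fails, the pipeline yields an empty body, which the length check
    # below rejects, so no pipefail is needed.
    key_b64=$(fetch_key | base64 | tr -d '\n')
    if ! validate_raw_key "$key_b64"; then
        echo "refusing to load key: body from $KEY_URL is not 32 bytes" >&2
        return 1
    fi
    # keylocation=prompt makes zfs read the key from stdin. The pipe never
    # touches disk and the key is not on the command line, so it does not
    # appear in shell history or in ps output.
    printf '%s' "$key_b64" | base64 -d | zfs load-key "$DATASET"
    # Confirm the key is held in the kernel before trying to mount.
    [ "$(zfs get -H -o value keystatus "$DATASET")" = "available" ]
    zfs mount "$DATASET"
}

# Only act when explicitly asked, so the file can also be sourced for its
# functions (e.g. to exercise the length check on a machine without zfs).
if [ "${1:-}" = "load" ]; then
    load_key_from_server
fi
```

Run it as `sudo KEY_URL=https://keys.example.com/mykey DATASET=tank/secure ./load-key.sh load`; the `load` argument is the only thing that triggers the fetch. Pinning the intranet CA with `--cacert` matters most on the create path of the answer above: a dataset created with a key that an impostor server supplied is readable by whoever runs that server, whereas on the load path a wrong key simply fails.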
