
Unlock ZFS Datasets with Shavee during boot #16

Open
marcaddeo opened this issue Sep 21, 2021 · 8 comments

Comments

@marcaddeo

I'm using Shavee to unlock a ZFS dataset as part of my boot process, and thought I'd share how I'm doing it:

/etc/systemd/system/zfs-shavee-unlock@.service

```ini
[Unit]
Description=Unlock ZFS Dataset %I with Shavee
DefaultDependencies=no
Before=systemd-user-sessions.service
Before=zfs-mount.service
After=zfs-import.target
After=systemd-vconsole-setup.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/sh -c 'set -eu; \
    keystatus="$$(/sbin/zfs get -H -o value keystatus "%I")"; \
    [ "$$keystatus" = "unavailable" ] || exit 0; \
    count=0; \
    while [ $$count -lt 3 ]; do \
        systemd-ask-password --id="zfs:%I" "Enter passphrase for %I" | shavee -y -s 1 -z "%I" && exit 0; \
        count=$$((count + 1)); \
    done; \
    exit 1'
ExecStop=/bin/sh -c 'set -eu; \
    keystatus="$$(/sbin/zfs get -H -o value keystatus "%I")"; \
    [ "$$keystatus" = "available" ] || exit 0; \
    /sbin/zfs unload-key "%I"'

[Install]
WantedBy=zfs-mount.service
```

I'm using Slot 1 for HMAC challenges on my YubiKey, so you may need to alter the Shavee command if you're using a different slot.

Then just enable the service for your encrypted pool, e.g. to unlock zroot/data you'd do `systemctl enable zfs-shavee-unlock@zroot-data`.

@kiavash-at-work
Contributor

This is great. I suggest updating the README and adding this method as a separate section.

BTW, is there a way to also pass the shavee arguments (like -y -s 1 in this case) during the systemctl enable command? That would make it possible to write a single systemd service for all the supported combinations.

@marcaddeo
Author

There's no easy way to do that as far as I know. You can pass an "instance" to a systemd service with the @ convention. It will convert hyphens to slashes. So you'd have to figure out a way to encode the Shavee options, a separator, and the dataset name.

@ashuio
Owner

ashuio commented Sep 22, 2021

I think we can try using configuration files with systemd services.
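One way to give each dataset its own shavee options from a configuration file without changing shavee's command line, as an added example that is not part of shavee, of the unit posted above, or of this thread: a small POSIX sh wrapper that the unit calls with `%I`. It keeps the keystatus check and the bounded retry loop from the unit in named functions, and reads the shavee arguments from a per-dataset file. The script path `/usr/local/sbin/zfs-shavee-unlock`, the config directory `/etc/shavee`, the one-line file format and the fallback arguments `-y -s 1` are assumptions of this example; the external commands are variables so the logic can be exercised with stubs.

```sh
#!/bin/sh
# zfs-shavee-unlock: added example wrapper (not part of shavee or of the unit in this issue).
# Called by the unit as:  ExecStart=/usr/local/sbin/zfs-shavee-unlock %I
# Per-dataset shavee arguments live on the first line of $CONF_DIR/<dataset>.conf, where '/' in
# the dataset name is written as '-' (the same escaping systemd applies to %i), e.g.
#   /etc/shavee/zroot-data.conf  containing  -y -s 1
set -eu

# External commands are variables so a test can substitute stubs; the defaults are assumptions.
ZFS="${ZFS:-/sbin/zfs}"
SHAVEE="${SHAVEE:-shavee}"
ASK_PASSWORD="${ASK_PASSWORD:-systemd-ask-password}"
CONF_DIR="${CONF_DIR:-/etc/shavee}"
DEFAULT_SHAVEE_ARGS="-y -s 1"   # the YubiKey slot-1 options used in the issue
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"

# Config file path for a dataset. Like %I, this cannot tell a '-' in a dataset name from a '/'.
conf_path() {
    printf '%s/%s.conf\n' "$CONF_DIR" "$(printf '%s' "$1" | tr '/' '-')"
}

# Print the shavee arguments for a dataset: first line of its config file, else the default.
# The file is read, not sourced, so a stray line in it cannot run as shell code.
load_args() {
    cfg="$(conf_path "$1")"
    if [ -r "$cfg" ]; then
        head -n 1 "$cfg"
    else
        printf '%s\n' "$DEFAULT_SHAVEE_ARGS"
    fi
}

# True only when the dataset is encrypted and its key is not loaded. Unencrypted datasets
# report '-' and already-unlocked ones 'available'; both are left alone, as in the unit.
needs_unlock() {
    [ "$("$ZFS" get -H -o value keystatus "$1")" = "unavailable" ]
}

# Prompt for the passphrase at most MAX_ATTEMPTS times. The passphrase travels over the pipe,
# never on the shavee command line, so it does not appear in the process list.
unlock_dataset() {
    ds="$1"
    args="$(load_args "$ds")"
    if ! needs_unlock "$ds"; then
        return 0
    fi
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        # $args is deliberately unquoted so "-y -s 1" becomes three separate arguments.
        # shellcheck disable=SC2086
        if "$ASK_PASSWORD" --id="zfs:$ds" "Enter passphrase for $ds" | "$SHAVEE" $args -z "$ds"; then
            return 0
        fi
        attempt=$((attempt + 1))
    done
    return 1
}

# Script entry point: one argument, the dataset name handed over by systemd as %I.
if [ "$#" -eq 1 ]; then
    unlock_dataset "$1"
fi
```

With the script installed, the unit's ExecStart line shrinks to `ExecStart=/usr/local/sbin/zfs-shavee-unlock %I`, the ExecStop line stays as posted, and switching a dataset to another slot is a one-line change in its config file rather than an edit to the unit. The script exits non-zero after three failed attempts, so systemd records the unit as failed instead of looping on the prompt.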

@kiavash-at-work
Contributor

To implement config files in addition to arguments, there is clap_conf; however, it is very thin on documentation.

@marcaddeo
Author

Config files seem like a good idea!

@kiavash-at-work
Contributor

This task is gated by clap_conf to support Clap 3.

@kiavash-at-work
Contributor

As I mentioned in #20,

... it seems that clap_conf is not updated for clap 3.0. Looking for a replacement, marioortizmanero/structconf feels like a good candidate for this task.
