Open sotiris-bos opened 2 years ago
Hi
Booster does not support SSH for remote unlocking. It is a large and complex protocol. Instead, booster supports the Tang/EMCR protocol, which is much simpler and easier (and does not expose a remote shell). See https://github.com/anatol/booster/issues/24
But the first step here would be implementing ZFS encryption support with a keyfile stored in the image. That's something I need to look at first.
The next step would be to implement handling this file as clevis-encrypted data.
Once it is implemented, you can easily add different locking policies for your ZFS dataset, e.g.:
Hello, this is not an issue but a question/request.
Is there a way to enable SSH to remotely unlock an encrypted ZFS root at boot? I could not find any related documentation.
Something like this dracut module but for booster: https://github.com/gsauthof/dracut-sshd
Thanks