[Manjaro-Architect] Use ZFS with encryption

Hey there,
I would like to know if anyone got ZFS on Root with encryption to work (LUKS or ZFS in-house encryption).

I have tried it several times in the past days, either creating my own zpool with all options and toggles I could find, or creating a LUKS partition and installing zfs on top, but there was no setup that booted.

With LUKS I got grub to boot, only to be prompted with the error that the kernel modules are not loaded.
If I type modprobe zfs it does work. So I assumed that it is only a matter of adding two strings in /etc/default/grub or /boot/grub/grub.conf. But I could not find anything.

With ZFS in "standard mode" I got it to boot successfully, but I need encryption. Since the CLI does not seem to support it, I tried creating a zpool with encryption key, etc. and adding datasets as suggested by several (ArchLinux) articles about ZoR, or only creating the zpool and then creating the datasets via the setup tool. This resulted in a grub error, where grub is unable to understand the filesystem.

What I tried:

zpool create -f -o ashift=12 -O acltype=posixacl -O relatime=on -O xattr=sa -O dnodesize=legacy -O normalization=formD -O mountpoint=none -O canmount=off -O devices=off -R /mnt -O compression=lz4 -O encryption=aes-256-gcm -O keyformat=passphrase -O keylocation=prompt -d -o feature@allocation_classes=enabled -o feature@async_destroy=enabled -o feature@bookmarks=enabled -o feature@embedded_data=enabled -o feature@empty_bpobj=enabled -o feature@enabled_txg=enabled -o feature@extensible_dataset=enabled -o feature@filesystem_limits=enabled -o feature@hole_birth=enabled -o feature@large_blocks=enabled -o feature@lz4_compress=enabled -o feature@project_quota=enabled -o feature@resilver_defer=enabled -o feature@spacemap_histogram=enabled -o feature@encryption=enabled -o feature@spacemap_v2=enabled -o feature@userobj_accounting=enabled -o feature@zpool_checkpoint=enabled  tank /dev/nvme0n1p3

zfs create -o mountpoint=none tank/data
zfs create -o mountpoint=none tank/ROOT
zfs create -o mountpoint=/ -o canmount=noauto tank/ROOT/default
zfs create -o mountpoint=/home tank/data/home
zfs create -o mountpoint=/root tank/data/home/root

zpool set bootfs=tank/ROOT/default tank

I hope someone can help :smiley:

Thanks in advance!

Our zfs expert @dalto is taking a break, so it might take a while.

This seems to be the most relevant section. Using luks instead of the native zfs encryption might be more reliable.

So, after installing zfs on luks, check that mkinitcpio.conf has the hooks keyboard encrypt zfs and grub has the right parameters, something like

cryptdevice=UUID=device-UUID:cryptroot root=/dev/mapper/<zfs-root-volume>

It is possible that manjaro-architect doesn't set those parameters properly automatically.

See also:

Caveat emptor, I know next to nothing about zfs.
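The two things the reply above asks to check (the hook order in mkinitcpio.conf and the cryptdevice/root pair on the grub command line) can be verified before rebooting. The following is an added example, not part of this thread and not manjaro-architect's own code; the config files it reads are constructed samples written to a temporary directory, and the UUID in them is a placeholder.

```shell
#!/bin/sh
# Added example: sanity-check mkinitcpio HOOKS order and the grub cmdline
# for a LUKS-backed zfs root. Constructed sample files, not real system config.

# hooks_ordered FILE: succeed if the HOOKS line lists keyboard, encrypt and
# zfs in that relative order (keyboard before encrypt before zfs).
hooks_ordered() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    [ -n "$hooks" ] || return 1
    pos_kb=0; pos_enc=0; pos_zfs=0; i=0
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            keyboard) pos_kb=$i ;;
            encrypt)  pos_enc=$i ;;
            zfs)      pos_zfs=$i ;;
        esac
    done
    [ "$pos_kb" -gt 0 ] && [ "$pos_enc" -gt "$pos_kb" ] && [ "$pos_zfs" -gt "$pos_enc" ]
}

# grub_has_cryptroot FILE: succeed if GRUB_CMDLINE_LINUX carries
# cryptdevice=UUID=<uuid>:<name>[:options] and root=/dev/mapper/<name>
# with the same mapper name on both sides.
grub_has_cryptroot() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1")
    name=""; root=""
    for kv in $cmdline; do
        case "$kv" in
            cryptdevice=UUID=*:*)
                name=${kv#cryptdevice=UUID=*:}   # drop up to the first ':'
                name=${name%%:*} ;;              # drop trailing :allow-discards etc.
            root=/dev/mapper=*) ;;
            root=/dev/mapper/*)
                root=${kv#root=/dev/mapper/} ;;
        esac
    done
    [ -n "$name" ] && [ "$name" = "$root" ]
}

# Constructed samples (assumption: a placeholder UUID, not a real device).
tmp=$(mktemp -d)
cat > "$tmp/mkinitcpio.good" <<'EOF'
MODULES=()
HOOKS=(base udev autodetect modconf block keyboard encrypt zfs filesystems)
EOF
cat > "$tmp/mkinitcpio.bad" <<'EOF'
HOOKS=(base udev autodetect modconf block filesystems keyboard)
EOF
cat > "$tmp/grub.good" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=UUID=PLACEHOLDER-UUID:cryptroot:allow-discards root=/dev/mapper/cryptroot"
EOF
cat > "$tmp/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX="quiet"
EOF

# report LABEL FILE CHECK: print PASS/FAIL for one file.
report() {
    if "$3" "$2"; then echo "PASS $1"; else echo "FAIL $1"; fi
}
report "hooks (good sample)" "$tmp/mkinitcpio.good" hooks_ordered
report "hooks (bad sample)"  "$tmp/mkinitcpio.bad"  hooks_ordered
report "grub (good sample)"  "$tmp/grub.good"       grub_has_cryptroot
report "grub (bad sample)"   "$tmp/grub.bad"        grub_has_cryptroot
```

Point the two functions at /etc/mkinitcpio.conf and /etc/default/grub instead of the samples to check a real install; a FAIL on either means the initramfs or grub-mkconfig step still needs the change the reply describes.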

Using zfs on top of luks was the way to go when zfs did not support native encryption. But this is obsolete nowadays. zfs should always own the full device/partition without any luks layer in between to take full advantage of all its healing capabilities.

That said, I am afraid I cannot help much with your problem. I am using zfs encryption on all my zfs pools. But I do not have zfs on ROOT.

Thank you! :smiley:

I wasn't even looking at mkinitcpio.conf.

After adding the hooks and the cryptdevice and adding some /sbin/modprobe zfs in the hooks/zfs file of mkinitcpio I got it to boot sort of properly. (I have to input my password twice, at two points, for the cryptodisk, but this is not that huge of an issue to me.)

Even though this version (with LUKS) works, I do prefer zfs with native encryption.
So if anyone has a clue or the zfs expert is back I would love to hear back from them :smiley:

Do you have linux56-zfs extramodule installed?

Hey, I do not know which type of source linux56-zfs came from. I did just sudo pacman -Sy linux56-zfs and /sbin/modprobe zfs before executing setup.

Or what did you mean? :smiley:
