From: Thomas Zander
Date: Sat, 16 May 2020 11:51:22 +0200
Subject: State of encrypted-almost-everything on ZFS in 2020
To: stable@freebsd.org
Cc: allanjude@freebsd.org

Hi,

can the following be done these days?

- Encrypted ZFS root pool on RAID-Z
- Supply the key for the encrypted root pool during boot via USB thumb drive
- No keyboard is attached to the machine
- No /boot on the thumb drive, just the key
- I don't mind if /boot is encrypted or not (the use case is not to protect against nation state attackers)
- Bonus points if I can use bectl

Every single posting regarding this topic I can find always comes down to either
a) One needs /boot on the thumb drive, or
b) One uses a keyboard and supplies a passphrase instead of a keyfile.

I'd like to have a setup where essentially nothing is stored on the USB drive except the keyfile.

Thank you and best regards
Riggs