From owner-freebsd-stable@freebsd.org  Sat May 16 09:51:52 2020
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1C2E72EBF76
 for <freebsd-stable@mailman.nyi.freebsd.org>;
 Sat, 16 May 2020 09:51:52 +0000 (UTC)
 (envelope-from thomas.e.zander@googlemail.com)
Received: from mailman.nyi.freebsd.org (unknown [127.0.1.3])
 by mx1.freebsd.org (Postfix) with ESMTP id 49PLCW6BBVz4C73
 for <freebsd-stable@freebsd.org>; Sat, 16 May 2020 09:51:51 +0000 (UTC)
 (envelope-from thomas.e.zander@googlemail.com)
Received: by mailman.nyi.freebsd.org (Postfix)
 id D44662EBF75; Sat, 16 May 2020 09:51:51 +0000 (UTC)
Delivered-To: stable@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id D41132EBF74
 for <stable@mailman.nyi.freebsd.org>; Sat, 16 May 2020 09:51:51 +0000 (UTC)
 (envelope-from thomas.e.zander@googlemail.com)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com
 [IPv6:2607:f8b0:4864:20::1033])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 49PLCV6hrFz4C6y;
 Sat, 16 May 2020 09:51:50 +0000 (UTC)
 (envelope-from thomas.e.zander@googlemail.com)
Received: by mail-pj1-x1033.google.com with SMTP id s69so2091210pjb.4;
 Sat, 16 May 2020 02:51:50 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
 bh=P51cK4wd0p2l07W1WdRUD8r4yagmq+q5Xsg5v/VwF+g=;
 b=MuD7IkuuvdK3wf6cAix2xvQvq7FghFEKM+1t5V9sKtzmrGvhjD4joPUodWglyTg9bf
 xzCX8FgcLXe134RyGIBYQuqPWE0VHVQ88HCFWbPljZQjQP90JVRJs4qfDyvTOVnBQ6E5
 +tzUCx5S95oCmc/RI/LlWeoTbU63SUyZusI56nO6Je6EvgHSK4AstLltOIDx/P4wlsKV
 o3/Up6/l9+664LAIS/7PLOE2Rb72nE1oLPN9cQfvxKNdQ6MyoWCFCQ8PJ6r0Pe8vyshD
 i48y2NbT/AlPpQs5V0I336pS/sCBA2P9tXjh873dxE1Kj9qP1hU9QWZwZm+FcXAYPTWb
 ajMQ==
X-Gm-Message-State: AOAM531+ItAxRV2KjWs19PXIP92Ai6ln+djLiUbXQWfK8I0RNvZySIvY
 WGjxT+d/+EghsxHkiFJtUcM5vd+6wQwunK6AGPfe6dO5HCg=
X-Google-Smtp-Source: ABdhPJy7HwEMrVoS3VYKXgWoRYlem5v6b3YdZQ45vWLyw9tvyp8c6zJ0wkfNtwJyuoolQBss+TV3h6D+ie+LMvPoXwU=
X-Received: by 2002:a17:90a:2949:: with SMTP id
 x9mr7452246pjf.99.1589622708801; 
 Sat, 16 May 2020 02:51:48 -0700 (PDT)
MIME-Version: 1.0
From: Thomas Zander <thomas.e.zander@googlemail.com>
Date: Sat, 16 May 2020 11:51:22 +0200
Message-ID: <CAFU734wh-2MtqF3XUbCwE5wbCLDhdWqtSsJWUdL4i4hgJvS62A@mail.gmail.com>
Subject: State of encrypted-almost-everything on ZFS in 2020
To: stable@freebsd.org
Cc: allanjude@freebsd.org
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 49PLCV6hrFz4C6y
X-Spamd-Bar: --
X-Spamd-Result: default: False [-3.00 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 R_DKIM_ALLOW(-0.20)[googlemail.com:s=20161025];
 FROM_HAS_DN(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c];
 FREEMAIL_FROM(0.00)[googlemail.com];
 MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; IP_SCORE_FREEMAIL(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[];
 IP_SCORE(0.00)[ip: (-9.57), ipnet: 2607:f8b0::/32(-0.33), asn: 15169(-0.42),
 country: US(-0.05)]; DKIM_TRACE(0.00)[googlemail.com:+];
 RCPT_COUNT_TWO(0.00)[2];
 RCVD_IN_DNSWL_NONE(0.00)[3.3.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.b.8.f.7.0.6.2.list.dnswl.org
 : 127.0.5.0]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US];
 TAGGED_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 09:51:52 -0000

Hi,

can the following be done these days?
- Encrypted ZFS root pool on RAID-Z
- Supply the key for the encrypted root pool during boot via USB thumb drive
  - No keyboard is attached to the machine
  - No /boot on the thumb drive, just the key
- I don't mind if /boot is encrypted or not (the use case is not to
protect against nation state attackers)
- Bonus points if I can use bectl

Every single posting regarding this topic I can find always comes down to either
a) One needs /boot on the thumb drive, or
b) One uses a keyboard and supplies a passphrase instead of a keyfile.

I'd like to have a setup where essentially nothing is stored on the
USB drive except the keyfile.

Thank you and best regards
Riggs