ZFS mirror on encrypted drives on Ubuntu 18.04
Here’s how you set up a two-disk mirror ZFS pool on top of two LUKS encrypted hard drives. I’m working off Ubuntu 18.04 Beta. This configuration uses a keyfile to unlock the drives at boot, so the zpool mounts seamlessly. If you care about security, keep the keyfile either on a drive that is encrypted at rest (like a LUKS encrypted boot drive) or on a removable USB stick.
For this post I’m going to assume the two drives you want to dedicate to your zpool are /dev/sdd and /dev/sde. Check which drives you want to use by typing sudo lsblk in the terminal and confirming they are the drives you want. If you get it wrong, you’ll lose all the data on the incorrectly identified drive.
Elevate to root
sudo su
Encrypt the drives
apt-get install cryptsetup
cryptsetup -y -v luksFormat /dev/sdd
Enter a passphrase - make it strong!
Repeat with the second drive -
cryptsetup -y -v luksFormat /dev/sde
Open the encrypted partitions
cryptsetup luksOpen /dev/sdd NAS1
cryptsetup luksOpen /dev/sde NAS2
These opened LUKS volumes are now at /dev/mapper/NAS1 and /dev/mapper/NAS2.
Create the ZFS mirror on top of the open LUKS volumes
apt-get install zfsutils-linux
Make a mountpoint for the ZFS mirror at the root of the filesystem. I’ve called my folder /NAS
mkdir /NAS
Create a ZFS mirror that mounts at /NAS
zpool create NAS mirror /dev/mapper/NAS1 /dev/mapper/NAS2
Check that all is well
zpool status NAS
Set up the LUKS volumes to mount at boot
Create a keyfile of random data, 4 KiB in size. Save it wherever you want, and make sure only root can read it. I’ve saved mine to /root/masterkey.
dd if=/dev/urandom of=/root/masterkey bs=512 count=8
I don’t mind saving it to my root filesystem because I set up my machine with full-disk encryption. If your root filesystem is not encrypted, this is a silly place to save it - save it instead to a removable USB stick that you can separate from the computer after boot.
sudo cryptsetup -v luksAddKey /dev/sdd /root/masterkey
sudo cryptsetup -v luksAddKey /dev/sde /root/masterkey
Verify everything works
First, create a file in the zpool -
touch /NAS/ZFS_test_file
Check that it’s there -
ls -l /NAS/
Output -
-rw-r--r-- 1 root root 0 Mar 20 19:35 ZFS_test_file
Now unmount the ZFS mirror -
zpool export NAS
Check that the mountpoint is gone -
ls -l /NAS/
Output -
ls: cannot access '/NAS': No such file or directory
Close the LUKS encrypted partitions -
cryptsetup -v luksClose NAS1
cryptsetup -v luksClose NAS2
Check that the mappings are gone -
lsblk
Output -
sdd 8:48 0 3.7T 0 disk
sde 8:64 0 3.7T 0 disk
Now try mounting everything again -
cryptsetup luksOpen /dev/sdd NAS1 --key-file=/root/masterkey
cryptsetup luksOpen /dev/sde NAS2 --key-file=/root/masterkey
Output -
Command successful.
Check all is well -
lsblk
Output -
sdd 8:48 0 3.7T 0 disk
└─NAS1 253:4 0 3.7T 0 crypt
sde 8:64 0 3.7T 0 disk
└─NAS2 253:5 0 3.7T 0 crypt
Import the zpool -
zpool import NAS
Check all is well -
zpool status NAS
Output -
pool: NAS
state: ONLINE
scan: resilvered 36K in 0h0m with 0 errors on Tue Mar 20 19:42:34 2018
config:
NAME STATE READ WRITE CKSUM
NAS ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
NAS1 ONLINE 0 0 0
NAS2 ONLINE 0 0 0
Finally, check that the file is still there -
ls -l /NAS
Output -
-rw-r--r-- 1 root root 0 Mar 20 19:35 ZFS_test_file
Make the LUKS formatted partitions mount at boot
Automatically unlock the volumes.
Get the /dev/sdd and /dev/sde UUIDs -
cryptsetup luksDump /dev/sdd | grep "UUID"
cryptsetup luksDump /dev/sde | grep "UUID"
Output -
UUID: caf8ae81-ed7d-419d-b8b9-3890aee5afad
UUID: d9f321e9-d644-447a-94a5-43e33db48506
Now open /etc/crypttab
nano /etc/crypttab
# there may be other entries here, put yours at the next line
NAS1 UUID=caf8ae81-ed7d-419d-b8b9-3890aee5afad /root/masterkey luks
NAS2 UUID=d9f321e9-d644-447a-94a5-43e33db48506 /root/masterkey luks
Save and exit.
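As an added example (not part of the original post), the shell script below builds the crypttab line used above from cryptsetup luksDump output and checks that the keyfile from the dd step is 4096 bytes and readable only by its owner. The function names crypttab_line and check_keyfile, and the luksDump excerpt it feeds itself, are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical helper names.
# crypttab_line: turn `cryptsetup luksDump` output (on stdin) into the
# "<name> UUID=<uuid> <keyfile> luks" line the post puts in /etc/crypttab.
crypttab_line() {
    name="$1"
    keyfile="$2"
    # luksDump prints "UUID:           <uuid>"; take the second field
    uuid=$(awk '/^UUID:/ { print $2; exit }')
    # Refuse anything that is not an 8-4-4-4-12 hex UUID, so a garbled or
    # empty dump never yields a half-formed entry that would break boot
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "no LUKS UUID found for $name" >&2
        return 1
    fi
    printf '%s UUID=%s %s luks\n' "$name" "$uuid" "$keyfile"
}

# check_keyfile: the keyfile from `dd ... bs=512 count=8` must be a regular
# file of exactly 4096 bytes that only its owner can read (mode 400 or 600);
# a world-readable keyfile hands the disk key to every local user.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 4096 ] || { echo "$f: $size bytes, expected 4096" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$f: mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# Stand-alone demo on constructed input: a luksDump excerpt carrying the
# UUID quoted in the post (not captured from a real drive) and a throwaway keyfile.
demo() {
    printf 'LUKS header information for /dev/sdd\n\nVersion:\t1\nUUID:\t\tcaf8ae81-ed7d-419d-b8b9-3890aee5afad\n' \
        | crypttab_line NAS1 /root/masterkey
    tmp=$(mktemp)
    dd if=/dev/urandom of="$tmp" bs=512 count=8 2>/dev/null
    chmod 400 "$tmp"
    check_keyfile "$tmp" && echo "keyfile OK: $tmp"
    rm -f "$tmp"
}
demo
```

Run it as root against your real devices by piping `cryptsetup luksDump /dev/sdd` into crypttab_line and pointing check_keyfile at /root/masterkey before you reboot.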
Test -
sudo cryptdisks_start NAS1
sudo cryptdisks_start NAS2
zpool import NAS
Finally, reboot and see if your NAS file persists across reboots.
If all went well, you have successfully set up a two-disk ZFS mirror on top of two LUKS encrypted volumes that unlock automatically at boot.