Zfs: Question: Any plans for supporting keylocation=https://

Created on 5 Feb 2020 · 3 Comments · Source: openzfs/zfs

I tried to implement a system where ZFS gets the encryption key from a local HTTP server (as described in the official Oracle docs), but creating it using zfs create -o encryption=on -o keylocation=https://mykeyserver/keyforthisserver -o keyformat=raw data/enc fails with

cannot create 'data/enc2': invalid keylocation

Are there any plans on implementing it? For now I'll just mount the key via NFS and use the file:///path method.

Feature

All 3 comments

Yes, this functionality is planned. There's an initial patch for FreeBSD which uses libfetch. It needs to be adapted for Linux to use libcurl or another library.

Perhaps it should be noted that zfs-load-key will accept a key piped from stdout, so you can use curl to direct its output to a pipe to achieve a similar result. I use something similar (smbget) and a systemd service to load the keys when the network is up.

Excuse me, I'm not sure this works for raw keys, but it does work for passphrases with the keylocation set to "prompt."
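
The workaround described in the comments above (fetch the key with curl and pipe it to zfs load-key), written out as an added example that is not part of the original thread or of OpenZFS. It assumes a dataset with keyformat=passphrase and keylocation=prompt, the case reported to work above; the function name load_key_over_https and any URL passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: fetch a ZFS passphrase over HTTPS and hand it to
# `zfs load-key` on stdin. URL and dataset are supplied by the caller.

# load_key_over_https URL DATASET
# Assumes DATASET was created with keyformat=passphrase.
load_key_over_https() {
    url=$1
    dataset=$2

    # Refuse anything but https:// before touching the network.
    case $url in
        https://*) ;;
        *) echo "refusing non-HTTPS key URL" >&2; return 2 ;;
    esac

    # --fail: an HTTP error page must never be used as key material.
    # --proto/--proto-redir: no downgrade to http:// via a redirect.
    # The key is held in a shell variable only; nothing is written to disk.
    key=$(curl --fail --silent --show-error \
               --proto '=https' --proto-redir '=https' \
               --max-time 15 "$url") || {
        echo "key fetch failed for $dataset" >&2
        return 1
    }

    # ZFS passphrases are 8 to 512 bytes long; ${#key} is a sanity check
    # that catches an empty or truncated reply (exact for ASCII keys).
    if [ "${#key}" -lt 8 ] || [ "${#key}" -gt 512 ]; then
        unset key
        echo "key server reply has implausible length" >&2
        return 1
    fi

    # printf is a shell builtin, so the key never appears in a process
    # argument list. -L prompt makes zfs read the key from stdin.
    printf '%s\n' "$key" | zfs load-key -L prompt "$dataset"
    rc=$?
    unset key
    return "$rc"
}

# Run only when called with both arguments, e.g. from a systemd unit
# ordered after network-online.target.
if [ "$#" -eq 2 ]; then
    load_key_over_https "$1" "$2"
fi
```

Checking curl's exit status before zfs is started means a failed or redirected fetch never reaches zfs load-key as input.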
