Mandos with ZFS native encryption

Tomas tomas at fritiofson.se
Mon Jul 24 00:59:49 CEST 2023


After some investigation I found that the "zfsunlock" script that gets invoked in the initramfs stage actually executes "systemd-ask-password".

This is the script:
https://github.com/openzfs/zfs/raw/master/contrib/initramfs/zfsunlock

The systemd-ask-password output is piped into the 'zfs load-key "$zfs_fs_name"' command. I created a systemd service and a systemd path file to get password-agent started.

# Systemd .service file at /etc/systemd/system (password-agent.service)
[Unit]
Description=Start Mandos password-agent
[Service]
# systemd resolves a bare command name via its fixed search path;
# use an absolute path if your systemd version does not
ExecStart=password-agent

# Systemd .path file at /etc/systemd/system
[Unit]
Description=Monitor the systemd ask-password directory for questions
[Path]
# systemd-ask-password creates its ask.* files under /run, not /etc
PathExistsGlob=/run/systemd/ask-password/ask.*
Unit=password-agent.service

At boot I see plugin-runner is started, and then the password prompt shows up, but nothing happens. I also tried DirectoryNotEmpty instead of PathExistsGlob.

To make sure the network setup is correct, I tried before with the same Mandos server and the same client computer, but with a Debian 12 installation with LUKS-encrypted LVM, and Mandos was working flawlessly. Do you see any errors in my configuration? Is it better to modify the zfsunlock script to invoke mandos directly?

Regards, Tomas
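As an added example (not code from this thread, from Mandos, or from OpenZFS), here is a minimal responder for the systemd Password Agent protocol that both password-agent and systemd-ask-password rely on. It parses an ask.* file from /run/systemd/ask-password (the directory systemd actually uses), checks that the question has not expired and that the asking process still exists, and sends "+" followed by the password to the datagram socket named in the file ("-" cancels). The demo constructs its own ask file and receiving socket under a temporary directory so it runs without systemd; the file name, ZFS dataset name and password are constructed placeholders.

```python
"""Minimal systemd Password Agent responder (added example, not Mandos code)."""
import configparser
import os
import shutil
import socket
import tempfile
import time

# systemd-ask-password creates its question files here, not under /etc.
ASK_DIR = "/run/systemd/ask-password"


def parse_ask_file(path):
    """Parse one ask.* file: an INI-style file with a single [Ask] section."""
    cp = configparser.ConfigParser(interpolation=None)
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    ask = cp["Ask"]
    return {
        "id": ask.get("Id", ""),
        "pid": int(ask.get("PID", "0")),
        "socket": ask["Socket"],  # AF_UNIX datagram socket the answer goes to
        "message": ask.get("Message", ""),
        # CLOCK_MONOTONIC timestamp in microseconds; 0 means no deadline
        "not_after": int(ask.get("NotAfter", "0")),
    }


def pid_alive(pid):
    """Signal 0 probes for existence without affecting the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def question_is_current(q, now_us=None):
    """Reject expired questions and questions whose asker has already exited."""
    if q["not_after"]:
        if now_us is None:
            now_us = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
        if now_us > q["not_after"]:
            return False
    if q["pid"] and not pid_alive(q["pid"]):
        return False
    return True


def answer_question(q, password):
    """Send the answer datagram: '+' + password, or '-' to cancel the question."""
    payload = b"-" if password is None else b"+" + password.encode("utf-8")
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(payload, q["socket"])


def handle_ask_dir(ask_dir, password):
    """One pass over ask_dir; returns the Ids of the questions answered."""
    answered = []
    for name in sorted(os.listdir(ask_dir)):
        if not name.startswith("ask."):  # skip tmp.* files still being written
            continue
        q = parse_ask_file(os.path.join(ask_dir, name))
        if question_is_current(q):
            answer_question(q, password)
            answered.append(q["id"])
    return answered


def run_demo(password="constructed-demo-key"):
    """Stand-in for a real boot: a constructed ask file plus a local receiving socket."""
    tmp = tempfile.mkdtemp()
    try:
        sock_path = os.path.join(tmp, "sck")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as rx:
            rx.bind(sock_path)
            rx.settimeout(2)
            # Constructed question, shaped like what zfsunlock's prompt produces
            with open(os.path.join(tmp, "ask.demo1"), "w", encoding="utf-8") as fh:
                fh.write(f"[Ask]\nPID={os.getpid()}\nSocket={sock_path}\n"
                         "AcceptCached=0\nEcho=0\nNotAfter=0\n"
                         "Message=Enter passphrase for 'rpool':\nId=demo:rpool\n")
            ids = handle_ask_dir(tmp, password)
            data = rx.recv(4096)
        return ids, data
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

In a real agent the directory passed to handle_ask_dir would be ASK_DIR and the loop would be driven by inotify or a systemd .path unit; the expiry and PID checks matter because a stale ask.* file left by an earlier prompt would otherwise receive the key material.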

------- Original Message -------
On Monday, July 3rd, 2023 at 14:59, Teddy Hogeborn <teddy at recompile.se> wrote:

> Tomas tomas at fritiofson.se writes:
>
> > I am building out a three node Proxmox cluster on top of Debian 12. I
> > use ZFS native encryption on all three nodes and have
> > dropbear-initramfs configured for remote password entry via SSH at
> > initramfs stage. I want to add Mandos to this and run server and
> > client on all three nodes but I am unable to find any documentation on
> > how to set it up properly with ZFS native encryption. Can someone here
> > point me in the right direction? Can I insert the password to
> > zfsunlock via output from mandos client?
>
>
> The Mandos Client program "mandos-client" only outputs the password to
> its standard output. It should be reasonably simple to use this to
> engineer your own solution.
>
> Note: If your system can use passwords supplied to a systemd "Password
> Agent", then the program password-agent(8mandos), included in the Mandos
> Client installation, runs mandos-client internally, and sends any
> password thus obtained to any active systemd Password Agent password
> questions. (It is intended to run in an initramfs image created by
> dracut when systemd is installed.)
>
> /Teddy Hogeborn
>
> --
> The Mandos Project
> https://www.recompile.se/mandos