Reading from my old encrypted ZFS root pool

By drink | Sun February 12, 2023

I have recently made the switch as a Linux user from LUKS, LVM and ext4 to ZFS, ZFS, and ZFS. I started with Ubuntu, which conveniently offered me an encrypted-root-on-ZFS option that worked very well for me in general. However, every time I had to interface with systemd it felt like a chore, when what I really wanted was the old-school UNIX feel I got from Slackware. And now I've converted to Devuan 4 "Chimaera" on ZFS, which is based on Debian 11 "Bullseye", which is as close to that as I'm willing to get given the amount of work I want to do. In the process, I've had to mount my old ZFS filesystems on my new system gracefully, and this is how I went about that.

I got the basics of the process from the Debian Bullseye root on ZFS howto troubleshooting section. But because the Ubuntu installer created a zpool encrypted with a key stored in a keystore, which is protected by a passphrase, there are some extra steps involved in connecting to it.

The key command is "zpool import -N -R /mnt rpool", but we can't run it as written for multiple reasons, not least because we already have a pool named "rpool". The -N flag specifies not mounting the filesystems (and we don't actually want to use it), while the -R root flag "Sets the cachefile property to none and the altroot property to root." That is, it specifies a temporary mountpoint for your pool. An even more interesting option is to append a newpool argument to this command (it's just separated by a space), which causes the pool to be imported into your ZFS configuration under an alternate name. This also affects all of its children, so it is a convenient way to mount an entire foreign zfs/zpool hierarchy, even if it has the same name as an existing one.

First though, we've got to find the pool, using zpool import. In my case it produced some output like this:

# zpool import
   pool: rpool
     id: 45673734563636345333
  state: ONLINE
 action: The pool can be imported using its name or numeric identifier.
 config:

        some more stuff here

This is a very fake example, but it shows the information you need to see: the relevant action statement and an id. Any time you are specifying anything in zfs, you can use its unique id. For example, I would type the following:

zpool import -N -R /mnt/tmp 45673734563636345333 oldrpool

You only have to do this once for your system to remember the name of that pool. The second time you want to import it, you'd do this:

zpool import -R /mnt/tmp oldrpool

Now my filesystems show up in zfs list:

# zfs list | grep oldrpool
oldrpool                                     414G  43.1G      192K  /mnt/tmp
oldrpool/ROOT                                214G  43.1G      192K  none
oldrpool/ROOT/ubuntu_kbr69h                  214G  43.1G      133G  /mnt/tmp
oldrpool/ROOT/ubuntu_kbr69h/srv              192K  43.1G      192K  /mnt/tmp/srv
oldrpool/ROOT/ubuntu_kbr69h/usr             1.49G  43.1G      192K  /mnt/tmp/usr
oldrpool/ROOT/ubuntu_kbr69h/usr/local       1.49G  43.1G     1.49G  /mnt/tmp/usr/local

etc etc. This is a big step in the right direction. However, I cannot actually mount the root:

# zfs mount oldrpool/ROOT/ubuntu_kbr69h
cannot mount 'oldrpool/ROOT/ubuntu_kbr69h': encryption key not loaded
# zfs load-key oldrpool/ROOT/ubuntu_kbr69h
Key load error: Keys must be loaded for encryption root of 'oldrpool/ROOT/ubuntu_kbr69h' (oldrpool).

So now we need to know where the keys are.

# zfs get encryptionroot oldrpool/ROOT/ubuntu_kbr69h | grep crypt
oldrpool/ROOT/ubuntu_kbr69h  encryptionroot  oldrpool  -
# zfs get all oldrpool | grep key
oldrpool  keylocation           file:///run/keystore/rpool/system.key  local
oldrpool  keyformat             raw                                    -
oldrpool  keystatus             unavailable                            -
# zfs list | grep keystore
oldrpool/keystore                                                                                           518M  43.6G     63.4M  -

There it is. Now, some magic occurs, which means I don't know how I figured this out, and there may even be steps missing. More on this when I find the sources again, although I did manage to find a quick reference to the approach. But...

# ls -l /dev/zvol
total 0
drwxr-xr-x 2 root root 60 Feb 12 09:34 oldrpool
# ls -l /dev/zvol/oldrpool
total 0
lrwxrwxrwx 1 root root 9 Feb 12 09:34 keystore -> ../../zd0
# cryptsetup -v open /dev/zvol/oldrpool/keystore keystore-oldrpool
Enter passphrase for /dev/zvol/oldrpool/keystore:

(the passphrase is entered, no characters are echoed.)

Key slot 0 unlocked.
Command successful.
# mkdir -p /run/keystore/rpool
# mount -v /dev/mapper/keystore-oldrpool /run/keystore/rpool
mount: /dev/mapper/keystore-oldrpool mounted on /run/keystore/rpool.
# zfs load-key oldrpool
# zfs mount -a

At this point, the whole hierarchy appears under /mnt/tmp, and it can be accessed like any other set of mounted filesystems.
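
The steps above collected into one script, as an added example that is not part of the original post. It assumes the keystore zvol is named `<pool>/keystore` as shown above, derives the mount directory from the pool's keylocation property instead of hardcoding it, and goes one step further than the post by closing the keystore again once the key is loaded; the `run` and `keyfile_path` helpers and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not the author's script). Assumes the Ubuntu installer layout
# shown above: a LUKS zvol named <pool>/keystore holding the raw key file.
# DRY_RUN=1 (the default) prints the commands instead of running them.

run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Turn a keylocation value into a path:
# file:///run/keystore/rpool/system.key -> /run/keystore/rpool/system.key
keyfile_path() {
    case "$1" in
        file:///*) printf '%s\n' "${1#file://}" ;;
        *) return 1 ;;  # e.g. "prompt": no key file for a keystore to supply
    esac
}

# unlock_pool <pool>  (pool = the name it was imported under, e.g. oldrpool)
unlock_pool() {
    pool=$1
    # keylocation still names the ORIGINAL path, whatever the pool is called now.
    loc=$(zfs get -H -o value keylocation "$pool") || return 1
    keyfile=$(keyfile_path "$loc") || {
        echo "keylocation '$loc' is not a file:// path" >&2; return 1; }
    dir=$(dirname "$keyfile")
    # Refuse to mount over a keystore the running system already has there.
    if mountpoint -q "$dir"; then
        echo "$dir is already a mountpoint" >&2; return 1
    fi
    run cryptsetup open "/dev/zvol/$pool/keystore" "keystore-$pool" || return 1
    run mkdir -p "$dir"
    run mount -o ro "/dev/mapper/keystore-$pool" "$dir" || return 1
    run zfs load-key "$pool"; rc=$?
    # load-key has read the file; the key is now held by the ZFS module,
    # so the raw key file does not need to stay mounted and readable.
    run umount "$dir"
    run cryptsetup close "keystore-$pool"
    [ "$rc" -eq 0 ] || return "$rc"
    run zfs mount -a
}

# Only act when given a pool name: DRY_RUN=0 sh unlock-old-pool.sh oldrpool
if [ $# -ge 1 ]; then unlock_pool "$1"; fi
```

Run it without DRY_RUN=0 first to review the exact commands it would issue for your pool.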

linux
ZFS
howto

Copyright © 2025 Martin Espinoza - All rights reserved