**This is an old revision of the document!**

Encrypted boot-pool with ZBM on TrueNAS Scale

This is adapted from the Debian bookworm instructions for ZBM.

Preparation

Add an SSH key to the root account and log in to the root account using SSH; sudo does not allow chroot anymore.

Update a TrueNAS System that uses ZBM

Manual steps after applying an update

Do not choose to reboot immediately after applying an update. You first need to add the pass phrase to the initrd of the new TrueNAS version. Connect to the admin account on the TrueNAS system using SSH:

export ID=<new release version>
mkdir -p /mnt/update
mount -t zfs boot-pool/ROOT/${ID} /mnt/update
mount -t proc proc /mnt/update/proc
mount -t sysfs sys /mnt/update/sys
mount -B /dev /mnt/update/dev
mount -t devpts pts /mnt/update/dev/pts
mount boot-pool/grub /mnt/update/boot/grub -t zfs
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/audit /mnt/update/audit
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/data /mnt/update/data
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/etc /mnt/update/etc
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/home /mnt/update/home
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/mnt /mnt/update/mnt
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/opt /mnt/update/opt
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/root /mnt/update/root
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/usr /mnt/update/usr
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/var /mnt/update/var
mount -t zfs -o zfsutil boot-pool/ROOT/${ID}/var/log /mnt/update/var/log
cp /etc/zfs/boot-pool.key /mnt/update/etc/zfs/boot-pool.key
chmod 000 /mnt/update/etc/zfs/boot-pool.key
chroot /mnt/update /usr/bin/zsh

You are now in the new TrueNAS system version:

echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
update-initramfs -c -k all
exit

You can clean up now:

umount -R /mnt/update
rmdir /mnt/update

Reboot. The system should ask you for the pass phrase and then boot the new version as usual.

Recover if you let the TrueNAS updater reboot before adding the pass phrase to initrd

You will end up in initrd recovery. You can enter the pass phrase and mount root to continue:

zfs load-key -a
# boot-pool: <password>
mount /boot-pool/ROOT/<version> /ROOT
exit

The TrueNAS Scale system will now boot. To make the pass phrase permanent you have to write it to the initrd:

mount / -o remount,rw
echo 'TestMeHard' > /etc/zfs/boot-pool.key
chmod 000 /etc/zfs/boot-pool.key
echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
update-initramfs -c -k all

Encrypting a new TrueNAS install

Create an encrypted boot-pool on one of the mirrored boot disks and copy the TrueNAS system

Start an SSH session with the admin account:

sudo -s
# Enter admin's password
export ID=$(cat /etc/version)
# for sdx drives
export BOOT_DISK="/dev/sdx"
export BOOT_PART="2"
export BOOT_DEVICE="${BOOT_DISK}${BOOT_PART}"
export POOL_DISK="/dev/sdx"
export POOL_PART="3"
export POOL_DEVICE="${POOL_DISK}${POOL_PART}"
# for NVMes
export BOOT_DISK="/dev/nvmeOn1"
export BOOT_PART="2"
export BOOT_DEVICE="${BOOT_DISK}p${BOOT_PART}"
export POOL_DISK="/dev/nvmeOn1"
export POOL_PART="3"
export POOL_DEVICE="${POOL_DISK}p${POOL_PART}"
 
echo '<A good passphrase, you will need to type this with en_US keyboard layout just after UEFI>' > /etc/zfs/boot-pool.key
chmod 000 /etc/zfs/boot-pool.key
# the pass phrase is now stored in an unencrypted part of the system
# follow these instructions through and it will be encrypted at rest (power off)
 
# Change one of the mirrored boot devices to an encrypted boot-pool
zpool detach boot-pool "$POOL_DEVICE"
zpool labelclear -f "$POOL_DEVICE"
 
zpool create -f -o ashift=12 \
 -O compression=lz4 \
 -O acltype=posixacl \
 -O xattr=sa \
 -O relatime=on \
 -O encryption=aes-256-gcm \
 -O keylocation=file:///etc/zfs/boot-pool.key \
 -O keyformat=passphrase \
 -o autotrim=on \
 -o compatibility=openzfs-2.1-linux \
 -m none boot-pool-enc "$POOL_DEVICE"
 
zfs create -o mountpoint=none boot-pool-enc/ROOT
zfs snapshot -r boot-pool/ROOT/${ID}@transfer
zfs snapshot -r boot-pool/grub@transfer
zfs send -pRP boot-pool/ROOT/${ID}@transfer | zfs recv -d -o encryption=on -x keyformat -x keylocation boot-pool-enc
zfs send -pRP boot-pool/grub@transfer | zfs recv -d -o encryption=on -x keyformat -x keylocation boot-pool-enc
zfs set org.zfsbootmenu:active=on boot-pool-enc/ROOT/${ID}
zpool set bootfs=boot-pool-enc/ROOT/${ID} boot-pool-enc
zpool export boot-pool-enc
 
# necessary changes for booting without the pass phrase
zpool import -N -R /mnt/enc boot-pool-enc
zfs load-key -L prompt boot-pool-enc
mkdir -p /mnt/enc
mount boot-pool-enc/ROOT/${ID} /mnt/enc -t zfs
mount -t proc proc /mnt/enc/proc
mount -t sysfs sys /mnt/enc/sys
mount -B /dev /mnt/enc/dev
mount -t devpts pts /mnt/enc/dev/pts
mount boot-pool-enc/grub /mnt/enc/boot/grub -t zfs
zfs mount boot-pool-enc/ROOT/${ID}/audit
zfs mount boot-pool-enc/ROOT/${ID}/data
zfs mount boot-pool-enc/ROOT/${ID}/etc
zfs mount boot-pool-enc/ROOT/${ID}/home
zfs mount boot-pool-enc/ROOT/${ID}/mnt
zfs mount boot-pool-enc/ROOT/${ID}/opt
zfs mount boot-pool-enc/ROOT/${ID}/root
zfs mount boot-pool-enc/ROOT/${ID}/usr
zfs mount boot-pool-enc/ROOT/${ID}/var
zfs mount boot-pool-enc/ROOT/${ID}/var/log
chroot /mnt/enc /usr/bin/zsh

You are now in a shell in the copied, encrypted TrueNAS system:

echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
update-initramfs -c -k all
exit
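Both chroot steps on this page (the one above and the one in the update procedure) end with update-initramfs writing an initrd that carries the pass phrase in clear text. The following pre-flight check is an added example, not part of the wiki page: run it on the host after leaving the chroot and before unmounting, passing the mount point (/mnt/enc here, /mnt/update when updating). It assumes the page's own paths and that GNU/busybox stat and, optionally, lsinitramfs are available.

```shell
#!/bin/sh
# Added pre-flight check, not part of the wiki page: run it from the host
# against the mounted boot environment before unmounting it, with the mount
# point as argument (/mnt/enc here, /mnt/update in the update procedure).
# It confirms what the pass-phrase-in-initrd approach depends on:
#   1. the pass phrase file exists and has no group/other permission bits,
#   2. initramfs-tools will write the initrd with umask 0077,
#   3. every initrd in /boot is root-only (it holds the pass phrase in clear)
#      and, where lsinitramfs is available, really embeds the key file.
# Returns 0 when all checks pass, 1 otherwise; failures are listed on stderr.
check_initrd_key_hygiene() {
    root="${1:?usage: check_initrd_key_hygiene MOUNTPOINT}"
    key="$root/etc/zfs/boot-pool.key"
    conf="$root/etc/initramfs-tools/conf.d/umask.conf"
    rc=0

    # 1. key file present and not readable by group/other (000 or 600 is fine)
    if [ ! -f "$key" ]; then
        echo "FAIL: $key missing" >&2; rc=1
    elif [ "$(( 0$(stat -c %a "$key") & 077 ))" -ne 0 ]; then
        echo "FAIL: $key is readable by group/other" >&2; rc=1
    fi

    # 2. umask.conf makes update-initramfs create root-only images
    if ! grep -qx 'UMASK=0077' "$conf" 2>/dev/null; then
        echo "FAIL: $conf does not set UMASK=0077" >&2; rc=1
    fi

    # 3. each initrd is root-only and (if lsinitramfs exists) contains the key
    found=0
    for img in "$root"/boot/initrd.img-*; do
        [ -f "$img" ] || continue
        found=1
        if [ "$(( 0$(stat -c %a "$img") & 077 ))" -ne 0 ]; then
            echo "FAIL: $img is readable by group/other" >&2; rc=1
        fi
        if command -v lsinitramfs >/dev/null 2>&1 &&
           ! lsinitramfs "$img" | grep -q 'etc/zfs/boot-pool.key$'; then
            echo "FAIL: $img does not embed boot-pool.key" >&2; rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no initrd under $root/boot" >&2; rc=1; }
    return "$rc"
}

# run the check when invoked as a script: sh check.sh /mnt/enc
if [ $# -gt 0 ]; then
    check_initrd_key_hygiene "$1"
fi
```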

Install ZBM in the EFI partition (ZBM does not support Secure Boot, as it is not signed)

mount ${BOOT_DEVICE} /boot/efi
mkdir -p /boot/efi/EFI/ZBM
curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
efibootmgr -c -d "$BOOT_DISK" -p "$BOOT_PART" \
  -L "ZFSBootMenu (Backup)" \
  -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'
 
efibootmgr -c -d "$BOOT_DISK" -p "$BOOT_PART" \
  -L "ZFSBootMenu" \
  -l '\EFI\ZBM\VMLINUZ.EFI'
umount ${BOOT_DEVICE}

Unmount the encrypted TrueNAS System

umount -R /mnt/enc
# You can remove the snapshots created to copy the TrueNAS System
# zfs destroy -r boot-pool/ROOT/${ID}@transfer
# zfs destroy -r boot-pool/grub@transfer
# zfs destroy -r boot-pool-enc/ROOT/${ID}@transfer
# zfs destroy -r boot-pool-enc/grub@transfer
zpool export boot-pool-enc
reboot
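The zfs recv options used above (-o encryption=on -x keyformat -x keylocation) are what make every received dataset inherit the pool's encryption root instead of arriving in clear text or with its own key. The audit below is an added example, not part of the wiki page: run it while boot-pool-enc is still imported, before the zpool export and reboot in the block above. The zfs get command in its usage comment is real; the sample output embedded for a stand-alone run is constructed.

```shell
#!/bin/sh
# Added check, not part of the wiki page: run it while boot-pool-enc is still
# imported, i.e. before the zpool export and reboot above. It verifies that
# every dataset received with "zfs recv -o encryption=on -x keyformat
# -x keylocation" is really encrypted and shares the pool's encryption root,
# so ZBM asks for one pass phrase and nothing was left in clear text. Usage:
#   zfs get -H -r -o name,property,value \
#       encryption,keyformat,keylocation,encryptionroot boot-pool-enc \
#     | sh audit.sh --stdin
# Returns 0 when the pool passes, 1 otherwise; problems are listed on stderr.
audit_pool_encryption() {
    pool="${1:-boot-pool-enc}"
    awk -F'\t' -v pool="$pool" '
        { prop[$1, $2] = $3; seen[$1] = 1 }
        END {
            rc = 0
            for (ds in seen) {
                enc = prop[ds, "encryption"]
                if (enc == "" || enc == "off") {
                    print "FAIL: " ds " is not encrypted" > "/dev/stderr"; rc = 1
                } else if (enc != "aes-256-gcm") {
                    print "WARN: " ds " uses " enc > "/dev/stderr"
                }
                if (prop[ds, "encryptionroot"] != pool) {
                    print "FAIL: " ds " has its own encryption root, ZBM would prompt for it separately" > "/dev/stderr"; rc = 1
                }
            }
            # the pool root must carry exactly the key the initrd embeds
            if (prop[pool, "keyformat"] != "passphrase" ||
                prop[pool, "keylocation"] != "file:///etc/zfs/boot-pool.key") {
                print "FAIL: " pool " key is not a passphrase at file:///etc/zfs/boot-pool.key" > "/dev/stderr"; rc = 1
            }
            exit rc
        }'
}

# Constructed sample (not real zfs output) of a correctly migrated pool.
sample_ok() {
    printf '%s\t%s\t%s\n' \
        boot-pool-enc encryption aes-256-gcm \
        boot-pool-enc keyformat passphrase \
        boot-pool-enc keylocation file:///etc/zfs/boot-pool.key \
        boot-pool-enc encryptionroot boot-pool-enc \
        boot-pool-enc/ROOT/sample-release encryption aes-256-gcm \
        boot-pool-enc/ROOT/sample-release keyformat passphrase \
        boot-pool-enc/ROOT/sample-release keylocation none \
        boot-pool-enc/ROOT/sample-release encryptionroot boot-pool-enc
}

case "${1:-}" in --stdin) audit_pool_encryption "${2:-boot-pool-enc}" ;; --sample) sample_ok | audit_pool_encryption ;; esac
```

Running it with --sample audits the constructed sample and should print nothing; a dataset that was received unencrypted or with its own encryption root is reported as FAIL.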

Rename the boot-pools

This can be done in the ZFS Boot Menu rescue shell after the reboot. The commands need to be typed with the en-US keyboard layout.

zpool import -f boot-pool boot-pool-old
zpool export boot-pool-old
zpool export boot-pool-enc
zpool import boot-pool-enc boot-pool
reboot

Add back the second mirror device to the boot-pool

Unlock and start TrueNAS. If it works as expected, convert the second mirror boot device into a mirror device for the now encrypted boot-pool. Again open an SSH connection as the admin user:

sudo -s
export ID=$(cat /etc/version)
# for sdx drives
export BOOT_DISK="/dev/sdy"
export BOOT_PART="2"
export BOOT_DEVICE="${BOOT_DISK}${BOOT_PART}"
export POOL_DISK="/dev/sdy"
export POOL_PART="3"
export POOL_DEVICE="${POOL_DISK}${POOL_PART}"
export CURRENT_POOL_DISK="/dev/sdx"
export CURRENT_POOL_PART="3"
export CURRENT_POOL_DEVICE="${CURRENT_POOL_DISK}${CURRENT_POOL_PART}"
# for NVMes
export BOOT_DISK="/dev/nvmePn1"
export BOOT_PART="2"
export BOOT_DEVICE="${BOOT_DISK}p${BOOT_PART}"
export POOL_DISK="/dev/nvmePn1"
export POOL_PART="3"
export POOL_DEVICE="${POOL_DISK}p${POOL_PART}"
export CURRENT_POOL_DISK="/dev/nvmeOn1"
export CURRENT_POOL_PART="3"
export CURRENT_POOL_DEVICE="${CURRENT_POOL_DISK}p${CURRENT_POOL_PART}"
 
zpool labelclear -f "$POOL_DEVICE"
zpool attach boot-pool "$CURRENT_POOL_DEVICE" "$POOL_DEVICE"
 
# now also add ZBM to the second EFI partition
mount ${BOOT_DEVICE} /boot/efi
mkdir -p /boot/efi/EFI/ZBM
curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
efibootmgr -c -d "$BOOT_DISK" -p "$BOOT_PART" \
  -L "ZFSBootMenu (Backup)" \
  -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'
 
efibootmgr -c -d "$BOOT_DISK" -p "$BOOT_PART" \
  -L "ZFSBootMenu" \
  -l '\EFI\ZBM\VMLINUZ.EFI'
umount ${BOOT_DEVICE}
nas/truenas/encrypted_boot-pool_with_zbm.1730455627.txt.gz · Last modified: by admin