[Bug 2070066] Re: dracut does not support booting from an encrypted ZFS volume
Will Rouesnel
2070066 at bugs.launchpad.net
Sat Mar 29 08:02:09 UTC 2025
Okay, I've been able to get this to work: the problem is that dracut
doesn't install anything from /etc/crypttab unless it's run in --host-only
mode, but if it is, then it generally fails to install anything
cryptography related (under an Ubuntu ZFS-on-root native encryption
setup).
It's worth noting that no combination of rd.auto rd.luks=1 would seem to
detect the keystore partition, but adding:
```
#/etc/dracut.conf.d/00-crypttab.conf
install_items+=" /etc/crypttab "
```
to my dracut.conf file *did* get the encrypted partition to mount.
However, dracut has no idea what it should do with that.
It's possible to use an undocumented feature here to fix this explicitly
in the simple config:
```
#/etc/dracut.conf.d/01-keystore-rpool-mnt.conf
fstab_lines+=" /dev/mapper/keystore-rpool /run/keystore/rpool auto "
```
(note: yes, this is a malformed line; dracut appends '0 0 2' to whatever
you put here for the last element)
So the problem seems to be that zfs-dracut needs to explicitly handle
the Ubuntu keystore convention, since I can't see how dracut would
figure it out otherwise, i.e. detecting a keystore should trigger a
decrypt operation (or better, force the relevant crypttab line to be
included so tpm2-device etc. options can be used) and then the scripts
need to execute the mount point.
I've tested this setup as letting you log in with a password, but it has
another problem: since the ZFS scripts don't know they're waiting for
their own decryption (they're doing udevsettle), then after about 15-20
seconds dracut crashes to the recovery shell from the password prompt.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dracut in Ubuntu.
Matching subscriptions: dracut
https://bugs.launchpad.net/bugs/2070066
Title:
dracut does not support booting from an encrypted ZFS volume
Status in dracut package in Ubuntu:
Triaged
Status in zfs-linux package in Ubuntu:
Confirmed
Bug description:
Dracut does not support booting from an encrypted ZFS volume. Steps to
reproduce:
1. In a VM install Ubuntu 24.10 with an encrypted ZFS volume
2. Install dracut afterwards: sudo apt install dracut zfs-dracut
3. Add rd.shell to the boot arguments
4. Reboot
The boot will fail:
```
dracut-pre-mount[817]: Warning: ZFS: Key /run/keystore/rpool/system.key for rpool hasn't appeared. Trying anyway.
dracut-pre-mount[863]: Key load error: Failed to open key material file: No such file or directory
[FAILED] Failed to mount sysroot.mount - /sysroot.
```
The initrd should have asked for the password, but it did not.
ProblemType: Bug
DistroRelease: Ubuntu 24.10
Package: dracut-core 102-3ubuntu2
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: zfs
ApportVersion: 2.28.1-0ubuntu4
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Jun 21 09:35:42 2024
InstallationDate: Installed on 2024-06-20 (1 days ago)
InstallationMedia: Ubuntu 24.10 "Oracular Oriole" - Daily amd64 (20240617)
ProcEnviron:
LANG=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SourcePackage: dracut
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dracut/+bug/2070066/+subscriptions
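The two dracut.conf.d fragments in the comment above are written by hand for a single pool. The script below is an added example (not Will Rouesnel's code and not part of dracut or zfs-dracut) that generates the same two fragments from /etc/crypttab, so the mapper name and mount point cannot drift apart. It assumes, beyond the single rpool case shown on the page, that every Ubuntu keystore mapper is named keystore-<pool> in crypttab and must be mounted at /run/keystore/<pool>, which is where zfs-dracut looks for <pool>/system.key; the crypttab content it runs on is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the bug thread): emit dracut.conf.d fragments for
# every Ubuntu ZFS keystore volume listed in a crypttab file.
# Assumptions (generalised from the single rpool case on the page):
#   - keystore mappers are named keystore-<pool> in crypttab
#   - each one must be mounted at /run/keystore/<pool> so that zfs-dracut
#     can find /run/keystore/<pool>/system.key before importing the pool
set -eu

# Print the dracut config lines for every keystore-* entry in the crypttab
# given as $1. Output goes to stdout; redirect it into
# /etc/dracut.conf.d/<name>.conf and rebuild the initramfs afterwards.
# Returns non-zero when no keystore entry was found.
gen_keystore_dracut_conf() {
    crypttab="$1"
    found=0
    # crypttab columns: <target name> <source device> <key file> <options>
    while read -r name device keyfile options; do
        case "$name" in
            ''|'#'*) continue ;;   # blank line or comment
            keystore-*) ;;         # Ubuntu keystore convention
            *) continue ;;         # some other mapping (swap, data, ...)
        esac
        pool="${name#keystore-}"
        if [ "$found" -eq 0 ]; then
            # /etc/crypttab is only picked up automatically in hostonly mode,
            # so force it into the image (the page's 00-crypttab.conf)
            printf 'install_items+=" /etc/crypttab "\n'
            found=1
        fi
        # Tell dracut where to mount the unlocked keystore. Only three
        # fields are given on purpose: dracut appends the remaining
        # fstab fields ("0 0 2") itself, as the comment above notes.
        printf 'fstab_lines+=" /dev/mapper/%s /run/keystore/%s auto "\n' \
            "$name" "$pool"
    done < "$crypttab"
    [ "$found" -eq 1 ]
}

# Constructed sample crypttab for a stand-alone run (not from a real host)
sample_crypttab=$(mktemp)
cat > "$sample_crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
keystore-rpool /dev/zvol/rpool/keystore none luks,discard
EOF
gen_keystore_dracut_conf "$sample_crypttab"
rm -f "$sample_crypttab"
```

After writing the output to a file under /etc/dracut.conf.d/ and regenerating the initramfs, `lsinitrd -f /etc/crypttab` (the dracut tool that prints a file out of the built image) shows whether the crypttab actually landed in the initrd; if it prints nothing, the install_items line was not honoured and the keystore will again fail to appear at boot.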