Help with mounting encrypted ZFS datasets

I’m not using TrueNAS but openSUSE Leap 15.5 with OpenZFS.

My goal is to create an encrypted dataset that is unmounted and unavailable until it is manually mounted and the passphrase is entered.

I created an encrypted dataset with the following:

zfs create -o encryption=aes-256-ccm -o keyformat=passphrase zpool/enc

To test it, I was able to create a test file /zpool/enc/test.txt and read and write from it while the dataset was unmounted.

I then rebooted the system and was still able to read and write to /zpool/enc. I mounted the dataset with

zfs mount -l -a

The system prompted me for a passphrase, I entered it and the dataset mounted. I created another file /zpool/enc/test2.txt and then rebooted.

Prior to mounting the dataset I was able to read and write /zpool/enc/test2.txt and read and write from the directory as whole.

It appears to me that this dataset is mounting at boot, and/or it doesn’t seem to make any difference whether it is mounted or not. I must be doing something wrong here.

When I run

zfs get all zpool/enc

The relevant properties when the dataset is unmounted are:

mounted               no                     -
encryption            aes-256-ccm            -
keylocation           prompt                 local
keyformat             passphrase             -
keystatus             unavailable            -

When the dataset is unmounted and the keystatus is unavailable I can read and write files that were written to it when it was previously mounted. What am I doing wrong?

Are you certain that the test files are being created in the dataset and not just in the directory where that dataset will mount? That’s the first thing that comes to mind and would be quick to check with a mount command.

In case you’re looking for a group of ZFS experts, you might check out discourse.practicalzfs.com. That’s sort of the successor to Reddit’s r/zfs. Jim Salter, the admin behind syncoid and sanoid, is the one who runs it and there are some good minds there.

Thanks for the reply. It was not writing to the dataset but just to the directory where the dataset was mounted. Which was weird because the dataset was mounted there. I destroyed that particular dataset and the files were still present, so I deleted the directory that the dataset was mounted to and then recreated the dataset the same way I did before and mounted it in the same place and I don’t know why but everything is working now the way I intended.
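The check suggested in the reply above (is the path really backed by the dataset, or only by the directory the dataset mounts on?) can be scripted so it is not a matter of eyeballing mount output. The script below is an added example, not code from the thread or from OpenZFS; it assumes the names used in the thread (pool zpool, encrypted dataset zpool/enc mounted at /zpool/enc) and only calls zfs and findmnt when those tools exist. The core test is a pure function over one line of `findmnt -n -T PATH -o TARGET,SOURCE,FSTYPE` output, so it can be exercised with constructed lines: when zpool/enc is not mounted, /zpool/enc resolves to the parent dataset zpool, which is exactly the situation in which files appear readable with keystatus unavailable. The unlock helper also refuses to mount over a non-empty mountpoint, because files left there are hidden under the mount and reappear, unencrypted, whenever the dataset is unmounted.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pool "zpool" and encrypted
# dataset "zpool/enc" mounted at /zpool/enc, as in the original post.

DATASET=zpool/enc
MOUNTPOINT=/zpool/enc

# Pure check on one line of `findmnt -n -T PATH -o TARGET,SOURCE,FSTYPE`
# output: the mount that actually backs PATH must be the expected dataset.
# Prints OK:... and returns 0, or prints the reason and returns 1.
check_findmnt_line() {
    expected=$1
    set -- $2
    target=$1 source=$2 fstype=$3
    if [ "$fstype" != zfs ]; then
        echo "NOT_ZFS:$target:$source:$fstype"
        return 1
    fi
    if [ "$source" != "$expected" ]; then
        # The thread's failure mode: zpool/enc is not mounted, so /zpool/enc
        # falls through to the parent dataset "zpool" and writes land in a
        # plain directory that needs no key to read.
        echo "WRONG_DATASET:$target:$source"
        return 1
    fi
    echo "OK:$target:$source"
}

# Live version: resolve the path with findmnt, then run the check above.
check_path_on_dataset() {
    line=$(findmnt -n -T "$2" -o TARGET,SOURCE,FSTYPE) || return 1
    check_findmnt_line "$1" "$line"
}

# Unlock and mount, refusing to mount over a mountpoint that already holds
# files (they would be hidden by the mount and reappear when it is unmounted),
# then show the properties that matter and verify the path really is the dataset.
unlock_and_verify() {
    if [ -n "$(ls -A "$MOUNTPOINT" 2>/dev/null)" ]; then
        echo "refusing: $MOUNTPOINT already contains files; move them off first" >&2
        return 1
    fi
    zfs mount -l "$DATASET" || return 1   # -l loads the key (prompts for the passphrase) then mounts
    zfs get -o name,property,value mounted,keystatus "$DATASET"
    check_path_on_dataset "$DATASET" "$MOUNTPOINT"
}

# Lock: unmount and drop the key so the data is unreadable until the next unlock.
lock_dataset() {
    zfs unmount "$DATASET" && zfs unload-key "$DATASET"
}

# Constructed findmnt lines (not captured from a real system): dataset mounted,
# and dataset not mounted with the path falling through to the parent pool.
check_findmnt_line "$DATASET" "/zpool/enc zpool/enc zfs"
check_findmnt_line "$DATASET" "/zpool zpool zfs" || true

if command -v zfs >/dev/null 2>&1 && command -v findmnt >/dev/null 2>&1; then
    case "${1:-}" in
        unlock) unlock_and_verify ;;
        lock)   lock_dataset ;;
        check)  check_path_on_dataset "$DATASET" "$MOUNTPOINT" ;;
    esac
fi
```

Run it as `sh check_enc.sh check` after boot: with keylocation=prompt and no key loaded, `zfs mount -a` at boot skips the dataset, so the check should report WRONG_DATASET (the path is backed by the parent) and `zfs get keystatus` should say unavailable; after `sh check_enc.sh unlock` it should report OK. If the unmounted check ever reports OK while files are readable, the dataset was mounted by something else at boot, which is a different problem from the one in this thread.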