6

I also accidentally changed the keylocation property and I'm not even sure what was the original value. I have found a path like 'file:///run/keystore/rpool/system.key' but that doesn't work because

sudo zfs load-key

fails with 'Failed to open key material file'.

proke
  • 61
  • 1
  • 2

1 Answers1

8

The actual key file was stored in a dedicated zfs volume call keystore, and it was protected by Luks encryption. That's the prompt-up on the boot screen which asks for your password.

If you would like to decrypt and mount the ZFS volumes on another machine, first, open the Luks filesystem to get the key file, for example:

$ sudo cryptsetup open /dev/zvol/rpool/keystore zfskey

It will create a new device under the /dev directory, e.g. /dev/dm-0. You can mount it via the Nautilus file manager easily. Supposedly there is only one file, i.e. system.key.

With that key file you can decrypt your ZFS pool, for example:

$ sudo cat /path/to/system.key | sudo zfs load-key -L prompt rpool

Finally, mount the ZFS volume. You might need to change the mountpoint to somewhere before actually mount the volume. For example:

$ sudo zfs get mountpoint rpool/USERDATA/username_1b23ae
#(Backup the oritional mountpoint value)
$ sudo zfs set mountpoint=/mnt rpool/USERDATA/username_1b23ae
$ sudo zfs mount rpool/USERDATA/username_1b23ae
Jimmy4a69
  • 81
  • The alternate mount procedure can be simplified by importing the pool using the -R <temp_mountpoint>, which doesn't require setting and then restoring the mountpoint property. I'd also suggest to suggest zfs mount -a as a shortcut to mount everything (Ubuntu for example, uses many datasets, so it's tedious to mount them one by one). – Marcus Dec 11 '22 at 14:52