Post
I am contemplating making some of my #FreeBSD datasets encrypted. This is primarily so I could use rsync.net to back them up. Since I don't have physical access to the server, I can't make the root filesystems encrypted -- or can I?
It looks like I should set zfskeys=YES in rc.conf, and then as long as the filesystem keys are in a known location, it'll load them automatically during boot?
@kithrup I don't think you can use rc.conf to control mounting the root FS, it's on the root FS. There is stuff to pass encryption keys from loader to the kernel, which might work, but you'd need to enter a passphrase on the serial console on boot.
The way this is normally done for remote systems (not on FreeBSD) is to have a kernel that boots via secure boot, and then a TPM that releases a key based on the state of the secure-boot attestation.
@david_chisnall I don't think my system has TPM, so that'd be out. I was not thinking rc.conf could be used to handle booting, but possibly an extern USB device could have the key. Not hugely thrilled with that, though.
