Comment by E39M5S62
5 days ago
Quick note on #2 - there aren't really any issues with storing your encryption root passphrase in a file. If the file is owned by root, with no read permissions for any account, only root can access it. Since it's stored on an encrypted dataset, and your initramfs is as well, it's unreadable when the machine is off. Lastly, if anybody _does_ have a root shell on your machine, they can change the encryption passphrase without needing to know the current value.
In short, I'm not sure there are any real issues with having it on disk but unreadable by anybody but root.
In general I agree with you but there is one difference - a sneaky user with physical access can read it and _not_ change it, vs changing it. The latter is more detectable. But this is minor.
Yeah. Unfortunately, ZFS encryption is missing a few creature comforts of something like LUKS. I've stuck with native OpenZFS mechanisms, though, to keep the complexity sprawl to a minimum.
Absolutely - I know that, but thanks for pointing that out again. There is no real "use case" for NOT storing the key in a root-owned file. However, as I don't do it myself, there is no way of accidentally deleting the file, or of someone quickly copying it from my system to another drive when I accidentally left a root shell open and went to the restroom (that never happens ;) and the one single place I store the key (my head) is pretty much unreadable for everyone except me (at least for now :-). Being paranoid doesn't mean they are not after you :p
Since I reboot my notebook only about once a month, it is no real hassle to enter the key twice 12 times a year :-)