Bad install of 17.3 Pro with ZFS+encryption

I have installed Zorin 17.3 on a new external SSD disk. I have chosen to use ZFS with encryption. The install does work and terminates normally, but it's unbootable. The /boot directory is empty but everything else seems to be installed. I have chrooted into the install and tried to reinstall the Linux kernel packages, ... but I cannot install GRUB; it tells me the EFI uses an unknown filesystem. I also cannot run update-grub, which complains that it cannot load the encryption key.
zfs_mount_at() failed: encryption key not loadedWarning: os-prober will be executed to detect other bootable partitions.

The encryption key is present and I even used it to chroot in the install ...

Is it possible to recover from this bad install? Any hint?

PS: I created this post to avoid polluting "Crashes and errors during install of 17.3 Pro".

One of the things I don't like is the lack of a GRUB menu, which I discovered on installing Zorin 17.2 Core. Something had gone wrong with my login password, so I used the live installation media on Ventoy to run Boot Repair. This went smoothly and I could then get to recovery mode. I have never risked using what I still consider an experimental file system. Is there some reason why you don't want Ext4 with LUKS? Again, encryption is something else I never use.

BTRFS is the experimental filesystem that will eventually break.
ZFS is older and way more stable and offers snapshots.
I need encryption since it's a laptop and I want to keep my data secure. EXT4 is very stable and can be encrypted, but offers no snapshot capability. And I'm not sure that LVM snapshots are as stable/secure as ZFS. It's my evaluation, I could be wrong...

PS: I also consider that Zorin should not offer to install a bad configuration ...

Using Brave A.I. search engine via Mojeek came back with this:

" ZFS Mount Warning

The error "zfs_mount_at() failed: encryption key not loaded" and the warning "os-prober will be executed to detect other bootable partitions" can occur when trying to mount an encrypted ZFS file system during the boot process. This typically happens if the encryption key is not available or if the key material file cannot be found, which could be due to incorrect file paths or permission issues.

To resolve the issue, you can try the following steps:

  • Ensure the key material file is correctly located and accessible. If the file is on another drive or partition, mount that first where it resides.
  • Use the zfs load-key command to load the key manually after the system is booted.
  • If the key material file is in another file system, make sure the mount order of the file systems does not impact the mounting of the encrypted file system.
  • Check the ZFS configuration to ensure that the encryption keys are properly configured.

Additionally, the warning about os-prober not being executed can be ignored if you only have one operating system installed. However, if you want to ensure os-prober is executed, you can set the variable GRUB_DISABLE_OS_PROBER=false in /etc/default/grub and then run update-grub to update the GRUB configuration.

If these steps do not resolve the issue, you may need to reinitialize GRUB or use a live USB with ZFS support to access your ZFS volumes and recover your data.

AI-generated answer. Please verify critical facts."

Thanks for the info. But all of this is already verified. I can chroot in the installation and decrypt the filesystem. Everything works manually in the chroot install but not update-grub.
All I can get from update-grub is this :

(CHROOT)root@fido:~# update-grub
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
grub-probe : erreur : système de fichiers inconnu.
Found linux image: vmlinuz-6.8.0-59-generic in rpool/ROOT/ubuntu_htr0gz
Found initrd image: initrd.img-6.8.0-59-generic in rpool/ROOT/ubuntu_htr0gz
Found linux image: vmlinuz-6.8.0-57-generic in rpool/ROOT/ubuntu_htr0gz
Found initrd image: initrd.img-6.8.0-57-generic in rpool/ROOT/ubuntu_htr0gz
zfs_mount_at() failed: encryption key not loadedWarning: os-prober will be executed to detect other bootable partitions.
Its output will be used to detect bootable binaries on them and create new boot entries.
Adding boot menu entry for UEFI Firmware Settings ...
done

Everything is mounted and the ZFS key is loaded (needed to get into the chroot ...).
I haven't figured out what the real problem is here. I will try to get help from Zorin. I want to find out what's wrong with the Zorin install with ZFS and encryption.
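
An added diagnostic example, not part of any post in this thread: one way to check from inside the chroot whether every encrypted dataset, and not only the root dataset, has its key loaded is to filter `zfs get` output for `keystatus=unavailable`. The helper names and the sample data are assumptions; only `rpool/ROOT/ubuntu_htr0gz` comes from the output above.

```shell
#!/bin/sh
# Added example (not from the thread): list datasets whose encryption key is
# not loaded, from `zfs get -H` output (tab-separated: name, property, value).

# unloaded_keys (hypothetical helper): reads that output on stdin and prints
# "dataset<TAB>encryptionroot" for every dataset with keystatus=unavailable.
unloaded_keys() {
    awk -F '\t' '
        $2 == "keystatus"      { status[$1] = $3 }
        $2 == "encryptionroot" { root[$1] = $3 }
        END {
            for (ds in status)
                if (status[ds] == "unavailable")
                    printf "%s\t%s\n", ds, ((ds in root) ? root[ds] : "?")
        }' | LC_ALL=C sort
}

# Constructed sample input. Only rpool/ROOT/ubuntu_htr0gz appears in the
# thread; the other dataset names and all values are made up for illustration.
sample_input() {
    printf 'bpool\tkeystatus\t-\n'
    printf 'bpool\tencryptionroot\t-\n'
    printf 'rpool\tkeystatus\tavailable\n'
    printf 'rpool\tencryptionroot\trpool\n'
    printf 'rpool/ROOT/ubuntu_htr0gz\tkeystatus\tavailable\n'
    printf 'rpool/ROOT/ubuntu_htr0gz\tencryptionroot\trpool\n'
    printf 'rpool/USERDATA/example_home\tkeystatus\tunavailable\n'
    printf 'rpool/USERDATA/example_home\tencryptionroot\trpool/USERDATA/example_home\n'
}

# With --live, query the real pools; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    zfs get -H -t filesystem,volume -o name,property,value \
        keystatus,encryptionroot | unloaded_keys
else
    sample_input | unloaded_keys
fi
```

The second column is the encryption root, which is the dataset name `zfs load-key` expects. An empty result means every encrypted dataset reports its key as loaded.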

Apparently it is an issue with GRUB.

"ZFS Encryption GRUB Error

When encountering the error "grub-probe : erreur : système de fichiers inconnu" while trying to update GRUB on a ZFS with encryption, it indicates that GRUB is unable to recognize the filesystem. This issue can arise due to GRUB's limitations in handling ZFS, especially when encryption is involved.

To address this problem, you can try creating symbolic links for the disks that GRUB is unable to probe. For example, if GRUB is complaining about a specific disk, you can create a symbolic link in the /dev/disk/by-id/ directory for that disk. The formula for creating these links is:

$ sudo ln -sf {sdname}{partN} /dev/disk/by-id/{diskid}-part{partN}

You can determine the disks required by running grub-probe / and creating links until it reports no errors. For instance, if GRUB is unable to find /dev/ata-ADATA_SP550_2G1520009135-part1, you can create the link as follows:

$ sudo ln -sf /dev/sdf1 /dev/disk/by-id/ata-ADATA_SP550_2G1520009135-part1

Additionally, setting the ZPOOL_VDEV_NAME_PATH environment variable to 1 can help GRUB find the ZFS pool correctly. This variable causes zpool to report full paths to the disks, which can then be used by GRUB utilities to find the disks containing the ZFS pools.

If these steps do not resolve the issue, it might be necessary to consider alternative boot loaders or configurations that better support ZFS with encryption.

The error "grub-probe : erreur : système de fichiers inconnu" can also occur due to GRUB's inability to recognize the filesystem on the root partition, especially when using ZFS with all its features enabled. In such cases, it might be beneficial to use a supported filesystem for the root partition and keep ZFS for other purposes like VMs or data storage.

In some cases, users have resolved similar issues by dropping the ZFS root and using a supported filesystem for the root partition, then converting the root filesystem to ZFS once they have a system that supports UEFI booting.

For more detailed troubleshooting, you can refer to the discussion on the ZFS subreddit [2] and the GitHub issue on the zfsonlinux/grub repository [3].

AI-generated answer. Please verify critical facts.

1. askubuntu.com: grub2 - ZFS grub-probe error failed to get canonical path of /dev/DISK_NAME - Ask Ubuntu (https://askubuntu.com/questions/827126/zfs-grub-probe-error-failed-to-get-canonical-path-of-dev-disk-name)
2. reddit.com: r/zfs on Reddit: GRUB2-probe error when trying to generate boot configuration on ZFS root
3. github.com: grub-update does not identify pool correctly: root=ZFS=/ROOT/debian · Issue #18 · zfsonlinux/grub
4. github.com: grub-probe fails with Unknown Filesystem · Issue #804 · openzfs/zfs
5. diskpart.com: Solutions simples : Grub

Boot Repair has trouble with encryption and ZFS encryption. The way that Zorin configures the ZFS setup is to have a boot pool (bpool) encrypted with cryptsetup and a root pool (rpool) ZFS encrypted. On the boot pool there is a keystore with the zfskey to decrypt the rpool. The GRUB repair cannot handle that ... I will seriously consider other options than Zorin.

Best Bootloaders for ZFS Encryption

As of the latest updates, GRUB does not natively support booting from an encrypted ZFS dataset, which means it cannot directly decrypt and boot from an encrypted ZFS root filesystem without additional configuration steps. However, other bootloaders can be used to achieve this functionality.

Systemd-boot is one alternative that can be used to boot from an encrypted ZFS root filesystem. Systemd-boot can load the kernel and initramfs from an encrypted ZFS dataset, provided the initramfs is configured to handle the decryption of the ZFS root dataset.

Another option is to use the initramfs scripts to handle the decryption of the ZFS root dataset. This involves configuring the initramfs to load the necessary keys and decrypt the ZFS pool before mounting the root filesystem.

For a more secure setup, some users recommend using a separate, unencrypted boot partition or USB drive for the bootloader and kernel, which can then decrypt and mount the encrypted ZFS root filesystem during the boot process.

In summary, while GRUB does not currently support booting directly from an encrypted ZFS root filesystem, alternatives like systemd-boot and properly configured initramfs scripts can be used to achieve this functionality.

AI-generated answer. Please verify critical facts.


This ZFS setup was created by the Zorin 17.3 installer ... I still don't understand why it would be unbootable or need another bootloader ... Quality control has failed ...