deatharse
@lowjoel So I've had a play. Much like my earlier suggested plan I: - installed PVE on a single disk with ZFS and converted it to an encrypted mirror -...
@lowjoel Another consistency point @sarroutbi or @sergio-correia would probably pick up on as a nit-pick is the needless use of the `function` keyword in your bash scripts,
@lowjoel one bug? I have noticed is if you pass the `-f` flag "Do not prompt when overwriting configuration" and there is no current config (i.e. the label does not...
From further investigation the need for properly configured `dropbear` to bring up the network is due to `clevis-initramfs-zfs_21-1~202409290907~ubuntu24.04.1_amd64.deb` missing those capabilities. The normal `clevis-initramfs` has the files: - `/usr/share/initramfs-tools/scripts/local-top/clevis` -...
So I've found an issue with unbinding. If you do not use `sss` and bind 2 tang servers to two labels e.g. ```sh # clevis zfs bind -d rpool -l...
I've had a bit of a further play by creating a second encrypted pool and noticed that was not unlocked. ``` # zpool create \ -o ashift=12 \ -o autotrim=on...
Here's an updated diff for `src/initramfs-tools/scripts/zfs-load-key/clevis-zfs.in` that will handle encrypted datasets in an unencrypted pool: ```diff 22c22,58 < clevis zfs unlock -d "${ENCRYPTIONROOT}" --- > attempt_unlock() { > local dataset=$1...
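Review bot: `local dataset=$1` at the top of `attempt_unlock()` leaves the expansion unquoted, while the line it replaces passed `"${ENCRYPTIONROOT}"` quoted. Some sh implementations word-split unquoted arguments to `local`, so a dataset name containing whitespace could be truncated before it reaches the unlock call; writing it as `local dataset="$1"` keeps the quoting consistent with the removed line. The rest of the hunk is cut off here, so this covers only the visible lines.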