Between btrfs filesystem usage / and btrfs filesystem du -s / there’s nearly 11GiB difference for used space. I have checked btrfs du -hs <path/to/subvolume> for all subvolume in the filesystem, and total seems to be 72 GiB, hence the confusion. Still I don’t know if I’m using the tools properly or something else is at fault here.
To correct myself, 11GiB is additional space used by snapshot probably used space difference between btrfs fi usage and btrfs fi du -s / is because of diff between snapshot and parent volume (didn’t consider that while adding all used GiB of subvolumes). So btrfs filesystem usage works well to check used/free space.
edit: fix incorrect args; additional space is not diff
Thanks that helped. I have one snapshot of home. Size of diff between btrfs subvolume and Additional space used by snapshot is 11GiB (probably) and btrfs fi du -s / is 72GiB, making 83GiB (closer to btrfs fi df /).
You are right. I shouldn’t have used diff. I’ll fix that
Also, incremental changes from subvolume to its snapshot might be incorrect as that will be new data added to subvolume, rather that old data deleted from subvolume while still present in snapshot. I’ll have to check carefully.
I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen....
Single password prompt instead of auto-decrypt with tpm
User’s files to be encrypted
There are several ways to achieve this:
autologin (recommended for single user system):/ is encrypted using luks or zfs native encryption and user’s home needs to be unencrypted. User’s password may be same as encryption password for convenience, though they still are two passwords used for different purposes.
pam mount:/ is unencrypted or auto-decrypted and user’s home is encrypted independently from / using zfs,luks,fscrypt,etc. In this case, user’s login password must be same as user’s home encryption password. It’s suitable for multi-user system. NOTE: It cannot be used with autologin since user’s home needs to be decrypted to log in.
WARNING: For tpm usage, using secure boot is highly recommended to prevent unauthorized user from accessing key stored in tpm.
To prevent auto-decrypt with tpm, tpm-pin can be used (with autologin for requirement #1).
**systemd-cryptenroll with/without tpm:**As far as I know it can be only used to unlock disk encrypted with luks2. It can be used without tpm with pkcs11-token (e.g. YubiKey) or fido2-device. It also uses parameter encryption while key is unsealed, so safe from key sniffing via communication bus. This is easy if secure boot is enabled and luks2 is used for encryption.
**clevis with tpm:**It can be used in place of systemd-cryptenroll. May be used with zfs native encryption. Though I’m not sure if it uses parameter encryption (correct me).
**unencrypted keyfile on usb:**Not sure about zfs, but you can use keyfile on a usb drive to decrypt luks containers.
NOTE: I’m not a forensic/security expert. I listed a brief overview of methods I could think of to keep user’s files encrypted while providing single password till login.
systemd-cryptenroll: For TPM usage, I highly recommend using secure boot. Though not sure if you can easily do that. A less secure alternative using systemd-cryptenroll would be use tpm2-pin and bind key to no pcrs (discouraged). But then you’ll have to use luks2 for encryption. Notice from man systemd-cryptenroll regarding tpm2-pin:
Note that incorrect PIN entry when unlocking increments the TPM dictionary attack lockout mechanism, and may lock out users for a prolonged time, depending on its configuration. The lockout mechanism is a global property of the TPM, systemd-cryptenroll does not control or configure the lockout mechanism. You may use tpm2-tss tools to inspect or configure the dictionary attack lockout, with tpm2_getcap(1) and tpm2_dictionarylockout(1) commands, respectively Also tpm2-pin is not disk encryption password and short alphanumeric password needed so tpm decrypts the device; so encryption password should be secured in a safe place. Also check if your distro supports systemd-cryptenroll.
usb drive: read previous comment
clevis: It probably isn’t as simple as systemd-cryptenroll but I guess you can use zfs and combine that with tpm2-pin if not using secure boot (discouraged).
You’ll have to make a compromise somewhere between security and convenience. Even if you use pam mount, you’ll have to enter the password, biometrics won’t do.
user’s password can be totally different from luks password if you’re using autologin. You can keep it same but that’s totally optional. You can login without entering any password at all if not using luks (or using autodecrypt), you can see that in live isos.
I’m also planning on using its subvolume and snapshot feature. since zfs also supports native encryption, it’ll be easier to manage subvolums for backups
How do you track security vulnerabilities?
Do you rely on mailing lists or news articles for security vulnerabilities? Please share....
Right way to check free/used storage of btrfs filesystem [SOLVED]
While checking for used and free space in a btrfs subvolume, I’m not getting a consistent value. It’s confusing and doesn’t help....
Encrypted hard drive asking for password every time
I recently switched to Linux (Zorin OS) and I selected “use ZFS and encrypt” during installation. Now before I can log in it asks me “please unlock disk keystore-rpool” and I have to type in the encryption password it before I’m able to get to the login screen....
tell me your experience using zfs/btrfs
cross-posted from: programming.dev/post/9319044...