I’ve fully realized the “What’s next?” section at the end of my ZFS encryption post, and I now have a full continuous integration / continuous delivery solution for my home lab. 🎉

There were a few humps to get over, many of them self imposed, but I wanted to document them and some thoughts around decisions I made.

KEYID A6C19D1C082670FD will be retired soon. I haven’t been using any public key servers, so this seems like the most appropriate place to post a rotation notification.

Old key hasn’t been leaked or misused. I’m still using it temporarily personally until I’m sure everything is completely settled.

I finally retired my last Yubikey 4, and have moved everything to ed25519 / cv25519 keys. Everything is supporting KDF now too, so that’s a nice bonus.

I’ve started using a ZFS root filesystem on all of my computers now. Various wants on different systems have led to me using ZFS native encryption on some systems, and ZFS on LVM on LUKS on some others. I’ve had a chance to feel out both options, and I’ve learned a bunch in the meantime, so I decided to try something else now.

This post gets into a scheme that allows a single self contained zpool to offer LUKS key managent and unlocking options on NixOS.