Actually non-tor certificates will (sadly) be signed with Let’s Encrypt a bit before 2017-05-26, tor will be self-signed
Support La Quadrature Du Net

Entire Disk Encryption with LUKS and ZFS

Note: this is done from my current system, notes and my mind.

This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)

Setup the disk

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda
cryptsetup luksOpen /dev/sda cryptrpool

zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool
zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT

zfs create -o mountpoint=/ rpool/ROOT/default

zfs create -o mountpoint=/home rpool/HOME
zfs create -o mountpoint=/root rpool/HOME/root
zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn

zfs create -o mountpoint=none rpool/GENTOO
zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles
zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages

Configuring

USE flags:

sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup

Now you need: sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel. You can also replace genkernel with dracut.

Configuring ZFS for boot-up: rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed

initramfs (genkernel)

sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf
sed -i 's/.*ZFS=.*/ZFS="yes"/' /etc/genkernel.conf
sed -i 's/.*DISKLABEL=.*/DISKLABEL="yes"/' /etc/genkernel.conf
genkernel --luks --zfs --disklabel initramfs

GRUB

As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:

#/boot/grub/grub.cfg
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha512
insmod zfs

cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
set root=(crypto0)
set prefix=(crypto0)/ROOT/default/@/boot/grub

insmod gzio

menuentry 'Gentoo Hardened 4.4.2' {
	linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs
	initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened
}

And that should be all !

article only(plain HTML), Friendica, Twitter