blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git
commit: a7179ece2ec9d2bf285c5a2e821056312670a5f5
parent c35be537826ad6252ce4723416d4e590b1569200
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 24 Jun 2020 00:16:14 +0200

Entire Disk Encryption: Update

Diffstat:

M  articles/Entire Disk Encryption with LUKS and ZFS.xhtml | 74 +++++++++++++++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 49 insertions(+), 25 deletions(-)

diff --git a/articles/Entire Disk Encryption with LUKS and ZFS.xhtml b/articles/Entire Disk Encryption with LUKS and ZFS.xhtml 
@@ -4,29 +4,32 @@ <p>This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)</p> <h3>Setup the disk</h3> <ul> - <li>Disk: /dev/sda</li> - <li>LUKS container: cryptrpool</li> - <li>Zpool: rpool</li> - <li>Your username: haelwenn</li> - <li>temporary mountpoint: /mnt/gentoo</li> - <li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li> + <li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux + <li>LUKS container: $hostname + <li>Zpool: $hostname + <li>Your username: haelwenn + <li>temporary mountpoint: /mnt/gentoo + <li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6 </ul> -<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda -cryptsetup luksOpen /dev/sda cryptrpool +<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2 +cryptsetup open /dev/sda2 $hostname -zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool -zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT +zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname +zfs create $hostname/ROOT -zfs create -o mountpoint=/ rpool/ROOT/default +zfs create -o mountpoint=legacy $hostname/ROOT/gentoo +mkdir /mnt/gentoo +mount -t zfs $hostname/ROOT/gentoo /mnt/gentoo -zfs create -o mountpoint=/home rpool/HOME -zfs create -o mountpoint=/root rpool/HOME/root -zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn +zfs create -o mountpoint=/home $hostname/HOME +zfs create $hostname/HOME/haelwenn +zfs create -o mountpoint=/root $hostname/HOME/root -zfs create -o mountpoint=none rpool/GENTOO -zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage -zfs create -o mountpoint=/usr/portage/distfiles -o 
compression=off rpool/GENTOO/distfiles -zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages</code></pre> +zfs create $hostname/GENTOO +zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles +zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages +zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos +zfs create $hostname/GENTOO/repos/gentoo <h2>Configuring</h2> <p>USE flags:</p> <pre><code>sys-boot/grub libzfs device-mapper @@ -36,10 +39,31 @@ sys-kernel/genkernel cryptsetup</code></pre> <p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p> <p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot &amp;&amp; rc-update add zfs-mount &amp;&amp; rc-update add zfs-zed</code></p> <h3>initramfs (genkernel)</h3> -<pre><code>sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf -sed -i 's/.*ZFS=.*/ZFS="yes"/' /etc/genkernel.conf -sed -i 's/.*DISKLABEL=.*/DISKLABEL="yes"/' /etc/genkernel.conf -genkernel --luks --zfs --disklabel initramfs</code></pre> +<pre><code>mv /etc/genkernel.conf /etc/genkernel.conf.dist +cat >/etc/genkernel.conf <<-EOF +GK_SHARE="${GK_SHARE:-/usr/share/genkernel}" +CACHE_DIR="/var/cache/genkernel" +DISTDIR="/var/cache/distfiles" +LOGFILE="/var/log/genkernel.log" +DEFAULT_KERNEL_SOURCE="/usr/src/linux" +LOGLEVEL=1 + +INSTALL="yes" +SYMLINK="yes" +BUSYBOX="yes" +LUKS="yes" +ZFS="yes" +DISKLABEL="yes" + +KERNEL_SYMLINK_NAME="vmlinuz" + +COMPRESS_INITRD="yes" +COMPRESS_INITRD_TYPE="best" + +INITRAMFS_SYMLINK_NAME="initramfs" +MICROCODE_INITRAMFS="yes" +EOF +genkernel initramfs</code></pre> <h3>GRUB</h3> <p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p> <pre><code>#/boot/grub/grub.cfg 
@@ -56,9 +80,9 @@ set prefix=(crypto0)/ROOT/default/@/boot/grub insmod gzio -menuentry 'Gentoo Hardened 4.4.2' { - linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs - initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened +menuentry 'Gentoo' { + linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs=cache rootfstype=zfs + initrd /ROOT/default/@/boot/initramfs } </code></pre> <p>And that should be all !</p>
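Review bot: in the first hunk (`@@ -4,29 +4,32 @@`) the rewritten list items, from `<li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux` down to `<li>UUID of your clean GPT table: ...`, drop the closing `</li>` that the removed lines had; the file is XHTML, so six unclosed `<li>` elements make the document ill-formed and a strict XML parser will refuse it. Restore `</li>` on each item. Moving LUKS from the whole disk to sda2 with a BIOS Boot partition on sda1 is the right layout for GRUB's core image on GPT, but the commands `cryptsetup open /dev/sda2 $hostname` and `zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname` now depend on `$hostname` being set in the reader's shell; a sentence saying so, or a `hostname=...` line before the block, would avoid a `zpool create` with an empty pool name.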
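Review bot: the heredoc in the second hunk (`@@ -36,10 +39,31 @@`), `cat >/etc/genkernel.conf <<-EOF`, puts a raw `<<` inside `<pre><code>` in an XHTML document; the context line in the same hunk escapes `&&` as `&amp;&amp;`, and the `<` needs the same treatment (`&lt;&lt;-EOF`) or the file is no longer well-formed XML. Separately, with an unquoted `EOF` delimiter the invoking shell expands `${GK_SHARE:-/usr/share/genkernel}` while writing the file, so the resulting config carries the resolved value instead of the default expression the line is clearly meant to preserve; quoting the delimiter (`<<-'EOF'`) writes the block verbatim. The `-` in `<<-` only strips leading tabs, which is harmless here since none of the lines are indented.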
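Review bot: the GRUB entry in the third hunk (`@@ -56,9 +80,9 @@`) no longer matches the dataset layout from the first hunk. The context line `set prefix=(crypto0)/ROOT/default/@/boot/grub` and the new lines `linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default ...` and `initrd /ROOT/default/@/boot/initramfs` still name the pool `rpool` and the root dataset `ROOT/default`, while the setup section now creates the pool as `$hostname` and the root filesystem as `$hostname/ROOT/gentoo`, so GRUB would look for a dataset the tutorial never creates; the paths should become `/ROOT/gentoo/@/boot/...` with `root=ZFS=<pool>/ROOT/gentoo`. Dropping `rd.luks.uuid=` also ties the entry to genkernel's `crypt_root=`, even though the same file still says dracut can be used instead. And since the LUKS container is now on /dev/sda2 rather than the whole disk, it is worth confirming that the value in `crypt_root=UUID=...` is the UUID `blkid` reports for that LUKS partition and not the GPT disk GUID, as the two are different identifiers.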