My cute blog can’t be this disorganised!

<a href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS"><h1>Entire Disk Encryption with LUKS and ZFS</h1></a>
<p>Note: this is written from my current system, my notes and my memory.</p>
<p>This tutorial is for people who already know how to install Gentoo. By Entire Disk Encryption I mean that even /boot is encrypted (GRUB itself isn't: I think that would need UEFI, which is too hard and risky to set up, and I don't have hardware compatible with coreboot).</p>
<h3>Set up the disk</h3>
<ul>
	<li>Disk: /dev/sda</li>
	<li>LUKS container: cryptrpool</li>
	<li>Zpool: rpool</li>
	<li>Your username: haelwenn</li>
	<li>temporary mountpoint: /mnt/gentoo</li>
	<li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li>
</ul>
<pre><code># LUKS container over the whole disk: AES-XTS with a 512-bit key (AES-256), SHA-512 as the key-derivation hash
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda
cryptsetup luksOpen /dev/sda cryptrpool

# -m none: the pool root itself is never mounted; -R: alternate root while installing
zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool
zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT

zfs create -o mountpoint=/ rpool/ROOT/default

zfs create -o mountpoint=/home rpool/HOME
zfs create -o mountpoint=/root rpool/HOME/root
zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn

# distfiles and packages are already-compressed archives, so lz4 is turned off there
zfs create -o mountpoint=none rpool/GENTOO
zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles
zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages</code></pre>
<h2>Configuring</h2>
<p>USE flags:</p>
<pre><code>sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup</code></pre>
<p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p>
<p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot &amp;&amp; rc-update add zfs-mount &amp;&amp; rc-update add zfs-zed</code></p>
<h3>initramfs (genkernel)</h3>
<pre><code>sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf
sed -i 's/.*ZFS=.*/ZFS="yes"/' /etc/genkernel.conf
sed -i 's/.*DISKLABEL=.*/DISKLABEL="yes"/' /etc/genkernel.conf
genkernel --luks --zfs --disklabel initramfs</code></pre>
<h3>GRUB</h3>
<p>As grub-mkconfig is a piece of crap that produces an unreadable config, I write it myself. Here it is:</p>
<pre><code>#/boot/grub/grub.cfg
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha512
insmod zfs

cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
set root=(crypto0)
set prefix=(crypto0)/ROOT/default/@/boot/grub

insmod gzio

menuentry 'Gentoo Hardened 4.4.2' {
	linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs
	initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened
}
</code></pre>
<p>And that should be all!</p>
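<p>Added example, not part of the original post: a small POSIX shell script that checks a hand-written grub.cfg like the one above before you reboot into it. It assumes the UUID you pass is the LUKS header UUID (what <code>cryptsetup luksUUID /dev/sda</code> prints, which is the value <code>cryptomount -u</code>, <code>crypt_root=UUID=</code> and <code>rd.luks.uuid=</code> all match against), checks that every UUID in the file equals it, and checks that the prefix, kernel and initrd paths all live in the dataset named by <code>root=ZFS=</code>; the config it runs against is constructed inline.</p>

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a hand-written grub.cfg
# before rebooting. A wrong UUID or dataset path is the usual reason a LUKS+ZFS
# root fails to boot, and GRUB's own error messages give little to go on.
# Every UUID named by cryptomount -u, crypt_root=UUID= and rd.luks.uuid= must
# equal $2, the LUKS header UUID (what `cryptsetup luksUUID /dev/sda` prints).
check_grub_uuids() {
    cfg=$1; want=$2; rc=0
    for u in $(grep -oE '(cryptomount -u |crypt_root=UUID=|rd\.luks\.uuid=)[0-9a-fA-F-]+' "$cfg" |
               sed -E 's/.*[= ]//'); do
        [ "$u" = "$want" ] || { echo "UUID mismatch: $u (expected $want)" >&2; rc=1; }
    done
    return $rc
}

# prefix, linux and initrd paths must sit in the dataset that root=ZFS=<pool>/<ds>
# names, i.e. under /<ds>/@/boot ('@' separates dataset from path in GRUB's ZFS syntax).
check_grub_dataset() {
    cfg=$1; rc=0
    ds=$(grep -oE 'root=ZFS=[^ ]+' "$cfg" | head -n1 | sed 's|root=ZFS=[^/]*||')
    [ -n "$ds" ] || { echo "no root=ZFS= on the kernel line" >&2; return 1; }
    for p in $(grep -oE '(prefix=\(crypto0\)|linux |initrd )/[^ ]+' "$cfg" | sed 's|^[^/]*||'); do
        case $p in
            "$ds"/@/boot/*) ;;
            *) echo "path $p is outside $ds/@/boot" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the post's grub.cfg (insmod lines trimmed) plus a copy with one typo.
UUID=1c578f43-6f16-497c-ba88-986609ffa1d6
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp); trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<EOF
insmod cryptodisk
insmod luks
insmod zfs
cryptomount -u $UUID
set root=(crypto0)
set prefix=(crypto0)/ROOT/default/@/boot/grub
menuentry 'Gentoo Hardened 4.4.2' {
    linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=$UUID rd.luks.uuid=$UUID dozfs rootfstype=zfs
    initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened
}
EOF
# Last digit of rd.luks.uuid= changed: the initramfs would wait for a device that never appears.
sed "s/rd\.luks\.uuid=$UUID/rd.luks.uuid=${UUID%?}7/" "$GOOD_CFG" > "$BAD_CFG"
check_grub_uuids "$GOOD_CFG" "$UUID" && check_grub_dataset "$GOOD_CFG" && echo "good grub.cfg: OK"
check_grub_uuids "$BAD_CFG" "$UUID" || echo "broken grub.cfg: rejected, as expected"
```

Run it against your real file as <code>check_grub_uuids /boot/grub/grub.cfg "$(cryptsetup luksUUID /dev/sda)"</code> after sourcing the functions; the dataset check catches the other common slip, a prefix or kernel path pointing at a dataset other than the one root=ZFS= names.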