Entire Disk Encryption with LUKS and ZFS

Note: this is written from my current system, my notes and my memory.

This tutorial is for people who know how to install Gentoo. By Entire Disk Encryption I mean that even /boot is encrypted (but GRUB itself isn't; I think I'd need UEFI, which is too hard and risky to set up, and I don't have hardware compatible with coreboot).

Setup the disk

cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
cryptsetup open /dev/sda2 $hostname

zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname
zfs create $hostname/ROOT

zfs create -o mountpoint=legacy $hostname/ROOT/gentoo
mkdir /mnt/gentoo
mount -t zfs $hostname/ROOT/gentoo /mnt/gentoo

zfs create -o mountpoint=/home $hostname/HOME
zfs create $hostname/HOME/haelwenn
zfs create -o mountpoint=/root $hostname/HOME/root

zfs create $hostname/GENTOO
zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles
zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages
zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos
zfs create $hostname/GENTOO/repos/gentoo

Configuring

USE flags:

sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup

Now emerge: sys-boot/grub, sys-fs/zfs, sys-fs/zfs-kmod and sys-kernel/genkernel. You can also replace genkernel with dracut.

Configuring ZFS for boot-up:

rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed

initramfs (genkernel)

mv /etc/genkernel.conf /etc/genkernel.conf.dist
# quote the delimiter so the ${GK_SHARE:-...} default is written literally instead of being expanded by the shell now
cat >/etc/genkernel.conf <<-'EOF'
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
CACHE_DIR="/var/cache/genkernel"
DISTDIR="/var/cache/distfiles"
LOGFILE="/var/log/genkernel.log"
DEFAULT_KERNEL_SOURCE="/usr/src/linux"
LOGLEVEL=1

INSTALL="yes"
SYMLINK="yes"
BUSYBOX="yes"
LUKS="yes"
ZFS="yes"
DISKLABEL="yes"

KERNEL_SYMLINK_NAME="vmlinuz"

COMPRESS_INITRD="yes"
COMPRESS_INITRD_TYPE="best"

INITRAMFS_SYMLINK_NAME="initramfs"
MICROCODE_INITRAMFS="yes"
EOF
genkernel initramfs

GRUB

As grub-mkconfig is a piece of crap that produces unreadable configs, I write it myself. Here it is (the pool name rpool, the dataset ROOT/default and the LUKS UUID below are the ones from this machine and don't match the $hostname/ROOT/gentoo names used earlier; substitute your own):

# /boot/grub/grub.cfg
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha512
insmod zfs

cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
set root=(crypto0)
set prefix=(crypto0)/ROOT/default/@/boot/grub

insmod gzio

menuentry 'Gentoo' {
	linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs=cache rootfstype=zfs
	initrd /ROOT/default/@/boot/initramfs
}
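Because the LUKS UUID and the root dataset are given twice in this file (once for GRUB via cryptomount and prefix, once for the initramfs via crypt_root= and root=ZFS=), a slip on either side only shows up as a failed boot. The following is an added consistency check for a hand-written grub.cfg of this shape; it is example code, not part of the original post, and assumes the layout shown above (cryptomount -u, set prefix=(crypto0)/..., paths using /@/boot/).

```shell
#!/bin/sh
# Added example, not part of the original post: consistency check for a
# hand-written grub.cfg of the shape shown above. GRUB and the initramfs
# each receive the LUKS UUID and the root dataset separately (cryptomount
# and prefix vs. crypt_root= and root=ZFS=), so a slip on one side gives a
# disk that unlocks in GRUB and then fails in the initramfs, or vice versa.
# Returns 0 when consistent, 1 otherwise, with one line on stderr per issue.
check_grub_cfg() {
    cfg="$1"; rc=0
    grub_uuid=$(sed -n 's/^cryptomount -u \([0-9a-fA-F-]*\).*/\1/p' "$cfg")
    kern_uuid=$(sed -n 's/.*crypt_root=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$cfg")
    if [ -z "$grub_uuid" ] || [ "$grub_uuid" != "$kern_uuid" ]; then
        echo "UUID mismatch: cryptomount='$grub_uuid' crypt_root='$kern_uuid'" >&2; rc=1
    fi
    # In GRUB's ZFS paths "/@/" ends the dataset name and starts the file path.
    prefix_ds=$(sed -n 's|^set prefix=(crypto0)/\(.*\)/@/boot/grub$|\1|p' "$cfg")
    file_ds=$(grep -E '^[[:space:]]*(linux|initrd) /' "$cfg" |
              sed 's|^[[:space:]]*[a-z]* /\(.*\)/@/boot/.*|\1|')
    for ds in $file_ds; do
        [ "$ds" = "$prefix_ds" ] || { echo "prefix dataset '$prefix_ds' != path dataset '$ds'" >&2; rc=1; }
    done
    # root=ZFS= carries the pool name; GRUB paths are relative to the pool.
    root_ds=$(sed -n 's/.*root=ZFS=\([^ ]*\).*/\1/p' "$cfg")
    [ -n "$prefix_ds" ] && [ "${root_ds#*/}" = "$prefix_ds" ] ||
        { echo "root=ZFS='$root_ds' != GRUB dataset '$prefix_ds'" >&2; rc=1; }
    return $rc
}

# Writes a constructed grub.cfg in the post's layout to $1 so the check can
# run offline: $2 dataset used in GRUB paths, $3 root=ZFS= value,
# $4 UUID for cryptomount, $5 UUID for crypt_root=.
write_sample_cfg() {
    cat >"$1" <<EOF
insmod cryptodisk
insmod luks
insmod zfs
cryptomount -u $4
set root=(crypto0)
set prefix=(crypto0)/$2/@/boot/grub
menuentry 'Gentoo' {
    linux /$2/@/boot/vmlinuz root=ZFS=$3 crypt_root=UUID=$5 dozfs=cache rootfstype=zfs
    initrd /$2/@/boot/initramfs
}
EOF
}

# Usage: check_grub_cfg /boot/grub/grub.cfg && echo consistent
```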

And that should be all!