commit: 9a79a592c105acb9489a5f9160a2e9b8fb1d6870
parent db235a95a3fb088d1f7108d2ce7398f0b6e9483a
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Tue, 6 May 2025 20:14:22 +0200
articles/Entire Disk Encryption with LUKS and ZFS: LUKS1 + section links
Diffstat:
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/articles/Entire Disk Encryption with LUKS and ZFS.xhtml b/articles/Entire Disk Encryption with LUKS and ZFS.xhtml
@@ -1,17 +1,24 @@
<article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
<a class="u-url" href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS"><h1 class="p-name">Entire Disk Encryption with LUKS and ZFS</h1></a>
<p>Note: this is done from my current system, notes and my mind.</p>
-<p>This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)</p>
-<h3>Setup the disk</h3>
+<p>
+ This tutorial is for people that know how to install gentoo.
+ By Entire Disk Encryption I mean that even the <code>/boot</code> is encrypted (although grub isn't).
+</p>
+
+<h3 id="disk-setup">Setup the disk <a href="#disk-setup">§</a></h3>
<ul>
- <li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux</li>
+ <li>Disk: /dev/sda, sda1: BIOS Boot(2M+) / EFI System, sda2: Linux</li>
<li>LUKS container: $hostname</li>
<li>Zpool: $hostname</li>
<li>Your username: haelwenn</li>
<li>temporary mountpoint: /mnt/gentoo</li>
<li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li>
</ul>
-<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
+<p>
+ Picked LUKS1 because LUKS2 with GRUB is still too unstable and GRUB error messages are pretty bad, so better pick a safe one.
+</p>
+<pre><code>cryptsetup --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
cryptsetup open /dev/sda2 $hostname
zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname
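Review bot: the new `<p>` justifying LUKS1 should also state the security trade-off it implies, since a LUKS1 header can only use PBKDF2 for key derivation (LUKS2's Argon2id is not available), so the cost of a brute-force attempt on the passphrase rests entirely on the iteration count. Suggest extending the `luksFormat` line with an explicit `--iter-time` (milliseconds) so the unlock cost is chosen deliberately rather than left to cryptsetup's benchmark on whatever machine runs the install, e.g. `cryptsetup --type luks1 --iter-time 5000 --cipher aes-xts-plain64 ...`, and mentioning in the paragraph that a strong passphrase matters more with LUKS1 than with LUKS2. A secondary point on the same hunk: `sda1: BIOS Boot(2M+) / EFI System` reads as if the 2M+ sizing applies to both, but an EFI System Partition needs a FAT filesystem and considerably more space, and the hunk adds the EFI alternative without any ESP formatting or mount step to go with it; either qualify the size as BIOS-only or add the corresponding step.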
@@ -30,7 +37,8 @@ zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles
zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages
zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos
zfs create $hostname/GENTOO/repos/gentoo</code></pre>
-<h2>Configuring</h2>
+
+<h2 id="config">Configuring <a href="#config">§</a></h2>
<p>USE flags:</p>
<pre><code>sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
@@ -38,7 +46,8 @@ sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup</code></pre>
<p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p>
<p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed</code></p>
-<h3>initramfs (genkernel)</h3>
+
+<h3 id="initrd">initramfs (genkernel) <a href="#initrd">§</a></h3>
<pre><code>mv /etc/genkernel.conf /etc/genkernel.conf.dist
cat >/etc/genkernel.conf <<-EOF
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
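Review bot: the new anchor `id="initrd"` does not match the heading text `initramfs (genkernel)`, while the other hunks in this commit derive the id from the heading (`disk-setup`, `config`, `grub`); suggest `id="initramfs"` with the matching `href="#initramfs"` so the fragment links stay predictable for readers and for any external links to the section.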
@@ -64,7 +73,8 @@ INITRAMFS_SYMLINK_NAME="initramfs"
MICROCODE_INITRAMFS="yes"
EOF
genkernel initramfs</code></pre>
-<h3>GRUB</h3>
+
+<h3 id="grub">GRUB <a href="#grub">§</a></h3>
<p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p>
<pre><code>#/boot/grub/grub.cfg
insmod part_gpt