commit: a7179ece2ec9d2bf285c5a2e821056312670a5f5
parent c35be537826ad6252ce4723416d4e590b1569200
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Wed, 24 Jun 2020 00:16:14 +0200
Entire Disk Encryption: Update
Diffstat:
1 file changed, 49 insertions(+), 25 deletions(-)
diff --git a/articles/Entire Disk Encryption with LUKS and ZFS.xhtml b/articles/Entire Disk Encryption with LUKS and ZFS.xhtml
@@ -4,29 +4,32 @@
<p>This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)</p>
<h3>Setup the disk</h3>
<ul>
- <li>Disk: /dev/sda</li>
- <li>LUKS container: cryptrpool</li>
- <li>Zpool: rpool</li>
- <li>Your username: haelwenn</li>
- <li>temporary mountpoint: /mnt/gentoo</li>
- <li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li>
+ <li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux
+ <li>LUKS container: $hostname
+ <li>Zpool: $hostname
+ <li>Your username: haelwenn
+ <li>temporary mountpoint: /mnt/gentoo
+ <li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6
</ul>
-<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda
-cryptsetup luksOpen /dev/sda cryptrpool
+<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
+cryptsetup open /dev/sda2 $hostname
-zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool
-zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT
+zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname
+zfs create $hostname/ROOT
-zfs create -o mountpoint=/ rpool/ROOT/default
+zfs create -o mountpoint=legacy $hostname/ROOT/gentoo
+mkdir /mnt/gentoo
+mount -t zfs $hostname/ROOT/gentoo /mnt/gentoo
-zfs create -o mountpoint=/home rpool/HOME
-zfs create -o mountpoint=/root rpool/HOME/root
-zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn
+zfs create -o mountpoint=/home $hostname/HOME
+zfs create $hostname/HOME/haelwenn
+zfs create -o mountpoint=/root $hostname/HOME/root
-zfs create -o mountpoint=none rpool/GENTOO
-zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage
-zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles
-zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages</code></pre>
+zfs create $hostname/GENTOO
+zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles
+zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages
+zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos
+zfs create $hostname/GENTOO/repos/gentoo
<h2>Configuring</h2>
<p>USE flags:</p>
<pre><code>sys-boot/grub libzfs device-mapper
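Review bot: the rewritten list items (`<li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux` through `<li>UUID of your clean GPT table: ...`) drop their closing `</li>` tags, and the new final command `zfs create $hostname/GENTOO/repos/gentoo` is not followed by the `</code></pre>` that the removed `...rpool/GENTOO/packages</code></pre>` line carried, so the following `<h2>Configuring</h2>` now sits inside the open code block; in an .xhtml document both leave the file ill-formed as XML. Restore `</li>` on each item and `</code></pre>` after the last `zfs create`. Also, `luksFormat /dev/sda2` is run without `--type luks1`: a current cryptsetup then writes a LUKS2 header, which GRUB's cryptodisk cannot open before GRUB 2.06, yet the grub.cfg later in this patch boots from `(crypto0)`. Pass `--type luks1` or state that requirement next to the command.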
@@ -36,10 +39,31 @@ sys-kernel/genkernel cryptsetup</code></pre>
<p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p>
<p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed</code></p>
<h3>initramfs (genkernel)</h3>
-<pre><code>sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf
-sed -i 's/.*ZFS=.*/ZFS="yes"/' /etc/genkernel.conf
-sed -i 's/.*DISKLABEL=.*/DISKLABEL="yes"/' /etc/genkernel.conf
-genkernel --luks --zfs --disklabel initramfs</code></pre>
+<pre><code>mv /etc/genkernel.conf /etc/genkernel.conf.dist
+cat >/etc/genkernel.conf <<-EOF
+GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
+CACHE_DIR="/var/cache/genkernel"
+DISTDIR="/var/cache/distfiles"
+LOGFILE="/var/log/genkernel.log"
+DEFAULT_KERNEL_SOURCE="/usr/src/linux"
+LOGLEVEL=1
+
+INSTALL="yes"
+SYMLINK="yes"
+BUSYBOX="yes"
+LUKS="yes"
+ZFS="yes"
+DISKLABEL="yes"
+
+KERNEL_SYMLINK_NAME="vmlinuz"
+
+COMPRESS_INITRD="yes"
+COMPRESS_INITRD_TYPE="best"
+
+INITRAMFS_SYMLINK_NAME="initramfs"
+MICROCODE_INITRAMFS="yes"
+EOF
+genkernel initramfs</code></pre>
<h3>GRUB</h3>
<p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p>
<pre><code>#/boot/grub/grub.cfg
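Review bot: `cat >/etc/genkernel.conf <<-EOF` has two problems. Inside an .xhtml `<pre><code>` the literal `<<-EOF` must be written `&lt;&lt;-EOF`, otherwise the document is no longer well-formed XML (the `sed` lines it replaces had no such character). And because the delimiter is unquoted, the shell expands `${GK_SHARE:-/usr/share/genkernel}` while writing the file, so it lands in genkernel.conf as `GK_SHARE="/usr/share/genkernel"` instead of the default expression that genkernel's own config uses; quoting the delimiter (`<<-'EOF'`) keeps the heredoc contents literal. Minor: `<<-` only strips leading tabs, which is harmless here since the body is not indented, but a plain `<<` is less surprising to readers copying the snippet.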
@@ -56,9 +80,9 @@ set prefix=(crypto0)/ROOT/default/@/boot/grub
insmod gzio
-menuentry 'Gentoo Hardened 4.4.2' {
- linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs
- initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened
+menuentry 'Gentoo' {
+ linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs=cache rootfstype=zfs
+ initrd /ROOT/default/@/boot/initramfs
}
</code></pre>
<p>And that should be all !</p>
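Review bot: the updated `menuentry 'Gentoo'` still boots `/ROOT/default/@/boot/vmlinuz` with `root=ZFS=rpool/ROOT/default`, but the first hunk of this patch renamed the pool to `$hostname` and the root dataset to `$hostname/ROOT/gentoo`, so this grub.cfg (including the unchanged `set prefix=(crypto0)/ROOT/default/@/boot/grub` context line) no longer matches the pool it is meant to boot; update the dataset path in both the `linux` line and `set prefix`. Also, `crypt_root=UUID=1c578f43-...` reuses the value the list above labels as the UUID of the GPT table, while the LUKS container now lives on /dev/sda2; genkernel resolves `crypt_root=UUID=` through blkid, so this should be the UUID blkid reports for /dev/sda2 (the LUKS header), not the disk's GPT GUID.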