commit: d8cf731f4ebb3ca26cbcc1e2d99487808271e8dc parent d0cd1e0bd7e32cdfa494e09eeb8107ce478c869b Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me> Date: Fri, 15 Jul 2016 05:38:05 +0200 articles: Entire Disk Encryption with LUKS and ZFSDiffstat:
| A | articles/Entire Disk Encryption with LUKS and ZFS.html | 63 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | articles/Entire Disk Encryption with LUKS and ZFS.shtml | 16 | ++++++++++++++++ |
| M | home.shtml | 3 | +++ |
3 files changed, 82 insertions(+), 0 deletions(-)diff --git a/articles/Entire Disk Encryption with LUKS and ZFS.html b/articles/Entire Disk Encryption with LUKS and ZFS.html@@ -0,0 +1,63 @@ +<a href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS"><h1>Entire Disk Encryption with LUKS and ZFS</h1></a> +<p>Note: this is done from my current system, notes and my mind.</p> +<p>This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)</p> +<h3>Setup the disk</h3> +<ul> + <li>Disk: /dev/sda + <li>LUKS container: cryptrpool + <li>Zpool: rpool + <li>Your username: haelwenn + <li>temporary mountpoint: /mnt/gentoo + <li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6 +</ul> +<pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda +cryptsetup luksOpen /dev/sda cryptrpool + +zpool create -f -m none -R /mnt/gentoo rpool /dev/mapper/cryptrpool +zfs create -o mountpoint=none -o compression=lz4 rpool/ROOT + +zfs create -o mountpoint=/ rpool/ROOT/default + +zfs create -o mountpoint=/home rpool/HOME +zfs create -o mountpoint=/root rpool/HOME/root +zfs create -o mountpoint=/home/haelwenn rpool/HOME/haelwenn + +zfs create -o mountpoint=none rpool/GENTOO +zfs create -o mountpoint=/usr/portage rpool/GENTOO/portage +zfs create -o mountpoint=/usr/portage/distfiles -o compression=off rpool/GENTOO/distfiles +zfs create -o mountpoint=/usr/portage/packages -o compression=off rpool/GENTOO/packages</code></pre> +<h2>Configuring</h2> +<p>USE flags:</p> +<pre><code>sys-boot/grub libzfs device-mapper +sys-fs/zfs rootfs +sys-fs/zfs-kmod rootfs +sys-kernel/genkernel cryptsetup</pre></code> +<p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p> +<p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot && rc-update add zfs-mount && rc-update add zfs-zed</code></p> +<h3>initramfs (genkernel)</h3> +<pre><code>sed -i 's/.*LUKS=.*/LUKS="yes"/' /etc/genkernel.conf +sed -i 's/.*/.*ZFS.*/ZFS="yes"/' /etc/genkernel.conf +sed -i 's/.*/.*DISKLABEL.*/DISKLABEL="yes"/' /etc/genkernel.conf +genkernel --luks --zfs --disklabel initramfs</code></pre> +<h3>GRUB</h3> +<p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p> +<pre><code>#/boot/grub/grub.cfg +insmod part_gpt +insmod cryptodisk +insmod luks +insmod gcry_rijndael +insmod gcry_sha512 +insmod zfs + +cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6 +set root=(crypto0) +set prefix=(crypto0)/ROOT/default/@/boot/grub + +insmod gzio + +menuentry 'Gentoo Hardened 4.4.2' { + linux /ROOT/default/@/boot/vmlinuz-4.4.2-hardened root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 rd.luks.uuid=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs rootfstype=zfs + initrd /ROOT/default/@/boot/initramfs-genkernel-x86_64-4.4.2-hardened +} +</code></pre> +<p>And that should be all !</p>diff --git a/articles/Entire Disk Encryption with LUKS and ZFS.shtml b/articles/Entire Disk Encryption with LUKS and ZFS.shtml@@ -0,0 +1,16 @@ +<!DOCTYPE html> +<html lang="en"> + <head> +<!--#include file="/templates/head.shtml" --> + <title>Entire Disk Encryption with LUKS and ZFS — Cyber-home of lanodan</title> + <link type="application/rss+xml" href="/rss" title="flux RSS" rel="alternate"></link> + </head> + <body> +<!--#include file="/templates/en/nav.shtml" --> + <article> +<!--#include file="/articles/Entire Disk Encryption with LUKS and ZFS.html"--> + </article> + <a href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS.html">article only(plain HTML)</a> +<!--#include file="/templates/en/footer.html" --> + </body> +</html>diff --git a/home.shtml b/home.shtml@@ -8,6 +8,9 @@ <body> <!--#set var="transPageUrl" value='accueil' --><!--#include file="templates/en/nav.shtml" --> <article> +<!--#include file="/articles/Entire Disk Encryption with LUKS and ZFS.html"--> + </article> + <article> <!--#include file="/articles/Tagged by toot6.html"--> </article> <article>