logo

blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git

Entire Disk Encryption with LUKS and ZFS.xhtml (3389B)

    

  1. <article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
  2. <a class="u-url" href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS"><h1 class="p-name">Entire Disk Encryption with LUKS and ZFS</h1></a>
  3. <p>Note: this is done from my current system, notes and my mind.</p>
  4. <p>This tutorial is for people that know how to install gentoo. By Entire Disk Encryption I mean that even the /boot is encrypted. (but grub isn’t I think I’d need UEFI which too much hard and risky to setup and I don’t have hardware compatible with coreboot)</p>
  5. <h3>Setup the disk</h3>
  6. <ul>
  7. 	<li>Disk: /dev/sda, sda1: BIOS Boot(2M+), sda2: Linux</li>
  8. 	<li>LUKS container: $hostname</li>
  9. 	<li>Zpool: $hostname</li>
  10. 	<li>Your username: haelwenn</li>
  11. 	<li>temporary mountpoint: /mnt/gentoo</li>
  12. 	<li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li>
  13. </ul>
  14. <pre><code>cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
  15. cryptsetup open /dev/sda2 $hostname
  17. zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname
  18. zfs create $hostname/ROOT
  20. zfs create -o mountpoint=legacy $hostname/ROOT/gentoo
  21. mkdir /mnt/gentoo
  22. mount -t zfs $hostname/ROOT/gentoo /mnt/gentoo
  24. zfs create -o mountpoint=/home $hostname/HOME
  25. zfs create $hostname/HOME/haelwenn
  26. zfs create -o mountpoint=/root $hostname/HOME/root
  28. zfs create $hostname/GENTOO
  29. zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles
  30. zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages
  31. zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos
  32. zfs create $hostname/GENTOO/repos/gentoo</code></pre>
  33. <h2>Configuring</h2>
  34. <p>USE flags:</p>
  35. <pre><code>sys-boot/grub libzfs device-mapper
  36. sys-fs/zfs rootfs
  37. sys-fs/zfs-kmod rootfs
  38. sys-kernel/genkernel cryptsetup</code></pre>
  39. <p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p>
  40. <p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot &amp;&amp; rc-update add zfs-mount &amp;&amp; rc-update add zfs-zed</code></p>
  41. <h3>initramfs (genkernel)</h3>
  42. <pre><code>mv /etc/genkernel.conf /etc/genkernel.conf.dist
  43. cat &gt;/etc/genkernel.conf &lt;&lt;-EOF
  44. GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
  45. CACHE_DIR="/var/cache/genkernel"
  46. DISTDIR="/var/cache/distfiles"
  47. LOGFILE="/var/log/genkernel.log"
  48. DEFAULT_KERNEL_SOURCE="/usr/src/linux"
  49. LOGLEVEL=1
  51. INSTALL="yes"
  52. SYMLINK="yes"
  53. BUSYBOX="yes"
  54. LUKS="yes"
  55. ZFS="yes"
  56. DISKLABEL="yes"
  58. KERNEL_SYMLINK_NAME="vmlinuz"
  60. COMPRESS_INITRD="yes"
  61. COMPRESS_INITRD_TYPE="best"
  63. INITRAMFS_SYMLINK_NAME="initramfs"
  64. MICROCODE_INITRAMFS="yes"
  65. EOF
  66. genkernel initramfs</code></pre>
  67. <h3>GRUB</h3>
  68. <p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p>
  69. <pre><code>#/boot/grub/grub.cfg
  70. insmod part_gpt
  71. insmod cryptodisk
  72. insmod luks
  73. insmod gcry_rijndael
  74. insmod gcry_sha512
  75. insmod zfs
  77. cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
  78. set root=(crypto0)
  79. set prefix=(crypto0)/ROOT/default/@/boot/grub
  81. insmod gzio
  83. menuentry 'Gentoo' {
  84. 	linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs=cache rootfstype=zfs
  85. 	initrd /ROOT/default/@/boot/initramfs
  86. }
  87. </code></pre>
  88. <p>And that should be all !</p>
  89. </article>