blog

Entire Disk Encryption with LUKS and ZFS.xhtml (3698B)

<!--
Copyright © 2014 Haelwenn (lanodan) Monnier
SPDX-License-Identifier: LAL-1.3
-->
<article xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="h-entry">
<a class="u-url" href="/articles/Entire%20Disk%20Encryption%20with%20LUKS%20and%20ZFS"><h1 class="p-name">Entire Disk Encryption with LUKS and ZFS</h1></a>
<p>Note: this is done from my current system, notes and my mind.</p>
<p>
	This tutorial is for people that know how to install gentoo.
	By Entire Disk Encryption I mean that even the <code>/boot</code> is encrypted (although grub isn't).
</p>
<h3 id="disk-setup">Setup the disk <a href="#disk-setup">§</a></h3>
<ul>
	<li>Disk: /dev/sda, sda1: BIOS Boot(2M+) / EFI System, sda2: Linux</li>
	<li>LUKS container: $hostname</li>
	<li>Zpool: $hostname</li>
	<li>Your username: haelwenn</li>
	<li>temporary mountpoint: /mnt/gentoo</li>
	<li>UUID of your clean GPT table: 1c578f43-6f16-497c-ba88-986609ffa1d6</li>
</ul>
<p>
	Picked LUKS1 because LUKS2 with GRUB is still too unstable and GRUB error messages are pretty bad, so better pick a safe one.
</p>
<pre><code>cryptsetup --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --verify-passphrase luksFormat /dev/sda2
cryptsetup open /dev/sda2 $hostname
zpool create -f -O compression=lz4 -m none -R /mnt/gentoo $hostname /dev/mapper/$hostname
zfs create $hostname/ROOT
zfs create -o mountpoint=legacy $hostname/ROOT/gentoo
mkdir /mnt/gentoo
mount -t zfs $hostname/ROOT/gentoo /mnt/gentoo
zfs create -o mountpoint=/home $hostname/HOME
zfs create $hostname/HOME/haelwenn
zfs create -o mountpoint=/root $hostname/HOME/root
zfs create $hostname/GENTOO
zfs create -o mountpoint=/var/cache/distfiles $hostname/GENTOO/distfiles
zfs create -o mountpoint=/var/cache/binpkgs $hostname/GENTOO/packages
zfs create -o mountpoint=/var/db/repos $hostname/GENTOO/repos
zfs create $hostname/GENTOO/repos/gentoo</code></pre>
<h2 id="config">Configuring <a href="#config">§</a></h2>
<p>USE flags:</p>
<pre><code>sys-boot/grub libzfs device-mapper
sys-fs/zfs rootfs
sys-fs/zfs-kmod rootfs
sys-kernel/genkernel cryptsetup</code></pre>
<p>Now you need: <code>sys-boot/grub sys-fs/zfs sys-fs/zfs-kmod sys-kernel/genkernel</code>. You can also replace genkernel with dracut.</p>
<p>Configuring ZFS for boot-up: <code>rc-update add zfs-import boot &amp;&amp; rc-update add zfs-mount &amp;&amp; rc-update add zfs-zed</code></p>
<h3 id="initrd">initramfs (genkernel) <a href="#initrd">§</a></h3>
<pre><code>mv /etc/genkernel.conf /etc/genkernel.conf.dist
cat &gt;/etc/genkernel.conf &lt;&lt;-EOF
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
CACHE_DIR="/var/cache/genkernel"
DISTDIR="/var/cache/distfiles"
LOGFILE="/var/log/genkernel.log"
DEFAULT_KERNEL_SOURCE="/usr/src/linux"
LOGLEVEL=1
INSTALL="yes"
SYMLINK="yes"
BUSYBOX="yes"
LUKS="yes"
ZFS="yes"
DISKLABEL="yes"
KERNEL_SYMLINK_NAME="vmlinuz"
COMPRESS_INITRD="yes"
COMPRESS_INITRD_TYPE="best"
INITRAMFS_SYMLINK_NAME="initramfs"
MICROCODE_INITRAMFS="yes"
EOF
genkernel initramfs</code></pre>
<h3 id="grub">GRUB <a href="#grub">§</a></h3>
<p>As grub-mkconfig is a piece of crap which does unreadable config, I do it myself. Here it is:</p>
<pre><code>#/boot/grub/grub.cfg
insmod part_gpt
insmod cryptodisk
insmod luks
insmod gcry_rijndael
insmod gcry_sha512
insmod zfs
cryptomount -u 1c578f43-6f16-497c-ba88-986609ffa1d6
set root=(crypto0)
set prefix=(crypto0)/ROOT/default/@/boot/grub
insmod gzio
menuentry 'Gentoo' {
	linux /ROOT/default/@/boot/vmlinuz root=ZFS=rpool/ROOT/default crypt_root=UUID=1c578f43-6f16-497c-ba88-986609ffa1d6 dozfs=cache rootfstype=zfs
	initrd /ROOT/default/@/boot/initramfs
}
</code></pre>
<p>And that should be all !</p>
</article>