

Skill: Advanced. Complexity: Significant. EstTimeToComplete: ~3 Hours

Encrypted ZFS Root

ZFS Root/Boot Help https://github.com/zfsonlinux/pkg-zfs/wiki/HOWTO-install-Ubuntu-to-a-Native-ZFS-Root-Filesystem

http://docs.oracle.com/cd/E19253-01/819-5461/gaynr/index.html

DON'T CHANGE rpool - the name seems to be hard-wired in the zfs utils (root_pool didn't work). MAYBE rpool=OtherPoolName could be specified on the grub initrd line, but that wasn't tried.

Boot to LiveCD sudo -i #apt-get -y install openssh-server #passwd root

SSD 216GB (/dev/sda)

dd if=/dev/zero of=/dev/sda bs=1M count=10 dd if=/dev/zero of=/dev/sdb bs=1M count=10

parted -a optimal /dev/sda mklabel msdos unit MB mkpart primary 1 513 mkpart primary 513 -1 toggle 1 boot

parted -a optimal /dev/sdb mklabel gpt unit MB mkpart vpool 1 -1

(/etc/gai.conf - ipv4 precedence)

2 drives, install 13.04 ALL on temp part, CONTINUE TESTING

apt-add-repository --yes ppa:zfs-native/stable apt-get -y update apt-get -y install ubuntu-zfs

(while that is compiling/installing - setup crypts) cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sda2 cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 /dev/sdb1

cryptsetup luksOpen /dev/sda2 root_crypt cryptsetup luksOpen /dev/sdb1 vault_crypt

Build a 2048-byte random key (bs=512 * count=4): dd if=/dev/urandom of=/tmp/keyfile bs=512 count=4 ; cryptsetup luksAddKey /dev/sdb1 <path>/keyfile (this keyfile unlocks vault_crypt - don't leave the /tmp copy behind once it has been copied into place in a later step)

mkfs.ext4 -m 0 -L /boot -j /dev/sda1
zpool create -O mountpoint=none -o ashift=12 rpool /dev/mapper/root_crypt (sda2)
zpool create -O mountpoint=none -o ashift=12 vpool /dev/mapper/vault_crypt (sdb1)

zfs create -V 1024M -b $(getconf PAGESIZE) \
  -o compression=off \
  -o primarycache=metadata \
  -o secondarycache=none \
  -o sync=always \
  -o com.sun:auto-snapshot=false rpool/SWAP

zfs create -o compression=lz4 rpool/ROOT zfs create -o compression=lz4 vpool/VAULT zfs set atime=off rpool/ROOT zfs set atime=off vpool/VAULT

#zfs umount -a zfs set mountpoint=/ rpool/ROOT zfs set mountpoint=/vault vpool/VAULT zpool set bootfs=rpool/ROOT rpool zpool export rpool zpool export vpool

zpool import -d /dev/mapper -R /mnt/zfs rpool zpool import -d /dev/mapper -R /mnt/zfs vpool

mkdir /mnt/raring; mount <tmpFS> /mnt/raring #cp /etc/resolv.conf /mnt/raring/etc/resolv.conf (if needed)

mkdir /mnt/zfs/boot;mount /dev/sda1 /mnt/zfs/boot cd /mnt/raring; tar cfp - . | ( cd /mnt/zfs/;tar xvfp -) #cp /etc/resolv.conf /mnt/zfs/etc/resolv.conf (if needed)

mkdir /mnt/zfs/root/luks; chmod 700 /mnt/zfs/root/luks cp <path>/keyfile /mnt/zfs/root/luks/.; chmod 400 /mnt/zfs/root/luks/keyfile

umount /mnt/raring (keep sdb1 for redo if necessary)

mount -o bind /proc /mnt/zfs/proc mount -o bind /dev /mnt/zfs/dev mount -o bind /dev/pts /mnt/zfs/dev/pts mount -o bind /sys /mnt/zfs/sys chroot /mnt/zfs /bin/bash --login

hostid > /etc/hostid (if it doesn't exist already; then take (or not) the maintainer's version when the zfs package is installed later...) ln -s /dev/mapper/root_crypt /dev/root_crypt (otherwise update-grub complains it can't find the canonical path)

apt-add-repository --yes ppa:zfs-native/stable apt-get -y update apt-get -y install ubuntu-zfs zfs-initramfs cryptsetup

Modify fstab: remove the 'temp' entries and replace them with the zfs target ones.

echo '/dev/sda1 /boot auto defaults 0 0' >> /etc/fstab echo '/dev/mapper/root_crypt / zfs defaults 0 0' >> /etc/fstab echo '/dev/zvol/rpool/SWAP none swap defaults 0 0' >> /etc/fstab

# For update-grub/crypt <crypto_LUKS_SD# UUID> echo 'root_crypt UUID=<uuid-no-quotes> none luks,discard' >> /etc/crypttab

# For initramfs (ALL the volumes need to be unlocked. A key can't be passed since /dev/mapper/root_crypt is NOT mounted on /root yet... zfs mountpoint=legacy with vpool/VAULT in fstab doesn't work. /etc/default/zfs ZFS_MOUNT=yes doesn't work. Haven't tried the keyscript with an external key. Double prompt for now...) So, to ensure all crypt containers are unlocked, include them all in /etc/initramfs-tools/conf.d/cryptroot (the file must be named 'cryptroot' for the initramfs crypt scripts to read all the entries; files with other names are ignored).

/lib/cryptsetup/scripts/decrypt_derived root_crypt > /tmp/key ; cryptsetup luksAddKey /dev/sdb1 /tmp/key (remove /tmp/key afterwards - it is a valid unlock key for vault_crypt)

cp /lib/cryptsetup/scripts/decrypt_derived /etc/initramfs-tools/scripts/luks/get.root_crypt.decrypt_derived

vi /etc/initramfs-tools/scripts/luks/get.root_crypt.decrypt_derived - add CRYPT_DEVICE=root_crypt to the top of the file, then replace $1 with the new variable (in vi: s/\$1/\$CRYPT_DEVICE/gc). # Couldn't find a way for /etc/initramfs-tools/conf.d/cryptroot entries to pass 'key=' to the 'keyscript='

target=root_crypt,source=UUID=<uuid-no-quotes>,key=none,rootdev,discard
target=vault_crypt,source=UUID=<uuid-no-quotes>,key=root_crypt,keyscript=/scripts/luks/get.root_crypt.decrypt_derived

# With these settings zfs will 'auto' mount the other volumes as expected

# For future update-grub (still not sure why /dev/* instead of /dev/mapper/*) echo 'ENV{DM_NAME}=="root_crypt", SYMLINK+="root_crypt"' > /etc/udev/rules.d/99-local.rules

(until certain - remove 'splash quiet' from the /etc/default/grub command line; MAKE sure boot=zfs is present) Add boot=zfs to GRUB_CMDLINE_LINUX_DEFAULT= - it won't boot without it.

update-initramfs -c -k all update-grub grub-install /dev/sda

exit umount /mnt/zfs/boot umount /mnt/zfs/sys umount /mnt/zfs/dev/pts umount /mnt/zfs/proc umount /mnt/zfs/dev

#zfs umount -a zpool export vpool zpool export rpool

reboot

Creative Commons License

Author: James B. Crocker

EMail: james@constantsc.net

http://i.creativecommons.org/l/by-sa/3.0/88x31.png

This work is licensed under a Creative Commons Attribution-Share Alike 3.0 License.


CategorySecurity