PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-11-09 16:21:34 -05:00
Code

Update

Browse Source
This commit is contained in:
Tommy 2023-07-26 16:24:38 -07:00
parent e8b62e23cb
commit 3cdaf86886
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
content/posts/linux/Root ZFS Encryption, Mirroring, and Remote Unlocking with Ubuntu.md
View File

@ -9,6 +9,12 @@ While Unbutu supports ZFS on root filesystems with an easy snapshot and rollback
![ZFSBootMenu](/images/zfsbootmenu.png) ![ZFSBootMenu](/images/zfsbootmenu.png)
## Enter the Shell
Enter the shell on your Ubuntu Installer:
## Partitioning the Disk ## Partitioning the Disk
Esentially, we need a 512MB ESP partition for ZFSBootMenu and a `/` partition for the rest of the system. If you are using a single disk, just make those 2 partitions on your disk. If you are planning to do mirroring, set up both on of these partitions on each disk. Esentially, we need a 512MB ESP partition for ZFSBootMenu and a `/` partition for the rest of the system. If you are using a single disk, just make those 2 partitions on your disk. If you are planning to do mirroring, set up both on of these partitions on each disk.
@ -24,10 +30,41 @@ cfdisk /dev/nvme0n2
## Mirroring the ESP partition ## Mirroring the ESP partition
__Skip this if you are not doing mirroring__ _Skip this if you are not doing mirroring_
While the EFI specs do not support `mdadm`, we can setup mdadm with metadata v1.0, which will be put at the end of the parition and allows it to boot. While the EFI specs do not support `mdadm`, we can setup mdadm with metadata v1.0, which will be put at the end of the parition and allows it to boot.
```bash ```bash
mdadm --create /dev/md0 --level 1 --raid-disks --metadata 1.0 /dev/nvme0n1p1 /dev/nvme0n1p2 mdadm --create /dev/md0 --level 1 --raid-disks --metadata 1.0 /dev/nvme0n1p1 /dev/nvme0n1p2
``` ```
## Setup the ZFS partition
This part is mostly based on the [official ZFSBootMenu guide](https://docs.zfsbootmenu.org/en/v2.2.x/guides/ubuntu/uefi.html) with some changes to work around some not-so-great instructions there.
### Creating the zpool
#### Getting the Disk ID.
First, we must get the disk IDs from `/dev/disk/by-id`. The official guide uses the dynamically assigned drive identifier (`/dev/sda`, `/dev/nvme0n1`, etc), which is not what we want to do with zpools, since it will cause problems later on.
![/dev/disk/by-id](/images/disk-by-id.png)
#### Installing ZFS-Utils
```bash
sudo apt install zfsutils-linux -y
```
#### Create the encryption key
```bash
echo 'SomeKeyphrase' > /etc/zfs/zroot.key
chmod 000 /etc/zfs/zroot.key
```
#### For non-mirroring setup
```bash
sudo zpool create -o ashift=12 -O compression=zstd -O acltype=posixacl -O xattr=sa -O atime=off -O encryption=on -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -o autotrim=on -m none zroot /dev/disk/by-id/nvme-SAMSUNG_MZQL21T9HCJR-00A07_XXXXXXX-part2
```

BIN
static/images/disk-by-id.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 396 KiB