mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2025-01-04 03:01:34 -05:00
Fix typos in ZFS Encryption post (#261)
Fix typos

Signed-off-by: Friendly Rabbit <169707731+friendly-rabbit-35@users.noreply.github.com>
parent c508504759
commit 7843b6f163
@ -13,7 +13,7 @@ _The post also assumes that the Proxmox installation is new and does not have an
|
|||||||
|
|
||||||
## Encrypting the `rpool/ROOT` dataset
|
## Encrypting the `rpool/ROOT` dataset
|
||||||
|
|
||||||
Proxmox installs its system inside of the `rpool/ROOT` dataset. This is what we will encrypt first.
|
Proxmox installs its system inside the `rpool/ROOT` dataset. This is what we will encrypt first.
|
||||||
|
|
||||||
First, boot into the initramfs. On the startup menu, press `e` to edit the boot argument. Remove `root=ZFS=rpool/ROOT/pve-1 boot=zfs` from the argument and press `enter`.
|
First, boot into the initramfs. On the startup menu, press `e` to edit the boot argument. Remove `root=ZFS=rpool/ROOT/pve-1 boot=zfs` from the argument and press `enter`.
|
||||||
|
|
||||||
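Review bot: the unchanged context after the corrected sentence hard-codes the root dataset name in `root=ZFS=rpool/ROOT/pve-1 boot=zfs`. That is the installer default, and the post states up front that it assumes a fresh install, but a short hint to confirm the name against `zfs list` (or the existing boot entry) before deleting the argument would save readers who renamed or cloned the root dataset from editing the wrong string. The "inside the `rpool/ROOT` dataset" wording fix itself is correct.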
@ -25,7 +25,7 @@ Load in the `zfs` kernel module:
|
|||||||
modprobe zfs
|
modprobe zfs
|
||||||
```
|
```
|
||||||
|
|
||||||
Next, follow [this gist](https://gist.github.com/yvesh/ae77a68414484c8c79da03c4a4f6fd55) to encrypt the dataset. You do not need to use any sort of live USB or rescue mode, as the initramfs has all what we need. In case it gets moved or deleted, I will copy and paste it here (we will make a few changes to better suite our purposes as well):
|
Next, follow [this gist](https://gist.github.com/yvesh/ae77a68414484c8c79da03c4a4f6fd55) to encrypt the dataset. You do not need to use any sort of live USB or rescue mode, as the initramfs has all that we need. In case it gets moved or deleted, I will copy and paste it here (we will make a few changes to better suit our purposes as well):
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
# Import the old
|
# Import the old
|
||||||
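Review bot: "all that we need" and "suit our purposes" are the right corrections; while this sentence is being touched, "any sort of live USB or rescue mode" reads more naturally as "a live USB or rescue mode", and the trailing parenthetical would be clearer as its own sentence, e.g. "The copy below has a few changes to suit our purposes." The `modprobe zfs` context line above is unaffected.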
@ -82,7 +82,7 @@ Create a diceware passphrase, and save it to `/.data.key`. Then, continue with:
|
|||||||
# Remove all but ASCII characters
|
# Remove all but ASCII characters
|
||||||
perl -i -pe 's/[^ -~]//g' /.data.key
|
perl -i -pe 's/[^ -~]//g' /.data.key
|
||||||
|
|
||||||
# Set the approprieate permission
|
# Set the appropriate permission
|
||||||
chmod 400 /.data.key
|
chmod 400 /.data.key
|
||||||
|
|
||||||
# Make the key immutable
|
# Make the key immutable
|
||||||
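Review bot: the "appropriate" fix is fine, but the comment two lines above it, `# Remove all but ASCII characters`, understates what `perl -i -pe 's/[^ -~]//g' /.data.key` does: the class ` -~` is printable ASCII 0x20 to 0x7E, so the command also strips the trailing newline, tabs and any control characters, which is what a key file read verbatim by ZFS needs but is worth saying explicitly. Suggest `# Strip everything except printable ASCII (this also drops the trailing newline)`. Since `chmod 400` is followed by `chattr +i`, a sentence noting that the immutable flag has to be cleared with `chattr -i` before the key can ever be rotated would round off this block.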
@ -92,7 +92,7 @@ chattr +i /.data.key
|
|||||||
zfs create acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa rpool/data
|
zfs create acltype=posix -o atime=off -o compression=zstd-3 -o checksum=blake3 -o dnodesize=auto -o encryption=on -o keyformat=passphrase -o keylocation=file:///.data.key -o overlay=off -o xattr=sa rpool/data
|
||||||
```
|
```
|
||||||
|
|
||||||
Next, we need to setup a systemd service for automatic unlocking. Put the following inside of `/etc/systemd/system/zfs-load-key.service`
|
Next, we need to set up a systemd service for automatic unlocking. Put the following inside `/etc/systemd/system/zfs-load-key.service`:
|
||||||
|
|
||||||
```
|
```
|
||||||
[Unit]
|
[Unit]
|
||||||
|
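Review bot: the `zfs create` context line in this hunk is missing the `-o` in front of `acltype=posix`; as written, `zfs create acltype=posix -o atime=off ...` would take `acltype=posix` as the dataset name and fail. It should read `zfs create -o acltype=posix -o atime=off -o compression=zstd-3 ... rpool/data`. The "set up" / "inside" corrections on the systemd sentence are good; since the key is loaded from `file:///.data.key`, the `[Unit]` section that begins at the end of this hunk is where the ordering after the dataset holding `/.data.key` is mounted needs to be expressed.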