Encrypted ZFS with Ubuntu
Setting Up the Disk and Bootstrapping
The next step is to set up the encrypted disk. In your terminal, type:
# cryptsetup luksFormat -l 512 -c aes-xts-plain64 -h sha512 /dev/sda2
# cryptsetup luksOpen /dev/sda2 cryptroot
The first command will set up the disk as an encrypted partition with a keyfile size of 512 bytes using sha512 as a passphrase hash and aes-xts-plain64 as the encryption cipher. You are, of course, free to adapt these options to your liking. If you want to increase the level of security, overwrite /dev/sda2 with random data before setting it up as an encrypted partition. Note, however, that with a large disk this process may take days. The second command opens the encrypted partition that you just created as cryptroot. Here, you will need to enter the password that you gave when the container was set up.
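Before building anything on top of the container, it is worth confirming that the header actually carries the cipher, hash and key-slot layout you intended. The following check is an added example, not part of the original article; it reads the output of cryptsetup luksDump from standard input and assumes the LUKS1 dump layout (Cipher name, Cipher mode, Hash spec, MK bits and Key Slot lines). The default expected values are the ones used in the luksFormat command above; the expected number of enabled key slots defaults to one.

```shell
#!/bin/sh
# Added example: verify a LUKS header against the parameters chosen for luksFormat.
# Usage: cryptsetup luksDump /dev/sda2 | check_luks_header [cipher] [mode] [hash] [slots]
# Exit status 0 means every field matched; any mismatch is printed and status 1 returned.
check_luks_header() {
    want_cipher="${1:-aes}"
    want_mode="${2:-xts-plain64}"
    want_hash="${3:-sha512}"
    want_slots="${4:-1}"      # how many key slots are expected to be ENABLED
    awk -v c="$want_cipher" -v m="$want_mode" -v h="$want_hash" -v n="$want_slots" '
        /^Cipher name:/ { cipher = $3 }
        /^Cipher mode:/ { mode = $3 }
        /^Hash spec:/   { hash = $3 }
        /^MK bits:/     { bits = $3 }
        /^Key Slot [0-7]: ENABLED/ { slots++ }     # stray passphrases show up here
        END {
            bad = 0
            if (cipher != c) { print "cipher is " cipher ", expected " c; bad = 1 }
            if (mode != m)   { print "cipher mode is " mode ", expected " m; bad = 1 }
            if (hash != h)   { print "hash spec is " hash ", expected " h; bad = 1 }
            if (slots + 0 != n + 0) {
                print (slots + 0) " key slot(s) enabled, expected " n; bad = 1
            }
            if (bad == 0) {
                print "LUKS header OK: " cipher "-" mode ", " hash ", master key " bits " bits"
            }
            exit bad
        }'
}
```

Run it right after luksFormat and again after any later luksAddKey; an enabled slot you did not add yourself is the thing to look for.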
These commands will set up the entire partition for ZFS. If you want to separate it into multiple slices (e.g., to have encrypted but non-ZFS swap), you can create multiple volumes on top of the encrypted container with the commands provided by lvm2. Note that if you choose this route, you also will need to install lvm2 in the system you are about to set up. In the setup described here, we will create a ZFS volume for swap later.
After creating the encryption layer, you can set up the actual ZFS filesystem. The Ubuntu installer image does not come with ZFS support. Fortunately, you can use a personal package archive (PPA) for ZFS that makes installing the kernel modules and other required software easy. In your terminal, enter the following:
# apt-add-repository --yes ppa:zfs-native/stable
# apt-get update
# apt-get install debootstrap ubuntu-zfs
The debootstrap utility is required to install the system later.
Because the ZFS kernel module cannot be distributed in binary form and needs to be compiled, this step will take a few minutes.
Next, you can set up the ZFS pool:
# zpool create -O mountpoint=none -o ashift=12 rpool /dev/mapper/cryptroot
# zfs create -o mountpoint=/ rpool/root
# zpool set bootfs=rpool/root rpool
# zpool export rpool
# zpool import -R /mnt rpool
The first command sets up a pool named rpool for a disk with a block size of 4KiB (ashift=12). The next step creates a single filesystem for the entire Ubuntu installation. Note that this command will cause an error message because zfs will attempt to mount the new filesystem at the specified mount point. This is of no consequence and saves you from having to specify the mount point later.
For the sake of simplicity, we will create only one filesystem for everything. In a real setup, adding other filesystems for the various parts of the system is advisable. A more complex setup allows you to take better advantage of the many features ZFS offers. For each filesystem, you can specify whether to compress and at what level, reserve a minimum amount of space to be available, or restrict the size. Snapshots can be created per filesystem and will immensely simplify common backup tasks. At this point, it is not necessary to anticipate and create all the filesystems you might need. You can easily create them later.
After setting the bootfs property on the root filesystem, you can export the pool. It is reimported with an alternative root of /mnt, meaning that the filesystem will be mounted at that location. Exporting the pool lets you specify the alternate root and makes sure that all metadata of the newly created pool and filesystem are written to disk.
Now, you can proceed with the actual installation.
# debootstrap quantal /mnt
This step will take a while to complete. Make a cup of tea while you wait.
To speed things up a bit, you could have given the appropriate directory on the Ubuntu live image as source for the packages to install. The command shown will fetch them over the network.
Setting Up the System
After the bootstrapping is done, you can set up the newly installed system. To begin, chroot into it:
# mount --bind /dev/ /mnt/dev
# chroot /mnt /bin/bash --login
To make it easier to differentiate between commands to be run in the live system and in the newly installed one, in these examples, all commands to be run in the chroot are prefixed with two hashes. In the new system, the first thing to do is to mount all the filesystems you need:
## mount /dev/sda1 /boot
## mount -t proc proc /proc
## mount -t sysfs sysfs /sys
## ln -sf /dev/mapper/cryptroot /dev/cryptroot
Do not mount the special filesystems from the live system as you did for /dev. If you do so, the bootloader will be unable to identify the root filesystem and will not create a boot configuration file. The last command is needed for the same reason. Next, generate the default locale:
## locale-gen en_US.UTF-8
Although this step is not strictly necessary, it will save you from error messages during the rest of the setup. Now you can install some additional software:
## apt-get update
## apt-get install ubuntu-minimal software-properties-common
If you used the boot image as a package source during the installation and it is out of date, you might want to upgrade the already installed software as well. The package software-properties-common contains the apt-add-repository command you'll need to add the ZFS PPA:
## apt-add-repository --yes ppa:zfs-native/stable
## apt-get update
## apt-get install ubuntu-zfs cryptsetup
In addition to installing ZFS support as you did in the live system, cryptsetup is added here so you can handle the encrypted partition.
The last command will install a whole slew of additional packages, including the GRUB boot loader. When asked where to install it, choose the system disk (here /dev/sda). Next, create a ZFS volume for swap:
## zfs create -V 4G rpool/swap
## mkswap /dev/rpool/swap
## swapon /dev/rpool/swap
In this example, the size of the swap partition is 4GB. You can adapt this to your particular needs.
This also is a good point at which to set up /etc/fstab. You will need entries for /boot and swap.