From c38c6d3da21ac77d40e387fd939bf1831377c62c Mon Sep 17 00:00:00 2001 From: Katharina Fey Date: Tue, 18 Jun 2019 19:52:01 +0200 Subject: Adding initial draft of ZFS article --- content/blog/107_encrypted_zfs.md | 148 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 content/blog/107_encrypted_zfs.md diff --git a/content/blog/107_encrypted_zfs.md b/content/blog/107_encrypted_zfs.md new file mode 100644 index 0000000..d79f7cd --- /dev/null +++ b/content/blog/107_encrypted_zfs.md @@ -0,0 +1,148 @@ +Title: Bikeshedding disk partitioning +Category: Blog +Tags: linux, zfs, nixos +Date: 2019-06-14 + +I recently got a new Thinkpad. Well...new is a stretch. +It's an X230, featuring an i5 and 16GB of RAM. + +One of the first things I did with this laptopwas to +[flash coreboot on it](https://octodon.social/users/spacekookie/statuses/10215070602456466)! +And generally I felt like setting up a laptop in the way I would have always wanted. + +And that's where this post begins... + +## Encrypted disk + +So from the start I knew I wanted to have a fully encrypted disk. + +What that means is that your `/boot` partition +(whether it is it's own partition or not), is also encrypted. + +Secondly, I don't like (U)EFI... +What that means is that I'm installing GRUB +in the MBR (with a DOS partition table) instead. + +Now: GRUB stage 1 can handle the encryption for us, +but there's some limitations + +- Keyboard layout limited to `US` +- `/boot` can only be certain partition type +- `/` and `/boot` need be contained in an LVM + +That last one _might_ not be accurate if you only want +to have an `ext4` (or similar) rootfs. But because I +want to have a `zfs` root, I need to embed it into an LVM. +After we've done all this, we will install a linux distribution of choice +(which we'll talk about later). + +Anyway, let's get started! + +## Preparing the disk + +(Feel free to skip this step) + +Something you might want to do is letting your disk look +otherwise uninitialised, or "securely erasing" any data +that is already on it. +But generating random data is a lot of work and `/dev/urandom` +is very slow. + +Instead you can create a crypto-disk (luks) on it, then fill it +with zero's. But because of the encryption it will seem random. + +(/dev/sda is my disk in this example). + +```console +$ cryptsetup luksFormat /dev/sda1 +$ cryptsetup luksOpen /dev/sda sda_crypto +$ dd if=/dev/zero of=/dev/mapper/sda_crypto bs=512 status=progress +``` + +This might take a while, but considerably less time than filling +the disk with random data. After this is done, you might want to +actually wipe the first 4096 bytes. + +```console +cryptsetup luksClose sda_crypto +$ dd if=/dev/urandom of=/dev/sda bs=1M count=8 +``` + +## Basic partitioning + +So what we want to do is setup a single partition on `/dev/sda`, +the same way we did to prepare the disk. Then repeat the previous +command to setup a cryptodisk. + +What follows is the LVM setup: + +```console +$ pvcreate lvm +$ vgcreate vg0 /dev/mapper/lvm +$ lvcreate vg0-boot -l 1G +$ lvcreate vg0-swap -l 16G +$ lvcreate vg0-root -L +100%FREE +``` + +Now we want to create the filesystems. +For `/boot` we can just use `mkfs.ext4`, +but consider that I want to use `zfs` on `/`, +that will require some more work. + +```console +zpool create rtank /dev/mapper/vg0-root # feel free to call your pool whatever! + +# At this point you could also create subvolumes for split `/` and `/home` +``` + +## Mounting & Configuration + +So that's all good. How do we initialise this system now? +We need to mount the zfs pool first, then `/boot` and then install +our linux secret distribution of choice (spoilers: it's [NixOS]!) + +[NixOS]: https://nixos.org + +``` +mkdir -p /mnt/boot +zpool import rtank +mount -t zfs rtank /mnt +mount /dev/mapper/vg0-boot /mnt/boot + +nixos-generate-config --root /mnt +``` + +That last line is obviously NixOS specific. +You now have a fully encrypted disk setup, without +using EFI. Wuuh! + +The rest of this post I want to talk about how to make this +all work with NixOS and reproducable configuration. + +**edit before release** + +```nix +boot.loader.grub = { + enable = true; + version = 2; + efiSupport = false; + copyKernels = true; + device = "/dev/sda"; + zfsSupport = true; + enableCryptodisk = true; +}; +boot.zfs.devNodes = "/dev"; +boot.cleanTmpDir = true; +boot.tmpOnTmpfs = true; +hardware.cpu.intel.updateMicrocode = true; + +fileSystems."/" = { + encrypted = { + enable = true; + label = "lvm"; + blkDev = "/dev/disk/by-uuid/f1440abd-99e3-46a8-aa36-7824972fee54"; + }; + +networking.hostId = ""; +}; +``` -- cgit v1.2.3