User:Fearedbliss/Installing Gentoo Linux On Encrypted ZFS
This page serves as an overlay of steps that can be applied in addition to or in place of some steps from my main installation guide.
The overlay will enable you to install a Gentoo Linux system completely on a single encrypted partition on ZFS. This means that your /boot, /, /home, and swap will all be housed inside of this encrypted partition/pool.
Partition
/dev/sda1 = Whole Disk | LUKS Container | Everything on ZFS | Code: BF00
/dev/sda2 = First 1 MB | GRUB 2 - GPT | BIOS Boot Partition | Code: EF02
Format your drives
We will first create our LUKS container with just a passphrase. This is the passphrase that we will use to unlock the system when the bootloader starts up. However, in order to prevent the initramfs from also asking us for the passphrase again, we will add an embedded keyfile that will be inside of the initramfs. I will discuss how to add this embedded keyfile to this container and how to include this file in the initramfs later on. For now let's get our encrypted container ready:
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 system
Your zpool will be created using this encrypted container:
zpool create -f -o ashift=12 -o cachefile= -O compression=lz4 -m none -R /mnt/gentoo tank /dev/mapper/system
Install required applications
USE Flags
Add the following USE flags to your /etc/portage/make.conf:
USE="udev device-mapper"
Dependencies
When you install GRUB, the following applications should be pulled in:
spl, zfs, zfs-kmod (These three are pulled in because of the 'libzfs' USE flag)
lvm2 (Pulled in because of 'device-mapper')
udev (Pulled in because of the 'udev' USE flag on GRUB)
bliss-kernel (Pulled in because a kernel is needed to compile spl/zfs-kmod against)
Cryptsetup
You can also install the following application which contains our encryption tools:
emerge cryptsetup
Enabling Bootloader encryption hooks
Since our /boot is inside of an encrypted /, GRUB 2 will need to perform a few additional steps in order to decrypt the drive. You can append the following line to the end of your /etc/default/grub file before running grub2-install.
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
Creating and Embedding a Keyfile
We will now create the keyfile that will allow us to prevent a second passphrase prompt from appearing when the initramfs decrypts our drive after the bootloader has transferred control to it. Embedding the keyfile does not weaken the setup: the initramfs lives in /boot, which sits on the encrypted pool, so the keyfile is only ever readable after the passphrase has already unlocked the container.
Generate and add the keyfile
dd if=/dev/urandom of=/crypto_keyfile.bin bs=4096 count=1
chmod 000 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
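The three commands above work, but dd creates the keyfile with the default umask before chmod tightens it, and nothing afterwards confirms what was written. The following is an added example, not part of the wiki page: it wraps the same steps in shell functions that create the file under a restrictive umask and then verify its size and mode. The path argument is a parameter so the check can be tried in a scratch directory; the real install uses /crypto_keyfile.bin as on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page). Creates the LUKS keyfile the way the
# page describes (4096 random bytes, mode 000) but under umask 077, and checks
# the result before it is enrolled in the LUKS header.

# make_keyfile PATH: write 4096 random bytes to PATH and set mode 000.
make_keyfile() {
    path="$1"
    # umask 077 makes dd's new file 0600 from the first byte, instead of the
    # default 0644 that the later chmod would only fix after the fact.
    ( umask 077 && dd if=/dev/urandom of="$path" bs=4096 count=1 2>/dev/null ) || return 1
    chmod 000 "$path"
}

# check_keyfile PATH: print "ok" when the keyfile looks sane, otherwise a
# reason. Checked: the file exists, holds exactly 4096 bytes, and grants no
# group/other access (root bypasses mode 000, so cryptsetup can still read it).
check_keyfile() {
    path="$1"
    [ -f "$path" ] || { echo "missing"; return 1; }
    size=$(stat -c %s "$path") || return 1
    [ "$size" -eq 4096 ] || { echo "bad-size:$size"; return 1; }
    mode=$(stat -c %a "$path") || return 1
    case "$mode" in
        0|400|600) echo "ok" ;;
        *) echo "bad-mode:$mode"; return 1 ;;
    esac
}

# add_keyfile_to_luks DEVICE PATH: enrol the keyfile in a spare LUKS key slot.
# Not exercised here; it needs the real container and prompts for the
# existing passphrase (on the page the device is /dev/sda1).
add_keyfile_to_luks() {
    cryptsetup luksAddKey "$1" "$2"
}
```

On the real system, run as root: `make_keyfile /crypto_keyfile.bin`, then `check_keyfile /crypto_keyfile.bin`, and only when it prints `ok` call `add_keyfile_to_luks /dev/sda1 /crypto_keyfile.bin`.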
Enable keyfile support in 'bliss-initramfs'
# Enable embedded keyfile support and add the keyfile path to bliss-initramfs
# open /opt/bliss-initramfs/pkg/hooks/Luks.py and set:
_use_keyfile = 1
_keyfile_path = "/crypto_keyfile.bin"
Make GRUB 2 configuration file
The following configuration file specifies the information needed to boot our system. The 'enc_drives' parameter tells bliss-initramfs which drives it should decrypt, and 'enc_type' tells it to use a keyfile (in our case the embedded keyfile, so no further information is needed).
nano /boot/grub/grub.cfg
# Place the following inside the grub.cfg file
set timeout=1
set default=0
insmod part_gpt
insmod zfs
menuentry "Gentoo - 4.4.2-FC.01" {
    # enc_drives must name the LUKS container created above (/dev/sda1), not the 1 MB BIOS boot partition
    linux /gentoo/root/@/boot/kernels/4.4.2-FC.01/vmlinuz root=tank/gentoo/root enc_drives=/dev/sda1 enc_type=key by=id elevator=noop quiet
    initrd /gentoo/root/@/boot/kernels/4.4.2-FC.01/initrd
}
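A wrong value in this file only shows up at the next reboot, when the initramfs asks for a passphrase again or fails to find the container at all. The following is an added example, not part of the wiki page: a shell check that reads a grub.cfg and an /etc/default/grub (paths passed as arguments, so it runs against the real files or against the constructed copies written by `write_sample_config`) and reports the mistakes that matter for this setup: cryptodisk not enabled, the zfs module not loaded, `enc_drives` pointing at something other than the LUKS container, and `enc_type` not set to `key`.

```shell
#!/bin/sh
# Added example (not from the wiki page). Sanity-checks the GRUB 2 files for
# an encrypted ZFS root before rebooting. LUKS_DEV is the device that was
# luksFormatted (/dev/sda1 on the page).

# check_boot_config GRUB_CFG DEFAULT_GRUB LUKS_DEV: print one problem per
# line; print nothing and return 0 when everything is consistent.
check_boot_config() {
    cfg="$1"; defaults="$2"; luks_dev="$3"; rc=0

    # GRUB can only read a /boot inside the LUKS container with cryptodisk on.
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$defaults" \
        || { echo "GRUB_ENABLE_CRYPTODISK=y missing in $defaults"; rc=1; }

    # The zfs module must be loaded for GRUB to read the kernel off the dataset.
    grep -q '^insmod zfs' "$cfg" \
        || { echo "insmod zfs missing in $cfg"; rc=1; }

    # enc_drives must name the LUKS container, not the BIOS boot partition.
    enc=$(sed -n 's/.*enc_drives=\([^ ]*\).*/\1/p' "$cfg" | head -n 1)
    [ -n "$enc" ] || { echo "enc_drives missing from kernel line"; rc=1; }
    [ -z "$enc" ] || [ "$enc" = "$luks_dev" ] \
        || { echo "enc_drives=$enc but LUKS container is $luks_dev"; rc=1; }

    # enc_type=key selects the embedded keyfile; anything else prompts again.
    grep -q 'enc_type=key' "$cfg" \
        || { echo "enc_type=key missing from kernel line"; rc=1; }

    return $rc
}

# write_sample_config DIR: constructed copies of the two files. The grub.cfg
# deliberately points enc_drives at the 1 MB BIOS boot partition (/dev/sda2)
# instead of the LUKS container, so the check has something to report.
write_sample_config() {
    dir="$1"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$dir/default-grub"
    cat > "$dir/grub.cfg" <<'EOF'
set timeout=1
set default=0
insmod part_gpt
insmod zfs
menuentry "Gentoo - 4.4.2-FC.01" {
    linux /gentoo/root/@/boot/kernels/4.4.2-FC.01/vmlinuz root=tank/gentoo/root enc_drives=/dev/sda2 enc_type=key by=id elevator=noop quiet
    initrd /gentoo/root/@/boot/kernels/4.4.2-FC.01/initrd
}
EOF
}
```

Against the real system the call is `check_boot_config /boot/grub/grub.cfg /etc/default/grub /dev/sda1`; an empty result means the three files on the page agree with each other.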