Topic: Root ZFS on luks encrypted partitions Manjaro KDE

Offline rjonasz

  • Neuling
  • *
  • Posts: 25
  • I'm new. Be nice!
  • Branch: stable
  • Desktop: KDE 5 Plasma
  • GPU Card: nVidia GTX 980M
  • GPU driver: non-free
  • Kernel: 4.4.0-4-MANJARO
  • Skill: Intermediate
Root ZFS on luks encrypted partitions Manjaro KDE
« on: 15. January 2016, 23:17:02 »
Hello,

I recently managed to install Manjaro KDE 15.12 on an encrypted root partition.  I thought I would share my experience.

Boot into the live cd and install Manjaro on a usb stick with one partition; no swap.  I then installed the kernel headers for the live cd and zfs by typing:

pacman -S linux41-headers
pacman -S manajarozfs
Follow the instructions to install the dkms modules.

I then partitioned my disks with a boot partition @ 512MB formatted to ext2 and one unformatted partition for the rest of the disk.  The second disk was partitioned with one partition unformatted.
I then used

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512  /dev/sda2

to encrypt the two partitions except boot.

Then

cryptsetup luksOpen /dev/sda2 cryptroot
cryptsetup luksOpen /dev/sdb1 crypthome

I then created my zfs pools, one called rpool and the other vault.  You can type

zpool create -O mountpoint=none -o ashift=12 rpool /dev/mapper/cryptroot
zpool create -O mountpoint=none -o ashift=12 vault /dev/mapper/crypthome

zfs create -o compression=lz4 rpool/ROOT
zfs create -o compression=lz4 vault/HOME

zfs set atime=off rpool/ROOT
zfs set atime=off vault/HOME

Then for swap

zfs create -V 1024M -b $(getconf PAGESIZE) \
              -o compression=off \
              -o primarycache=metadata \
              -o secondarycache=none \
              -o sync=always \
              -o com.sun:auto-snapshot=false rpool/SWAP

zfs set mountpoint=/ rpool/ROOT
zfs set mountpoint=/home vault/HOME

zpool set bootfs=rpool/ROOT rpool

zpool export rpool
zpool export vault

zpool import -d /dev/mapper -R /mnt rpool
zpool import -d /dev/mapper -R /mnt vault

mkdir /mnt/boot

Mount the usb stick you installed manjaro on to /media

cd /media
tar cfp - . | ( cd /mnt//; tar xvfp -)

The above will copy the installation to the zfs pools

This information was gleaned from
https://help.ubuntu.com/community/encryptedZfs
https://forum.manjaro.org/index.php?topic=15685.0

Then chroot to /mnt
pacman -Sy
Install zfs as you did above
mkswap /dev/zvol/rpool/SWAP

Edit /etc/crypttab to unlock your disks
https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration

systemctl enable zfs
This will mount your zfs pools at boot

Now I had a problem with the keyboard at boot, so I created keys to be read at boot.
The root filesystem's key is on a usb stick, while the key for the second (home) partition is saved in /etc/home-password

https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption

Edit /etc/default/grub to look like this

GRUB_CMDLINE_LINUX_DEFAULT="zfs=rpool/ROOT cryptdevice=/dev/sda2:cryptroot boot=zfs cryptkey=/dev/sdc1:ext4:/root.key"

Edit /etc/mkinitcpio.conf to include the ext4 and zfs modules,
and place zfs before filesystems and encrypt before zfs in the HOOKS.

Generate the initrd image and reboot.  You should be good to go.

What I would like to know is why the keyboard was unusable at boot.  Every keypress sent a carriage return, making it impossible to unlock the root partition.

The other question I have is when will zfs be updated to 0.6.5.4?  Current version is 0.6.5.2

Thanks!  I'm really enjoying manjaro.


Offline chimy

  • Jr. Mitglied
  • **
  • Posts: 79
  • I'm new. Be nice!
  • Skill: Intermediate
Re: Root ZFS on luks encrypted partitions Manjaro KDE
« Reply #1 on: 15. January 2016, 23:25:54 »
What I would like to know is why the keyboard was unusable at boot.  Every keypress sent a carriage return, making it impossible to unlock the root partition.

Place the keyboard hook before the encrypt hook and it should work fine. This is necessary to be able to enter your encryption password. If you're using a specific keymap, put it after keyboard, e.g. ... keyboard keymap encrypt ...
« Last Edit: 15. January 2016, 23:38:50 by chimy »
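
The hook ordering from the original post (encrypt before zfs, zfs before filesystems) and from the reply above (keyboard, then an optional keymap, before encrypt), together with a permission check for a key file such as /etc/home-password, as an added shell example that is not part of the thread. The function names and the sample mkinitcpio.conf content are constructed for illustration.

```shell
# Added example: sanity checks for the initramfs hook order and key-file mode.

# Print the hooks from the last active HOOKS= line of file $1, one per line.
# Handles both HOOKS="..." and HOOKS=(...) spellings.
hooks_of() {
    grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
        sed -e 's/#.*//' -e 's/^[[:space:]]*HOOKS=//' |
        tr -d "()\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print the 1-based position of hook $2 in file $1, or 0 when it is absent.
hook_pos() {
    hooks_of "$1" | awk -v h="$2" \
        '$0 == h { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# Succeed only if keyboard < encrypt < zfs < filesystems, and keymap (when
# present) sits between keyboard and encrypt.
check_hook_order() {
    prev=0
    for hook in keyboard encrypt zfs filesystems; do
        pos=$(hook_pos "$1" "$hook")
        if [ "$pos" -eq 0 ]; then echo "missing hook: $hook"; return 1; fi
        if [ "$pos" -le "$prev" ]; then echo "hook out of order: $hook"; return 1; fi
        prev=$pos
    done
    km=$(hook_pos "$1" keymap)
    if [ "$km" -ne 0 ]; then
        if [ "$km" -le "$(hook_pos "$1" keyboard)" ] ||
           [ "$km" -ge "$(hook_pos "$1" encrypt)" ]; then
            echo "keymap must sit between keyboard and encrypt"; return 1
        fi
    fi
    echo "hook order ok"
}

# Succeed only if key file $1 grants no permission to group or others.
check_keyfile_mode() {
    [ -f "$1" ] || { echo "no such key file: $1"; return 1; }
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key file open to group/others: $1"; return 1; }
    echo "key file mode ok: $1"
}

# Constructed sample config (not from a real system) that follows the thread.
sample=$(mktemp)
printf '%s\n' 'MODULES="ext4 zfs"' \
    'HOOKS="base udev autodetect modconf block keyboard keymap encrypt zfs filesystems"' > "$sample"
check_hook_order "$sample"
```

On an installed system the same functions can be pointed at /etc/mkinitcpio.conf and at the key file before regenerating the initrd image.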

Offline eugen-b

  • Support Team
  • ****
  • Posts: 3191
  • Branch: testing
  • Desktop: LXDE, Fluxbox, JWM, LXQt, bspwm
  • GPU Card: Intel 82945G/GZ
  • GPU driver: free
  • Kernel: 4.5, 4.6
  • Skill: Intermediate
Re: Root ZFS on luks encrypted partitions Manjaro KDE
« Reply #2 on: 15. January 2016, 23:43:11 »
@rjonasz, that was one impressive post!
About the update jonathon already asked today, so probably not long to wait. First it will be tested in Arch, then will come to Manjaro.
MSI Wind Nettop, Intel Atom 230 1.6GHz (64bit), 2GB RAM
DEs: NET-minimal + (LXDE / Fluxbox / JWM); LXQt OpenRC
how to install on btrfs subvolumes
http://manjaro.github.io/donate/

Offline jonathon

  • Core Team
  • *****
  • Posts: 2104
  • Technologist - Teacher - Tea drinker
  • Branch: Unstable
  • Desktop: MATE 1.14
  • GPU Card: Nvidia GTX680M
  • GPU driver: Bumblebee nvidia+intel
  • Kernel: 4.6.0-*-MANJARO x86_64
  • Skill: Advanced
Re: Root ZFS on luks encrypted partitions Manjaro KDE
« Reply #3 on: 15. January 2016, 23:49:13 »
pacman -S manajarozfs
Follow the instructions to install the dkms modules.

...

The other question I have is when will zfs be updated to 0.6.5.4?  Current version is 0.6.5.2

Probably related;

There is a set of 'extramodules' available that provide pre-compiled ZFS+SPL kernel modules that are patched up to the current kernel; Manjaro had support for ZFS in kernel 4.4 from about 4.4rc3 (see packages: kernel**-spl, kernel**-zfs). I'm happily running ZFS 0.6.5.2 on kernel 4.4.

0.6.5.4 has only just recently been released (and it's the weekend) so probably Monday? :D

@rjonasz, that was one impressive post!
About the update jonathon already asked today, so probably not long to wait. First it will be tested in Arch, then will come to Manjaro.

Actually, Manjaro trail-blazes here. We have pre-compiled modules that Arch doesn't and we support kernels that the official ZFS releases don't. This is one thing (among others) we don't rely on Arch for.
--
MSI GT70: Core i7-3630QM, 16GB, Nvidia GTX680M, Intel 2230, Manjaro-MATE-amd64-EFI
Lenovo X230: Core i5-3320M, 4GB, Intel HD4000, Intel 6205, Manjaro-MATE-amd64
Dell Studio 1749: Core i5 540, 8GB, ATi HD5650, Intel WLAN, Manjaro-Xfce-amd64
Let's go in the garden; you'll find something waiting.

Offline rjonasz

Re: Root ZFS on luks encrypted partitions Manjaro KDE
« Reply #4 on: 19. January 2016, 03:11:06 »
Probably related;

There is a set of 'extramodules' available that provide pre-compiled ZFS+SPL kernel modules that are patched up to the current kernel; Manjaro had support for ZFS in kernel 4.4 from about 4.4rc3 (see packages: kernel**-spl, kernel**-zfs). I'm happily running ZFS 0.6.5.2 on kernel 4.4.

0.6.5.4 has only just recently been released (and it's the weekend) so probably Monday? :D

Actually, Manjaro trail-blazes here. We have pre-compiled modules that Arch doesn't and we support kernels that the official ZFS releases don't. This is one thing (among others) we don't rely on Arch for.

Oh wow!  That's amazing.  I'll give kernel 4.4 a try.


Place the keyboard hook before the encrypt hook and it should work fine. This is necessary to be able to enter your encryption password. If you're using a specific keymap, put it after keyboard, e.g. ... keyboard keymap encrypt ...

Yup, that's what I had and still had the problem.  The USB key is just as secure, but I wouldn't mind knowing why my keyboard is sending LFCR after every keystroke.