https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=R2Alpine Linux - User contributions [en]2026-05-03T19:22:39ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18399Root on ZFS with native encryption2020-12-31T04:13:25Z<p>R2: /* Fix zfs decrypt */ fix</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Initramfs fixes =<br />
== Fix zfs decrypt ==<br />
As of this writing, the initramfs script has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# BROKEN: if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# add double quotes around $()<br />
if [ "$(zpool list -H -o feature@encryption $_root_pool)" = "active" ]; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
== Enable persistent device names ==<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}.<br />
<br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
To let {{ic|zpool import}} to use persistent names, use zpool.cache to import pool<br />
zpool set cachefile=/etc/zfs/zpool.cache rpool_$poolUUID<br />
zpool set cachefile=/etc/zfs/zpool.cache bpool_$poolUUID<br />
echo /etc/zfs/zpool.cache >> /etc/mkinitfs/features.d/zfs.files<br />
replace {{ic|zpool import}} with {{ic|zpool import -c /etc/zfs/zpool.cache}}<br />
find and replace<br />
-d /dev $_root_pool<br />
with<br />
-c /etc/zfs/zpool.cache<br />
and<br />
-d /dev -f $_root_pool<br />
with<br />
-f -c /etc/zfs/zpool.cache<br />
Rebuild initramfs with<br />
mkinitfs<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18398Root on ZFS with native encryption2020-12-31T04:00:09Z<p>R2: /* Enable persistent device names */ find and replace</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Initramfs fixes =<br />
== Fix zfs decrypt ==<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
== Enable persistent device names ==<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}.<br />
<br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
To let {{ic|zpool import}} to use persistent names, use zpool.cache to import pool<br />
zpool set cachefile=/etc/zfs/zpool.cache rpool_$poolUUID<br />
zpool set cachefile=/etc/zfs/zpool.cache bpool_$poolUUID<br />
echo /etc/zfs/zpool.cache >> /etc/mkinitfs/features.d/zfs.files<br />
replace {{ic|zpool import}} with {{ic|zpool import -c /etc/zfs/zpool.cache}}<br />
find and replace<br />
-d /dev $_root_pool<br />
with<br />
-c /etc/zfs/zpool.cache<br />
and<br />
-d /dev -f $_root_pool<br />
with<br />
-f -c /etc/zfs/zpool.cache<br />
Rebuild initramfs with<br />
mkinitfs<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18397Root on ZFS with native encryption2020-12-31T03:54:19Z<p>R2: order</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Initramfs fixes =<br />
== Fix zfs decrypt ==<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
== Enable persistent device names ==<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}.<br />
<br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
To let {{ic|zpool import}} to use persistent names, use zpool.cache to import pool<br />
zpool set cachefile=/etc/zfs/zpool.cache rpool_$poolUUID<br />
zpool set cachefile=/etc/zfs/zpool.cache bpool_$poolUUID<br />
echo /etc/zfs/zpool.cache >> /etc/mkinitfs/features.d/zfs.files<br />
replace {{ic|zpool import}} with {{ic|zpool import -c /etc/zfs/zpool.cache}}<br />
sed -i 's|-d /dev|-c /etc/zfs/zpool.cache|g' /usr/share/mkinitfs/initramfs-init<br />
Rebuild initramfs with<br />
mkinitfs<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18396Root on ZFS with native encryption2020-12-31T03:47:50Z<p>R2: /* Enable persistent device names in initramfs */ import from cache</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Enable persistent device names in initramfs =<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}.<br />
<br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
To let {{ic|zpool import}} to use persistent names, use zpool.cache to import pool<br />
zpool set cachefile=/etc/zfs/zpool.cache rpool_$poolUUID<br />
zpool set cachefile=/etc/zfs/zpool.cache bpool_$poolUUID<br />
echo /etc/zfs/zpool.cache >> /etc/mkinitfs/features.d/zfs.files<br />
replace {{ic|zpool import}} with {{ic|zpool import -c /etc/zfs/zpool.cache}}<br />
sed -i 's|-d /dev|-c /etc/zfs/zpool.cache|g' /usr/share/mkinitfs/initramfs-init<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18395Root on ZFS with native encryption2020-12-31T03:34:44Z<p>R2: /* Enable persistent device names in initramfs */ zpool import fix</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Enable persistent device names in initramfs =<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}.<br />
<br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
To let {{ic|zpool import}} to use persistent names, replace {{ic|/dev}} with {{ic|/dev/disk-id}}<br />
sed -i 's|zpool import -N -d /dev|zpool import -N -d /dev/disk/by-id|g' /usr/share/mkinitfs/initramfs-init<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18394Root on ZFS with native encryption2020-12-31T03:29:04Z<p>R2: /* Enable persistent device names in initramfs */ update</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Enable persistent device names in initramfs =<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}. <br />
Add functions from {{ic|/etc/init.d/udev*}} at the beginning of the file.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev, see /etc/init.d/udev*<br />
eudev_start_pre() {<br />
# load unix domain sockets if built as module, Bug #221253<br />
# and not yet loaded, Bug #363549<br />
if [ ! -e /proc/net/unix ]; then<br />
if ! modprobe unix; then<br />
eerror "Cannot load the unix domain socket module"<br />
return 1<br />
fi<br />
fi<br />
<br />
if [ -e /proc/sys/kernel/hotplug ]; then<br />
echo "" >/proc/sys/kernel/hotplug<br />
fi<br />
<br />
return 0<br />
}<br />
<br />
eudev_dir_writeable()<br />
{<br />
touch "$1"/.test.$$ 2>/dev/null && rm "$1"/.test.$$<br />
}<br />
<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules()<br />
{<br />
# create /etc/udev/rules.d if it does not exist and /etc/udev is writable<br />
[ -d /etc/udev/rules.d ] || \<br />
eudev_dir_writeable /etc/udev && \<br />
mkdir -p /etc/udev/rules.d<br />
<br />
# only continue if rules-directory is writable<br />
eudev_dir_writeable /etc/udev/rules.d || return 0<br />
<br />
local file dest<br />
for file in /run/udev/tmp-rules--*; do<br />
dest=${file##*tmp-rules--}<br />
[ "$dest" = '*' ] && break<br />
type=${dest##70-persistent-}<br />
type=${type%%.rules}<br />
cat "$file" >> /etc/udev/rules.d/"$dest" && rm -f "$file"<br />
done<br />
}<br />
<br />
eudev_start()<br />
{<br />
eudev_start_pre<br />
udevd -d<br />
# store persistent-rules that got created while booting<br />
# when / was still read-only<br />
eudev_store_persistent_rules<br />
# Populating /dev with existing devices through uevents"<br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
}<br />
</nowiki>}}<br />
After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then<br />
eudev_start<br />
fi<br />
</nowiki>}}<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18393Root on ZFS with native encryption2020-12-31T02:40:44Z<p>R2: /* Persistent device names not available in initramfs */ update</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Enable persistent device names in initramfs =<br />
Special modifications need to be made to populate {{ic|/dev/disk/by-*}} in initramfs.<br />
<br />
Ensure {{ic|eudev}} is installed<br />
apk add eudev<br />
Create {{ic|/etc/mkinitfs/features.d/eudev.files}} to add {{ic|eudev}} to initramfs.<br />
tee /etc/mkinitfs/features.d/eudev.files << EOF<br />
/bin/udevadm<br />
/sbin/udevadm<br />
/sbin/udevd<br />
/etc/udev/*<br />
/lib/udev/*<br />
/usr/lib/libudev*<br />
EOF<br />
Edit {{ic|/usr/share/mkinitfs/initramfs-init}}. After the following section, which populates {{ic|/dev}}<br />
{{Text art|<nowiki><br />
mount -t devtmpfs -o exec,nosuid,mode=0755,size=2M devtmpfs /dev 2>/dev/null \<br />
|| mount -t tmpfs -o exec,nosuid,mode=0755,size=2M tmpfs /dev<br />
<br />
# pty device nodes (later system will need it)<br />
[ -c /dev/ptmx ] || mknod -m 666 /dev/ptmx c 5 2<br />
[ -d /dev/pts ] || mkdir -m 755 /dev/pts<br />
mount -t devpts -o gid=5,mode=0620,noexec,nosuid devpts /dev/pts<br />
<br />
# shared memory area (later system will need it)<br />
[ -d /dev/shm ] || mkdir /dev/shm<br />
mount -t tmpfs -o nodev,nosuid,noexec shm /dev/shm<br />
</nowiki>}}<br />
add this paragraph.<br />
{{Text art|<nowiki><br />
# persistent device names from eudev <br />
if [ -f /sbin/udevadm ]; then <br />
udevadm trigger --type=subsystems --action=add<br />
udevadm trigger --type=devices --action=add<br />
fi<br />
</nowiki>}}<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18392Root on ZFS with native encryption2020-12-31T01:01:17Z<p>R2: /* Persistent device names not available in initramfs */ grammar</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Persistent device names not available in initramfs =<br />
Currently, random block device names such as {{ic|/dev/sda}} is still used in initramfs, {{ic|/dev/disk/by-*}} are not populated until entering system.<br />
<br />
Still need to find a way to add eudev to initramfs.<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18391Root on ZFS with native encryption2020-12-31T01:00:44Z<p>R2: /* Reboot */ missing eudev to initramfs</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
= Persistent device names not available in initramfs =<br />
Currently, random block device names such as {{ic|/dev/sda}} is still used in initramfs, {{ic|/dev/disk/by-*}} are not populated until entering system.<br />
<br />
Still finding a way to add eudev to initramfs.<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18390Root on ZFS with native encryption2020-12-31T00:57:46Z<p>R2: /* Enable ZFS services */ handled by fstab, not used</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18389Root on ZFS with native encryption2020-12-31T00:50:49Z<p>R2: /* Reboot */ fix</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
# replace underline with <u>true</u> will fix it<br />
# if true; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18388Root on ZFS with native encryption2020-12-31T00:43:07Z<p>R2: /* Reboot */ fixes and bugs</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs has a bug for entering ZFS password at boot. When booting the system, root dataset will fail to mount {{ic|sh: `active`, unknown operand}}and drop into emergency shell.<br />
<br />
In {{ic|/usr/share/mkinitfs/initramfs-init}}:<br />
# Ask for encryption password<br />
if <u>[ $(zpool list -H -o feature@encryption $_root_pool) = "active" ]</u>; then<br />
local _encryption_root=$(zfs get -H -o value encryptionroot $_root_vol)<br />
if [ "$_encryption_root" != "-" ]; then<br />
eval zfs load-key $_encryption_root<br />
fi <br />
fi<br />
<br />
Until this is fixed, we need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$UUID/ROOT/default /sysroot<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18387Root on ZFS with native encryption2020-12-30T17:25:36Z<p>R2: /* Optional: Enable encrypted swap partition */ mkinitfs</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs with {{ic|mkinitfs}}.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs $(cat /proc/cmdline | sed 's|.*ZFS=||' | awk '{ print $1 }') /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
Note that initramfs will attempt to import all visible pools on boot, even exported ones. Be sure only pools you want are connected. See {{ic|/etc/init.d/zfs-import}}.<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18386Root on ZFS with native encryption2020-12-30T17:17:39Z<p>R2: /* Reboot */ note for initramfs</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs $(cat /proc/cmdline | sed 's|.*ZFS=||' | awk '{ print $1 }') /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
Note that initramfs will attempt to import all visible pools on boot, even exported ones. Be sure only pools you want are connected. See {{ic|/etc/init.d/zfs-import}}.<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18385Root on ZFS with native encryption2020-12-30T16:59:50Z<p>R2: /* Reboot */ disk space stat</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs $(cat /proc/cmdline | sed 's|.*ZFS=||' | awk '{ print $1 }') /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Disk space stat =<br />
Without optional swap or cryptsetup:<br />
*bpool used 25.2M<br />
*rpool used 491M<br />
*efi used 416K<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18384Root on ZFS with native encryption2020-12-30T16:56:18Z<p>R2: /* Reboot */ use command</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs $(cat /proc/cmdline | sed 's|.*ZFS=||' | awk '{ print $1 }') /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18383Root on ZFS with native encryption2020-12-30T16:49:51Z<p>R2: /* Enable encrypted swap partition */ optional</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Optional: Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18381Root on ZFS with native encryption2020-12-30T16:49:21Z<p>R2: /* Add normal user account */ use ash</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/sh -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18379Root on ZFS with native encryption2020-12-30T16:48:23Z<p>R2: /* Install packages */ enable community</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
<br />
{{ic|shadow}} is available in community repo. Enable it first:<br />
vi /etc/apk/repositories<br />
# uncomment community line<br />
Install<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18378Root on ZFS with native encryption2020-12-30T16:43:37Z<p>R2: /* Enable encrypted swap partition */ rebuild</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
Rebuild initramfs.<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18377Root on ZFS with native encryption2020-12-30T16:41:16Z<p>R2: /* Format and mount EFI partition */ fs type</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount -t vfat $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18376Root on ZFS with native encryption2020-12-30T16:39:24Z<p>R2: /* Variables */ 8 char min</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password, 8 characters min'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18375Root on ZFS with native encryption2020-12-30T16:16:22Z<p>R2: /* Add normal user account */ swap instructions</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
= Enable encrypted swap partition =<br />
Install {{ic|cryptsetup}}<br />
apk add cryptsetup<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u> zfs"<br />
Add relevant lines in {{ic|fstab}} and {{ic|crypttab}}. Replace {{ic|$DISK}} with actual disk.<br />
echo swap $DISK-part4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256 >> /etc/crypttab<br />
echo /dev/mapper/swap none swap defaults 0 0 >> /etc/fstab<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18374Root on ZFS with native encryption2020-12-30T16:05:44Z<p>R2: /* Recovery in Live environment */ remove reference to archlinux</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /bin/sh<br />
<br />
After chroot, mount {{ic|/efi}}<br />
mount /boot/efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18373Root on ZFS with native encryption2020-12-30T16:03:35Z<p>R2: /* Reboot */ recovery</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].<br />
<br />
= Recovery in Live environment =<br />
After adding archzfs repo and installing zfs packages, run the following command:<br />
<br />
Create a mount point and store encryption password in a variable:<br />
MOUNTPOINT=`mktemp -d`<br />
ENCRYPTION_PWD='YOUR DISK ENCRYPTION PASSWORD, 8 MINIMUM'<br />
Find the unique UUID of your pool with<br />
zpool import<br />
Import rpool without mounting datasets: {{ic|-N}} for not mounting all datasets; {{ic|-R}} for alternate root.<br />
poolUUID=abc123<br />
zpool import -N -R $MOUNTPOINT rpool_$poolUUID<br />
Load encryption key<br />
echo $ENCRYPTION_PWD | zfs load-key -a<br />
As {{ic|1=canmount=noauto}} is set for {{ic|/}} dataset, we have to mount it manually. To find the dataset, use<br />
zfs list rpool_$poolUUID/ROOT<br />
Mount {{ic|/}} dataset<br />
zfs mount rpool_$UUID/ROOT/''$dataset''<br />
Mount other datasets<br />
zfs mount -a<br />
Import bpool<br />
zpool import -N -R $MOUNTPOINT bpool_$UUID<br />
Find and mount the {{ic|/boot}} dataset, same as above.<br />
zfs list bpool_$UUID/BOOT<br />
zfs mount bpool_$UUID/BOOT/''$dataset''<br />
Chroot<br />
arch-chroot $MOUNTPOINT bash --login<br />
After chroot, mount {{ic|/efi}}<br />
mount /efi<br />
After fixing the system, don't forget to umount and export the pools:<br />
umount $MOUNTPOINT/efi<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18372Root on ZFS with native encryption2020-12-30T15:56:28Z<p>R2: /* Finish GRUB installation */ fix order</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Apply fixes in WARNING.<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18370Root on ZFS with native encryption2020-12-30T15:48:05Z<p>R2: /* WARNING */ missing file name</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed -i "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/" /etc/grub.d/10_linux<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18369Root on ZFS with native encryption2020-12-30T15:47:01Z<p>R2: /* WARNING */ fix format</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with the method given in patch.<br />
sed "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/"<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18368Root on ZFS with native encryption2020-12-30T15:46:06Z<p>R2: /* WARNING */ update</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is to replace detection of rpool with {{ic|zdb -l ${GRUB_DEVICE} | awk -F \' '/ name/ { print $2 }'}}.<br />
sed "s/rpool=.*/rpool=\`zdb -l \${GRUB_DEVICE} \| awk -F \\\' '\/ name\/ { print \$2 }'\`/"<br />
Need to be applied upon every GRUB update until the patch is merged.<br />
== Generate grub.cfg ==<br />
After applying fixes, finally run<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18367Root on ZFS with native encryption2020-12-30T15:25:27Z<p>R2: /* Finish GRUB installation */ warning</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
== WARNING ==<br />
1. GRUB will fail to detect the ZFS filesystem of {{ic|/boot}} with {{ic|stat}} from Busybox.<br />
<br />
See [https://git.savannah.gnu.org/cgit/grub.git/tree/util/grub-mkconfig.in source file of grub-mkconfig], the problem is:<br />
GRUB_DEVICE="`${grub_probe} --target=device /`"<br />
# will fail with `grub-probe: error: unknown filesystem.`<br />
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"<br />
# will also fail. The final fall back is<br />
if [ x"$GRUB_FS" = xunknown ]; then<br />
GRUB_FS="$(stat -f -c %T / || echo unknown)"<br />
fi<br />
# `stat` from coreutils will return `zfs`, the correct answer<br />
# `stat` from busybox will return `UNKNOWN`, cause `10_linux` script to fail<br />
Therefore we need to install {{ic|coreutils}}.<br />
apk add coreutils<br />
<br />
2. GRUB will stuff an empty result if it does not support root pool.<br />
<br />
GRUB is lagging behind development of OpenZFS, see [https://lists.gnu.org/archive/html/grub-devel/2020-12/msg00239.html]. A temporary fix is<br />
grub-mkconfig | sed "s|root=ZFS=/ROOT|root=ZFS=rpool_$poolUUID/ROOT|g" > /boot/grub/grub.cfg<br />
Need to be applied upon every {{ic|grub-mkconfig}} command.<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18366Root on ZFS with native encryption2020-12-30T14:09:40Z<p>R2: /* Finish GRUB installation */ warning</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
WARNING: as of 3.12.3, the Alpine Linux version of GRUB (not upstream version) can not properly detect ZFS root device. A temporary fix: The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18365Root on ZFS with native encryption2020-12-30T13:35:55Z<p>R2: /* Dataset creation */ not needed</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18364Root on ZFS with native encryption2020-12-30T13:11:03Z<p>R2: /* Dataset creation */ note for legacy mountpoints</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
To be able to mount datasets with {{ic|/etc/fstab}} instead of native ZFS handling, set datasets to {{ic|1=mountpoint=legacy}}. Child datasets will inherit this property.<br />
zfs set mountpoint=legacy rpool_$poolUUID/ROOT/default<br />
zfs set mountpoint=legacy bpool_$poolUUID/BOOT/default<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18363Root on ZFS with native encryption2020-12-30T13:00:35Z<p>R2: /* Preparations */ missing subtitle</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations ==<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18362Root on ZFS with native encryption2020-12-30T12:45:28Z<p>R2: /* Dataset creation */ details for dataset layout</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
This layout is intended to separate root file system from persistent files. See [https://wiki.archlinux.org/index.php/User:M0p/Root_on_ZFS_Native_Encryption/Layout] for a description.<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
= Preparations =<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18361Root on ZFS with native encryption2020-12-30T12:40:54Z<p>R2: /* Setup live environment */ inline code</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by {{ic|setup-disk}}.<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
= Preparations =<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18360Root on ZFS with native encryption2020-12-30T12:40:04Z<p>R2: /* = Preparations */ fix title</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by<br />
setup-disk<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
= Preparations =<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2https://wiki.alpinelinux.org/w/index.php?title=Template:Text_art&diff=18359Template:Text art2020-12-30T12:38:46Z<p>R2: copy from archwiki</p>
<hr />
<div><noinclude><br />
{{Template}}<br />
<br />
Block code that does not wrap on narrow screens, intended for [[Wikipedia:Text art|Text art]].<br />
<br />
Use [[Template:bc]] for regular block codes.<br />
<br />
== Usage ==<br />
<br />
{{bc|<nowiki>{{Text art|<nowiki><br />
Alpine Linux<br />
&lt;/nowiki>}}</nowiki>}}<br />
<br />
== Example ==<br />
<br />
{{Text art|<nowiki><br />
Alpine Linux<br />
</nowiki>}}<br />
</noinclude><includeonly><pre<!----> style="white-space: pre !important; font-variant-ligatures: no-common-ligatures;">{{{code|{{{1|{{META Error}}}}}}}}</pre></includeonly></div>R2https://wiki.alpinelinux.org/w/index.php?title=Template:Ic&diff=18358Template:Ic2020-12-30T12:36:59Z<p>R2: inline code</p>
<hr />
<div><noinclude>{{Template}} {{DISPLAYTITLE:Template:ic}}<br />
<br />
Inline code.<br />
<br />
* Use [[Template:bc]] for block code without header.<br />
* Use [[Template:hc]] for block code with header.<br />
<br />
==Usage==<br />
<br />
{{bc|<nowiki>{{ic|code}}</nowiki>}}<br />
<br />
{{Tip|When representing keyboard keys, you can use [[Wikipedia:List of XML and HTML character entity references|HTML entities]] {{ic|&amp;uarr;}}, {{ic|&amp;rarr;}}, {{ic|&amp;darr;}} and {{ic|&amp;larr;}} to depict arrow keys: {{ic|&uarr;}}, {{ic|&rarr;}}, {{ic|&darr;}}, {{ic|&larr;}}}}<br />
<br />
==Example==<br />
<br />
{{ic|code}}</noinclude><includeonly><code>{{{code|{{{1|{{META Error}}}}}}}}</code></includeonly></div>R2https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=18357Root on ZFS with native encryption2020-12-30T12:35:38Z<p>R2: update</p>
<hr />
<div>= Objectives =<br />
This guide aims to setup encrypted Alpine Linux on ZFS with a layout compatible with boot environments. Mirror and RAID-Z supported.<br />
<br />
Except EFI system partition and boot pool {{ic|/boot}}, everything is encrypted. Root pool is encrypted with ZFS native encryption and swap partition is encrypted with dm-crypt.<br />
<br />
To do an unencrypted setup, simply omit {{ic|-O keylocation -O keyformat}} when creating root pool.<br />
<br />
= Notes =<br />
== Swap on ZFS will cause dead lock ==<br />
You shouldn't use a ZVol as a swap device, as it can deadlock under memory pressure. See [https://github.com/openzfs/zfs/issues/7734] This guide will set up swap on a separate partition with plain dm-crypt.<br />
<br />
Resume from swap is not possible, because the key of swap partition can not be stored in the unencrypted boot pool. Busybox initramfs only supports unlocking exactly one LUKS container at boot, therefore boot pool and swap partition can not be both LUKS encrypted. A possible workaround is to import and mount boot pool after booting the system via systemd service.<br />
<br />
== Resume from ZFS will corrupt the pool ==<br />
ZFS does not support freeze/thaw operations, which is required for resuming from hibernation, or suspend to disk. Attempt to resume from a swap on ZFS '''WILL''' corrupt the pool. See [https://github.com/openzfs/zfs/issues/260]<br />
== Encrypted boot pool ==<br />
GRUB supports booting from LUKS-1 encrypted containers. Therefore, it is possible to encrypt both boot pool and root pool to achieve full disk encryption.<br />
<br />
To do this, format boot pool partition as LUKS-1 container and supply the encryption password here. Use keyfile for root pool and embed the keyfile in initramfs.<br />
<br />
Since there isn't any sensitive information in {{ic|/boot}} anyway (unless you want to use a persistent LUKS encrypted swap partition for resume from hibernation), encrypting boot pool provides no meaningful benefit and complicates the installation and recovery process.<br />
<br />
= Pre-installation =<br />
UEFI is required. Supports single disk & multi-disk (stripe, mirror, RAID-Z) installation.<br />
<br />
'''Existing data on target disk(s) will be destroyed.'''<br />
<br />
Download the '''extended''' release from https://www.alpinelinux.org/downloads/, it's shipped with ZFS kernel module.<br />
<br />
Write it to a USB and boot from it.<br />
<br />
== Setup live environment ==<br />
Run the following command to setup the live environment, select disk=none at the last step when asked for disk mode. See [[Installation#Questions_asked_by_setup-alpine]].<br />
setup-alpine<br />
The settings given here will be copied to the target system later by<br />
setup-disk<br />
<br />
== Install system utilities ==<br />
apk update<br />
apk add eudev sgdisk grub-efi zfs<br />
modprobe zfs<br />
Here we must install eudev to have persistent block device names. '''Do not use''' /dev/sda for ZFS pools.<br />
rc-update add udev-trigger sysinit<br />
/etc/init.d/udev-trigger start<br />
<br />
= Variables =<br />
In this step, we will set some variables to make our installation process easier.<br />
DISK=/dev/disk/by-id/ata-HXY_120G_YS<br />
Use unique disk path instead of {{ic|/dev/sda}} to ensure the correct partition can be found by ZFS.<br />
<br />
Other variables<br />
TARGET_USERNAME='your username'<br />
ENCRYPTION_PWD='your root pool encryption password'<br />
TARGET_USERPWD='user account password'<br />
Create a mountpoint<br />
MOUNTPOINT=`mktemp -d`<br />
Create a unique suffix for the ZFS pools: this will prevent name conflict when importing pools on another Root on ZFS system.<br />
poolUUID=$(dd if=/dev/urandom of=/dev/stdout bs=1 count=100 2>/dev/null |tr -dc 'a-z0-9' | cut -c-6)<br />
<br />
= Partitioning =<br />
For a single disk, UEFI installation, we need to create at lease 3 partitions:<br />
* EFI system partition<br />
* Boot pool partition<br />
* Root pool partition<br />
Since [[GRUB]] only partially support ZFS, many features needs to be disabled on the boot pool. By creating a separate root pool, we can then utilize the full potential of ZFS.<br />
<br />
Clear the partition table on the target disk and create EFI, boot and root pool parititions:<br />
sgdisk --zap-all $DISK<br />
sgdisk -n1:0:+512M -t1:EF00 $DISK<br />
sgdisk -n2:0:+2G $DISK # boot pool<br />
sgdisk -n3:0:0 $DISK # root pool<br />
If you want to use a multi-disk setup, such as mirror or RAID-Z, partition every target disk with the same commands above.<br />
<br />
== Optional: Swap partition ==<br />
[[Swap]] support on ZFS is also problematic, therefore it is recommended to create a separate Swap partition if needed. This guide will cover the creation of a separate swap partition.(can not be used for hibernation since the encryption key is discarded when power off.)<br />
<br />
If you want to use swap, reserve some space at the end of disk when creating root pool:<br />
sgdisk -n3:0:-8G $DISK # root pool, reserve 8GB for swap at the end of the disk<br />
sgdisk -n4:0:0 $DISK # swap partition<br />
<br />
= Boot and root pool creation =<br />
As mentioned above, ZFS features need to be selectively enabled for GRUB. All available features are enabled when no {{ic|feature@}} is supplied.<br />
<br />
Here we explicitly enable those GRUB can support.<br />
zpool create \<br />
-o ashift=12 -d \<br />
-o feature@async_destroy=enabled \<br />
-o feature@bookmarks=enabled \<br />
-o feature@embedded_data=enabled \<br />
-o feature@empty_bpobj=enabled \<br />
-o feature@enabled_txg=enabled \<br />
-o feature@extensible_dataset=enabled \<br />
-o feature@filesystem_limits=enabled \<br />
-o feature@hole_birth=enabled \<br />
-o feature@large_blocks=enabled \<br />
-o feature@lz4_compress=enabled \<br />
-o feature@spacemap_histogram=enabled \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O devices=off -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O mountpoint=/boot -R $MOUNTPOINT \<br />
bpool_$poolUUID $DISK-part2<br />
Nothing is stored directly under bpool and rpool, hence {{ic|1=canmount=off}}. The respective {{ic|mountpoint}} properties are more symbolic than practical.<br />
<br />
For root pool all available features are enabled by default<br />
echo $ENCRYPTION_PWD | zpool create \<br />
-o ashift=12 \<br />
-O encryption=aes-256-gcm \<br />
-O keylocation=prompt -O keyformat=passphrase \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on \<br />
-O xattr=sa -O mountpoint=/ -R $MOUNTPOINT \<br />
rpool_$poolUUID $DISK-part3<br />
<br />
== Notes for multi-disk ==<br />
For mirror:<br />
zpool create \<br />
... \<br />
bpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part2 \<br />
/dev/disk/by-id/target_disk2-part2<br />
zpool create \<br />
... \<br />
rpool_$poolUUID mirror \<br />
/dev/disk/by-id/target_disk1-part3 \<br />
/dev/disk/by-id/target_disk2-part3<br />
For RAID-Z, replace mirror with raidz, raidz2 or raidz3.<br />
<br />
= Dataset creation =<br />
{{Text art|<nowiki><br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/HOME<br />
zfs create -o canmount=off -o mountpoint=none rpool_$poolUUID/ROOT<br />
zfs create -o canmount=off -o mountpoint=none bpool_$poolUUID/BOOT<br />
zfs create -o mountpoint=/ -o canmount=noauto rpool_$poolUUID/ROOT/default<br />
zfs create -o mountpoint=/boot -o canmount=noauto bpool_$poolUUID/BOOT/default<br />
zfs mount rpool_$poolUUID/ROOT/default<br />
zfs mount bpool_$poolUUID/BOOT/default<br />
d='usr var var/lib'<br />
for i in $d; do zfs create -o canmount=off rpool_$poolUUID/ROOT/default/$i; done<br />
d='srv usr/local'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/$i; done<br />
d='log spool tmp'<br />
for i in $d; do zfs create rpool_$poolUUID/ROOT/default/var/$i; done<br />
zfs create -o mountpoint=/home rpool_$poolUUID/HOME/default<br />
zfs create -o mountpoint=/root rpool_$poolUUID/HOME/default/root<br />
zfs create rpool_$poolUUID/HOME/default/$TARGET_USERNAME<br />
</nowiki>}}<br />
<br />
<br />
= Format and mount EFI partition =<br />
mkfs.vfat -n EFI $DISK-part1<br />
mkdir $MOUNTPOINT/boot/efi<br />
mount $DISK-part1 $MOUNTPOINT/boot/efi<br />
<br />
= Install Alpine Linux to target disk =<br />
== Preparations =<br />
GRUB will not find the correct path of root device without ZPOOL_VDEV_NAME_PATH=YES.<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
setup-disk refuse to run on ZFS by default, we need to add ZFS to the supported filesystem array.<br />
sed -i 's|supported="ext|supported="zfs ext|g' /sbin/setup-disk<br />
<br />
== Run setup-disk ==<br />
BOOTLOADER=grub USE_EFI=y setup-disk -v $MOUNTPOINT<br />
Note that grub-probe will still fail despite ZPOOL_VDEV_NAME_PATH=YES variable set above. We will deal with this later inside chroot.<br />
<br />
= Chroot into new system =<br />
mount --rbind /dev $MOUNTPOINT/dev<br />
mount --rbind /proc $MOUNTPOINT/proc<br />
mount --rbind /sys $MOUNTPOINT/sys<br />
chroot $MOUNTPOINT /usr/bin/env TARGET_USERPWD=$TARGET_USERPWD TARGET_USERNAME=$TARGET_USERNAME poolUUID=$poolUUID /bin/sh<br />
<br />
= Finish GRUB installation =<br />
As GRUB installation failed half-way in [[#Run setup-disk]], we will finish it here.<br />
<br />
Apply GRUB ZFS fix:<br />
export ZPOOL_VDEV_NAME_PATH=YES<br />
Generate grub.cfg<br />
grub-mkconfig -o /boot/grub/grub.cfg<br />
The correct root device, rpool_$poolUUID/ROOT/default is missing from grub.cfg, fix with a sed command<br />
sed -i "s|root=PARTUUID.*|root=ZFS=rpool_$poolUUID/ROOT/default|g" /boot/grub/grub.cfg<br />
<br />
= Install packages =<br />
These packages are used for creating a common user account. Root account is accessed with sudo. Also package for persisitent block device name must be installed.<br />
apk add shadow sudo eudev<br />
<br />
= Enable ZFS services =<br />
rc-update add zfs-import sysinit<br />
rc-update add zfs-mount sysinit<br />
rc-update add zfs-zed sysinit<br />
rc-update add udev-trigger sysinit<br />
<br />
= Enable sudo access for wheel group =<br />
mv /etc/sudoers /etc/sudoers.original<br />
tee /etc/sudoers << EOF<br />
root ALL=(ALL) ALL<br />
%wheel ALL=(ALL) ALL<br />
EOF<br />
<br />
= Add normal user account =<br />
useradd -s /bin/bash -U -G wheel,video -d /home/$TARGET_USERNAME $TARGET_USERNAME<br />
chown -R $TARGET_USERNAME:$TARGET_USERNAME /home/$TARGET_USERNAME<br />
echo "$TARGET_USERNAME:$TARGET_USERPWD" | chpasswd<br />
<br />
= Finish installation =<br />
Take a snapshot for the clean installation for future use and export all pools.<br />
exit<br />
zfs snapshot -r rpool_$poolUUID/ROOT/default@install<br />
zfs snapshot -r bpool_$poolUUID/BOOT/default@install<br />
Pools must be exported before reboot, or they will fail to be imported on boot.<br />
mount | grep -v zfs | tac | grep $MOUNTPOINT | awk '{print $3}' | \<br />
xargs -i{} umount -lf {}<br />
zpool export bpool_$poolUUID<br />
zpool export rpool_$poolUUID<br />
<br />
= Reboot =<br />
As of this writing, the initramfs lacks support for entering ZFS password at boot. When booting the system, root dataset will simply fail to mount and drop into emergency shell.<br />
<br />
We need to manually load the key and mount root dataset with<br />
zfs load-key -a<br />
# enter password<br />
mount -t zfs rpool_$poolUUID/ROOT/default /sysroot<br />
ArchZFS project solved this with a sh script, available [https://github.com/archzfs/archzfs/blob/master/src/zfs-utils/zfs-utils.initcpio.hook here].</div>R2