...

Michel Le Cocq 2020-06-23 14:18:54 +02:00
parent bde59ea303
commit 60e43d7fd2
3 changed files with 142 additions and 135 deletions

@ -1,76 +1,77 @@
source : [Linsomniac's Articles - Encrypting ZFS on Ubuntu 20.04](https://linsomniac.gitlab.io/post/2020-04-09-ubuntu-2004-encrypted-zfs/)
# encrypt - Unbuntu 20.04 full ZFS install
Here we are going to install Ubuntu 20.04 in **almost** full zfs updating **zsys-setup** to permit **zfs encryption**. Read bellow articles to understand why 2 differerent pools and full implementation.
* [ZFS focus on Ubuntu 20.04 LTS: whats new?](https://didrocks.fr/2020/05/21/zfs-focus-on-ubuntu-20.04-lts-whats-new/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys general presentation](https://didrocks.fr/2020/05/26/zfs-focus-on-ubuntu-20.04-lts-zsys-general-presentation/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys sate management](https://didrocks.fr/2020/05/28/zfs-focus-on-ubuntu-20.04-lts-zsys-general-principle-on-state-management/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys commands for state management](https://didrocks.fr/2020/06/02/zfs-focus-on-ubuntu-20.04-lts-zsys-commands-for-state-management/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys state collection](https://didrocks.fr/2020/06/04/zfs-focus-on-ubuntu-20.04-lts-zsys-state-collection/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys for system administrators](https://didrocks.fr/2020/06/09/zfs-focus-on-ubuntu-20.04-lts-zsys-for-system-administrators/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys partition layout](https://didrocks.fr/2020/06/11/zfs-focus-on-ubuntu-20.04-lts-zsys-partition-layout/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys dataset layout](https://didrocks.fr/2020/06/16/zfs-focus-on-ubuntu-20.04-lts-zsys-dataset-layout/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys properties on ZFS datasets](https://didrocks.fr/2020/06/19/zfs-focus-on-ubuntu-20.04-lts-zsys-properties-on-zfs-datasets/)
## initial boot and ssh
Boot the Ubuntu 20.04 Desktop installer/live CD.
Click the “Try Ubuntu” button.
launch a terminal.
set a passwd to root to permit remote ssh
~~~
$ sudo su
## passwd
New password :
Retype new passord :
passwd: password updated successfully
~~~
Install ssh to simplfy configuration edit.
~~~
## apt install ssh
~~~
Edit **/etc/ssh/sshd_config** to **Enable PermitRootLogin** change *prohibit-password* to *yes* like bellow.
~~~{.shell}
#PermitRootLogin prohibit-password
PermitRootLogin yes
~~~
~~~
service ssh restart
~~~
find yout IP with : *ip a*
then connect remotely with : *ssh*
## update zsys-setup to enable zfs encyption on rpool
bpool remain unencrypt.
Search for “zpool create”, and make sure you have found the create command that has “rpool” on the last line.
Before the “zpool create” insert: echo MYPASSWORD |
Before the last line of the command insert these lines:
~~~{.cpp}
-O recordsize=1M \
-O encryption=aes-256-gcm \
-O keylocation=prompt \
-O keyformat=passphrase \
~~~
## swap
you may be interrested if you are on a laptop in : [right fit swap for laptop hibernation Ubuntu 20.04 full ZFS install](right-fit-swap-for-laptop-hibernation-Ubuntu-20.04-full-ZFS-install)
## start installation
Run ubiquity to start the installer and install as normal, selecting “Use entire disk” and the option to use ZFS.
## questions to be solves
* what happen if zpool passwd is not given at boot shutdown ?
source : [Linsomniac's Articles - Encrypting ZFS on Ubuntu 20.04](https://linsomniac.gitlab.io/post/2020-04-09-ubuntu-2004-encrypted-zfs/)
# encrypt - Unbuntu 20.04 full ZFS install
Here we are going to install Ubuntu 20.04 in **almost** full zfs updating **zsys-setup** to permit **zfs encryption**. Read bellow articles to understand why 2 differerent pools and full implementation.
* [ZFS focus on Ubuntu 20.04 LTS: whats new?](https://didrocks.fr/2020/05/21/zfs-focus-on-ubuntu-20.04-lts-whats-new/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys general presentation](https://didrocks.fr/2020/05/26/zfs-focus-on-ubuntu-20.04-lts-zsys-general-presentation/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys sate management](https://didrocks.fr/2020/05/28/zfs-focus-on-ubuntu-20.04-lts-zsys-general-principle-on-state-management/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys commands for state management](https://didrocks.fr/2020/06/02/zfs-focus-on-ubuntu-20.04-lts-zsys-commands-for-state-management/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys state collection](https://didrocks.fr/2020/06/04/zfs-focus-on-ubuntu-20.04-lts-zsys-state-collection/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys for system administrators](https://didrocks.fr/2020/06/09/zfs-focus-on-ubuntu-20.04-lts-zsys-for-system-administrators/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys partition layout](https://didrocks.fr/2020/06/11/zfs-focus-on-ubuntu-20.04-lts-zsys-partition-layout/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys dataset layout](https://didrocks.fr/2020/06/16/zfs-focus-on-ubuntu-20.04-lts-zsys-dataset-layout/)
* [ZFS focus on Ubuntu 20.04 LTS: ZSys properties on ZFS datasets](https://didrocks.fr/2020/06/19/zfs-focus-on-ubuntu-20.04-lts-zsys-properties-on-zfs-datasets/)
## initial boot and ssh
Boot the Ubuntu 20.04 Desktop installer/live CD.
Click the “Try Ubuntu” button.
launch a terminal.
set a passwd to root to permit remote ssh
~~~
$ sudo su
## passwd
New password :
Retype new passord :
passwd: password updated successfully
~~~
Install ssh to simplfy configuration edit.
~~~
## apt install ssh
~~~
Edit **/etc/ssh/sshd_config** to **Enable PermitRootLogin** change *prohibit-password* to *yes* like bellow.
~~~{.shell}
#PermitRootLogin prohibit-password
PermitRootLogin yes
~~~
~~~
service ssh restart
~~~
find yout IP with : *ip a*
then connect remotely with : *ssh*
## update zsys-setup to enable zfs encyption on rpool
bpool remain unencrypt.
Search for “zpool create”, and make sure you have found the create command that has “rpool” on the last line.
Before the “zpool create” insert: echo MYPASSWORD |
Before the last line of the command insert these lines:
~~~{.cpp}
-O recordsize=1M \
-O encryption=aes-256-gcm \
-O keylocation=prompt \
-O keyformat=passphrase \
~~~
## swap
you may be interrested if you are on a laptop in : [right fit swap for laptop hibernation Ubuntu 20.04 full ZFS install](right-fit-swap-for-laptop-hibernation-Ubuntu-20.04-full-ZFS-install)
## start installation
Run ubiquity to start the installer and install as normal, selecting “Use entire disk” and the option to use ZFS.
## questions to be solves
* what happen if zpool passwd is not given at boot shutdown ?
* find a way to shut it down pass a delay
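Review bot: in the "update zsys-setup" section, the instruction to insert `echo MYPASSWORD |` before `zpool create` leaves the rpool passphrase in cleartext inside the edited script, and the text never says that MYPASSWORD is a placeholder. Say so explicitly and add a step to rotate the passphrase after the install (`zfs change-key rpool`), or to remove the edited line once the pool is created. The same section fences the `-O` options as `~~~{.cpp}`, although they are `zpool create` arguments, and it does not say where zsys-setup is found. The `PermitRootLogin yes` step should also state that it is meant only for the live installer session.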

@ -12,7 +12,7 @@
* Turn off swap
~~~
swapoff /dev/mapper/cryptswap1
swapoff /dev/mapper/cryptswap
~~~
* Undo the existing mapping.
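Review bot: the `swapoff` line now names `/dev/mapper/cryptswap`, but a system that still has the old mapping active exposes it as `cryptswap1`, so this command can fail on exactly the machines this step targets. Consider `swapoff -a`, as the encrypt-swap page does, or tell the reader to check the active name first with `swapon --show`. Also make sure the "Undo the existing mapping" step that follows, which is not visible in this hunk, uses the same mapping name.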
@ -64,3 +64,5 @@ mkswap /dev/nvme0n1p2
~~~
swapon -a
~~~
Next you need to reboot to enable everything and test it.
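Review bot: the added sentence "Next you need to reboot to enable everything and test it." does not say what to test. State the expected result after the reboot, for example that `swapon --show` lists the swap device and that a hibernate and resume cycle completes, so the reader can tell whether the setup worked.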

@ -1,58 +1,62 @@
## encrypt swap partition
sources :
* [wiki.archlinux.org - dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#LVM_on_LUKS)
* [help.ubuntu.com - Enable Hibernate With Encrypted Swap](https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap)
~~~
apt-get install ecryptfs-utils
swapoff -a
cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/nvme0n1p2
cryptsetup open /dev/<device> cryptswap
mkswap /dev/mapper/cryptswap
~~~
/!\ le point ci-dessous est sans doute inutile
* Change your /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT to remove resume part wich is now manage by initramfs
~~~
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
~~~
~~~
update-grub
~~~
Now ajust /etc/fstab to use your mapper, replace your encrypt swap device like bellow :
~~~
/dev/mapper/cryptswap none swap discard 0 0
~~~
add your encrypt swap device define in /etc/crypttab
~~~
cryptswap /dev/nvme0n1p2 none luks
~~~
~~~
swapon -a
~~~
~~~
printf "RESUME=UUID=/dev/mapper/cryptswap" | tee /etc/initramfs-tools/conf.d/resume
~~~
Register these changes.
~~~
update-initramfs -u -k all
~~~
### to be solve
~~~
cryptsetup: ERROR: Couln't resolve device rpool/ROOT/ubuntu_...
cryptsetup: WARNING: Couln't determine root device
~~~
## prerequisite
* all command bellow are run has root
## encrypt swap partition
sources :
* [wiki.archlinux.org - dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#LVM_on_LUKS)
* [help.ubuntu.com - Enable Hibernate With Encrypted Swap](https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap)
~~~
apt-get install ecryptfs-utils
swapoff -a
cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 cryptswap
mkswap /dev/mapper/cryptswap
~~~
/!\ le point ci-dessous est sans doute inutile
* Change your /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT to remove resume part wich is now manage by initramfs
~~~
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
~~~
~~~
update-grub
~~~
Now ajust /etc/fstab to use your mapper, replace your encrypt swap device like bellow :
~~~
/dev/mapper/cryptswap none swap discard 0 0
~~~
add your encrypt swap device define in /etc/crypttab
~~~
cryptswap /dev/nvme0n1p2 none luks
~~~
~~~
swapon -a
~~~
~~~
printf "RESUME=UUID=/dev/mapper/cryptswap" | tee /etc/initramfs-tools/conf.d/resume
~~~
Register these changes.
~~~
update-initramfs -u -k all
~~~
### to be solve
~~~
cryptsetup: ERROR: Couln't resolve device rpool/ROOT/ubuntu_...
cryptsetup: WARNING: Couln't determine root device
~~~
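Review bot: the `printf "RESUME=UUID=/dev/mapper/cryptswap"` line is unchanged by this commit but mixes two forms: `UUID=` must be followed by a UUID, not a device path. Use either `RESUME=/dev/mapper/cryptswap` or `RESUME=UUID=` with the actual UUID, and end the string with a newline. In the `luksFormat` line, `--cipher aes-xts-plain64 --key-size 256` gives AES-128, because XTS splits the key in two; use `--key-size 512` if AES-256 is intended. Replacing `/dev/<device>` with `/dev/nvme0n1p2` makes the block consistent, but the new prerequisite section should also tell the reader to substitute their own swap partition, since `luksFormat` destroys whatever is on the named device.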