From 60e43d7fd222973d8da74a1c536e0bbe67c47693 Mon Sep 17 00:00:00 2001 From: Michel Le Cocq Date: Tue, 23 Jun 2020 14:18:54 +0200 Subject: [PATCH] ... --- Unbuntu-20.04-encrypt-ZFS-install.md | 153 ++++++++++++++------------- disable-encrypt-swap-partition.md | 4 +- encrypt-swap-Ubuntu-20.04.md | 120 +++++++++++---------- 3 files changed, 142 insertions(+), 135 deletions(-) diff --git a/Unbuntu-20.04-encrypt-ZFS-install.md b/Unbuntu-20.04-encrypt-ZFS-install.md index 6da010a..22f8102 100644 --- a/Unbuntu-20.04-encrypt-ZFS-install.md +++ b/Unbuntu-20.04-encrypt-ZFS-install.md 
@@ -1,76 +1,77 @@ -source : [Linsomniac's Articles - Encrypting ZFS on Ubuntu 20.04](https://linsomniac.gitlab.io/post/2020-04-09-ubuntu-2004-encrypted-zfs/) -# encrypt - Unbuntu 20.04 full ZFS install -Here we are going to install Ubuntu 20.04 in **almost** full zfs updating **zsys-setup** to permit **zfs encryption**. Read bellow articles to understand why 2 differerent pools and full implementation. - -* [ZFS focus on Ubuntu 20.04 LTS: what’s new?](https://didrocks.fr/2020/05/21/zfs-focus-on-ubuntu-20.04-lts-whats-new/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys general presentation](https://didrocks.fr/2020/05/26/zfs-focus-on-ubuntu-20.04-lts-zsys-general-presentation/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys sate management](https://didrocks.fr/2020/05/28/zfs-focus-on-ubuntu-20.04-lts-zsys-general-principle-on-state-management/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys commands for state management](https://didrocks.fr/2020/06/02/zfs-focus-on-ubuntu-20.04-lts-zsys-commands-for-state-management/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys state collection](https://didrocks.fr/2020/06/04/zfs-focus-on-ubuntu-20.04-lts-zsys-state-collection/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys for system administrators](https://didrocks.fr/2020/06/09/zfs-focus-on-ubuntu-20.04-lts-zsys-for-system-administrators/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys partition layout](https://didrocks.fr/2020/06/11/zfs-focus-on-ubuntu-20.04-lts-zsys-partition-layout/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys dataset layout](https://didrocks.fr/2020/06/16/zfs-focus-on-ubuntu-20.04-lts-zsys-dataset-layout/) -* [ZFS focus on Ubuntu 20.04 LTS: ZSys properties on ZFS datasets](https://didrocks.fr/2020/06/19/zfs-focus-on-ubuntu-20.04-lts-zsys-properties-on-zfs-datasets/) - -## initial boot and ssh -Boot the Ubuntu 20.04 Desktop installer/live CD. -Click the “Try Ubuntu” button. -launch a terminal. 
- -set a passwd to root to permit remote ssh - -~~~ -$ sudo su -## passwd -New password : -Retype new passord : -passwd: password updated successfully -~~~ - -Install ssh to simplfy configuration edit. - -~~~ -## apt install ssh -~~~ - -Edit **/etc/ssh/sshd_config** to **Enable PermitRootLogin** change *prohibit-password* to *yes* like bellow. - -~~~{.shell} -#PermitRootLogin prohibit-password -PermitRootLogin yes -~~~ - -~~~ -service ssh restart -~~~ - -find yout IP with : *ip a* - -then connect remotely with : *ssh* - -## update zsys-setup to enable zfs encyption on rpool - -bpool remain unencrypt. - -Search for “zpool create”, and make sure you have found the create command that has “rpool” on the last line. -Before the “zpool create” insert: echo MYPASSWORD | -Before the last line of the command insert these lines: - -~~~{.cpp} --O recordsize=1M \ --O encryption=aes-256-gcm \ --O keylocation=prompt \ --O keyformat=passphrase \ -~~~ - -## swap - -you may be interrested if you are on a laptop in : [right fit swap for laptop hibernation Ubuntu 20.04 full ZFS install](right-fit-swap-for-laptop-hibernation-Ubuntu-20.04-full-ZFS-install) - -## start installation - -Run ubiquity to start the installer and install as normal, selecting “Use entire disk” and the option to use ZFS. - -## questions to be solves - -* what happen if zpool passwd is not given at boot shutdown ? \ No newline at end of file +source : [Linsomniac's Articles - Encrypting ZFS on Ubuntu 20.04](https://linsomniac.gitlab.io/post/2020-04-09-ubuntu-2004-encrypted-zfs/) +# encrypt - Unbuntu 20.04 full ZFS install +Here we are going to install Ubuntu 20.04 in **almost** full zfs updating **zsys-setup** to permit **zfs encryption**. Read bellow articles to understand why 2 differerent pools and full implementation. 
+ +* [ZFS focus on Ubuntu 20.04 LTS: what’s new?](https://didrocks.fr/2020/05/21/zfs-focus-on-ubuntu-20.04-lts-whats-new/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys general presentation](https://didrocks.fr/2020/05/26/zfs-focus-on-ubuntu-20.04-lts-zsys-general-presentation/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys sate management](https://didrocks.fr/2020/05/28/zfs-focus-on-ubuntu-20.04-lts-zsys-general-principle-on-state-management/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys commands for state management](https://didrocks.fr/2020/06/02/zfs-focus-on-ubuntu-20.04-lts-zsys-commands-for-state-management/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys state collection](https://didrocks.fr/2020/06/04/zfs-focus-on-ubuntu-20.04-lts-zsys-state-collection/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys for system administrators](https://didrocks.fr/2020/06/09/zfs-focus-on-ubuntu-20.04-lts-zsys-for-system-administrators/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys partition layout](https://didrocks.fr/2020/06/11/zfs-focus-on-ubuntu-20.04-lts-zsys-partition-layout/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys dataset layout](https://didrocks.fr/2020/06/16/zfs-focus-on-ubuntu-20.04-lts-zsys-dataset-layout/) +* [ZFS focus on Ubuntu 20.04 LTS: ZSys properties on ZFS datasets](https://didrocks.fr/2020/06/19/zfs-focus-on-ubuntu-20.04-lts-zsys-properties-on-zfs-datasets/) + +## initial boot and ssh +Boot the Ubuntu 20.04 Desktop installer/live CD. +Click the “Try Ubuntu” button. +launch a terminal. + +set a passwd to root to permit remote ssh + +~~~ +$ sudo su +## passwd +New password : +Retype new passord : +passwd: password updated successfully +~~~ + +Install ssh to simplfy configuration edit. + +~~~ +## apt install ssh +~~~ + +Edit **/etc/ssh/sshd_config** to **Enable PermitRootLogin** change *prohibit-password* to *yes* like bellow. 
+ +~~~{.shell} +#PermitRootLogin prohibit-password +PermitRootLogin yes +~~~ + +~~~ +service ssh restart +~~~ + +find yout IP with : *ip a* + +then connect remotely with : *ssh* + +## update zsys-setup to enable zfs encyption on rpool + +bpool remain unencrypt. + +Search for “zpool create”, and make sure you have found the create command that has “rpool” on the last line. +Before the “zpool create” insert: echo MYPASSWORD | +Before the last line of the command insert these lines: + +~~~{.cpp} +-O recordsize=1M \ +-O encryption=aes-256-gcm \ +-O keylocation=prompt \ +-O keyformat=passphrase \ +~~~ + +## swap + +you may be interrested if you are on a laptop in : [right fit swap for laptop hibernation Ubuntu 20.04 full ZFS install](right-fit-swap-for-laptop-hibernation-Ubuntu-20.04-full-ZFS-install) + +## start installation + +Run ubiquity to start the installer and install as normal, selecting “Use entire disk” and the option to use ZFS. + +## questions to be solves + +* what happen if zpool passwd is not given at boot shutdown ? +* find a way to shut it down pass a delay diff --git a/disable-encrypt-swap-partition.md b/disable-encrypt-swap-partition.md index 05bab7a..fa12bee 100644 --- a/disable-encrypt-swap-partition.md +++ b/disable-encrypt-swap-partition.md @@ -12,7 +12,7 @@ * Turn off swap ~~~ -swapoff /dev/mapper/cryptswap1 +swapoff /dev/mapper/cryptswap ~~~ * Undo the existing mapping. @@ -64,3 +64,5 @@ mkswap /dev/nvme0n1p2 ~~~ swapon -a ~~~ + +Next you need to reboot to enable everything and test it. diff --git a/encrypt-swap-Ubuntu-20.04.md b/encrypt-swap-Ubuntu-20.04.md index 851b762..022cffb 100644 --- a/encrypt-swap-Ubuntu-20.04.md +++ b/encrypt-swap-Ubuntu-20.04.md 
@@ -1,58 +1,62 @@ -## encrypt swap partition - -sources : -* [wiki.archlinux.org - dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#LVM_on_LUKS) -* [help.ubuntu.com - Enable Hibernate With Encrypted Swap](https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap) - -~~~ -apt-get install ecryptfs-utils -swapoff -a -cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/nvme0n1p2 -cryptsetup open /dev/ cryptswap -mkswap /dev/mapper/cryptswap -~~~ - -/!\ le point ci-dessous est sans doute inutile - -* Change your /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT to remove resume part wich is now manage by initramfs - -~~~ -GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" -~~~ - -~~~ -update-grub -~~~ - -Now ajust /etc/fstab to use your mapper, replace your encrypt swap device like bellow : - -~~~ -/dev/mapper/cryptswap none swap discard 0 0 -~~~ - -add your encrypt swap device define in /etc/crypttab - -~~~ -cryptswap /dev/nvme0n1p2 none luks -~~~ - -~~~ -swapon -a -~~~ - -~~~ -printf "RESUME=UUID=/dev/mapper/cryptswap" | tee /etc/initramfs-tools/conf.d/resume -~~~ - -Register these changes. - -~~~ -update-initramfs -u -k all -~~~ - -### to be solve - -~~~ -cryptsetup: ERROR: Couln't resolve device rpool/ROOT/ubuntu_... 
-cryptsetup: WARNING: Couln't determine root device -~~~ \ No newline at end of file +## prerequisite + +* all command bellow are run has root + +## encrypt swap partition + +sources : +* [wiki.archlinux.org - dm-crypt/Swap encryption](https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#LVM_on_LUKS) +* [help.ubuntu.com - Enable Hibernate With Encrypted Swap](https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap) + +~~~ +apt-get install ecryptfs-utils +swapoff -a +cryptsetup luksFormat --cipher aes-xts-plain64 --verify-passphrase --key-size 256 /dev/nvme0n1p2 +cryptsetup open /dev/nvme0n1p2 cryptswap +mkswap /dev/mapper/cryptswap +~~~ + +/!\ le point ci-dessous est sans doute inutile + +* Change your /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT to remove resume part wich is now manage by initramfs + +~~~ +GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" +~~~ + +~~~ +update-grub +~~~ + +Now ajust /etc/fstab to use your mapper, replace your encrypt swap device like bellow : + +~~~ +/dev/mapper/cryptswap none swap discard 0 0 +~~~ + +add your encrypt swap device define in /etc/crypttab + +~~~ +cryptswap /dev/nvme0n1p2 none luks +~~~ + +~~~ +swapon -a +~~~ + +~~~ +printf "RESUME=UUID=/dev/mapper/cryptswap" | tee /etc/initramfs-tools/conf.d/resume +~~~ + +Register these changes. + +~~~ +update-initramfs -u -k all +~~~ + +### to be solve + +~~~ +cryptsetup: ERROR: Couln't resolve device rpool/ROOT/ubuntu_... +cryptsetup: WARNING: Couln't determine root device +~~~
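Review bot: In Unbuntu-20.04-encrypt-ZFS-install.md the single hunk (@@ -1,76 +1,77 @@) removes and re-adds every line, yet the only visible differences are the new bullet "* find a way to shut it down pass a delay" and the newline at end of file. That pattern usually comes from a line-ending or whitespace conversion riding along with the edit; put the conversion in its own commit so the one-line content change can be reviewed, and give the commit a subject other than "...". Since these lines are being touched anyway: the `echo MYPASSWORD |` step puts the rpool passphrase in clear text into the edited zsys-setup script, which deserves a sentence in the text, and the `-O` option block is tagged `{.cpp}` although it is shell.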
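Review bot: The rename to `swapoff /dev/mapper/cryptswap` in disable-encrypt-swap-partition.md (@@ -12,7 +12,7 @@) now matches the `cryptswap` name used in encrypt-swap-Ubuntu-20.04.md, but the "Undo the existing mapping" step that follows it is outside this hunk. If that step or any later one in the file still refers to `cryptswap1`, the procedure stops half way; please check them and rename in the same commit.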
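Review bot: The sentence added at the end of disable-encrypt-swap-partition.md (@@ -64,3 +64,5 @@), "Next you need to reboot to enable everything and test it.", does not say what to test. Name the check, for example that `swapon --show` after the reboot lists /dev/nvme0n1p2 and no /dev/mapper device, so the reader can tell that swap is really back on the plain partition.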
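Review bot: In encrypt-swap-Ubuntu-20.04.md (@@ -1,58 +1,62 @@) the re-added line `printf "RESUME=UUID=/dev/mapper/cryptswap" | tee /etc/initramfs-tools/conf.d/resume` mixes two forms: `UUID=` must be followed by a UUID, not a device path. Write `RESUME=/dev/mapper/cryptswap`, or `RESUME=UUID=` followed by the UUID that `blkid` reports for the swap device. The fix of `cryptsetup open /dev/ cryptswap` to `/dev/nvme0n1p2` is the real change here and is hard to spot because the whole file is removed and re-added; in the new prerequisite line, "are run has root" should read "are run as root", and the French note "/!\ le point ci-dessous est sans doute inutile" should be translated or dropped.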