User:Fearedbliss/Installing Gentoo Linux On Encrypted ZFS

From Gentoo Wiki

This page serves as an overlay of steps that can be applied in addition to or in place of some steps from my main installation guide.

The overlay will enable you to install a Gentoo Linux system completely on a single encrypted partition on ZFS. This means that your /boot, /, /home, and swap will all be housed inside of this encrypted partition/pool.


/dev/sda1 = Whole Disk  | LUKS Container  | Everything on ZFS    | Code: BF00
/dev/sda2 = First 1 MB  | GRUB 2 - GPT    | BIOS Boot Partition  | Code: EF02

Format your drives

We will first create our LUKS container with just a passphrase. This is the passphrase that we will use to unlock the system when the bootloader starts up. However, in order to prevent the initramfs from also asking us for the passphrase again, we will add an embedded keyfile that will be inside of the initramfs. I will discuss how to add this embedded keyfile to this container and how to include this file in the initramfs later on. For now let's get our encrypted container ready:

cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 system

Your zpool will be created using this encrypted container:

zpool create -f -o ashift=12 -o cachefile= -O compression=lz4 -m none -R /mnt/gentoo tank /dev/mapper/system

Install required applications

USE Flags

Add the following USE flags to your /etc/portage/make.conf:

USE="udev device-mapper"


When you install GRUB, the following applications should be pulled in:

spl, zfs, zfs-kmod (these three are pulled in by GRUB's 'libzfs' USE flag)
lvm2 (pulled in by the 'device-mapper' USE flag)
udev (pulled in by the 'udev' USE flag on GRUB)
bliss-kernel (pulled in because a kernel is needed to compile spl/zfs-kmod against)


You can also install the following application which contains our encryption tools:

emerge cryptsetup

Enabling Bootloader encryption hooks

Since our /boot is inside of an encrypted /, GRUB 2 will need to perform a few additional steps in order to decrypt the drive. You can append the following line to the end of your /etc/default/grub file before running grub2-install.

echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub

Creating and Embedding a Keyfile

We will now create the keyfile that prevents a second passphrase prompt from appearing when the initramfs decrypts our drive after the bootloader has handed control to it. Because the keyfile is embedded in the initramfs, and the initramfs lives in /boot inside the encrypted pool, it is never stored in the clear on disk; it only becomes available once GRUB has already unlocked the container with the passphrase:

Generate and add the keyfile

dd if=/dev/urandom of=/crypto_keyfile.bin bs=4096 count=1
chmod 000 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin

Enable keyfile support in 'bliss-initramfs'

# Enable embedded keyfile support and add keyfile path to bliss-initramfs
open /opt/bliss-initramfs/pkg/hooks/

_use_keyfile = 1
_keyfile_path = "/crypto_keyfile.bin"
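Once the initramfs has been rebuilt, it is worth confirming that the keyfile actually ended up inside the image (otherwise the initramfs will fall back to prompting for the passphrase) and that it was not packed with group- or world-readable permissions. The following is an added example, not part of this guide or of bliss-initramfs: it parses an initramfs in newc cpio format (optionally gzip-compressed, which is the usual layout) and reports whether /crypto_keyfile.bin is present and how it is protected. The `build_sample_initramfs` helper only constructs a tiny sample archive so the example runs offline; point `check_embedded_keyfile` at the bytes of a real initrd to use it for real.

```python
"""Inspect a newc-format initramfs cpio archive for an embedded LUKS keyfile.

Added example (not from the guide or from bliss-initramfs). The sample
archive built below is constructed in memory purely for demonstration.
"""
import gzip
import stat
import sys

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 hex fields of 8 chars each


def cpio_newc_entry(name: str, data: bytes, mode: int) -> bytes:
    """Build one newc cpio entry (used only to construct the sample archive)."""
    name_b = name.encode() + b"\0"
    fields = (
        0,            # ino
        mode,         # mode (file type bits + permission bits)
        0, 0,         # uid, gid
        1,            # nlink
        0,            # mtime
        len(data),    # filesize
        0, 0, 0, 0,   # devmajor, devminor, rdevmajor, rdevminor
        len(name_b),  # namesize (includes trailing NUL)
        0,            # check (unused for newc)
    )
    entry = NEWC_MAGIC + b"".join(f"{v:08X}".encode() for v in fields) + name_b
    entry += b"\0" * (-len(entry) % 4)   # header+name padded to 4 bytes
    entry += data
    entry += b"\0" * (-len(entry) % 4)   # data padded to 4 bytes
    return entry


def build_sample_initramfs(keyfile_bytes: bytes, keyfile_perms: int) -> bytes:
    """Constructed sample: a gzip'd initramfs holding an init script and the keyfile."""
    archive = cpio_newc_entry("init", b"#!/bin/sh\n", stat.S_IFREG | 0o755)
    archive += cpio_newc_entry("crypto_keyfile.bin", keyfile_bytes,
                               stat.S_IFREG | keyfile_perms)
    archive += cpio_newc_entry("TRAILER!!!", b"", 0)
    return gzip.compress(archive)


def list_initramfs(blob: bytes) -> dict:
    """Parse a newc cpio archive (raw or gzip) into {name: (mode, size)}."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic
        blob = gzip.decompress(blob)
    entries = {}
    off = 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {off}")
        fields = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        if name == "TRAILER!!!":
            break
        data_start = name_start + namesize
        data_start += -data_start % 4     # skip header/name padding
        entries[name] = (mode, filesize)
        off = data_start + filesize
        off += -off % 4                   # skip data padding
    return entries


def check_embedded_keyfile(blob: bytes, keyfile_path: str = "/crypto_keyfile.bin"):
    """Return (present, group_or_world_readable) for the keyfile in the image.

    cpio entries are usually stored without a leading '/' (or with './'),
    so the path from the bliss-initramfs hook is normalised before lookup.
    """
    entries = list_initramfs(blob)
    name = keyfile_path
    while name.startswith(("./", "/")):
        name = name[2:] if name.startswith("./") else name[1:]
    if name not in entries:
        return False, False
    mode, _size = entries[name]
    return True, bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    # Usage: python inspect_initrd.py /boot/kernels/<version>/initrd
    with open(sys.argv[1], "rb") as fh:
        present, loose = check_embedded_keyfile(fh.read())
    print("keyfile embedded:", present, "| group/world readable:", loose)
```

The parser follows the newc header layout (110-byte ASCII header, names and data each padded to 4 bytes) and stops at the TRAILER!!! record, so it works on an unmodified initrd as well as on the constructed sample.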

Make GRUB 2 configuration file

The following configuration file specifies the information needed to boot our system. The 'enc_drives' parameter tells bliss-initramfs which drives it should decrypt, and 'enc_type' tells it to use a keyfile (in our case it will use the embedded keyfile without any further information).

nano /boot/grub/grub.cfg

# Place the following inside the grub.cfg file
set timeout=1
set default=0

insmod part_gpt
insmod zfs

menuentry "Gentoo - 4.4.2-FC.01" {
    # enc_drives must name the LUKS container created above (/dev/sda1)
    linux /gentoo/root/@/boot/kernels/4.4.2-FC.01/vmlinuz root=tank/gentoo/root enc_drives=/dev/sda1 enc_type=key by=id elevator=noop quiet
    initrd /gentoo/root/@/boot/kernels/4.4.2-FC.01/initrd
}