Setting up Encrypted Ubuntu 18.10 ZFS Desktop

Josip Medved Linux

I have already explained how I deal with ZFS mirror setup on Ubuntu 18.10. But what about laptops that generally come with a single drive?

Well, as before basic instructions are available from ZFS-on-Linux project. However, they do have a certain way of doing things I don't necessarily subscribe to. Here is my way of setting this up. As always, it's best to setup remote access so you can copy/paste as steps are numerous.

As before, we first need to get into root prompt:

Terminal 
sudo -i

Followed by getting a few basic packages ready:

Terminal 
apt-add-repository universe
apt update
apt install --yes debootstrap gdisk zfs-initramfs

We setup disks essentially the same way as in previous guide:

Terminal 
sgdisk --zap-all                 /dev/disk/by-id/ata_disk

sgdisk -a1 -n3:34:2047  -t3:EF02 /dev/disk/by-id/ata_disk
sgdisk     -n2:1M:+511M -t2:8300 /dev/disk/by-id/ata_disk
sgdisk     -n1:0:0      -t1:8300 /dev/disk/by-id/ata_disk

sgdisk --print                   /dev/disk/by-id/ata_disk

Number  Start (sector)    End (sector)  Size       Code  Name
   1         1050624        67108830   31.5 GiB    8300
   2            2048         1050623   512.0 MiB   8300
   3              34            2047   1007.0 KiB  EF02

Because we want encryption, we need to setup LUKS:

Terminal 
cryptsetup luksFormat -qc aes-xts-plain64 -s 512 -h sha256 /dev/disk/by-id/ata_disk-part1
cryptsetup luksOpen /dev/disk/by-id/ata_disk-part1 luks1

Unlike in the last guide, this time I want to have a bit of separation. Dataset system will contain the whole system, while data will contain only the home directories. Again, if you want to split it all, follow the original guide:

Terminal 
zpool create -o ashift=12 -O atime=off -O canmount=off -O compression=lz4 -O normalization=formD \
    -O xattr=sa -O mountpoint=none rpool /dev/mapper/luks1
zfs create -o canmount=noauto -o mountpoint=/mnt/rpool/ rpool/system
zfs mount rpool/system

We should also setup the boot partition:

Terminal 
mke2fs -Ft ext2 /dev/disk/by-id/ata_disk-part2
mkdir /mnt/rpool/boot/
mount /dev/disk/by-id/ata_disk-part2 /mnt/rpool/boot/

Now we can get basic installation onto our disks:

Terminal 
debootstrap cosmic /mnt/rpool/
zfs set devices=off rpool
zfs list

Before we start using it, we prepare few necessary files:

Terminal 
cp /etc/hostname /mnt/rpool/etc/hostname
cp /etc/hosts /mnt/rpool/etc/hosts
cp /etc/netplan/*.yaml /mnt/rpool/etc/netplan/
sed '/cdrom/d' /etc/apt/sources.list > /mnt/rpool/etc/apt/sources.list

With chroot we can get the first taste of our new system:

Terminal 
mount --rbind /dev  /mnt/rpool/dev
mount --rbind /proc /mnt/rpool/proc
mount --rbind /sys  /mnt/rpool/sys
chroot /mnt/rpool/ /bin/bash --login

Now we can update our software and perform locale and time zone setup:

Terminal 
apt update

locale-gen --purge "en_US.UTF-8"
update-locale LANG=en_US.UTF-8 LANGUAGE=en_US
dpkg-reconfigure --frontend noninteractive locales

dpkg-reconfigure tzdata

Now we install Linux image and basic ZFS boot packages:

Terminal 
apt install --yes --no-install-recommends linux-image-generic
apt install --yes zfs-initramfs

Since we're dealing with encrypted data, our cryptsetup should be also auto mounted:

Terminal 
apt install --yes cryptsetup

echo "luks1 UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk-part1) none luks,discard,initramfs" >> /etc/crypttab
cat /etc/crypttab

And of course, we need to auto-mount our boot partition too:

Terminal 
echo "UUID=$(blkid -s UUID -o value /dev/disk/by-id/ata_disk-part2) /boot ext2 noatime 0 2" >> /etc/fstab
cat /etc/fstab

Now we get grub started (do select the WHOLE disk):

Terminal 
apt install --yes grub-pc

And update our boot environment again (seeing errors is nothing unusual):

Terminal 
update-initramfs -u -k all

And then we finalize our grup setup:

Terminal 
update-grub
grub-install /dev/disk/by-id/ata_disk

Finally we get the rest of desktop system:

Terminal 
apt-get install --yes ubuntu-desktop samba linux-headers-generic
apt dist-upgrade --yes

We can omit creation of the swap dataset but I always find it handy:

Terminal 
zfs create -V 4G -b $(getconf PAGESIZE) -o compression=off -o logbias=throughput -o sync=always \
    -o primarycache=metadata -o secondarycache=none rpool/swap
mkswap -f /dev/zvol/rpool/swap
echo "/dev/zvol/rpool/swap none swap defaults 0 0" >> /etc/fstab
echo RESUME=none > /etc/initramfs-tools/conf.d/resume

And now is good time to swap our /home directory too:

Terminal 
rmdir /home
zfs create -o mountpoint=/home rpool/data

Now we are ready to create the user:

Terminal 
adduser -u 1002 user
usermod -a -G adm,cdrom,dip,lpadmin,plugdev,sambashare,sudo user
chown -R user:user /home/user

Lastly we exit our chroot environment and reboot:

Terminal 
exit
reboot

You will get stuck after the password prompt as our mountpoint for system dataset is wrong. That's easy to correct:

Terminal 
zfs set mountpoint=/ rpool/system
exit
reboot

Assuming nothing went wrong, your system is now ready.

Leave a Reply

Your email address will not be published. Required fields are marked *