Encrypting your Linux system with LUKS and ZFS
Troubleshooting and Dealing with Updates
In a complex installation like this, mistakes can happen. Repairing an encrypted system via Live media is somewhat more complicated than with a conventional Linux. The first step is to boot the from the Gentoo Live DVD or some other 64-bit Live medium that includes ZFS, then you can use
cryptsetup to access the LUKS device:
cryptsetup luksOpen /dev/sda2 cryptroot
Opening the ZFS pool is known in ZFS speak as "importing," and I will do this with the
-fN options, which ignore the host ID and prevent the automount, respectively:
zpool import -fN rpool
The following commands mount the system in
/mnt/gentoo (as during the installation) and mount the remaining ZFS filesystems below this hierarchy:
zfs set mountpoint=/mnt/gentoo rpool zfs mount rpool/ROOT zfs mount -a
From here, you can go through the familiar chroot steps and then fix the system. Before making a fresh attempt to boot, be sure to adjust the mountpoints by using the
zfs set mountpoint=/ rpool command.
Because of what are, in part, irregular SPL and ZFS kernel patches, future updates or upgrades require some attention. When a new kernel version arrives, just patch and compile on the active system. As with any other distribution, it is advisable to keep a working kernel on the system until the new one has proven its reliability.
Performance and Conclusions
Users of TrueCrypt and the like know that end-to-end encryption can affect performance if you need to read and write many small files. Thus, it makes sense to look at the data rates of the test system for this article. Like previous performance tests in Linux Magazine , the benchmark call here is:
iozone -r 4k -s 4g -i0 -i1
The total size of 4GB is adapted to the size of the test environment on the virtual machine. Figure 2 shows a direct comparison between ZoL and ZoL+LUKS.
Do not overinterpret the performance advantages and disadvantages measured in the different disciplines: First, measurements are prone to errors on virtual machines; second, many modern laptops use high-performance SSDs; third, desktop operations involve significantly more read actions than writes.
All told, the experience gained from this article indicates that any computer threatened by loss can be well encrypted with a little effort. This very modern setup works transparently for the user and the admin. Whether or not you want to invest in this amount of work should be measured against the risk of having your data fall into the hands of stranger.
- "Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil" by the Ponemon Institute, April 2009: http://www.ponemon.org/data-security
- ZFS on Linux: http://zfsonlinux.org
- "Gentoo Hardened ZFS rootfs with dm-crypt/luks" by Matthew Thode: https://mthode.org/posts/2012/Dec/gentoo-hardened-zfs-rootfs-with-dm-cryptluks-updated-2012-12-12/
- Instructions for installing Gentoo: http://www.gentoo.org/doc/en/?catid=install#doc_chap2
- Gentoo Live DVD: http://www.gentoo.org/news/20120401-livedvd.xml, http://bouncer.gentoo.org/fetch/gentoo-12.1-livedvd/amd64/
- How does ZFS on Linux handle advanced format disks?: http://zfsonlinux.org/faq.html#HowDoes-ZFSonLinuxHandlesAdvacedFormatDrives
- Instructions for installing Gentoo directly to a ZFS root filesystem: https://github.com/pendor/gentoo-zfs-install/blob/master/install/GentooInstall.mdown
- Solaris Porting Layer: https://github.com/zfsonlinux/spl
- "ZFS with Linux" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, June 2011, pg. 24.
Buy this article as PDF
VMware bids for a stake in the container industry with a bold effort to integrate containers with its classic virtualization system.
3ROS attack tool lowers the technical bar so anyone can be an intruder.
Mozilla's latest browser offers powerful new privacy feature
If attackers are on your system, saving your passwords in a password vault is no protection.
Faulty hash algorithm persists, despite efforts by experts to raise awareness.
Powerful man-in-the-middle attack is now targeting online shopping.
Another high-profile coder says the kernel team needs a kinder, gentler culture.
Bug database has a bug of its own that could allow an intruder to create an unauthorized account.
Report focuses federal resources on achieving universal Internet access.
Leading browser makers say “no” to porous encryption algorithm