Encrypting your Linux system with LUKS and ZFS
Troubleshooting and Dealing with Updates
In a complex installation like this, mistakes can happen. Repairing an encrypted system via Live media is somewhat more complicated than with a conventional Linux. The first step is to boot the from the Gentoo Live DVD or some other 64-bit Live medium that includes ZFS, then you can use
cryptsetup to access the LUKS device:
cryptsetup luksOpen /dev/sda2 cryptroot
Opening the ZFS pool is known in ZFS speak as "importing," and I will do this with the
-fN options, which ignore the host ID and prevent the automount, respectively:
zpool import -fN rpool
The following commands mount the system in
/mnt/gentoo (as during the installation) and mount the remaining ZFS filesystems below this hierarchy:
zfs set mountpoint=/mnt/gentoo rpool zfs mount rpool/ROOT zfs mount -a
From here, you can go through the familiar chroot steps and then fix the system. Before making a fresh attempt to boot, be sure to adjust the mountpoints by using the
zfs set mountpoint=/ rpool command.
Because of what are, in part, irregular SPL and ZFS kernel patches, future updates or upgrades require some attention. When a new kernel version arrives, just patch and compile on the active system. As with any other distribution, it is advisable to keep a working kernel on the system until the new one has proven its reliability.
Performance and Conclusions
Users of TrueCrypt and the like know that end-to-end encryption can affect performance if you need to read and write many small files. Thus, it makes sense to look at the data rates of the test system for this article. Like previous performance tests in Linux Magazine , the benchmark call here is:
iozone -r 4k -s 4g -i0 -i1
The total size of 4GB is adapted to the size of the test environment on the virtual machine. Figure 2 shows a direct comparison between ZoL and ZoL+LUKS.
Do not overinterpret the performance advantages and disadvantages measured in the different disciplines: First, measurements are prone to errors on virtual machines; second, many modern laptops use high-performance SSDs; third, desktop operations involve significantly more read actions than writes.
All told, the experience gained from this article indicates that any computer threatened by loss can be well encrypted with a little effort. This very modern setup works transparently for the user and the admin. Whether or not you want to invest in this amount of work should be measured against the risk of having your data fall into the hands of stranger.
- "Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil" by the Ponemon Institute, April 2009: http://www.ponemon.org/data-security
- ZFS on Linux: http://zfsonlinux.org
- "Gentoo Hardened ZFS rootfs with dm-crypt/luks" by Matthew Thode: https://mthode.org/posts/2012/Dec/gentoo-hardened-zfs-rootfs-with-dm-cryptluks-updated-2012-12-12/
- Instructions for installing Gentoo: http://www.gentoo.org/doc/en/?catid=install#doc_chap2
- Gentoo Live DVD: http://www.gentoo.org/news/20120401-livedvd.xml, http://bouncer.gentoo.org/fetch/gentoo-12.1-livedvd/amd64/
- How does ZFS on Linux handle advanced format disks?: http://zfsonlinux.org/faq.html#HowDoes-ZFSonLinuxHandlesAdvacedFormatDrives
- Instructions for installing Gentoo directly to a ZFS root filesystem: https://github.com/pendor/gentoo-zfs-install/blob/master/install/GentooInstall.mdown
- Solaris Porting Layer: https://github.com/zfsonlinux/spl
- "ZFS with Linux" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, June 2011, pg. 24.
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.