Encrypting your Linux system with LUKS and ZFS
Troubleshooting and Dealing with Updates
In a complex installation like this, mistakes can happen. Repairing an encrypted system via Live media is somewhat more complicated than with a conventional Linux. The first step is to boot the from the Gentoo Live DVD or some other 64-bit Live medium that includes ZFS, then you can use
cryptsetup to access the LUKS device:
cryptsetup luksOpen /dev/sda2 cryptroot
Opening the ZFS pool is known in ZFS speak as "importing," and I will do this with the
-fN options, which ignore the host ID and prevent the automount, respectively:
zpool import -fN rpool
The following commands mount the system in
/mnt/gentoo (as during the installation) and mount the remaining ZFS filesystems below this hierarchy:
zfs set mountpoint=/mnt/gentoo rpool zfs mount rpool/ROOT zfs mount -a
From here, you can go through the familiar chroot steps and then fix the system. Before making a fresh attempt to boot, be sure to adjust the mountpoints by using the
zfs set mountpoint=/ rpool command.
Because of what are, in part, irregular SPL and ZFS kernel patches, future updates or upgrades require some attention. When a new kernel version arrives, just patch and compile on the active system. As with any other distribution, it is advisable to keep a working kernel on the system until the new one has proven its reliability.
Performance and Conclusions
Users of TrueCrypt and the like know that end-to-end encryption can affect performance if you need to read and write many small files. Thus, it makes sense to look at the data rates of the test system for this article. Like previous performance tests in Linux Magazine , the benchmark call here is:
iozone -r 4k -s 4g -i0 -i1
The total size of 4GB is adapted to the size of the test environment on the virtual machine. Figure 2 shows a direct comparison between ZoL and ZoL+LUKS.
Do not overinterpret the performance advantages and disadvantages measured in the different disciplines: First, measurements are prone to errors on virtual machines; second, many modern laptops use high-performance SSDs; third, desktop operations involve significantly more read actions than writes.
All told, the experience gained from this article indicates that any computer threatened by loss can be well encrypted with a little effort. This very modern setup works transparently for the user and the admin. Whether or not you want to invest in this amount of work should be measured against the risk of having your data fall into the hands of stranger.
- "Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil" by the Ponemon Institute, April 2009: http://www.ponemon.org/data-security
- ZFS on Linux: http://zfsonlinux.org
- "Gentoo Hardened ZFS rootfs with dm-crypt/luks" by Matthew Thode: https://mthode.org/posts/2012/Dec/gentoo-hardened-zfs-rootfs-with-dm-cryptluks-updated-2012-12-12/
- Instructions for installing Gentoo: http://www.gentoo.org/doc/en/?catid=install#doc_chap2
- Gentoo Live DVD: http://www.gentoo.org/news/20120401-livedvd.xml, http://bouncer.gentoo.org/fetch/gentoo-12.1-livedvd/amd64/
- How does ZFS on Linux handle advanced format disks?: http://zfsonlinux.org/faq.html#HowDoes-ZFSonLinuxHandlesAdvacedFormatDrives
- Instructions for installing Gentoo directly to a ZFS root filesystem: https://github.com/pendor/gentoo-zfs-install/blob/master/install/GentooInstall.mdown
- Solaris Porting Layer: https://github.com/zfsonlinux/spl
- "ZFS with Linux" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, June 2011, pg. 24.
Buy this article as PDF
Report from the X-Force group says attackers are using TOR to hide their crimes
Future Firefox extensions will be compatible with Chrome.
Better read this if you bought your computer before 2011
Users should upgrade to the new version as soon as possible
Xen project announces a privilege escalation problem for Qemu host systems
Attackers can compromise an Android phone just by sending a text message
PC vendor will pre-install Ubuntu on portables in India.
More embarrassment for Adobe's embattled multimedia tool
Mozilla’s script blocker add-on could be putting malware sites on the whitelist.
The Internet community officially banishes the notoriously unsafe Secure Sockets Layer protocol.