Encrypting your Linux system with LUKS and ZFS

Full Protection


When a computer is lost, your data falling into the wrong hands is often more serious than the loss of hardware. In this article, we explain how to use LUKS and ZFS to encrypt a system so you can keep your privacy when you lose your laptop.

Most people would not dream of posting their company's business plan on Facebook. On laptops, however, people often carry their company's business plans around with them and leave them at a coffee shop. In a survey [1], 86 percent of IT security professionals revealed that at least one laptop had been stolen or lost in their company. In 56 percent of these cases, a data security breach occurred. Sixty-one percent of German IT professionals said that data loss is more serious than the material damage; only 13 percent would worry more about losing the hardware.

What Now?

Conventional Linux laptops use modern filesystems like ext4 or XFS, whose journaling keeps the filesystem consistent after a crash, but they store the data in the clear. That is no obstacle at all to a data thief who has come into possession of the device. Tools such as TrueCrypt, in contrast, store data in encrypted containers; combined with a strong passphrase, this approach is considered safe. However, TrueCrypt cannot encrypt the entire Linux system, so anything written outside the container, such as swap, temporary files, and caches, remains readable.

In this article, I'll present a more-or-less fully encrypted system: everything lives on a single LUKS-encrypted partition; only the small /boot partition with the kernel and initramfs remains unencrypted. Keep that in mind when judging what this setup protects against: a thief cannot read the data on a lost laptop, but nothing here detects an attacker who had physical access and replaced the unencrypted kernel or initramfs before the machine was returned. The filesystem I'll be using is the feature-rich ZFS on Linux (ZoL [2]). Storage space can be distributed dynamically between all ZFS filesystems, and ZFS also provides block checksums for data integrity and can compress files transparently, if needed.

Starting from a how-to by Matthew Thode [3], the following steps describe the not-always-intuitive path from the Live DVD to the encrypted production system. My choice of operating system was the 64-bit version of Gentoo Linux: the 128-bit ZFS filesystem comes from the enterprise world of Solaris, and ZFS on Linux is only practical on 64-bit kernels, because its in-memory cache does not fit into the limited kernel address space of a 32-bit system. Although it is in daily use, its developers still classified ZFS on Linux as a release candidate when this article was written. For production operation, you need to take the usual warning more seriously here: Without regular backups, your data is in danger.

Preparing the System

The Gentoo installation is a manual process using the Live DVD and a shell. The process is well documented in the usual style for this distribution [4], so the guide here is limited to the basics. After booting from the Live DVD [5], define the partitions without GPT to keep things simple: a small boot partition (/dev/sda1), then /dev/sda2 for the rest.

Listing 1 shows the next steps. Line 1 formats /boot with ext2; line 2 creates a LUKS-encrypted device on the other partition. The passphrase you are prompted for at this stage should be robust, because the security of your system depends on it from now on: LUKS deliberately slows down passphrase guessing with a key derivation function, but a short or guessable passphrase defeats that protection. The computer prompts you for the passphrase on booting and only opens the ZFS pool if it is correct. Incidentally, LUKS can store several passphrases in its key slots – for example, a master passphrase for the administrator and another for daily operation; cryptsetup luksAddKey adds one, and each can be revoked independently later.

Listing 1

Preparing the System

 

In the next step, cryptsetup opens the encrypted device with the passphrase and makes the decrypted view available below /dev/mapper. Line 4 then creates a ZFS pool on that block device. The options used set the sector size (the ashift value [6]), disable the cache file, and provisionally mount the new pool, rpool, in a Gentoo-compliant way below /mnt/gentoo. The next block in Listing 1 creates a number of individual filesystems with somewhat different properties [7] in the ZFS pool; each of them is a ZFS dataset that inherits its settings from its parent unless a property is set explicitly.

Instead of dividing the disk into partitions of fixed sizes, this setup lets ZFS manage the space as a pool: the ZFS pool rpool is as large as /dev/sda2. In the pool, the admin then creates individual filesystems for the various directories of Gentoo Linux, partly with different properties. Where transparent compression is enabled, for example, ZFS compresses every file written there without any action by the user.

The design and layout of these filesystems is just a suggestion; adapt it to your own needs by considering which ZFS features, in the form of properties, you want for the individual areas. You can reserve space for the root user (reservation property) or cap the space available to ordinary users (quota property). For some areas, such as the compressed tarballs with the Gentoo packages in /usr/portage/distfiles, there is no point wasting processing power on compression, so the compression property is set to off there.

Other properties include sharing filesystems via NFS and space-saving deduplication of blocks; deduplication, however, keeps a table of all block checksums in RAM and is therefore not recommended for less powerful machines. Particularly critical data can be kept especially safe with the copies property: ZFS then stores each block two or three times. If a block no longer matches its checksum when it is read, the copies are still available, and it is very likely that at least one of them is intact. This redundancy costs disk space but needs no second physical disk; on the other hand, it helps against bad sectors, not against losing the whole disk. (ZFS RAID functionality is not used in this article.)

ZFS is not only the filesystem but also the volume manager, much like LVM2. The advantage for the user is that you don't need to plan in advance exactly how much space each directory occupies, because you can change the assignments later without repartitioning.
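The following script carries out the disk preparation described above from start to finish: formatting /boot, creating and opening the LUKS container, creating the pool with the ashift and cachefile options, and laying out datasets with the compression, quota, reservation, and copies properties just discussed. It is an example I add here, not the article's Listing 1. Everything specific in it is an assumption of mine rather than something the article states: the device names /dev/sda1 and /dev/sda2, the mapper name cryptroot, the cipher options passed to luksFormat, the dataset names, and the sizes of the quota and reservations. The commands themselves (mkfs.ext2, cryptsetup, zpool, zfs, zdb) are the standard tools. A DRY_RUN variable prints the commands instead of running them, which is how I recommend reading it before pointing it at a real disk.

```shell
#!/bin/sh
# Added example, not the article's Listing 1: the disk preparation the text
# describes, as a re-runnable script with a dry-run mode. Assumptions:
# /dev/sda1 becomes /boot, /dev/sda2 becomes the LUKS container, the cipher
# settings and the dataset layout below are my own choices, and the ZFS
# command-line tools behave as in ZFS on Linux 0.6.x.
set -eu

BOOT_DEV=${BOOT_DEV:-/dev/sda1}
LUKS_DEV=${LUKS_DEV:-/dev/sda2}
MAPPER=${MAPPER:-cryptroot}
POOL=${POOL:-rpool}
TARGET=${TARGET:-/mnt/gentoo}
DRY_RUN=${DRY_RUN:-}

# run: execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# format_boot_and_luks: /boot gets ext2 (legacy GRUB reads it without help),
# the rest becomes a LUKS container. luksFormat wipes the partition header and
# asks for the passphrase that every later boot depends on; luksOpen maps the
# decrypted view to /dev/mapper/cryptroot.
format_boot_and_luks() {
    run mkfs.ext2 "$BOOT_DEV"
    run cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha256 \
        luksFormat "$LUKS_DEV"
    run cryptsetup luksOpen "$LUKS_DEV" "$MAPPER"
}

# create_pool: ashift=12 aligns writes to 4K sectors (Advanced Format disks
# and most SSDs); cachefile=none keeps the Live DVD from writing a zpool.cache
# that would be stale on the installed system; -m mounts the pool's root
# dataset below TARGET for the duration of the installation. The mountpoint
# is changed to / before the first stand-alone boot.
create_pool() {
    run zpool create -f -o ashift=12 -o cachefile=none -m "$TARGET" \
        "$POOL" "/dev/mapper/$MAPPER"
}

# create_datasets: one dataset per area, so each can carry its own
# properties. Children inherit from their parent; compression=on selects the
# default algorithm (lzjb in ZFS on Linux 0.6.x).
create_datasets() {
    run zfs create -o compression=on "$POOL/usr"
    run zfs create "$POOL/usr/portage"
    # distfiles are already compressed tarballs: compressing them again only
    # costs CPU time.
    run zfs create -o compression=off "$POOL/usr/portage/distfiles"
    run zfs create -o compression=on "$POOL/var"
    # Cap the users' data so it cannot fill the pool.
    run zfs create -o compression=on -o quota=40G "$POOL/home"
    # Two copies of every block for data that must survive a bad sector.
    run zfs create -o copies=2 "$POOL/home/important"
    # Guarantee space for the root dataset itself and for /var, so that the
    # system keeps running and logging even when the rest of the pool is full.
    run zfs set refreservation=2G "$POOL"
    run zfs set reservation=1G "$POOL/var"
}

# verify: what to look at before going on. luksDump shows the cipher and
# which of the eight LUKS key slots are in use; zdb reads the vdev label
# straight from the device and reports the ashift actually written there;
# zfs get confirms the properties took effect.
verify() {
    run cryptsetup luksDump "$LUKS_DEV"
    run sh -c "zdb -l /dev/mapper/$MAPPER | grep ashift"
    run zfs get -r compression,quota,reservation,refreservation,copies,mountpoint "$POOL"
}

# Nothing runs unless asked: "sh prepare.sh run" performs the steps,
# "DRY_RUN=1 sh prepare.sh run" prints them instead.
case "${1:-}" in
    run) format_boot_and_luks; create_pool; create_datasets; verify ;;
    "")  ;;
    *)   echo "usage: $0 run" >&2; exit 2 ;;
esac
```

Run it as root from the Live DVD with sh prepare.sh run. The verify step at the end prints the LUKS header (cipher, occupied key slots), the ashift recorded in the vdev label, and the properties of every dataset, which is worth a look before you invest the time in the stage3 unpack and the kernel build.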

Enabling ZFS Packages

The next steps are Gentoo standard: the wget and tar commands (Listing 1, lines 21 and 22) unpack a stage3 archive on the new system. The remaining steps require a chroot environment. The section starting in line 24 provides the ZFS metadata the new system needs, and the admin then uses chroot to change into the new system. In this environment, you then install and configure the software.

The Gentoo developers classify ZFS on Linux as unstable. Hence, you must specifically allow several packages (in Gentoo speak, "unmask" them by accepting their testing keyword). This also applies to the Solaris porting layer (SPL [8]), a collection of kernel modules that emulate Solaris kernel APIs on Linux, so that the ZFS code written for Solaris encounters a familiar environment. ZFS on Linux thus sidesteps some of the kernel interfaces that native Linux filesystems normally use.

To unmask the required RC packages, you can add the entries listed in Listing 2 to the /etc/portage/package.accept_keywords file.

Listing 2

package.accept_keywords

 

During the boot process, the initramfs opens the LUKS device before the root filesystem is available. To do so, it needs a statically linked cryptsetup binary, because no shared libraries are at hand that early. This explains why Listing 3 sets the static USE flag for the sys-fs/cryptsetup package and a couple of further flags for packages on which cryptsetup depends in the /etc/portage/package.use file.

Listing 3

package.use

 

The command in line 1 of Listing 4 compiles and installs cryptsetup. When this article was written, Linux kernel version 3.5.7 was stable, and the patches by Matthew Thode, which he created for 3.5.0, could still be applied (see lines 2-6).

Listing 4

Installing the Kernel

 

Universal Kernel to Start

At the first attempt, a kernel with many features is recommended to ensure an operational system. (Having a generic kernel is also worthwhile to be able to boot with other hardware in case of defects.) If the first tests of your future production system are positive, you can remove unused drivers from the kernel.

The code shown in this article was created on a virtual machine. To make it as versatile as possible, lines 8 to 10 (Listing 4) use the kernel config from the Live DVD.

Now it's time to configure the kernel (e.g., with make menuconfig). Here it is important to enable SPL and ZFS (Figure 1).

Figure 1: In the kernel configuration, the admin needs to enable SPL and ZFS.

Compiling and linking can take some time. Experienced Gentoo users can reduce the time by setting the MAKEOPTS variable in /etc/genkernel.conf to reflect the number of CPU cores (the usual rule of thumb is cores plus one):

MAKEOPTS="-j3"   # for two cores

The genkernel all command now triggers the compiler run. It is equally essential to build the initramfs:

genkernel --luks --zfs --disklabel initramfs

This initramfs contains what the boot process needs to open the LUKS device and then import the ZFS pool and mount the filesystems it houses, such as /, /usr, /var, and so on.

The following command installs the sys-fs/zfs package:

emerge sys-fs/zfs

Because of the defined dependencies, the Gentoo Portage system knows that ZFS needs sys-kernel/spl and automatically installs the dependency. The next lines ensure that the zfs service is active in the relevant runlevels – the first one tells it to start at boot time, the second exports the pool at shutdown:

rc-update add zfs boot
rc-update add zfs-shutdown shutdown

Do not forget to set the root password using passwd.
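Before the first reboot, it pays to check that the initramfs really contains what the boot process will need, because a missing piece means starting the rescue procedure described later. The script below is an added example, not part of the article or of genkernel. It assumes that genkernel stores the initramfs as a gzip-compressed cpio archive under /boot, that the static cryptsetup ends up as sbin/cryptsetup and the ZFS userland as sbin/zpool and sbin/zfs inside it, and that the modules are named zfs.ko and spl.ko; adjust REQUIRED if your initramfs lays them out differently. Run it inside the chroot, where /sbin/cryptsetup is the binary genkernel copied.

```shell
#!/bin/sh
# Added example, not from the article: checks to run before the first reboot,
# so that a missing piece in the initramfs is found while the Live DVD is
# still running. Assumptions: the initramfs is a gzip-compressed cpio archive,
# the static cryptsetup sits at sbin/cryptsetup and the ZFS userland at
# sbin/zpool and sbin/zfs inside it, and the modules are named zfs.ko and
# spl.ko (paths under lib/modules vary with the kernel version).
set -eu

# Entries that must be present in the archive listing. They are matched as
# suffixes, so the kernel-version directory in front of the modules does not
# matter.
REQUIRED="sbin/cryptsetup sbin/zpool sbin/zfs zfs.ko spl.ko"

# check_listing: reads a cpio listing (one path per line) on stdin and reports
# every required entry that is missing. Returns 1 if anything is missing.
check_listing() {
    listing=$(cat)
    rc=0
    for want in $REQUIRED; do
        if ! printf '%s\n' "$listing" | grep -q "$want\$"; then
            echo "missing from initramfs: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_initramfs: list the members of a real initramfs and check them.
# cpio -t lists the archive without extracting anything.
check_initramfs() {
    zcat "$1" | cpio -t 2>/dev/null | check_listing
}

# check_static: the cryptsetup that genkernel copies into the initramfs must
# not depend on shared libraries, because no libc or libgcrypt is available
# that early in the boot. ldd reports "not a dynamic executable" for a
# statically linked binary.
check_static() {
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

# Usage: sh check-initramfs.sh /boot/<initramfs written by genkernel>
case "${1:-}" in
    "") ;;
    *)
        if check_initramfs "$1" && check_static /sbin/cryptsetup; then
            echo "initramfs looks complete"
        else
            exit 1
        fi
        ;;
esac
```

Call it with the path of the initramfs genkernel wrote to /boot. A non-zero exit status names the missing entries on stderr; if cryptsetup turns out to be dynamically linked, the static USE flag from Listing 3 did not take effect and cryptsetup has to be re-emerged before the initramfs is rebuilt.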

Completing the System Setup

The rest of the installation follows the path of a classic Gentoo setup; in other words, it sets system parameters and installs basic services such as cron and syslog-ng.

The bootloader can be the modern GRUB version 2.00 or the legacy GRUB. For simplicity's sake, I will use GRUB 0.97 here:

emerge grub
mount /dev/sda1 /boot
grub-install /dev/sda

The configuration file, /boot/grub/grub.conf in Listing 5, contains the kernel options that open the encrypted ZoL pool correctly.

Listing 5

grub.conf

 

To prepare the system for the first standalone boot, you need to edit /etc/fstab. Contrary to usual conventions, you comment out the lines for BOOT, ROOT, and SWAP here, because ZFS mounts its filesystems according to their mountpoint properties rather than via fstab; /boot is mounted by hand when it is needed, for example before a kernel update. The following commands

exit
cd
zfs umount -a

exit the chroot environment and unmount the ZFS filesystems.

Mountpoint Preparation

The final step of this fairly extensive guide adjusts the mountpoint property of the pool. In the installation environment, the pool was mounted at /mnt/gentoo; on the production system, you will naturally want to use /:

zfs set mountpoint=/ rpool

Finally, unmount the other filesystems and export the ZFS pool:

umount -l /mnt/gentoo/dev{/shm,/pts}
umount -l /mnt/gentoo{/boot,/proc}
zpool export rpool

A reboot of the PC or laptop without the Live DVD shows whether everything worked. If you followed all of these steps correctly, the booted Gentoo prompts you for the passphrase of the LUKS device and, once you provide it, boots from the decrypted ZFS pool. You can now inspect the new environment with zfs list and confirm that the root really sits on the opened LUKS device with cryptsetup status cryptroot.

Troubleshooting and Dealing with Updates

In a complex installation like this, mistakes can happen, and repairing an encrypted system from Live media is somewhat more complicated than with a conventional Linux. The first step is to boot from the Gentoo Live DVD or some other 64-bit Live medium that includes ZFS; then you can use cryptsetup to open the LUKS device:

cryptsetup luksOpen /dev/sda2 cryptroot

Opening the ZFS pool is known in ZFS speak as "importing." I do this with the -f and -N options: -f forces the import even though the pool was last used by another system (the Live DVD has a different host ID), and -N imports without mounting any filesystems:

zpool import -fN rpool

The following commands mount the system in /mnt/gentoo (as during the installation) and mount the remaining ZFS filesystems below this hierarchy:

zfs set mountpoint=/mnt/gentoo rpool
zfs mount rpool/ROOT
zfs mount -a

From here, you can go through the familiar chroot steps and then fix the system. Before making a fresh attempt to boot, be sure to reset the mountpoint with zfs set mountpoint=/ rpool and export the pool again; otherwise, the next boot will try to mount the root filesystem below /mnt/gentoo.
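Here is the whole rescue sequence as one script. It is an added example, not from the article: beyond the commands shown above, it includes the bind mounts of /proc, /sys, and /dev that the chroot needs and the cleanup that must precede the next boot. It assumes the device names /dev/sda2 (LUKS) and /dev/sda1 (/boot), the mapper name cryptroot, and a layout in which the top-level dataset rpool carries the root filesystem, as the zfs set mountpoint=/ rpool step of the installation implies; if your root lives on rpool/ROOT, mount that dataset first instead. One deliberate deviation from the commands above: instead of rewriting the mountpoint property to /mnt/gentoo and back, it imports the pool with zpool import -R /mnt/gentoo, which prefixes every mountpoint with that directory for this import only, so there is no property to reset before rebooting.

```shell
#!/bin/sh
# Added example, not from the article: the repair sequence from the Live DVD
# as one script, including the chroot bind mounts the text only alludes to
# and the cleanup that has to happen before rebooting. Assumptions: /dev/sda2
# is the LUKS container, /dev/sda1 is /boot, the root filesystem lives on the
# pool's top-level dataset rpool, and zpool import accepts -R (altroot), which
# mounts the datasets below a temporary prefix without rewriting their
# mountpoint properties.
set -eu

LUKS_DEV=${LUKS_DEV:-/dev/sda2}
BOOT_DEV=${BOOT_DEV:-/dev/sda1}
MAPPER=${MAPPER:-cryptroot}
POOL=${POOL:-rpool}
TARGET=${TARGET:-/mnt/gentoo}
DRY_RUN=${DRY_RUN:-}

# run: execute a command, or only print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# open_pool: unlock the container and import the pool. -f overrides the
# "pool was last accessed by another system" check (the Live DVD's host ID
# differs from the installed system's), -N imports without mounting, and -R
# prefixes every mountpoint with TARGET for this import only.
open_pool() {
    run cryptsetup luksOpen "$LUKS_DEV" "$MAPPER"
    run zpool import -f -N -R "$TARGET" "$POOL"
}

# mount_system: mount the root dataset first so the children land inside it,
# then /boot and the pseudo-filesystems a chroot needs.
mount_system() {
    run zfs mount "$POOL"
    run zfs mount -a
    run mount "$BOOT_DEV" "$TARGET/boot"
    run mount -t proc proc "$TARGET/proc"
    run mount --rbind /sys "$TARGET/sys"
    run mount --rbind /dev "$TARGET/dev"
}

# enter: do the repair work inside the installed system. The resolv.conf copy
# gives the chroot working name resolution for emerge.
enter() {
    run cp -L /etc/resolv.conf "$TARGET/etc/"
    run chroot "$TARGET" /bin/bash
}

# close_system: the reverse order. The lazy (-l) unmount copes with the
# recursive bind mounts; exporting the pool leaves it in a clean state so the
# next boot's import does not need -f, and luksClose removes the mapping.
close_system() {
    run umount -l "$TARGET/dev"
    run umount -l "$TARGET/sys"
    run umount "$TARGET/proc"
    run umount "$TARGET/boot"
    run zfs umount -a
    run zpool export "$POOL"
    run cryptsetup luksClose "$MAPPER"
}

case "${1:-}" in
    open)  open_pool; mount_system ;;
    enter) enter ;;
    close) close_system ;;
    "")    ;;
    *)     echo "usage: $0 open|enter|close" >&2; exit 2 ;;
esac
```

Use sh rescue.sh open, then sh rescue.sh enter; after the repair, leave the chroot with exit and run sh rescue.sh close before rebooting. Setting DRY_RUN=1 prints each command instead of executing it.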

Because SPL and ZFS are out-of-tree modules that have to be patched into the kernel source, future updates or upgrades require some attention. When a new kernel version arrives, patch and compile it on the running system. As with any other distribution, it is advisable to keep a known-good kernel on the system until the new one has proven its reliability.

Performance and Conclusions

Users of TrueCrypt and the like know that full-disk encryption can affect performance if you need to read and write many small files. Thus, it makes sense to look at the data rates of the test system for this article. Like previous performance tests in Linux Magazine [9], the benchmark call here is:

iozone -r 4k -s 4g -i0 -i1

The total size of 4GB is adapted to the size of the test environment on the virtual machine. Figure 2 shows a direct comparison between ZoL and ZoL+LUKS.

Figure 2: Iozone benchmark comparison between a ZFS system with and without encryption.

Do not overinterpret the performance advantages and disadvantages measured in the different disciplines: First, measurements on virtual machines are noisy; second, many modern laptops use high-performance SSDs; third, desktop operations involve significantly more reads than writes.

All told, the experience gained from this article indicates that any computer threatened by loss can be well encrypted with a little effort. The setup works transparently for the user and the admin. Whether or not you want to invest this amount of work should be measured against the risk of having your data fall into the hands of a stranger.

Infos

  1. "Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil" by the Ponemon Institute, April 2009: http://www.ponemon.org/data-security
  2. ZFS on Linux: http://zfsonlinux.org
  3. "Gentoo Hardened ZFS rootfs with dm-crypt/luks" by Matthew Thode: https://mthode.org/posts/2012/Dec/gentoo-hardened-zfs-rootfs-with-dm-cryptluks-updated-2012-12-12/
  4. Instructions for installing Gentoo: http://www.gentoo.org/doc/en/?catid=install#doc_chap2
  5. Gentoo Live DVD: http://www.gentoo.org/news/20120401-livedvd.xml, http://bouncer.gentoo.org/fetch/gentoo-12.1-livedvd/amd64/
  6. How does ZFS on Linux handle advanced format disks?: http://zfsonlinux.org/faq.html#HowDoes-ZFSonLinuxHandlesAdvacedFormatDrives
  7. Instructions for installing Gentoo directly to a ZFS root filesystem: https://github.com/pendor/gentoo-zfs-install/blob/master/install/GentooInstall.mdown
  8. Solaris Porting Layer: https://github.com/zfsonlinux/spl
  9. "ZFS with Linux" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, June 2011, pg. 24.

The Author

Stefan G. Weichinger and his company, "Oops! Linux consulting" (http://www.oops.co.at), have supported small to medium-sized enterprises with server and network technology for years. His focus is on backups; he also runs mail servers and spends his free time in and on the mountains.