Encrypting your Linux system with LUKS and ZFS
Troubleshooting and Dealing with Updates
In a complex installation like this, mistakes can happen. Repairing an encrypted system via Live media is somewhat more complicated than with a conventional Linux. The first step is to boot the from the Gentoo Live DVD or some other 64-bit Live medium that includes ZFS, then you can use
cryptsetup to access the LUKS device:
cryptsetup luksOpen /dev/sda2 cryptroot
Opening the ZFS pool is known in ZFS speak as "importing," and I will do this with the
-fN options, which ignore the host ID and prevent the automount, respectively:
zpool import -fN rpool
The following commands mount the system in
/mnt/gentoo (as during the installation) and mount the remaining ZFS filesystems below this hierarchy:
zfs set mountpoint=/mnt/gentoo rpool zfs mount rpool/ROOT zfs mount -a
From here, you can go through the familiar chroot steps and then fix the system. Before making a fresh attempt to boot, be sure to adjust the mountpoints by using the
zfs set mountpoint=/ rpool command.
Because of what are, in part, irregular SPL and ZFS kernel patches, future updates or upgrades require some attention. When a new kernel version arrives, just patch and compile on the active system. As with any other distribution, it is advisable to keep a working kernel on the system until the new one has proven its reliability.
Performance and Conclusions
Users of TrueCrypt and the like know that end-to-end encryption can affect performance if you need to read and write many small files. Thus, it makes sense to look at the data rates of the test system for this article. Like previous performance tests in Linux Magazine , the benchmark call here is:
iozone -r 4k -s 4g -i0 -i1
The total size of 4GB is adapted to the size of the test environment on the virtual machine. Figure 2 shows a direct comparison between ZoL and ZoL+LUKS.
Do not overinterpret the performance advantages and disadvantages measured in the different disciplines: First, measurements are prone to errors on virtual machines; second, many modern laptops use high-performance SSDs; third, desktop operations involve significantly more read actions than writes.
All told, the experience gained from this article indicates that any computer threatened by loss can be well encrypted with a little effort. This very modern setup works transparently for the user and the admin. Whether or not you want to invest in this amount of work should be measured against the risk of having your data fall into the hands of stranger.
- "Business Risk of a Lost Laptop: A Study of IT Practitioners in the US, UK, Germany, France, Mexico and Brazil" by the Ponemon Institute, April 2009: http://www.ponemon.org/data-security
- ZFS on Linux: http://zfsonlinux.org
- "Gentoo Hardened ZFS rootfs with dm-crypt/luks" by Matthew Thode: https://mthode.org/posts/2012/Dec/gentoo-hardened-zfs-rootfs-with-dm-cryptluks-updated-2012-12-12/
- Instructions for installing Gentoo: http://www.gentoo.org/doc/en/?catid=install#doc_chap2
- Gentoo Live DVD: http://www.gentoo.org/news/20120401-livedvd.xml, http://bouncer.gentoo.org/fetch/gentoo-12.1-livedvd/amd64/
- How does ZFS on Linux handle advanced format disks?: http://zfsonlinux.org/faq.html#HowDoes-ZFSonLinuxHandlesAdvacedFormatDrives
- Instructions for installing Gentoo directly to a ZFS root filesystem: https://github.com/pendor/gentoo-zfs-install/blob/master/install/GentooInstall.mdown
- Solaris Porting Layer: https://github.com/zfsonlinux/spl
- "ZFS with Linux" by Hans-Peter Merkel and Markus Feilner, Linux Magazine, June 2011, pg. 24.
Buy this article as PDF
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.