jacobpascual/openzfs-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

GRUB: preliminary support for PBKDF2-only LUKS2

Browse Source 
Signed-off-by: Maurice Zhou <jasper@apvc.uk>
This commit is contained in:
Maurice Zhou
2021-11-21 23:34:08 +01:00
committed by George Melikov
parent c2142e05f2
commit 8a396f32f7
6 changed files with 31 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/Getting Started/Arch Linux/Root on ZFS/4-optional-configuration.rst
View File

@@ -20,11 +20,17 @@ states before pacman transactions.
Install an AUR helper of choice then install ``rozb3-pac`` from AUR Install an AUR helper of choice then install ``rozb3-pac`` from AUR
for pacman integration:: for pacman integration::
pacman -S --needed git base-devel pacman -S --needed git base-devel sudo
echo 'nobody ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/00_nobody
su - nobody -s /bin/bash
mkdir /tmp/build
export HOME=/tmp/build
git clone https://aur.archlinux.org/paru-bin.git git clone https://aur.archlinux.org/paru-bin.git
cd paru-bin cd paru-bin
makepkg -si makepkg -si
paru -S rozb3-pac paru -S rozb3-pac
logout
rm /etc/sudoers.d/00_nobody
Supply password with SSH Supply password with SSH
~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -107,14 +113,15 @@ root pool will be replaced by keyfile, embedded in initrd.
#. Create LUKS containers:: #. Create LUKS containers::
for i in ${DISK}; do for i in ${DISK}; do
cryptsetup luksFormat -q --type luks1 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 cryptsetup luksFormat -q --type luks2 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2
echo $LUKS_PWD | cryptsetup luksAddKey --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2 echo $LUKS_PWD | cryptsetup luksAddKey --pbkdf pbkdf2 --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks $i-part2
cryptsetup open ${i}-part2 ${i##*/}-part2-luks-bpool_$INST_UUID --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks cryptsetup open ${i}-part2 ${i##*/}-part2-luks-bpool_$INST_UUID --key-file /etc/cryptkey.d/bpool_$INST_UUID-key-luks
echo ${i##*/}-part2-luks-bpool_$INST_UUID ${i}-part2 /etc/cryptkey.d/bpool_$INST_UUID-key-luks discard >> /etc/crypttab echo ${i##*/}-part2-luks-bpool_$INST_UUID ${i}-part2 /etc/cryptkey.d/bpool_$INST_UUID-key-luks discard >> /etc/crypttab
done done
GRUB 2.06 still does not have complete support for LUKS2, LUKS1 In GRUB 2.06, only the PBKDF2 key derivation function
is used instead. is supported, thus PBKDF2 is used
for passphrase key slot. Other slots are not affected.
#. Embed key file in initrd:: #. Embed key file in initrd::
@@ -187,6 +194,21 @@ root pool will be replaced by keyfile, embedded in initrd.
#. Enable GRUB cryptodisk:: #. Enable GRUB cryptodisk::
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
#. Let GRUB decrypt all LUKS containers on boot::
tee -a /etc/grub.d/09_bpool_luks2-decryption <<FOE
cat <<EOF
insmod luks2
insmod pbkdf2
insmod part_gpt
insmod gcry_rijndael
insmod gcry_sha256
insmod cryptodisk
cryptomount hd0,gpt2
EOF
FOE
chmod +x /etc/grub.d/09_bpool_luks2-decryption
#. **Important**: Back up root dataset key ``/etc/cryptkey.d/rpool_$INST_UUID-${INST_ID}-key-zfs`` #. **Important**: Back up root dataset key ``/etc/cryptkey.d/rpool_$INST_UUID-${INST_ID}-key-zfs``
to a secure location. to a secure location.

2
docs/Getting Started/Arch Linux/Root on ZFS/6-recovery.rst
View File

@@ -28,7 +28,7 @@ This section is also applicable if you are in
Boot computer from the rescue media. Boot computer from the rescue media.
Both legacy and EFI mode are supported. Both legacy and EFI mode are supported.
Or `download generated GRUB rescue image <https://gitlab.com/m_zhou/bieaz/uploads/4a1b7cefb42723de6eb04f9dc485be3b/grub-rescue.img.7z>`__. Or `download generated GRUB rescue image <https://nu8.org/pages/projects/bieaz/#grub-rescue-images>`__.
#. List available disks with ``ls`` command:: #. List available disks with ``ls`` command::

2
docs/Getting Started/Fedora/Root on ZFS/6-recovery.rst
View File

@@ -28,7 +28,7 @@ This section is also applicable if you are in
Boot computer from the rescue media. Boot computer from the rescue media.
Both legacy and EFI mode are supported. Both legacy and EFI mode are supported.
Or `download generated GRUB rescue image <https://gitlab.com/m_zhou/bieaz/uploads/4a1b7cefb42723de6eb04f9dc485be3b/grub-rescue.img.7z>`__. Or `download generated GRUB rescue image <https://nu8.org/pages/projects/bieaz/#grub-rescue-images>`__.
#. List available disks with ``ls`` command:: #. List available disks with ``ls`` command::

2
docs/Getting Started/NixOS/Root on ZFS/2-system-configuration.rst
View File

@@ -212,8 +212,6 @@ System Configuration
zfs create -o canmount=on -o mountpoint=/$i rpool_$INST_UUID/$INST_ID/DATA/local/$i zfs create -o canmount=on -o mountpoint=/$i rpool_$INST_UUID/$INST_ID/DATA/local/$i
done done
Datasets for immutable root filesystem::
zfs create -o canmount=on rpool_$INST_UUID/$INST_ID/DATA/default/state zfs create -o canmount=on rpool_$INST_UUID/$INST_ID/DATA/default/state
for i in {/etc/nixos,/etc/cryptkey.d}; do for i in {/etc/nixos,/etc/cryptkey.d}; do
mkdir -p /mnt/state/$i /mnt/$i mkdir -p /mnt/state/$i /mnt/$i

2
docs/Getting Started/NixOS/Root on ZFS/6-recovery.rst
View File

@@ -28,7 +28,7 @@ This section is also applicable if you are in
Boot computer from the rescue media. Boot computer from the rescue media.
Both legacy and EFI mode are supported. Both legacy and EFI mode are supported.
Or `download generated GRUB rescue image <https://gitlab.com/m_zhou/bieaz/uploads/4a1b7cefb42723de6eb04f9dc485be3b/grub-rescue.img.7z>`__. Or `download generated GRUB rescue image <https://nu8.org/pages/projects/bieaz/#grub-rescue-images>`__.
#. List available disks with ``ls`` command:: #. List available disks with ``ls`` command::

2
docs/Getting Started/RHEL-based distro/RHEL 8-based distro Root on ZFS/6-recovery.rst
View File

@@ -28,7 +28,7 @@ This section is also applicable if you are in
Boot computer from the rescue media. Boot computer from the rescue media.
Both legacy and EFI mode are supported. Both legacy and EFI mode are supported.
Or `download generated GRUB rescue image <https://gitlab.com/m_zhou/bieaz/uploads/4a1b7cefb42723de6eb04f9dc485be3b/grub-rescue.img.7z>`__. Or `download generated GRUB rescue image <https://nu8.org/pages/projects/bieaz/#grub-rescue-images>`__.
#. List available disks with ``ls`` command:: #. List available disks with ``ls`` command::