Markus Heberling Coding == Relaxing

7 Nov 13

Ubuntu 13.10 LUKS Encrypted ZFS Root on HP N54L

This guide installs a ZFS mirror on LUKS-encrypted containers. This leads to a performance hit, since writing requires each block of data to be encrypted twice. Additionally, the HP N54L has no AES CPU instruction, so all IO is very CPU bound with this setup. I get a write throughput of about 8M/s. I am using the system to receive ZFS backups via zfs send/receive over a DSL connection. This works fine, since the connection speed is much slower than the write speed. This setup is not for you if you need faster write speeds.

I used the Ubuntu 13.10 64-bit Desktop Live CD and copied it to a USB stick with dd. Creating the USB stick with tools like unetbootin will not work, since the HP N54L will think it is a floppy and halt at the syslinux stage.

Install the ZFS native repository for Ubuntu:

I have 2 WD Red 4 TB disks in the system. We need a small partition for grub and a small RAID for the unencrypted /boot partition. I create an additional very small RAID, with a LUKS container inside, so that all keys can be derived from that. The rest of the space is for the LUKS container with a ZFS pool and the root filesystem inside.

Next we create the RAID

And then create the LUKS containers

Create the zpool

Install the base system

The HP N54L needs the uhci-hcd module in the initramfs. The release version of initramfs-tools is broken. There is an update in the proposed section that fixes this. Without it you won't be able to enter your password on boot.

Change into the new system

You are inside the new system now.

You are back in the host system now

Rescue Mode

Boot the live CD again and then:

To leave the system again:

Optionally unlock your server via SSH

Add the file /etc/initramfs-tools/hooks/unlock with the following contents:

You can now log into your initramfs during boot via SSH with the root user and unlock the disks by calling:

Final remarks

You should probably back up your LUKS headers and store them in a safe place:
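One way to script the header backup, as an added example that is not the original post's command: it uses `cryptsetup isLuks` and `cryptsetup luksHeaderBackup`, refuses to overwrite an existing backup, and records a checksum for each file. The function names, the output directory, the file naming and the device paths in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example: back up the LUKS header of each device given on the command line.
# Device paths, output directory and file naming are assumptions, not from the guide.

# Map a device path to a file name: /dev/md1 -> luks-header-dev-md1.img
header_backup_name() {
    printf 'luks-header%s.img\n' "$(printf '%s' "$1" | tr '/' '-')"
}

# Back up the header of device $1 into directory $2. Never overwrites a backup.
backup_luks_header() {
    local dev=$1 outdir=$2 out
    out="$outdir/$(header_backup_name "$dev")"
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    # isLuks exits non-zero when the device carries no LUKS header
    if ! cryptsetup isLuks "$dev"; then
        echo "$dev is not a LUKS device" >&2
        return 1
    fi
    # umask keeps the file private: it contains the key slots
    ( umask 077; cryptsetup luksHeaderBackup "$dev" --header-backup-file "$out" ) || return 1
    # Record a checksum so the copy can be verified before any restore
    ( cd "$outdir" && sha256sum "$(basename "$out")" >> SHA256SUMS )
}

# backup_all OUTDIR DEVICE... ; returns non-zero if any device failed
backup_all() {
    local outdir=$1 rc=0 dev
    shift
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 1
    for dev in "$@"; do
        backup_luks_header "$dev" "$outdir" || rc=1
    done
    return "$rc"
}

# Run as root, e.g.: ./backup-luks-headers.sh /root/luks-headers /dev/md1 /dev/sda4
# (constructed device names; substitute the devices that hold your LUKS containers)
if [ "$#" -ge 2 ]; then
    backup_all "$@"
fi
```

A header backup contains the key slots, so a passphrase that was valid when the backup was taken can still unlock the data through that file even after the passphrase is changed on disk. Keep the copies offline or inside another encrypted store, not on the pool they protect.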

If you have suggestions on how to improve this setup, feel free to post them in the comments.

Sources

http://www.larsko.org/ZfsUbuntu

http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/

http://wiki.ubuntuusers.de/LUKS