Encrypted ZFS Install Ubuntu 23.10

Ubuntu 23.10 Mantic Minotaur Encrypted ZFS Walkthrough
/etc/apt/sources.list:
deb http://archive.ubuntu.com/ubuntu/ mantic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ mantic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-updates main restricted universe multiverse
apt update
rm /etc/apt/sources.list.d/extra-ppas.list
apt install zfsutils-linux debootstrap gdisk
source /etc/os-release
export ID=mantic
zgenhostid -f 0x00bab10c
ls -al /dev/disk/by-id
total 0
drwxr-xr-x 2 root root 280 Nov 23 02:01 .
drwxr-xr-x 9 root root 180 Nov 23 02:01 ..
lrwxrwxrwx 1 root root 9 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422 -> ../../sda
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part4 -> ../../sda4
lrwxrwxrwx 1 root root 13 Nov 23 02:01 mmc-Biwin_0x0000029a -> ../../mmcblk0
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part1 -> ../../mmcblk0p1
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part2 -> ../../mmcblk0p2
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part3 -> ../../mmcblk0p3
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part4 -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 13 Nov 23 02:01 mmc-SR256_0x85b68838 -> ../../mmcblk1
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-SR256_0x85b68838-part1 -> ../../mmcblk1p1
DISK0=/dev/disk/by-id/mmc-Biwin_0x0000029a
DISK1=/dev/disk/by-id/ata-Dogfish_SSD_256GB_5E5AD76508051633422
wipefs -a -f $DISK0
wipefs $DISK1 if needed, in this case no
sgdisk -Z $DISK0
sgdisk -Z $DISK1 if needed, in this case no
Creating new GPT entries in memory.
GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.
sgdisk -n1:1M:+550M -t1:ef00 -c1:homey-efi0 $DISK0
Creating new GPT entries in memory.
The operation has completed successfully
sgdisk -n1:1M:+550M -t1:ef00 -c1:homey-efi1 $DISK1
This creates a new partition numbered 1 at 1MB, sized 550MB, with partition type code ef00 (EFI), and changes the GPT partition name to homey-efi1.
(sgdisk -L shows partition type codes)
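sgdisk -n2::+6000M -t2:8200 -c2:linux-swap $DISK0
Note: this swap partition sits outside the encrypted pool, so anything paged out to it is written in plaintext unless swap is encrypted separately.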
sgdisk -n3:: -t3:bf00 -c3:rpool0 $DISK0
The operation completed successfully – type bf00 = Solaris root; -n2:: uses all remaining space for partition 2
sgdisk -n2:: -t2:bf00 -c2:rpool1 $DISK1
The operation completed successfully
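echo 'super secret passphrase' > /etc/zfs/rpool.key
chmod 000 /etc/zfs/rpool.key
Note: typed this way, the passphrase is recorded in the shell history and the file is briefly readable under the default umask; running `umask 077` first and entering the passphrase through an editor or a silent `read -rs` prompt avoids both.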
zpool create -f \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O compression=zstd \
-O encryption=aes-256-gcm \
-O keylocation=file:///etc/zfs/rpool.key \
-O keyformat=passphrase \
-m none rpool mirror ${DISK0}-part3 ${DISK1}-part2
-m is mountpoint
zpool list
name size alloc free
rpool 54G 708K 54G
root@Homey:/home/luser/Desktop# fdisk -l /dev/mmcblk0
Disk /dev/mmcblk0: 57.66 GiB, 61907927040 bytes, 120913920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 346E032C-FDE3-4554-90F4-EDAC60B9A54C
Device Start End Sectors Size Type
/dev/mmcblk0p1 2048 2203647 2201600 512M EFI System
/dev/mmcblk0p2 2203648 6397951 4194304 6G Linux filesystem (encrypt?)
/dev/mmcblk0p3 14053376 120911871 106858496 48.7G Linux filesystem
root@Homey:/home/luser/Desktop# fdisk -l /dev/sda
Disk /dev/sda: 238.47 GiB, 256060514304 bytes, 500118192 sectors
Disk model: Dogfish SSD 256G
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 937542CF-0135-4708-90A3-E7AFEA8D06F8
Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/
/dev/sda3 108376064 500117503 391741440 186.8G Linux filesystem
/dev/sda4 3147776 105342975 102195200 48.7G Linux filesystem
zfs create -o mountpoint=none rpool/ROOT
zfs create -o mountpoint=/ -o canmount=noauto rpool/ROOT/homey
zfs create -o mountpoint=none rpool/USERDATA
zfs create -o mountpoint=/root rpool/USERDATA/root
zfs create -o mountpoint=/home/luser rpool/USERDATA/luser
zfs create -o mountpoint=/home/luser2 rpool/USERDATA/luser2
zpool set bootfs=rpool/ROOT/homey rpool
zpool export rpool
zpool import -N -R /mnt rpool
zfs load-key -L prompt rpool
Enter passphrase for ‘rpool’:
zfs list
rpool none
rpool/ROOT none
rpool/ROOT/homey /mnt
rpool/USERDATA/root /mnt/root
rpool/USERDATA/luser /mnt/home/luser
rpool/USERDATA/luser2 /mnt/home/luser2
zfs mount -a
zfs mount
rpool/ROOT/homey /mnt
rpool/USERDATA/root /mnt/root
rpool/USERDATA/luser /mnt/home/luser
rpool/USERDATA/luser2 /mnt/home/luser2
udevadm trigger
debootstrap mantic /mnt
base system installed successfully
cp /etc/hostid /mnt/etc/hostid
cp /etc/resolv.conf /mnt/etc/
mkdir /mnt/etc/zfs
cp /etc/zfs/rpool.key /mnt/etc/zfs/
cp /etc/apt/sources.list /mnt/etc/apt/sources.list
cp /etc/apt/sources.list /mnt/etc/apt/sources.list.MANTICdev
vi /mnt/etc/hostname
Change to homey
add the following to /mnt/etc/hosts
127.0.1.1 homey
create /mnt/etc/apt/preferences.d/snapdfix
Package: snapd
Pin: release a=*
Pin-Priority: -10
create /mnt/etc/netplan/01-netcfg.yaml
network:
  version: 2
  ethernets:
    enx00e04d711639:
      dhcp6: true
      dhcp4: true
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -B /dev /mnt/dev
mount -t devpts pts /mnt/dev/pts
chroot /mnt /bin/bash
passwd
Set new root password
apt update && apt upgrade
apt install --no-install-recommends linux-generic locales keyboard-configuration console-setup
apt install fdutils linux-tools initramfs-tools dracut tiny-initramfs initramfs-tools firmware-sof-signed grub-pc grub-efi-amd64 grub-efi-ia32 grub lilo initramfs-tools linux-initramfs-tool thermald
dpkg-reconfigure locales tzdata keyboard-configuration console-setup
let system choose suitable font. size 8×16 , UTF-8 en.us
apt install dosfstools mtools zfs-initramfs zfsutils-linux zfs-dkms acpid cpufrequtils cpufreqd pciutils usbutils zsh mc openssh-server tmux molly-guard btop htop powertop radeontop nvtop s-tui stress-ng lm-sensors linux-libc-dev
apt install rsync git fakeroot build-essential libncurses-dev xz-utils libssl-dev bc flex libelf-dev bison
systemctl enable zfs.target
systemctl enable zfs-import-cache
systemctl enable zfs-mount
systemctl enable zfs-import.target
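echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
The initramfs will contain a copy of /etc/zfs/rpool.key, so this umask keeps the generated image readable by root only.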
update-initramfs -u -k all
update-initramfs -c -k all
zfs set org.zfsbootmenu:commandline="quiet loglevel=4 amd_iommu=on" rpool/ROOT
zfs set org.zfsbootmenu:keysource="rpool/ROOT/homey" rpool
mkfs.vfat -F32 /dev/mmcblk0p1
mkdir -p /boot/efi
echo "/dev/mmcblk0p1 /boot/efi vfat defaults 0 0" > /etc/fstab
mount /boot/efi
apt install curl
mkdir -p /boot/efi/EFI/ZBM
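curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
Note: this image is the first code to run at boot and it receives the pool passphrase, yet it is fetched here without any integrity check; compare its SHA-256 against the checksums published with the corresponding ZFSBootMenu release before booting from it.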
cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
mount -t efivarfs efivarfs /sys/firmware/efi/efivars
apt install refind
refind-install
exit
umount -n -R /mnt
zpool export rpool
reboot

Log in as root. Ping 8.8.8.8 to ensure the network is up.
apt update && apt upgrade
username=luser
UUID=rpool
ROOT_DS=$(zfs list -o name | awk '/ROOT\/ubuntu_/{print $1;exit}')
adduser luser
adduser luser2
cp -a /etc/skel/. /home/luser
chown -R luser:luser /home/luser
cp -a /etc/skel/. /home/luser2
chown -R luser2:luser2 /home/luser2
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser2
sudo zfs snap rpool/ROOT/homey@prototype0
apt install gnome-core sakura gnome-tweaks gnome-shell-extension-manager gparted yaru-theme-icon yaru-theme-sound yaru-theme-gtk yaru-theme-gnome-shell flatpak qemu-system-x86 qemu-utils vde2 virt-manager virt-top libvirt-daemon-driver-storage-zfs remmina-plugin-rdp krita gimp audacity obs-studio vlc kdenlive kleopatra vlc sshfs
apt install nvidia-driver-525 nvidia-dkms-525

Install Text 2

Log in as root. Ping 8.8.8.8 to ensure the network is up.
apt update && apt upgrade
username=luser
UUID=rpool
ROOT_DS=$(zfs list -o name | awk '/ROOT\/ubuntu_/{print $1;exit}')
adduser luser
adduser luser2
cp -a /etc/skel/. /home/luser
chown -R luser:luser /home/luser
cp -a /etc/skel/. /home/luser2
chown -R luser2:luser2 /home/luser2
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser2
sudo zfs snap rpool/ROOT/homey@prototype0
apt install gnome-core sakura gnome-tweaks gnome-shell-extension-manager gparted yaru-theme-icon yaru-theme-sound yaru-theme-gtk yaru-theme-gnome-shell flatpak qemu-system-x86 qemu-utils vde2 virt-manager virt-top libvirt-daemon-driver-storage-zfs remmina-plugin-rdp krita gimp audacity obs-studio vlc kdenlive kleopatra vlc sshfs
apt install nvidia-driver-525 nvidia-dkms-525

Ubuntu 23.10 Mantic Minotaur Encrypted ZFS Walkthrough

/etc/apt/sources.list:
deb http://archive.ubuntu.com/ubuntu/ mantic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-proposed main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ mantic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ mantic-updates main restricted universe multiverse

apt update

rm /etc/apt/sources.list.d/extra-ppas.list

apt install zfsutils-linux debootstrap gdisk

source /etc/os-release
export ID=mantic
zgenhostid -f 0x00bab10c

ls -al /dev/disk/by-id
total 0
drwxr-xr-x 2 root root 280 Nov 23 02:01 .
drwxr-xr-x 9 root root 180 Nov 23 02:01 ..
lrwxrwxrwx 1 root root 9 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422 -> ../../sda
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part1 -> ../../sda1
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part2 -> ../../sda2
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part3 -> ../../sda3
lrwxrwxrwx 1 root root 10 Nov 23 02:01 ata-Dogfish_SSD_256GB_5E5AD76508051633422-part4 -> ../../sda4
lrwxrwxrwx 1 root root 13 Nov 23 02:01 mmc-Biwin_0x0000029a -> ../../mmcblk0
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part1 -> ../../mmcblk0p1
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part2 -> ../../mmcblk0p2
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part3 -> ../../mmcblk0p3
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-Biwin_0x0000029a-part4 -> ../../mmcblk0p4
lrwxrwxrwx 1 root root 13 Nov 23 02:01 mmc-SR256_0x85b68838 -> ../../mmcblk1
lrwxrwxrwx 1 root root 15 Nov 23 02:01 mmc-SR256_0x85b68838-part1 -> ../../mmcblk1p1

DISK0=/dev/disk/by-id/mmc-Biwin_0x0000029a
DISK1=/dev/disk/by-id/ata-Dogfish_SSD_256GB_5E5AD76508051633422

wipefs -a -f $DISK0

wipefs $DISK1 if needed, in this case no

sgdisk -Z $DISK0

sgdisk -Z $DISK1 if needed, in this case no

Creating new GPT entries in memory.

GPT data structures destroyed! You may now partition the disk using fdisk or other utilities.

sgdisk -n1:1M:+550M -t1:ef00 -c1:homey-efi0 $DISK0

Creating new GPT entries in memory.

The operation has completed successfully

sgdisk -n1:1M:+550M -t1:ef00 -c1:homey-efi1 $DISK1
This creates a new partition numbered 1 at 1MB, sized 550MB, with partition type code ef00 (EFI), and changes the GPT partition name to homey-efi1.

(sgdisk -L shows partition type codes)
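sgdisk -n2::+6000M -t2:8200 -c2:linux-swap $DISK0
Note: this swap partition sits outside the encrypted pool, so anything paged out to it is written in plaintext unless swap is encrypted separately.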
sgdisk -n3:: -t3:bf00 -c3:rpool0 $DISK0

The operation completed successfully – type bf00 = Solaris root; -n2:: uses all remaining space for partition 2

sgdisk -n2:: -t2:bf00 -c2:rpool1 $DISK1

The operation completed successfully

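echo 'super secret passphrase' > /etc/zfs/rpool.key
chmod 000 /etc/zfs/rpool.key
Note: typed this way, the passphrase is recorded in the shell history and the file is briefly readable under the default umask; running `umask 077` first and entering the passphrase through an editor or a silent `read -rs` prompt avoids both.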

zpool create -f \
-o ashift=12 \
-o autotrim=on \
-O acltype=posixacl \
-O xattr=sa \
-O relatime=on \
-O compression=zstd \
-O encryption=aes-256-gcm \
-O keylocation=file:///etc/zfs/rpool.key \
-O keyformat=passphrase \
-m none rpool mirror ${DISK0}-part3 ${DISK1}-part2

-m is mountpoint

zpool list

name size alloc free

rpool 54G 708K 54G

root@Homey:/home/luser/Desktop# fdisk -l /dev/mmcblk0
Disk /dev/mmcblk0: 57.66 GiB, 61907927040 bytes, 120913920 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 346E032C-FDE3-4554-90F4-EDAC60B9A54C

Device Start End Sectors Size Type
/dev/mmcblk0p1 2048 2203647 2201600 512M EFI System
/dev/mmcblk0p2 2203648 6397951 4194304 6G Linux filesystem (encrypt?)
/dev/mmcblk0p3 14053376 120911871 106858496 48.7G Linux filesystem

root@Homey:/home/luser/Desktop# fdisk -l /dev/sda
Disk /dev/sda: 238.47 GiB, 256060514304 bytes, 500118192 sectors
Disk model: Dogfish SSD 256G
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 937542CF-0135-4708-90A3-E7AFEA8D06F8

Device Start End Sectors Size Type
/dev/sda1 2048 1050623 1048576 512M EFI System
/
/dev/sda3 108376064 500117503 391741440 186.8G Linux filesystem
/dev/sda4 3147776 105342975 102195200 48.7G Linux filesystem

zfs create -o mountpoint=none rpool/ROOT
zfs create -o mountpoint=/ -o canmount=noauto rpool/ROOT/homey
zfs create -o mountpoint=none rpool/USERDATA
zfs create -o mountpoint=/root rpool/USERDATA/root
zfs create -o mountpoint=/home/luser rpool/USERDATA/luser
zfs create -o mountpoint=/home/luser2 rpool/USERDATA/luser2

zpool set bootfs=rpool/ROOT/homey rpool

zpool export rpool
zpool import -N -R /mnt rpool

zfs load-key -L prompt rpool

Enter passphrase for ‘rpool’:

zfs list

rpool none
rpool/ROOT none
rpool/ROOT/homey /mnt
rpool/USERDATA/root /mnt/root
rpool/USERDATA/luser /mnt/home/luser
rpool/USERDATA/luser2 /mnt/home/luser2

zfs mount -a

zfs mount

rpool/ROOT/homey /mnt

rpool/USERDATA/root /mnt/root

rpool/USERDATA/luser /mnt/home/luser

rpool/USERDATA/luser2 /mnt/home/luser2

udevadm trigger

debootstrap mantic /mnt

base system installed successfully

cp /etc/hostid /mnt/etc/hostid

cp /etc/resolv.conf /mnt/etc/

mkdir /mnt/etc/zfs

cp /etc/zfs/rpool.key /mnt/etc/zfs/
cp /etc/apt/sources.list /mnt/etc/apt/sources.list
cp /etc/apt/sources.list /mnt/etc/apt/sources.list.MANTICdev

vi /mnt/etc/hostname

Change to homey

add the following to /mnt/etc/hosts

127.0.1.1 homey

create /mnt/etc/apt/preferences.d/snapdfix

Package: snapd
Pin: release a=*
Pin-Priority: -10

create /mnt/etc/netplan/01-netcfg.yaml

network:
  version: 2
  ethernets:
    enx00e04d711639:
      dhcp6: true
      dhcp4: true
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -B /dev /mnt/dev
mount -t devpts pts /mnt/dev/pts

chroot /mnt /bin/bash

passwd

Set new root password

apt update && apt upgrade

apt install --no-install-recommends linux-generic locales keyboard-configuration console-setup

apt install fdutils linux-tools initramfs-tools dracut tiny-initramfs initramfs-tools firmware-sof-signed grub-pc grub-efi-amd64 grub-efi-ia32 grub lilo initramfs-tools linux-initramfs-tool thermald

dpkg-reconfigure locales tzdata keyboard-configuration console-setup

let system choose suitable font. size 8×16 , UTF-8 en.us

apt install dosfstools mtools zfs-initramfs zfsutils-linux zfs-dkms acpid cpufrequtils cpufreqd pciutils usbutils zsh mc openssh-server tmux molly-guard btop htop powertop radeontop nvtop s-tui stress-ng lm-sensors linux-libc-dev

apt install rsync git fakeroot build-essential libncurses-dev xz-utils libssl-dev bc flex libelf-dev bison

systemctl enable zfs.target
systemctl enable zfs-import-cache
systemctl enable zfs-mount
systemctl enable zfs-import.target

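echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf
The initramfs will contain a copy of /etc/zfs/rpool.key, so this umask keeps the generated image readable by root only.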

update-initramfs -u -k all

update-initramfs -c -k all

zfs set org.zfsbootmenu:commandline="quiet loglevel=4 amd_iommu=on" rpool/ROOT

zfs set org.zfsbootmenu:keysource="rpool/ROOT/homey" rpool

mkfs.vfat -F32 /dev/mmcblk0p1

mkdir -p /boot/efi
echo "/dev/mmcblk0p1 /boot/efi vfat defaults 0 0" > /etc/fstab
mount /boot/efi

apt install curl

mkdir -p /boot/efi/EFI/ZBM

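curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
Note: this image is the first code to run at boot and it receives the pool passphrase, yet it is fetched here without any integrity check; compare its SHA-256 against the checksums published with the corresponding ZFSBootMenu release before booting from it.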

cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI

mount -t efivarfs efivarfs /sys/firmware/efi/efivars

apt install refind

refind-install

exit

umount -n -R /mnt

zpool export rpool

reboot


Log in as root. Ping 8.8.8.8 to ensure the network is up.

apt update && apt upgrade
username=luser
UUID=rpool
ROOT_DS=$(zfs list -o name | awk '/ROOT\/ubuntu_/{print $1;exit}')
adduser luser
adduser luser2
cp -a /etc/skel/. /home/luser
chown -R luser:luser /home/luser
cp -a /etc/skel/. /home/luser2
chown -R luser2:luser2 /home/luser2
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser
usermod -aG adm,cdrom,sudo,dip,plugdev,users,lpadmin luser2
sudo zfs snap rpool/ROOT/homey@prototype0
apt install gnome-core sakura gnome-tweaks gnome-shell-extension-manager gparted yaru-theme-icon yaru-theme-sound yaru-theme-gtk yaru-theme-gnome-shell flatpak qemu-system-x86 qemu-utils vde2 virt-manager virt-top libvirt-daemon-driver-storage-zfs remmina-plugin-rdp krita gimp audacity obs-studio vlc kdenlive kleopatra vlc sshfs

apt install nvidia-driver-525 nvidia-dkms-525
