dustfinger (Guru; Joined: 15 Aug 2004; Posts: 449)
Posted: Tue Jun 06, 2017 8:01 am    Post subject: luks zfs initramfs and crypt_root
I use genkernel to create an initramfs that supports luks and zfs
Code:
    genkernel --install --luks --zfs initramfs
The --luks parameter provides support for kernel parameters called crypt_root and real_root. The problem is that I have more than one encrypted device that makes up the root. How can I express this fact with the crypt_root and real_root kernel params?
I have two drives that are luks encrypted using the same passphrase. /dev/sda1 and /dev/nvme0n1p2.
Code:
    livecd / # lsblk
    NAME            MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    sda               8:0    0 931.5G  0 disk
    └─sda1            8:1    0 931.5G  0 part
      └─crypt2      252:1    0 931.5G  0 crypt
    sdb               8:16   1   7.2G  0 disk
    └─sdb1            8:17   1   7.2G  0 part
    loop0             7:0    0     2G  0 loop
    nvme0n1         259:0    0   477G  0 disk
    ├─nvme0n1p1     259:1    0   512M  0 part  /boot
    └─nvme0n1p2     259:2    0 476.4G  0 part
      └─crypt1      252:0    0 476.4G  0 crypt
Once decrypted the devices are striped vdevs and can be imported into a zpool called tank.
Code:
    livecd / # zpool status
      pool: tank
     state: ONLINE
      scan: none requested
    config:

            NAME        STATE     READ WRITE CKSUM
            tank        ONLINE       0     0     0
              crypt1    ONLINE       0     0     0
              crypt2    ONLINE       0     0     0

    errors: No known data errors
I would like to be able to configure grub2 so that the fact that there are multiple encrypted root devices is properly expressed and handled. For example:
Code:
    linux /vmlinuz-4.9.16-gentoo dozfs crypt_root=/dev/nvme0n1p2 real_root=/dev/mapper/crypt1 crypt_root=/dev/sda2 real_root=/dev/mapper/crypt2 root=ZFS=tank/root ro
I don't think that passing crypt_root twice is the answer of course. How can this be achieved?
-- EDIT #1 --
Is it possible to do what I want to do with device mapper multipath? I did not know about device mapper multipath when I wrote the above, but if I could somehow pass to the initramfs the multipath device then maybe it would know to scan the increments of the device.
Given that I have the following multipath devices mapped
/dev/mapper/crypt1 and /dev/mapper/crypt2
would it be possible to set crypt_root=/dev/mapper/crypt perhaps? Or maybe even crypt_root=/dev/mapper/crypt{1,2}
I was told by someone on irc that with zfs I do not want to use real_root, just crypt_root and root params. So by using device mapper I might end up with something like this:
Code:
    linux /vmlinuz-4.9.16-gentoo dozfs crypt_root=/dev/mapper/crypt{1,2} root=ZFS=tank/root ro
The above does not actually work, but I am wondering if something similar to that might be supported. There is no documentation on this that I can find.
_________________
Unanswered Post Initiative: https://forums.gentoo.org/viewtopic.php?t=119906
zino (n00b; Joined: 14 Jan 2016; Posts: 21; Location: Switzerland)
Posted: Thu Aug 03, 2017 4:17 pm    Post subject:
If you don't insist on using genkernel to create the initramfs you could use sys-kernel/bliss-initramfs. An initramfs created with it is capable of decrypting multiple devices.
For instance, the cmdline for my raidz2 with 6 LUKS encrypted hard drives looks like this:
Code:
    BOOT_IMAGE=/bzImage-zfs triggers=luks,zfs enc_drives=ID=ata-TOSHIBA_DT01ACA100_24E0V05MS,ID=ata-TOSHIBA_DT01ACA100_24E0A5YMS,ID=ata-TOSHIBA_DT01ACA100_24E0TBAMS,ID=ata-TOSHIBA_DT01ACA100_24E0KJLMS,ID=ata-Hitachi_HDT721010SLA360_STF607MH1HH7MW,ID=ata-TOSHIBA_DT01ACA100_24E0UE1MS enc_type=pass root=tresor/OS/rootvol usr=tresor/OS/usr initrd=/initrd-zfs
When the system boots up bliss-initramfs asks for your LUKS passphrase and then applies it to all drives indicated by the enc_drives option.
gentoo_dude (l33t; Joined: 08 May 2004; Posts: 645; Location: Washington, DC)
Posted: Thu Nov 09, 2017 2:28 pm    Post subject:
If you use genkernel or genkernel-next then instead of passing crypt_root use crypt_roots as follows:
Code:
    crypt_roots=/dev/sda2 crypt_roots=/dev/sdb2
You can have only one real_root, but if you use software raid, then the two partitions will be opened and ready to be assembled by the raid software.
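An added illustration of what an initramfs has to do with a repeated crypt_roots= parameter before a multi-device pool can be imported (example code, not genkernel's, genkernel-next's or bliss-initramfs's own). The device names are the ones from the thread; the sample cmdline, the crypt1/crypt2 mapper naming and the /newroot mount point are assumptions, and the cryptsetup and zpool commands are only printed as a plan, not executed.

```shell
#!/bin/sh
# Constructed sample cmdline: the original poster's two LUKS partitions,
# expressed with the repeated crypt_roots= form instead of crypt_root=.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-4.9.16-gentoo dozfs crypt_roots=/dev/nvme0n1p2 crypt_roots=/dev/sda1 root=ZFS=tank/root ro'

# Print every value of a given key, one per line, in cmdline order.
# The same key may occur several times (crypt_roots=a crypt_roots=b),
# which is why a single "first match" lookup is not enough here.
cmdline_values() {
    key="$1"; cmdline="$2"
    for word in $cmdline; do
        case "$word" in
            "$key"=*) printf '%s\n' "${word#*=}" ;;
        esac
    done
}

count_crypt_roots() { cmdline_values crypt_roots "$1" | wc -l; }

# Emit the unlock sequence: the n-th crypt_roots device becomes mapper name
# cryptN (assumed naming; the pool in the thread was built on crypt1/crypt2),
# and only after every mapper device exists is the pool imported by name.
# Fails if the cmdline names no encrypted root device at all.
plan_unlock() {
    cmdline="$1"; i=0
    for dev in $(cmdline_values crypt_roots "$cmdline"); do
        i=$((i + 1))
        printf 'cryptsetup luksOpen %s crypt%d\n' "$dev" "$i"
    done
    [ "$i" -gt 0 ] || { echo "no crypt_roots= on cmdline" >&2; return 1; }
    dataset="$(cmdline_values root "$cmdline" | sed 's/^ZFS=//')"
    printf 'zpool import -N %s && mount -t zfs %s /newroot\n' "${dataset%%/*}" "$dataset"
}

plan_unlock "$SAMPLE_CMDLINE"
```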
msst (Apprentice; Joined: 07 Jun 2011; Posts: 259)
Posted: Fri Nov 10, 2017 8:24 pm    Post subject:
You could also use btrfs - nowadays a pretty reasonable replacement for zfs - and then multi disk root is possible by including the btrfs utility and running a btrfs device scan in the initramfs.
After that you don't need to pass multiple devices any more by kernel command line.
I personally have better experiences with better-initramfs than with genkernel.