zpool create -o ashift=12 storage raidz2 /dev/sda /dev/sdb /dev/sdc
zpool set feature@encryption=enabled storage
zfs create -o encryption=on -o keyformat=raw -o keylocation=file:///root/storage-data.zfskey storage/data
openssl req -newkey rsa:4096 \
    -x509 \
    -sha256 \
    -days 3650 \
    -nodes \
    -out example.crt \
    -keyout example.key
sudo cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda1
sudo cryptsetup open --type luks /dev/sda1 backup
sudo mkfs.ext4 /dev/mapper/backup
sudo mount -t ext4 /dev/mapper/backup /mnt/backup
sudo umount /mnt/backup
You can unlock your rootfs remotely at boot time by using ssh to log in to the booting system while it is still running from the initramfs.
For remote unlocking to work, the following packages have to be installed before building the initramfs:
- dropbear
- busybox
The file /etc/initramfs-tools/initramfs.conf holds the configuration options used when building the initramfs. It should contain BUSYBOX=y (the default once the busybox package is installed) so that busybox is installed into the initramfs, and it should not contain DROPBEAR=n, which would disable installation of dropbear into the initramfs. If DROPBEAR=y is set, dropbear is installed in any case; if DROPBEAR is not set at all, dropbear is installed only when an existing cryptroot setup is detected.
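The BUSYBOX/DROPBEAR rules above, turned into a check you can run against an initramfs.conf before rebuilding the initramfs. This is an added example, not part of the gist; the file path and the yes/no flag for an existing cryptroot setup are supplied by the caller, and the two sample configs are constructed here for demonstration.

```shell
#!/bin/sh
# Added example: validate initramfs.conf for remote (dropbear) unlocking.
# Assumes KEY=value lines, '#' comments, last assignment wins (as when the
# file is sourced by the initramfs tools).

# conf_get KEY FILE: print the effective value of KEY, or nothing if unset.
conf_get() {
    _key=$1; _file=$2
    sed -n "s/^[[:space:]]*${_key}=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$_file" | tail -n 1
}

# check_initramfs_conf FILE HAS_CRYPTROOT(yes|no)
# Returns 0 when both busybox and dropbear would land in the initramfs,
# 1 otherwise; the reason is printed on stdout.
check_initramfs_conf() {
    _file=$1; _cryptroot=$2
    _busybox=$(conf_get BUSYBOX "$_file")
    _dropbear=$(conf_get DROPBEAR "$_file")
    case "$_busybox" in
        y) ;;
        *) echo "BUSYBOX=y missing (found '${_busybox:-unset}')"; return 1 ;;
    esac
    case "$_dropbear" in
        n)  echo "DROPBEAR=n disables dropbear in the initramfs"; return 1 ;;
        y)  echo "ok: busybox and dropbear explicitly enabled"; return 0 ;;
        "") if [ "$_cryptroot" = yes ]; then
                echo "ok: DROPBEAR unset, installed because a cryptroot setup exists"
                return 0
            fi
            echo "DROPBEAR unset and no cryptroot setup: dropbear would be skipped"
            return 1 ;;
        *)  echo "unexpected DROPBEAR value '$_dropbear'"; return 1 ;;
    esac
}

# Constructed sample configs (hypothetical, not real system files).
good=$(mktemp); bad=$(mktemp)
printf 'MODULES=most\nBUSYBOX=y\n# DROPBEAR=n\nDROPBEAR=y\n' > "$good"
printf 'MODULES=most\nBUSYBOX=y\nDROPBEAR=n\n' > "$bad"
check_initramfs_conf "$good" no
check_initramfs_conf "$bad" yes || true
rm -f "$good" "$bad"
```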
#------------------------------------------------------------------------------
# slack (slack.com) global notification options
# multiple recipients can be given like this:
# "CHANNEL1 CHANNEL2 ..."
# enable/disable sending slack notifications
SEND_SLACK="YES"
# Login to slack.com and create an incoming webhook. You need only one for all
# This service will unlock all ZFS pools at boot time
# It should live in
# /etc/systemd/system/zfs-load-key.service
# Enable it with
# systemctl enable zfs-load-key.service
[Unit]
Description=Load encryption keys
DefaultDependencies=no
Before=zfs-mount.service
# https://github.com/mthssdrbrg/ddns-route53
#
# awscli needs to be installed with valid credentials and should be in PATH e.g. /home/USER/.local/bin
# ddns-route53 needs to be installed and should be in PATH e.g. /home/USER/.local/bin
# Add to crontab
*/5 * * * * PATH=$PATH:/home/USER/.local/bin /home/USER/.local/bin/ddns-route53 --zone-id XXXXXXXX --record-set www.example.com >> /home/USER/ddns-route53.log 2>&1
If you wish to run an alternative SSH agent (e.g. ssh-agent or gpg-agent), you need to disable the ssh component of GNOME Keyring. To do so in an account-local way, copy /etc/xdg/autostart/gnome-keyring-ssh.desktop to ~/.config/autostart and then append the line Hidden=true to the copied file. Then log out.
Source: https://wiki.archlinux.org/index.php/GNOME/Keyring#Disable_keyring_daemon_components
I hereby claim:
- I am da-n on github.
- I am da_n (https://keybase.io/da_n) on keybase.
- I have a public key ASBzedy5JCcCqHuCikt7AetYj9_IjmnW_-h3ftKFk-vqlQo
To claim this, I am signing this object:
Source: mightypile https://askubuntu.com/a/829835
I do this with asymmetric key encryption. That means I have a public key (that I can share with anyone I'd like to send me encrypted packages) which allows me to encrypt the package. I also have a private key (that I do not share) which allows me to decrypt the package.
My commands to encrypt the current working directory: the -e to encrypt, the -r to specify a "recipient" or key to use, the -o to specify the output file.
$ tar -cvz . | gpg -e -r ABCD1234 -o backup.tgz.gpg
And to decrypt to the current working directory: