@ghfields
Last active February 16, 2022 03:36
Change "zpool create" to a more feature-rich set with improved encryption algorithm
# Run as root
# sudo -i
# Prepare LiveCD Environment
add-apt-repository -y ppa:jonathonf/zfs
apt install -y zfs-dkms
systemctl stop zfs-zed.service
modprobe -r zfs
modprobe zfs
# Manually Partition Disk
sgdisk -n2:1M:+2G -t2:8300 /dev/vda
mkfs /dev/vda2
sgdisk -n3:0:0 -t3:BF07 /dev/vda
# Create pool
zpool create -o ashift=12 -O compression=lz4 -O relatime=on -O dnodesize=auto -O recordsize=1M -O xattr=sa -O normalization=formD -O acltype=posixacl -O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase rpool /dev/vda3
# Create temp ZVOL, and run ubiquity installer
zfs create -V 10G rpool/ubuntu-temp
ubiquity --no-bootloader #(install to /dev/zd0)
# Create root dataset and boot mountpoint, mount /boot and rsync
zfs create rpool/ROOT
zfs create rpool/ROOT/ubuntu-1
mkdir /rpool/ROOT/ubuntu-1/boot
mount /dev/vda2 /rpool/ROOT/ubuntu-1/boot
rsync -avPX --exclude '/swapfile' /target/. /rpool/ROOT/ubuntu-1/.
# Turn off swap and destroy temp ZVOL, set up chroot and enter chroot
swapoff -a
umount /target
zfs destroy rpool/ubuntu-temp
for d in proc sys dev; do mount --bind /$d /rpool/ROOT/ubuntu-1/$d; done
cp /etc/resolv.conf /rpool/ROOT/ubuntu-1/etc/resolv.conf
# Inside chroot, install zfs
chroot /rpool/ROOT/ubuntu-1 add-apt-repository -y ppa:jonathonf/zfs
chroot /rpool/ROOT/ubuntu-1 apt install -y zfs-dkms zfs-initramfs
# Fix fstab and grub defaults
sed -e '/\s\/\s/ s/^#*/#/' -i /rpool/ROOT/ubuntu-1/etc/fstab #Comment out / line
sed -e '/\sswap\s/ s/^#*/#/' -i /rpool/ROOT/ubuntu-1/etc/fstab #Comment out /swap line
echo UUID=$(blkid -s UUID -o value /dev/vda2) /boot ext4 noatime 0 2 >> /rpool/ROOT/ubuntu-1/etc/fstab # Add /boot line
echo 'GRUB_DISABLE_OS_PROBER=true' >> /rpool/ROOT/ubuntu-1/etc/default/grub # Silence an error during grub-probe
# In my case, the vt_handoff kernel option sometimes blocks the TTY prompt
# Change vt_handoff="1" to "0" in /etc/grub.d/10_linux
sed -i '/vt_handoff/ s/="[^"][^"]*"/="0"/' /rpool/ROOT/ubuntu-1/etc/grub.d/10_linux
# grub-probe does not produce the pool name when encryption is enabled; replaced with a "zdb -l" command
sed -i 's/.*fs_label*/\trpool=\`zdb -l ${GRUB_DEVICE} \| grep \" name\"\| grep -o \"\x27.*\x27\"\| sed \"s\/\x27\/\/g\"/' /rpool/ROOT/ubuntu-1/etc/grub.d/10_linux
# Make grub.cfg and fix grub.cfg, make init, make bios_grub partition, install grub
chroot /rpool/ROOT/ubuntu-1 update-grub
chroot /rpool/ROOT/ubuntu-1 update-initramfs -u
chroot /rpool/ROOT/ubuntu-1 sgdisk -a1 -n1:512:2047 -t1:EF02 /dev/vda
chroot /rpool/ROOT/ubuntu-1 grub-install /dev/vda
# Unmount everything, set mountpoint, export pool and reboot
umount -R /rpool/ROOT/ubuntu-1
zfs set mountpoint=/ rpool/ROOT/ubuntu-1
zpool export rpool
# Restart computer
# shutdown -r 0
@ideologysec

what about replacing line 7 with this?

add-apt-repository ppa:jonathonf/zfs
apt update
apt install -y zfsutils zfs-dkms

@ghfields
Author

what about replacing line 7 with this?

add-apt-repository ppa:jonathonf/zfs
apt update
apt install -y zfsutils zfs-dkms

I switched to using that repo. The trick is to use "systemctl stop zfs-zed.service" in order to "modprobe -r zfs"

@linsomniac

I've been trying to adapt this to the 20.04 Beta, and there are some changes required for it, but I'll admit that my end result is that it boots memtest and that's all I've gotten to.

Changes:

  • Lines 6-10 not needed.

  • After line 22 (the installer), the zpool is exported. You need to reimport it and mount /target:

    zpool import rpool
    zfs load-key -a
    mount /dev/zd0 /target

  • Don't need line 41.

  • Only need zfs-initramfs in line 42, not the dkms one.

I'll keep poking at it a bit and update if I get it working, but I wanted to give some updates just in case it helps someone else.

@ideologysec

@linsomniac 20.04 beta should include ZFS root support out of the box. Were you attempting to script that via some automated install, or?

@linsomniac

@ideologysec: I'm wanting to use encrypted ZFS, which, sadly, is not supported by the installer.

@ghfields
Author

ghfields commented Apr 8, 2020

@linsomniac You could try to modify the Ubiquity zsys installer to make it create an encrypted pool. I did this to 19.10, but here is my gist:
https://gist.github.com/ghfields/b9d070e4e4a3f9e29f03634ac05b5b36
You modify the /usr/share/ubiquity/zsys-setup on the livecd before running the installer. Use it for inspiration since it is for 19.10.

@linsomniac

@ghfields: That's an interesting idea, I'll try giving that a shot in a bit. I'm currently doing a "zfs recv" on an encrypted pool after dumping from a normal install, then I was going to try some of your changes above (vt_handoff, prober), to see if that would work. But I'll take a look at your gist a bit later.

@linsomniac

I do still want to try @ghfields' installer mod, but I was able to get an encrypted setup going using the roundabout method of: install, "zfs send" the rpool/ROOT and rpool/USERDATA, re-create the rpool with encryption, then "zfs recv", and use part of the above workflow. Annoying, but seems to work. I do get an os-prober error during update-grub, but the result seems to work.

Notes for future-me or someone else:

  • Do normal install using zfs.
  • Boot live CD.
  • Recursive snapshot of ROOT and USERDATA: zfs snapshot -r rpool/ROOT@copy; zfs snapshot -r rpool/USERDATA@copy
  • Send dumps to another system: zfs send -R rpool/ROOT@copy | gzip | nc REMOTEIP PORT ; and same for rpool/USERDATA
  • "zpool export rpool" and reformat using encryption from line 18 above.
  • "zfs load-key rpool"
  • Load ROOT and USERDATA from dumps: "nc -l PORT | gunzip | zfs recv -x encryption rpool/ROOT" and same for USERDATA.
  • "zfs set mountpoint=/mnt" for the root filesystem and "/mnt/boot" for the /boot.
  • zfs mount -a
  • Steps 36-37, 45-57 above, but using /mnt instead. I just "chroot /mnt" and modify files as absolute path. I also commented out the swap entry from /etc/fstab.
  • Then umount -R /mnt; change the mountpoints back to absolute; zpool export bpool; zpool export rpool; reboot
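After the gist's "zpool create ... -O encryption=aes-256-gcm" step, and again after the "zfs recv -x encryption" route in the notes above, it is worth confirming that nothing under rpool ended up unencrypted or with its key still locked. The checker below is an added example, not code from the gist or its commenters; it parses real "zfs get -H" output, and the sample_* functions emit constructed output in that format so it runs without a pool.

```shell
#!/bin/sh
# Added example, not part of the gist: audit the pool's encryption state after the
# "zpool create ... -O encryption=aes-256-gcm" step and after "zfs recv -x encryption".
# Feed it the output of:
#   zfs get -H -o name,property,value -r encryption,keystatus rpool
# (tab-separated: dataset, property, value). The sample_* functions emit
# constructed output in that format so the checker runs without a pool.

# audit_zfs_encryption POOL < zfs-get-output
# Returns 0 when every dataset under POOL is aes-256-gcm encrypted with its key
# loaded; otherwise prints one line per finding and returns 1.
audit_zfs_encryption() {
    awk -F '\t' -v pool="$1" '
        # Only consider the pool itself and datasets below it (bpool etc. are skipped).
        $1 != pool && index($1, pool "/") != 1 { next }
        $2 == "encryption" { enc[$1] = $3; n++ }
        $2 == "keystatus"  { key[$1] = $3 }
        END {
            if (n == 0) { print "no datasets found for " pool " (pool not imported?)"; exit 1 }
            bad = 0
            for (ds in enc) {
                if (enc[ds] == "off")              { print "UNENCRYPTED: " ds; bad = 1 }
                else if (enc[ds] != "aes-256-gcm") { print "UNEXPECTED CIPHER " enc[ds] ": " ds; bad = 1 }
                else if (key[ds] != "available")   { print "KEY NOT LOADED (" key[ds] "): " ds; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample: everything sits under the encrypted root and is unlocked.
sample_all_encrypted() {
    printf '%s\t%s\t%s\n' \
        rpool encryption aes-256-gcm rpool keystatus available \
        rpool/ROOT encryption aes-256-gcm rpool/ROOT keystatus available \
        rpool/ROOT/ubuntu-1 encryption aes-256-gcm rpool/ROOT/ubuntu-1 keystatus available
}

# Constructed sample: rpool/USERDATA ended up with encryption=off; bpool is
# unencrypted by design and must be ignored because it is outside rpool.
sample_with_gap() {
    sample_all_encrypted
    printf '%s\t%s\t%s\n' rpool/USERDATA encryption off rpool/USERDATA keystatus - \
                          bpool encryption off bpool keystatus -
}

if [ "${1:-}" = "--self-test" ]; then
    sample_all_encrypted | audit_zfs_encryption rpool && echo "OK: all of rpool encrypted"
    sample_with_gap | audit_zfs_encryption rpool || echo "FAIL: see findings above"
fi
```

On a live system, run it from the chroot step as `zfs get -H -o name,property,value -r encryption,keystatus rpool | audit_zfs_encryption rpool` before exporting the pool.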

@linsomniac

@ghfields: Ok, that Ubiquity hack worked totally brilliantly! Thanks!
