Riktastic/Add_new_disk.sh

## Add_new_disk.sh
# Wipes a drive and converts it to a LUKS encrypted ZFS partition.
# I'm using this for my Debian 11 Proxmox system.
#
# Check out these sources for additional security information:
#    - Information about LUKS and its automatic unlock: https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
#    - Information about ZFS and LUKS on Debian 11: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-2-disk-formatting
#

#List all DISK_ID's with: ls -la /dev/disk/by-id
DISK=/dev/disk/by-id/
LUKS_NAME=luks_...

# Create a key with: mkdir -m0700 /etc/keys && ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )
LUKS_KEY_FILE=/etc/keys/root.key
ZFS_NAME=...pool

wipefs -a $DISK # Wipes HDDs.
blkdiscard -f $DISK # Wipes SSDs.
sgdisk --zap-all $DISK # Wipes left over filesystems.
sgdisk     -n1:0:0        -t1:8309 $DISK # Create a new partition for LUKS.

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha256 ${DISK}-part1 # Encrypt the previously create partition.
cryptsetup luksOpen ${DISK}-part1 ${LUKS_NAME} # Open the previously created partition.

PARTITION=readlink -f readlink -f ${DISK}-part1 # Get the devicename of the previously created partition.
PARTITION_UUID=blkid ${PARTITION} # Get the UUID of the previously created partition.

cryptsetup luksAddKey ${DISK}-part1 ${LUKS_KEY_FILE} # Add our keyfile to the previously created partition. It will be added to key slot 1.

zpool create \
    -o ashift=12 \
    -O acltype=posixacl -O canmount=off -O compression=lz4 \
    -O dnodesize=auto -O normalization=formD -O relatime=on \
    -O xattr=sa \
    ${ZFS_NAME} /dev/mapper/${LUKS_NAME} # Create a new ZFS filesystem.

zfs create -o canmount=off -o mountpoint=none ${ZFS_NAME}/ROOT # Create new ZFS datasets.

echo "
${LUKS_NAME} UUID=${PARTITION_UUID}              /etc/keys/root.key luks,discard,key-slot=1" >> /etc/crypttab
	# Wipes a drive and converts it to a LUKS encrypted ZFS partition.
	# I'm using this for my Debian 11 Proxmox system.
	#
	# Check out these sources for additional security information:
	# - Information about LUKS and its automatic unlock: https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html
	# - Information about ZFS and LUKS on Debian 11: https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/Debian%20Buster%20Root%20on%20ZFS.html#step-2-disk-formatting
	#

	#List all DISK_ID's with: ls -la /dev/disk/by-id
	DISK=/dev/disk/by-id/
	LUKS_NAME=luks_...

	# Create a key with: mkdir -m0700 /etc/keys && ( umask 0077 && dd if=/dev/urandom bs=1 count=64 of=/etc/keys/root.key conv=excl,fsync )
	LUKS_KEY_FILE=/etc/keys/root.key
	ZFS_NAME=...pool

	wipefs -a $DISK # Wipes HDDs.
	blkdiscard -f $DISK # Wipes SSDs.
	sgdisk --zap-all $DISK # Wipes left over filesystems.
	sgdisk -n1:0:0 -t1:8309 $DISK # Create a new partition for LUKS.

	cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha256 ${DISK}-part1 # Encrypt the previously create partition.
	cryptsetup luksOpen ${DISK}-part1 ${LUKS_NAME} # Open the previously created partition.

	PARTITION=readlink -f readlink -f ${DISK}-part1 # Get the devicename of the previously created partition.
	PARTITION_UUID=blkid ${PARTITION} # Get the UUID of the previously created partition.

	cryptsetup luksAddKey ${DISK}-part1 ${LUKS_KEY_FILE} # Add our keyfile to the previously created partition. It will be added to key slot 1.

	zpool create \
	-o ashift=12 \
	-O acltype=posixacl -O canmount=off -O compression=lz4 \
	-O dnodesize=auto -O normalization=formD -O relatime=on \
	-O xattr=sa \
	${ZFS_NAME} /dev/mapper/${LUKS_NAME} # Create a new ZFS filesystem.

	zfs create -o canmount=off -o mountpoint=none ${ZFS_NAME}/ROOT # Create new ZFS datasets.

	echo "
	${LUKS_NAME} UUID=${PARTITION_UUID} /etc/keys/root.key luks,discard,key-slot=1" >> /etc/crypttab
No results found