# Void full disk encryption install process

Download the latest [hrmpf](https://github.com/leahneukirchen/hrmpf/releases), write it to USB drive and boot your system in EFI mode. You can confirm you've booted in EFI mode by running `efibootmgr`. 

For this guide, the following assumptions are made:
* `/dev/sda` is the drive dedicated for the ZFS pool
* `/dev/sdb` is the USB drive dedicated for the EFI partition
* You're mildly comfortable with ZFS, EFI and discovering system facts on your own (`lsblk`, `dmesg`, `gdisk`, ...)

# ZFS prep work

* Build and load ZFS modules
```
xbps-reconfigure -a
modprobe zfs
```
* Generate /etc/hostid
```
zgenhostid
```
* Store your pool passphrase in a key file
```
echo "SomeKeyphrase" > /etc/zfs/zroot.key
chmod 000 /etc/zfs/zroot.key
```

# ZFS pool creation

* Create the zpool
```
zpool create -f -o ashift=12 \
 -O compression=lz4 \
 -O acltype=posixacl \
 -O xattr=sa \
 -O relatime=on \
 -O encryption=aes-256-gcm \
 -O keylocation=file:///etc/zfs/zroot.key \
 -O keyformat=passphrase \
 -o autotrim=on \
 -m none zroot /dev/sda
```
It's out of the scope of this guide to cover all of the pool creation options used - feel free to tailor them to suit your system. However, the following options need to be addressed:
* `encryption=aes-256-gcm` - You can adjust the algorithm as you see fit, but this will likely be the most performant on modern x86_64 hardware.
* `keylocation=file:///etc/zfs/zroot.key` - This sets our pool encryption passphrase to the file `/etc/zfs/zroot.key`, which we created in a previous step. This file will live inside your initramfs stored ON the ZFS boot environment.
* `keyformat=passphrase` - By setting the format to `passphrase`, we can now force a prompt for this in `zfsbootmenu`. It's critical that your passphrase be something you can type on your keyboard, since you will need to type it in to unlock the pool on boot.

* Create our initial file systems
```
zfs create -o mountpoint=none zroot/ROOT
zfs create -o mountpoint=/ zroot/ROOT/void.$( date +%Y.%m.%d )
zfs create -o mountpoint=/home zroot/home
```
* Export, then reimport with a temporary mountpoint of /mnt
```
zpool export zroot
zpool import -l -R /mnt zroot
```

* Verify that everything is mounted correctly
```
# mount | grep mnt
zroot/ROOT/void.2020.01.30 on /mnt type zfs (rw,relatime,xattr,posixacl)
zroot/home on /mnt/home type zfs (rw,relatime,xattr,posixacl)
```

# Install Void
* Adjust the mirror / libc / package selection as you see fit
```
xbps-install -S -R https://mirrors.servercentral.com/voidlinux/current -r /mnt base-system zfs vim efibootmgr gptfdisk
```
* Copy our pool key, hostid and resolv.conf into the new install
```
cp /etc/hostid /mnt/etc
cp /etc/resolv.conf /mnt/etc/
cp /etc/zfs/zroot.key /mnt/etc/zfs
```
* Chroot into the new OS
```
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -B /dev /mnt/dev
mount -t devpts pts /mnt/dev/pts
chroot /mnt
```
# Basic Void configuration
* Set the keymap, timezone and hardware clock
```
cat << EOF >> /etc/rc.conf
KEYMAP="us"
TIMEZONE="America/Chicago"
HARDWARECLOCK="UTC"
EOF
```
* Configure your glibc locale
```
cat << EOF >> /etc/default/libc-locales
en_US.UTF-8 UTF-8
en_US ISO-8859-1
EOF
xbps-reconfigure -f glibc-locales
```
* Set a root password
```
passwd
```

# ZFS Configuration
* To more quickly discover and import pools on boot, we need to set a pool cachefile
```
zpool set cachefile=/etc/zfs/zpool.cache zroot
```
* Configure our default boot environment
```
zpool set bootfs=zroot/ROOT/void.$( date +%Y.%m.%d ) zroot
```
* Configure Dracut to load ZFS support
```
cat << EOF > /etc/dracut.conf.d/zol.conf
nofsck="yes"
add_dracutmodules+=" zfs "
omit_dracutmodules+=" btrfs "
install_items+=" /etc/zfs/zroot.key "
EOF
```
* Rebuild the initramfs
```
xbps-reconfigure -f linux5.4
```
# Install and configure ZFSBootMenu

* Assign command-line arguments to be used when booting the final kernel. Because ZFS properties are inherited, assign the common properties to the `ROOT` dataset so all children will inherit common arguments by default.
```
zfs set org.zfsbootmenu:commandline="spl_hostid=$( hostid ) ro quiet" zroot/ROOT
```

* Create an EFI partition on `/dev/sdb`
```
bash-5.0# gdisk /dev/sdb
GPT fdisk (gdisk) version 1.0.4

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y

Command (? for help): p
Disk /dev/sdb: 62656641 sectors, 29.9 GiB
Model: Flash Drive FIT 
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 0803CB07-D712-4839-BA5D-FB52EF4E88BB
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 62656607
Partitions will be aligned on 2048-sector boundaries
Total free space is 62656574 sectors (29.9 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name

Command (? for help): n
Partition number (1-128, default 1): 1
First sector (34-62656607, default = 2048) or {+-}size{KMGTP}: 
Last sector (2048-62656607, default = 62656607) or {+-}size{KMGTP}: +512M
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300): EF00
Changed type of partition to 'EFI System'

Command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/sdb.
The operation has completed successfully.
```

* Create a vfat filesystem
```
mkfs.vfat -F32 /dev/sdb1
```

* Create an fstab entry and mount
```
cat << EOF >> /etc/fstab
$( blkid | grep /dev/sdb1 | cut -d ' ' -f 2 ) /boot/efi vfat defaults,noauto 0 0
EOF
mkdir /boot/efi
mount /boot/efi
```

* Install rEFInd

This should find /boot/efi as your EFI partition and install itself accordingly. 
```
xbps-install -S
xbps-install -Rs refind
refind-install
rm /boot/refind_linux.conf
```

* Install the bootmenu package
```
xbps-install -Rs zfsbootmenu
```
* Enable zfsbootmenu image creation
Edit /etc/zfsbootmenu/config.ini and set:
 * ManageImages=1 under [Global] section
 * Copies=3 under [Components] section
 * See [Configuration options](https://github.com/zdykstra/zfsbootmenu#installation) for more details.
```
[Global]
ManageImages=1
DracutConfDir=/etc/zfsbootmenu/dracut.conf.d
BootMountPoint=/boot/efi

[Kernel]
CommandLine=ro quiet loglevel=0

[Components]
ImageDir=/boot/efi/EFI/void
Versioned=1
Copies=3

[EFI]
ImageDir=/boot/efi/EFI/void
Versioned=1
Copies=0

[syslinux]
CreateConfig=0
Config=/boot/efi/syslinux/syslinux.cfg
```
* Generate the initial bootmenu initramfs
```
xbps-reconfigure -f zfsbootmenu
zfsbootmenu: configuring ...
Creating ZFS Boot Menu 0.8.1_1, with vmlinuz 5.4.15_1
Found 0 existing images, allowed to have a total of 3
Created /boot/efi/EFI/void/vmlinuz-0.8.1_1, /boot/efi/EFI/void/initramfs-0.8.1_1.img
```
* Create /boot/efi/EFI/void/refind_linux.conf
```
cat << EOF > /boot/efi/EFI/void/refind_linux.conf
"Boot default"  "zfsbootmenu:ROOT=zroot spl_hostid=$( hostid ) timeout=0 ro quiet loglevel=0"
"Boot to menu"  "zfsbootmenu:ROOT=zroot spl_hostid=$( hostid ) timeout=-1 ro quiet loglevel=0"
EOF
```
* Exit the chroot, unmount everything
```
exit
umount -n /mnt/{dev/pts,dev,sys,proc}
umount /mnt/boot/efi
```
* Export the zpool and reboot
```
zpool export zroot
reboot
```