
Ubuntu 22.04 with encrypted ZFS on the Framework laptop

Until now, since 2004 or so (4.10, Warty Warthog: it's been a while!), I have always run Ubuntu on an ext file system. First ext3, and as of Ubuntu 6.06 LTS or so, ext4. I have never lost a single file, and it has always run rock solid through a number of incidents (water spilled on the keyboard; strong static electricity; dropping the laptop to the floor; running out of battery and not shutting down properly). So if you want a tested-and-true solution, install with ext4 as the file system format and move on.

But ZFS offers a number of advantages such as encryption, compression, copy on write, and trivial built-in commands for backups. ZFS has been around for some years now and we use it on our laboratory servers, so the time had arrived to set up a laptop with ZFS to benefit from these capabilities.

So why the Framework laptop? Since 2016 I have been using a Thinkpad X1 yoga with a touchscreen, and frankly it continues to work excellently. Except it has always been a tad too wide (I like small laptops), even if lightweight, and more importantly, its CPU and RAM are quite dated. While these could perhaps be updated, doing so is frankly not trivial. The Thinkpad X1 has an unmatched, outstanding keyboard; in my opinion, the best in the industry. One hopes the Framework laptop will someday offer an equivalently good keyboard, rather than the present offer which is nothing other than a clickety-clackety rubbery keyboard that reminds me a lot of my first macbooks. What the Framework laptop offers, though, is complete repairability and upgradability (e.g., a better keyboard soon?), at a modest price (about 1/3rd of the equivalent Thinkpad X1), plus enormous versatility with its hot-swappable bays. The latter lets you configure the ports at will (I have an HDMI, a USB-C, a USB-3 and a card reader), as well as host additional hard drives if needed. Also, it's fairly thin yet robust, and feels lightweight, with a bright and high-resolution screen (2256x1504 pixels). It's fantastic, a complete and absolute game changer. Do check it out.

Start by creating a bootable USB pen with Ubuntu 22.04 LTS and plug it in, then turn on the Framework laptop and hold down F12 to enter the boot menu. Boot from the USB pen and, once prompted, choose "Try Ubuntu" to run it live from the pen.

To set up encrypted ZFS partitions for both boot and home, some editing is necessary, as Ubuntu presently doesn't support encrypted ZFS from the provided installer wizard. But it is possible and quite straightforward. Here I will follow these instructions, which worked flawlessly; also copied below.

To install Ubuntu on an encrypted ZFS file system, do the following. Once the live Ubuntu 22.04 desktop is running from the USB pen, open a terminal and edit this file /usr/share/ubiquity/zsys-setup with your favorite text editor; gedit, vi, nano, anything will do. You can even "sudo apt install vim" or whichever editor if you like.

In the zsys-setup file, search for "zpool create", and make sure you have found the create command that has "rpool" on the last line. Before the "zpool create", insert this (edit "mypassword", of course, to your actual desired password):

echo mypassword |

And before the last line of the command, insert these lines:

-O encryption=aes-256-gcm \
-O keylocation=prompt \
-O keyformat=passphrase \

Then run ubiquity from the terminal to start the installer, and proceed to install as normal, selecting the "Use entire disk" option, and of course the option to format the file system as ZFS. Two ZFS partitions will be created: bpool (for booting; about 2G) and rpool (for everything else), with the latter taking up the remainder of the disk space.
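Because the passphrase is pasted unquoted after "echo", the shell that runs zsys-setup interprets it before ZFS ever sees it, and a passphrase the shell alters is one you cannot type back at the boot prompt. The check below is an added example, not part of the original instructions; the function name check_passphrase and the sample values are made up here, and it assumes zsys-setup is run by a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original page. check_passphrase is a name
# introduced here. Prints "ok" and returns 0, or prints the first problem
# and returns 1.
check_passphrase() (
    LC_ALL=C            # count and match bytes, not locale characters
    pass=$1
    bytes=$(( $(printf '%s' "$pass" | wc -c) ))

    # OpenZFS requires 8 to 512 bytes for keyformat=passphrase.
    if [ "$bytes" -lt 8 ] || [ "$bytes" -gt 512 ]; then
        echo "length: $bytes bytes, need 8 to 512"
        return 1
    fi
    # Conservative set that an unquoted shell word passes through unchanged.
    case $pass in
        *[!A-Za-z0-9_.,:+=@%/-]*)
            echo "unsafe: character the shell may rewrite when unquoted"
            return 1 ;;
    esac
    case $pass in
        -*) echo "unsafe: echo may treat a leading '-' as an option"
            return 1 ;;
    esac
    echo ok
)

# Constructed samples.
for candidate in 'correct-horse-battery' 'short' 'pa$$word two  spaces' '-n12345678'; do
    printf '%-24s %s\n' "$candidate" "$(check_passphrase "$candidate")"
done
```

A simple passphrase used only for the installer can be replaced after the first boot with "sudo zfs change-key rpool", which prompts for the new one.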

On the swap partition, I suggest requesting one of the same size as your laptop's RAM, to enable suspend with deep sleep, which is a great battery saver. The reason is that a swap partition is needed to support a form of hibernate, for a very good battery-saving suspend mode nicknamed "deep". My Framework laptop has 64G of RAM, yet I chose to create a small 2G swap partition, which was a mistake, because later one can't shrink the ZFS partition (as the saying goes, ZFS partitions can only grow). Below is how I worked around it.

Before anything else, though, see the Ubuntu installation through and reboot the laptop, removing the USB media so that it will boot from disk.

Now is a good moment to update the BIOS to the latest (see the Framework laptop BIOS installation page). Namely, download a zip file, extract it into a bootable USB pen, and boot from it using F12 to choose the boot device. Remember to unplug the laptop from AC power prior to booting from the USB pen (to work around a bug whereby the BIOS update doesn't work with a 100% charged battery), and, when the menu shows, reconnect to the AC power prior to starting the BIOS update. When done it will simply reboot.

So now onto addressing deep suspend and the swap partition, following these instructions on using a zvol as swap. The swap will be a ZFS volume (zvol) named "rpool/swap".

Create rpool/swap (ignore the warning message):

$ sudo zfs create -V 64G -b $(getconf PAGESIZE) \
    -o compression=zle -o logbias=throughput \
    -o sync=standard -o primarycache=metadata \
    -o secondarycache=none -o com.sun:auto-snapshot=false \
    rpool/swap

Warning: volblocksize (4096) is less than the default minimum block size (8192).
To reduce wasted space a volblocksize of 8192 is recommended.

Then mark the rpool/swap as an actual swap space, and add it to the file system table or "/etc/fstab", like this:

$ sudo mkswap -f /dev/zvol/rpool/swap
Setting up swapspace version 1, size = 64 GiB (68719472640 bytes)
no label, UUID=1b9d61be-d1c7-4ef3-a66a-f68343ge994f

$ sudo -i
password:

# echo /dev/zvol/rpool/swap none swap defaults 0 0 >> /etc/fstab
# swapon -av

Now that the swap space has been created, made available as swap and added to the fstab, we can change the suspend mode. By default, Ubuntu 22.04 uses a suspend mode nicknamed "s2idle". Notoriously, "s2idle" consumes a lot of battery (about 30% in a couple of hours, for example), and your Framework laptop will get hot inside its protective sleeve. Fortunately there is a much better suspend mode, nicknamed "deep". Here is how to activate it: edit the file /etc/default/grub and modify the GRUB_CMDLINE_LINUX_DEFAULT variable to read like:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash nvme.noacpi=1 mem_sleep_default=deep"

And update grub, which is the boot loader:

$ sudo update-grub

The above makes the choice of "deep" for suspend permanent. To merely enable it momentarily, do the following instead:

$ sudo -i
# echo "deep" > /sys/power/mem_sleep

To check that the change happened, do:

$ cat /sys/power/mem_sleep 
s2idle [deep]

Above, notice how "[deep]" is in square brackets, indicating it's the selected suspend mode. With the "deep" suspend mode, several hours can pass and your Framework laptop will only have used a small fraction of power, for example less than 1% in over 2 hours. It's very much worth it. The only caveat: it takes 4 to 10 seconds to resume from suspend, depending on how full your RAM was. My RAM is large (64G), so it often takes up to 7 seconds.

Be mindful though of a ZFS bug that only occurs in high memory pressure conditions, that is, when all available RAM is in use. So far, with my 64G, I have not exhausted it yet. The whole point of switching to the Framework laptop was to have a lot of RAM and, importantly, the possibility of trivially increasing the size of the internal RAM memory cards in the future.

After completing all the above you will have a fully functioning Framework laptop running Ubuntu 22.04 on an encrypted ZFS partition and with deep sleep enabled, with an also encrypted home and swap. What's not to like!
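It is worth confirming which datasets actually ended up encrypted, since encryption is a per-dataset property and only the rpool "zpool create" was edited. The script below is an added example, not part of the original page; the function names and the sample data are constructed here. On the installed system, feed it the output of "zfs get -H -o name,property,value -t filesystem,volume encryption,encryptionroot" instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_encryption CIPHER POOL
# stdin: tab-separated lines "dataset property value" from zfs get -H.
# Prints "<verdict> TAB <dataset> TAB <cipher>" per dataset. Returns 1 if any
# dataset inside POOL is not encrypted with CIPHER under the POOL root key.
audit_encryption() {
    awk -F '\t' -v cipher="$1" -v pool="$2" '
        $2 == "encryption" {
            if (!($1 in enc)) order[++n] = $1
            enc[$1] = $3
        }
        $2 == "encryptionroot" { root[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                d = order[i]
                if (enc[d] == "off")                          verdict = "unencrypted"
                else if (enc[d] == cipher && root[d] == pool) verdict = "ok"
                else                                          verdict = "unexpected"
                printf "%s\t%s\t%s\n", verdict, d, enc[d]
                # Only datasets in POOL decide the exit status.
                if ((d == pool || index(d, pool "/") == 1) && verdict != "ok") bad = 1
            }
            exit bad + 0
        }'
}

# Constructed sample (not captured from a real machine). The steps above add
# the encryption options only to the rpool command, so bpool is shown as off.
sample_zfs_get() {
    printf '%s\t%s\t%s\n' \
        bpool          encryption     off \
        bpool          encryptionroot - \
        rpool          encryption     aes-256-gcm \
        rpool          encryptionroot rpool \
        rpool/USERDATA encryption     aes-256-gcm \
        rpool/USERDATA encryptionroot rpool \
        rpool/swap     encryption     aes-256-gcm \
        rpool/swap     encryptionroot rpool
}

sample_zfs_get | audit_encryption aes-256-gcm rpool
```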

Now, specifically for the Framework laptop, I had to fix the arrangement of the control (ctrl), function (fn), meta (windows) and alt keys, as well as the caps which I turned into an additional escape key.

The function (fn) key can only be swapped for ctrl in the BIOS. So reboot, find the BIOS menu entry, and enable swapping them. This will put the seldom used fn key at the bottom left of the keyboard (the most inaccessible key), and ctrl where fn used to be (to the right of where fn is now).

Now, to swap the ctrl and win keys, and potentially others, first skim this manual page:

man 7 xkeyboard-config

See where it says:

Caps Lock Behavior
...
caps:escape     Make Caps Lock an additional Esc                       
...
ctrl:swap_lwin_lctl     Swap Left Win with Left Ctrl

There are many such options, pick the one you like. To set them up, open dconf-editor by pushing the win key and typing it, or from a terminal. Then search for "/org/gnome/desktop/input-sources/xkb-options", click on the toggle that protects using the default value, and type into the "Custom value" field:

['caps:escape', 'ctrl:swap_lwin_lctl']

From now on, the sequence of modifier keys will be, from left to right: fn, meta (or win), ctrl and alt. Which is exactly what I wanted.

The properties and configuration of most Ubuntu desktop software are accessible via the dconf-editor, which is in itself merely a UI reader/writer for what is otherwise done via gsettings at the command line, but much easier. There you can choose how you want your desktop background to be (see "/org/gnome/desktop/background/"), with the image scaled, stretched, centred, etc. This same page enables you to disable desktop icons (I never want them myself) and more.

Likewise, with dconf-editor we can edit properties of all built-in UI software. For example for evince (the document viewer, or default PDF reader) browse to "/org/gnome/evince", which is the properties page that will let you set up auto-reload (useful when compiling PDFs from LaTeX), and critically, change the cache size from 50 to 2,000 (2G) so that one can zoom far more deeply. And many more, particularly under "/org/gnome/evince/default/" such as "show-sidebar" on opening a PDF (which I set to false). These are the default evince properties when opening a PDF file, so it's important to get these right.

While on the subject of customizing Ubuntu, notice that everything can be edited. Everything. For example, the new Ubuntu 22.04 look and feel is somewhat too bright for my eyes, and the dark mode available in the settings too dark. So instead, I created the file "~/.config/gtk-3.0/gtk.css" with these entries:

headerbar {
  background-image: none;
  background-color: #e8c46a;
}

headerbar:backdrop {
  background-image: none;
  background-color: #e9d1ad;
}

Now, upon logout and login, or upon launching an application anew, the color of the title bar (the "headerbar") will be set as described. Yes, quite orange/honey-like, that's how I like my desktop. To find out the names of all other editable properties via this CSS file, well, just search for it online.

And if LibreOffice looks dead ugly, like a gray monstrosity from the early days of desktop computing (can happen if you install only, say, libreoffice-writer instead of the whole suite), fix it up by installing these additional packages:

$ sudo apt install libreoffice-gtk3 libreoffice-gnome

Now the LibreOffice (formerly OpenOffice) look and feel will be that of the rest of the Ubuntu desktop: pleasant, with properly scaled menus and icons.



Last updated: 2022-08-31 22:08 London time. Copyright Albert Cardona.