@eleanxr
Last active May 10, 2022 20:53
Gentoo Encrypted Installation Notes

Boot and Drive Partitioning

  • Start with gentoo-nofb to make the window readable on a VM with a lower resolution host.
  • On VM network just works. Will need to deal with wireless on real install.
  • Follow instructions for default partition layout on handbook, use GPT.
  • Switch to dm-crypt instructions for creating filesystems.
    • # cryptsetup -s 512 luksFormat /dev/sda4
  • cryptsetup is already available on minimal image, no need to emerge it.
  • Use ext2 for boot partition, follow swap instructions in handbook.
  • After you open the encrypted volume, use mkfs.ext4 to format the volume:
    • cryptsetup luksOpen /dev/sda4 root
    • mkfs.ext4 /dev/mapper/root
    • mount /dev/mapper/root /mnt/gentoo
  • Mount /boot in the filesystem as the handbook says and continue through initial configuration, through chroot
  • add -march=bdver2 to makeflags for AMD A10 8700P
  • I hate nano. After chroot, emerge --ask app-editors/vim

Kernel Configuration

  • Follow instructions in the Kernel Configuration section of the [Gentoo dm-crypt wiki page](https://wiki.gentoo.org/wiki/Dm-crypt)
  • If using genkernel, make sure the cryptsetup, luks, and lvm options are used (see initramfs section below). You can edit /etc/genkernel.conf to enable these by adding the following lines:
    • LVM="yes"
    • LUKS="yes"
  • While editing genkernel.conf, set MAKEOPTS="-j"

Initramfs Setup

  • edit /etc/portage/package.use/genkernel:
    • sys-kernel/genkernel -cryptsetup
  • emerge --ask sys-fs/cryptsetup
  • emerge --ask sys-kernel/genkernel
  • emerge --ask app-arch/xz-utils
  • genkernel --luks --lvm --install initramfs
    • Had to edit /etc/genkernel.conf to disable compression. Got a message about none of the compression methods being supported.
    • emerge app-arch/lzma fixes the above, no need to disable compression.

Filesystem and Boot Configuration

  • blkid | grep /dev/sda4 >> /etc/crypttab
  • edit /etc/crypttab to have line
    • root UUID=uuid-reported-by-blkid none luks,discard
  • Make sure to use UUID of /dev/sda4
  • edit /etc/fstab to have line
    • /dev/mapper/root / ext4 noatime 0 1
  • Before the grub-mkconfig step in the handbook put the following lines in /etc/default/grub:
    • GRUB_CMDLINE_LINUX="crypt_root=UUID=</dev/sda4 uuid from blkid>"
    • GRUB_CRYPTODISK_ENABLE=y
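
Added example, not part of the original notes: a check that the crypttab entry and the crypt_root= kernel argument both point at the UUID of the LUKS container (/dev/sda4) and not at the UUID of the ext4 filesystem inside it (/dev/mapper/root), which blkid also lists once the volume is open. The function names and the sample blkid output are made up for this example; it only prints lines and writes nothing under /etc.

```shell
#!/bin/sh
# Constructed blkid output; every UUID below is made up for this example.
SAMPLE_BLKID='/dev/sda2: UUID="1111aaaa-0000-4000-8000-000000000002" TYPE="ext2"
/dev/sda4: UUID="2222bbbb-0000-4000-8000-000000000004" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="3333cccc-0000-4000-8000-00000000000f" TYPE="ext4"'

# luks_uuid DEV: read blkid text on stdin, print DEV's UUID only when blkid
# reports DEV as a LUKS container; exit status 1 otherwise.
luks_uuid() {
    awk -v dev="$1:" '
        $1 == dev {
            uuid = ""; type = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^UUID=/) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
                if ($i ~ /^TYPE=/) { type = $i; gsub(/^TYPE="|"$/, "", type) }
            }
            if (type == "crypto_LUKS" && uuid != "") { print uuid; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# crypttab_line NAME UUID: the /etc/crypttab entry in the form used in the notes.
crypttab_line() {
    printf '%s UUID=%s none luks,discard\n' "$1" "$2"
}

# check_boot_refs DEV CRYPTTAB_LINE GRUB_CMDLINE: blkid text on stdin.
# Returns 0 when both strings reference DEV's LUKS UUID, 1 when one of them
# does not, 2 when DEV is not a LUKS container.
check_boot_refs() {
    want=$(luks_uuid "$1") || return 2
    case $2 in *"UUID=$want "*) ;; *) return 1 ;; esac
    case $3 in *"crypt_root=UUID=$want"*) ;; *) return 1 ;; esac
}

# Demo on the constructed sample: print the lines, touch nothing under /etc.
uuid=$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid /dev/sda4)
crypttab_line root "$uuid"
printf 'GRUB_CMDLINE_LINUX="crypt_root=UUID=%s"\n' "$uuid"
```

On a real system, pipe the output of blkid into the functions in place of the sample text.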

Addendum for Arch Linux

  • Add "encrypt" to hooks in /etc/mkinitcpio.conf and build a new ramdisk
  • Using Grub to boot:
    • Add GRUB_CRYPTODISK_ENABLE=y and GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda4:root" to /etc/default/grub