Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted.

  1. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data.

    Device Start End Sectors Size Type /dev/sda1 2048 32767 30720 15M BIOS boot /dev/sda2 32768 442367 409600 200M Linux filesystem /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem

  2. Encrypt partitions number 2 and 3, and open them

    cryptsetup luksFormat /dev/sda2 cryptsetup luksFormat /dev/sda3 cryptsetup luksOpen /dev/sda2 crypt_boot cryptsetup luksOpen /dev/sda3 crypt_data

  3. Format the boot partition

    mkfs.btrfs /dev/mapper/crypt_boot

  4. Prepare LVM for the rest, and format the top level

    vgcreate vg0 /dev/mapper/crypt_data lvcreate -l 100%FREE -n data vg0 mkfs.btrfs /dev/vg0/data

  5. Mount and set up any subvolumes

    mount /dev/vg0/data /mnt/gentoo btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home umount /mnt/gentoo

  6. Now mount the chroot

    mount /dev/vg0/data -o subvol=@ /mnt/gentoo install -d -m 01000 /mnt/gentoo/home mount /dev/vg0/data -o subvol=@home /mnt/gentoo/home

  7. Install Gentoo as usual (unpack the stage)

  8. Add a file-based key so you can autodecrypt on boot

    mkdir /mnt/gentoo/etc/luks dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/data.key dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/boot.key cryptsetup luksAddKey /dev/sda2 /mnt/gentoo/etc/luks/boot.key cryptsetup luksAddKey /dev/sda3 /mnt/gentoo/etc/luks/data.key

  9. Fix the configuration files

  • /etc/fstab

  1. Enable crypto grub

    echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub

  2. Automount the crypto disks on boot:

    cat > /etc/dracut.conf.d/crypto.conf <<EOF install_items+=" /etc/luks/boot.key" install_items+=" /etc/luks/data.key" EOF dracut -f '' 4.4.1-generic


Popular posts from this blog

Google webmaster tools refuse to verify a Wordpress blog

LVM metadata corruption