Installing Gentoo with full disk encryption

The purpose of this exercise - install Gentoo where all disk partitions are encrypted.




  1. Boot from a system rescue disk and partition the disk - use GPT partition table where the first partition is reserved, second is the boot, and the third one is for the rest of the data.



    Device Start End Sectors Size Type
    /dev/sda1 2048 32767 30720 15M BIOS boot
    /dev/sda2 32768 442367 409600 200M Linux filesystem
    /dev/sda3 442368 375093902 374651535 178.7G Linux filesystem


  2. Encrypt partitions number 2 and 3, and open them



    cryptsetup luksFormat /dev/sda2
    cryptsetup luksFormat /dev/sda3
    cryptsetup luksOpen /dev/sda2 crypt_boot
    cryptsetup luksOpen /dev/sda3 crypt_data


  3. Format the boot partition



    mkfs.btrfs /dev/mapper/crypt_boot


  4. Prepare LVM for the rest, and format the top level



    vgcreate vg0 /dev/mapper/crypt_data
    lvcreate -l 100%FREE -n data vg0
    mkfs.btrfs /dev/vg0/data


  5. Mount and set up any subvolumes



    mount /dev/vg0/data /mnt/gentoo
    btrfs subvol create /mnt/gentoo/@ /mnt/gentoo/@home
    umount /mnt/gentoo


  6. Now mount the chroot



    mount /dev/vg0/data -o subvol=@ /mnt/gentoo
    install -d -m 01000 /mnt/gentoo/home
    mount /dev/vg0/data -o subvol=@home /mnt/gentoo/home


  7. Install Gentoo as usual (unpack the stage)


  8. Add a file-based key so you can autodecrypt on boot



    mkdir /mnt/gentoo/etc/luks
    dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/data.key
    dd bs=2048 if=/dev/urandom count=1 of=/mnt/gentoo/etc/luks/boot.key
    cryptsetup luksAddKey /dev/sda2 /mnt/gentoo/etc/luks/boot.key
    cryptsetup luksAddKey /dev/sda3 /mnt/gentoo/etc/luks/data.key


  9. Fix the configuration files





  • /etc/fstab




  1. Enable crypto grub



    echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub


  2. Automount the crypto disks on boot:



    cat > /etc/dracut.conf.d/crypto.conf <<EOF
    install_items+=" /etc/luks/boot.key"
    install_items+=" /etc/luks/data.key"
    EOF
    dracut -f '' 4.4.1-generic


Comments

Post a Comment

Popular posts from this blog

Remotely connect to Windows 11 PC using a "passwordless" account

Remotely connecting to a Windows PC with a Microsoft "passwordless" is possible and I finally found a simple workaround at https://cmdrkeene.com/remote-desktop-with-microsoft-account-sign-in/ Copying it here is it does not get lost: On the PC hosting the remote desktop session (running Windows Pro or better), run the following command, replacing the example email address with your Microsoft Account email address that you use to login to the computer. runas /u:MicrosoftAccount\username@example.com winver This command runs the “winver” program under the credentials of the user account specified. It sounds (and is) pretty simple, but what it does in the background is caches your Microsoft Account credentials. Since your local user account had no password, it wasn’t eligible for RDP use even if it has appropriate permissions otherwise. After supplying the password and pressing Enter, you’ll know it worked if you see the About Windows dialog box open. Go ahead and close it and the...
Read more

FreeIPA cluster with containers

Notes on how to install a FreeIPA cluster on Ubuntu. Mostly following the instructions on https://github.com/freeipa/freeipa-container Start with what would be the primary host. If you install a third replica you would want to review the replica agreements to ensure you have a two-way replication between all pairs of nodes.
Read more