Gentoo install with full disk encryption
This guide serves my use case but can easily be adapted.
I use one disk for the boot and root partitions and a second disk for /home, and encrypt both with LUKS2 only (no LVM).
Start by creating the partitions on the first disk with parted:
~ # parted -a optimal /dev/nvme0n1
Set the default units to mebibytes:
(parted) unit mib
Create a GPT partition table:
(parted) mklabel gpt
Create a boot partition:
(parted) mkpart primary fat32 1 769
(parted) name 1 boot
(parted) set 1 BOOT on
Create the root partition using the remaining space on the disk:
(parted) mkpart primary 769 -1
(parted) name 2 root
(parted) quit
This creates the following layout:
~ # lsblk
nvme0n1 disk
├─nvme0n1p1 768M part
└─nvme0n1p2 110G part
Create boot filesystem:
~ # mkfs.vfat -F32 /dev/nvme0n1p1
Prepare encrypted partition:
~ # cryptsetup --type luks2 -v -c aes-xts-plain64 -s 256 --hash sha256 --iter-time 2000 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/nvme0n1p2
Open the encrypted partition:
~ # cryptsetup luksOpen /dev/nvme0n1p2 root
And format the filesystem (Yes I still use ext4):
~ # mkfs.ext4 -L "root" /dev/mapper/root
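As an added check that is not part of the original guide: a small Python script that parses the output of `cryptsetup luksDump` and reports the cipher, key size and PBKDF of every keyslot, so you can confirm the header really carries the options passed to luksFormat. The dump embedded below is a constructed sample in the shape cryptsetup 2.x prints for the options used above (UUID, salt and digest bytes are placeholders, not from a real device). It also translates the LUKS key size into the effective AES strength: aes-xts-plain64 splits the key into two halves, so the `-s 256` used above yields AES-128, while `-s 512` would yield AES-256.

```python
import re
import sys

# Constructed sample of `cryptsetup luksDump` output for a volume formatted with
# aes-xts-plain64, -s 256, --pbkdf argon2id, --hash sha256 (the options used above).
# UUID, salt and digest values are placeholders, not values from any real header.
SAMPLE_LUKS_DUMP = """\
LUKS header information
Version:       \t2
Epoch:         \t3
Metadata area: \t16384 [bytes]
Keyslots area: \t16744448 [bytes]
UUID:          \t00000000-0000-0000-0000-000000000000
Label:         \t(no label)
Subsystem:     \t(no subsystem)
Flags:       \t(no flags)

Data segments:
  0: crypt
\toffset: 16777216 [bytes]
\tlength: (whole device)
\tcipher: aes-xts-plain64
\tsector: 512 [bytes]

Keyslots:
  0: luks2
\tKey:        256 bits
\tPriority:   normal
\tCipher:     aes-xts-plain64
\tCipher key: 256 bits
\tPBKDF:      argon2id
\tTime cost:  7
\tMemory:     1048576
\tThreads:    4
\tSalt:       00 00 00 00
\tAF stripes: 4000
\tAF hash:    sha256
\tArea offset:32768 [bytes]
\tArea length:258048 [bytes]
\tDigest ID:  0
Tokens:
Digests:
  0: pbkdf2
\tHash:       sha256
\tIterations: 100000
\tSalt:       00 00 00 00
\tDigest:     00 00 00 00
"""


def parse_luks_dump(text):
    """Extract header version, data-segment cipher and per-keyslot key size / PBKDF / AF hash."""
    info = {"version": None, "cipher": None, "keyslots": []}
    m = re.search(r"^Version:\s*(\d+)", text, re.M)
    if m:
        info["version"] = int(m.group(1))
    # The lowercase "cipher:" line belongs to the data segment; keyslots use "Cipher:".
    m = re.search(r"^\s*cipher:\s*(\S+)", text, re.M)
    if m:
        info["cipher"] = m.group(1)
    # A keyslot is a "  N: luks2" line followed by tab-indented key/value lines.
    for m in re.finditer(r"^\s*(\d+): luks2\n((?:\t.*\n)+)", text, re.M):
        block = m.group(2)
        slot = {"id": int(m.group(1))}
        for key, pattern in (("key_bits", r"^\tKey:\s*(\d+) bits"),
                             ("pbkdf", r"^\tPBKDF:\s*(\S+)"),
                             ("af_hash", r"^\tAF hash:\s*(\S+)")):
            km = re.search(pattern, block, re.M)
            slot[key] = km.group(1) if km else None
        slot["key_bits"] = int(slot["key_bits"]) if slot["key_bits"] else None
        info["keyslots"].append(slot)
    return info


def effective_key_bits(cipher, key_bits):
    """XTS uses two independent keys of equal size (data key and tweak key), so the
    AES strength is half the LUKS key size: -s 256 is AES-128, -s 512 is AES-256."""
    parts = cipher.split("-")
    mode = parts[1] if len(parts) > 1 else ""
    return key_bits // 2 if mode == "xts" else key_bits


def audit_luks_header(text):
    """Return (parsed info, list of findings) for one luksDump output."""
    info = parse_luks_dump(text)
    findings = []
    if info["version"] != 2:
        findings.append(f"header version {info['version']} is not LUKS2")
    for slot in info["keyslots"]:
        eff = effective_key_bits(info["cipher"], slot["key_bits"])
        if eff < 256:
            findings.append(f"keyslot {slot['id']}: {info['cipher']} with a "
                            f"{slot['key_bits']}-bit key is AES-{eff}; -s 512 would give AES-256")
        if slot["pbkdf"] != "argon2id":
            findings.append(f"keyslot {slot['id']}: PBKDF is {slot['pbkdf']}, not the memory-hard argon2id")
    return info, findings


if __name__ == "__main__":
    # Audit piped luksDump output, or the built-in sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LUKS_DUMP
    info, findings = audit_luks_header(text)
    print(f"cipher={info['cipher']} keyslots={info['keyslots']}")
    for f in findings:
        print("finding:", f)
```

After the luksFormat step, run it as `cryptsetup luksDump /dev/nvme0n1p2 | python3 luks_audit.py` (the file name is just a suggestion); with no piped input it audits the built-in sample, which reports the AES-128 finding for the 256-bit XTS key.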
Create mount point and mount the root partition:
~ # mkdir -p /mnt/gentoo
~ # mount /dev/mapper/root /mnt/gentoo
~ # cd /mnt/gentoo
Stage 3 install
Download the stage 3 to /mnt/gentoo from Gentoo mirrors.
Extract the archive:
/mnt/gentoo # tar xvJpf stage3-*.tar.xz --xattrs --numeric-owner
Chroot:
/mnt/gentoo # cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
/mnt/gentoo # mount -t proc /proc /mnt/gentoo/proc && mount --rbind /sys /mnt/gentoo/sys && mount --make-rslave /mnt/gentoo/sys && mount --rbind /dev /mnt/gentoo/dev && mount --make-rslave /mnt/gentoo/dev
/mnt/gentoo # test -L /dev/shm && rm /dev/shm && mkdir /dev/shm && mount -t tmpfs -o nosuid,nodev,noexec shm /dev/shm && chmod 1777 /dev/shm
/mnt/gentoo # chroot /mnt/gentoo /bin/bash
root # source /etc/profile
Mount the boot partition:
root # mount /dev/nvme0n1p1 /boot
The disk layout should now look similar to this:
root # lsblk
nvme0n1 disk
├─nvme0n1p1 768M part /boot
└─nvme0n1p2 110G part
  └─root 110G crypt /
Configure system files, choose profile and emerge @world
Partition and encrypt a second drive for /home
First, create a key file that will be used to unlock the drive at boot so I don't need to enter a passphrase twice (this is acceptable because /root lives on the already-encrypted root filesystem):
root # touch /root/home.key
root # chmod 400 /root/home.key
root # dd if=/dev/urandom of=/root/home.key bs=512 count=1
I will use the whole drive for the home partition:
root # parted -a optimal /dev/nvme1n1
Set the default units to mebibytes:
(parted) unit mib
Create a GPT partition table:
(parted) mklabel gpt
Create the partition using all the disk:
(parted) mkpart primary 1 -1
(parted) name 1 home
(parted) quit
...or just use gparted....
Encrypt the partition:
root # cryptsetup --type luks2 -v -c aes-xts-plain64 -s 256 --hash sha256 --iter-time 2000 --pbkdf argon2id --use-urandom --key-file /root/home.key luksFormat /dev/nvme1n1p1
Open the encrypted partition:
root # cryptsetup luksOpen --key-file /root/home.key /dev/nvme1n1p1 home
Format the filesystem:
root # mkfs.ext4 -m 0 -L "home" /dev/mapper/home
Find the device UUID with blkid and edit /etc/crypttab:
root # blkid /dev/nvme1n1p1
/dev/nvme1n1p1: UUID="7h1515n0-74r3-4luu-idd0-n7u5317n0w4y" TYPE="crypto_LUKS" PARTLABEL="primary" PARTUUID="7h1515n0-74r3-lp4r-7uu1-dd0n7u5317n0"
root # vim /etc/crypttab
home UUID=7h1515n0-74r3-4luu-idd0-n7u5317n0w4y /root/home.key luks,discard
Edit /etc/fstab accordingly and done!!!
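As an added check for the key-file and crypttab steps above, not part of the original guide: a Python script that parses crypttab entries and verifies what the unattended unlock relies on: the referenced key file exists, is a regular file owned by the expected user with no group/other permission bits (the `chmod 400` above), holds a sensible amount of key material, and does not live on the unencrypted /boot partition; the device reference is a well-formed UUID or a /dev path; and `discard` is reported as a note, since TRIM on a LUKS volume reveals which blocks are unused. The crypttab text and the temporary key file are constructed for the demo (the UUID is a placeholder, not a real volume's), and `expect_uid` exists only so the demo runs as a non-root user; against a real system use the default of root.

```python
import os
import re
import stat
import tempfile

UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed /etc/crypttab content in the shape of the entry above.
# The UUID is a placeholder; {keyfile} is filled in by demo().
SAMPLE_CRYPTTAB = ("# <name> <device> <keyfile> <options>\n"
                   "home UUID=11111111-2222-3333-4444-555555555555 {keyfile} luks,discard\n")


def parse_crypttab(text):
    """Parse crypttab lines into dicts with name, device, keyfile and options."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least a name and a device")
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def check_keyfile(path, expect_uid=0):
    """Problems with a key file used for unattended unlock; empty list means fine."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: key file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is readable "
                        f"by group/other; expected 0400")
    if st.st_uid != expect_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expect_uid}")
    if st.st_size < 32:
        problems.append(f"{path}: only {st.st_size} bytes of key material")
    if path.startswith("/boot/"):
        problems.append(f"{path}: lives on the unencrypted /boot partition")
    return problems


def audit_crypttab(text, expect_uid=0):
    """Return {name: {"problems": [...], "notes": [...]}} for each crypttab entry."""
    report = {}
    for e in parse_crypttab(text):
        problems, notes = [], []
        if e["device"].startswith("UUID="):
            if not UUID_RE.match(e["device"][5:]):
                problems.append(f"{e['name']}: malformed UUID {e['device'][5:]}")
        elif not e["device"].startswith("/dev/"):
            problems.append(f"{e['name']}: device {e['device']} is neither UUID= nor a /dev path")
        if e["keyfile"] != "none":
            problems += check_keyfile(e["keyfile"], expect_uid)
        else:
            notes.append(f"{e['name']}: unlocked by passphrase prompt at boot")
        if "discard" in e["options"]:
            notes.append(f"{e['name']}: discard enabled, so TRIM exposes which blocks of the volume are unused")
        report[e["name"]] = {"problems": problems, "notes": notes}
    return report


def demo(mode=0o400):
    """Audit the constructed crypttab against a temporary 512-byte key file with the given mode."""
    with tempfile.TemporaryDirectory() as d:
        keyfile = os.path.join(d, "home.key")
        with open(keyfile, "wb") as f:
            f.write(os.urandom(512))  # same size as the dd command above
        os.chmod(keyfile, mode)
        return audit_crypttab(SAMPLE_CRYPTTAB.format(keyfile=keyfile), expect_uid=os.getuid())


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # On the installed system: audit_crypttab(open("/etc/crypttab").read())
```

Running the demo with the default mode gives no problems and one note about `discard`; calling `demo(0o644)` shows the permission finding you would get if the `chmod 400` step had been skipped.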