Full Disk Encryption From Scratch Simplified

This article walks through using dm-crypt for full disk encryption with LVM on a daily-use system, from scratch, with some notes for SSDs.

Most of the details can also be found in the LUKS-LVM filesystem (Sakaki's Unofficial Install Guide) article.

Disk preparation
This example uses GPT as the disk partition scheme and GRUB as the boot loader. parted is used as the partitioning tool, though any capable tool will work.

Create partitions
The partition scheme for a common desktop system is as follows. Systems without a graphical UI get along with a smaller root partition, e.g. 20-30 GB.

/dev/sdX
|--> GRUB BIOS                    2 MB      no fs       grub loader itself
|--> /boot            boot        512 MB    fat32       grub and kernel
|--> LUKS encrypted               100%      encrypted   encrypted binary block
     |--> LVM         lvm         100%
          |--> /      root        40 GB     ext4        rootfs
          |--> /var   var         40 GB     ext4        var files
          |--> /home  home        100%      ext4        user files

To create the partitions, start parted on the disk with the following command:

Set the default units to mebibytes:

Create a GPT partition table:

Create the BIOS partition:

Create the boot partition. It will hold the GRUB files, the unencrypted kernel and its initramfs:

Everything is done; exit parted:

Create boot filesystem
Create the filesystem on /dev/sdX2, which will hold the GRUB and kernel files. This partition is read by the UEFI firmware, and most motherboards can read only FAT32 filesystems:

Prepare encrypted partition
Next, set up dm-crypt on /dev/sdX3:

Encrypt the LVM partition /dev/sdX3 with LUKS:

LVM creation
Open the encrypted device:

Create the LVM structure that maps the partition to /, /var and /home:

Create the physical volume on the opened device:

Create the volume group vg0:

Create the logical volume for the root (/) filesystem:

Create the logical volume for the /var filesystem:

Create the logical volume for the /home filesystem:
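The whole procedure from the GPT label down to the three logical volumes, as one script. This is an added example, not code from the wiki page: every privileged command goes through a small run() wrapper that only prints the command when DRY_RUN=1, so the plan can be reviewed before it touches a disk. The sizes come from the table above; the volume group name vg0, the LV names root/var/home and the mapper name lvm for the opened LUKS container are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands. With DRY_RUN=1 nothing is
# executed; the commands are printed instead. Assumed names: vg0, LVs root,
# var and home, mapper name "lvm" for the opened LUKS container.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# part DISK N -> partition device name (handles the "p" infix of nvme/mmc names)
part() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

# Refuse to continue unless the target looks like a whole-disk device and,
# outside dry-run mode, actually is a block device.
check_disk() {
    case "$1" in
        /dev/sd?|/dev/vd?|/dev/nvme?n?) ;;
        *) echo "refusing to partition '$1': not a whole-disk device name" >&2; return 1 ;;
    esac
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "$1" ]; then
        echo "$1 is not a block device" >&2
        return 1
    fi
}

prepare_disk() {
    disk=$1
    check_disk "$disk" || return 1
    boot=$(part "$disk" 2)
    luks=$(part "$disk" 3)

    # 1. GPT label, 2 MB BIOS boot partition, 512 MB FAT32 boot partition,
    #    the rest for the LUKS container (sizes in MiB, from the table).
    run parted -a optimal --script "$disk" \
        unit mib \
        mklabel gpt \
        mkpart primary 1 3 name 1 grub set 1 bios_grub on \
        mkpart primary fat32 3 515 name 2 boot set 2 boot on \
        mkpart primary 515 100% name 3 lvm
    run mkfs.vfat -F32 "$boot"

    # 2. LUKS container on partition 3. luksFormat asks for the uppercase
    #    YES confirmation and the passphrase interactively.
    run cryptsetup luksFormat "$luks"
    run cryptsetup luksOpen "$luks" lvm

    # 3. LVM on the opened container: PV, VG vg0, three LVs, ext4 on each.
    run pvcreate /dev/mapper/lvm
    run vgcreate vg0 /dev/mapper/lvm
    run lvcreate -L 40G -n root vg0
    run lvcreate -L 40G -n var vg0
    run lvcreate -l 100%FREE -n home vg0
    run mkfs.ext4 /dev/vg0/root
    run mkfs.ext4 /dev/vg0/var
    run mkfs.ext4 /dev/vg0/home
}

# Usage: DRY_RUN=1 FDE_DISK=/dev/sdX sh fde-prep.sh   (review the plan first)
if [ -n "${FDE_DISK:-}" ]; then
    prepare_disk "$FDE_DISK"
fi
```

Review the printed plan with DRY_RUN=1 before running it for real; the device-name check is there because a typo such as /dev/sdX3 instead of /dev/sdX would otherwise put a partition table inside an existing partition.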

Gentoo installation
Create the mount point for the Gentoo installation:

Mount the root filesystem from the encrypted LVM volume:

Create the mount point for /var:

Mount /var from the encrypted LVM volume:

And cd into the mount point:

Stage 3 install
Download a stage3 tarball from https://www.gentoo.org/downloads/mirrors into the mount point.

For example:

Unpack the downloaded archive:
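Before unpacking, check the tarball against its .DIGESTS file. This is an added example, not part of the wiki page: it assumes the DIGESTS layout used on Gentoo mirrors (a "# SHA512 HASH" header followed by "<hash>  <filename>" lines) and compares the listed SHA512 with the downloaded file. Verifying the DIGESTS file's own signature (gpg --verify against the release key) is the other half of the check and is not performed here.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a stage3 tarball against
# its .DIGESTS file before unpacking it into the new system.
# Assumed DIGESTS format: "# SHA512 HASH" section header, then
# "<sha512>  <filename>" lines (other sections, e.g. BLAKE2B, are skipped).

sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# expected_sha512 DIGESTS TARBALL -> the SHA512 the DIGESTS file lists for
# TARBALL (exact filename match, so "x.tar.xz.CONTENTS" never matches "x.tar.xz")
expected_sha512() {
    digests=$1 name=$(basename "$2")
    awk -v name="$name" '
        /^# /                                { sect = $2 }
        sect == "SHA512" && $2 == name       { print $1; exit }
    ' "$digests"
}

# verify_stage3 TARBALL DIGESTS -> 0 if the hash matches, 1 otherwise
verify_stage3() {
    tarball=$1 digests=$2
    want=$(expected_sha512 "$digests" "$tarball")
    if [ -z "$want" ]; then
        echo "no SHA512 entry for $(basename "$tarball") in $digests" >&2
        return 1
    fi
    have=$(sha512_of "$tarball")
    if [ "$have" != "$want" ]; then
        echo "SHA512 mismatch for $tarball (expected $want, got $have)" >&2
        return 1
    fi
    echo "ok: $tarball matches $digests"
}

# Usage, inside the mount point:
#   STAGE3=stage3-amd64-<date>.tar.xz sh verify-stage3.sh \
#     && tar xpf "$STAGE3" --xattrs-include='*.*' --numeric-owner
if [ -n "${STAGE3:-}" ]; then
    verify_stage3 "$STAGE3" "${DIGESTS:-$STAGE3.DIGESTS}"
fi
```

A hash mismatch means a corrupt or altered download; do not unpack it. Because the DIGESTS file travels over the same channel as the tarball, its detached signature is what ties the hash to the Gentoo release engineering key.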

Configuring compile options
Open the file with nano and set up the required flags. See the Stages (AMD64 Handbook) article.

Chroot prepare
Copy the DNS information:

Mount all required filesystems into the chroot:

Mount the shm filesystem:

Enter the chroot:

And run: export PS1="(chroot) $PS1" so the prompt shows that you are inside the chroot.

Mount the boot partition:

Install the Portage files:

Choose and install the correct profile:

Select the profile:

Set the correct timezone:

Configure locales:

Set the default locale:

Update the environment:

Configure fstab
To reference the required partitions consistently, use their UUIDs rather than device names, which can change between boots.

Run the following and note the partition UUIDs:

Edit fstab and enter the correct filesystems:

Configuring the Linux kernel
Install the kernel sources, genkernel and cryptsetup packages:

Build the kernel and initramfs with genkernel:

All modern CPUs such as Intel Core i7, Ryzen and even older Xeons support the AES-NI instruction set, which significantly improves encryption and decryption performance (check for the aes flag in /proc/cpuinfo; cryptsetup benchmark shows the resulting throughput). To enable AES-NI support in the Linux kernel, select the AES-NI cipher in Cryptographic API as built-in, not as a module.

Optionally:

Install GRUB2
Don't forget to change "(REPLACE ME WITH sdb3 UUID from above)" to the actual value.

Mount the boot partition:

Install GRUB with EFI:

Make sure that it is configured correctly; with UEFI in particular, GRUB and the kernel might use different framebuffer drivers. Generate the GRUB configuration file:

Finalizing
While still in the chroot, remember to set the root password before rebooting:

After the install is complete, add the lvm service to the boot runlevel. If this is not done, grub-mkconfig will at the very least print "WARNING: Failed to connect to lvmetad. Falling back to internal scanning."

More steps to take:
* Handbook:AMD64/Installation/Tools
* Handbook:AMD64/Installation/Finalizing

SSD tricks
SSD trim allows an operating system to inform a solid-state drive (SSD) which blocks of data are no longer in use and can be wiped internally. Because the low-level operation of SSDs differs significantly from hard drives, the way operating systems traditionally handle operations like deletes and formats caused unanticipated, progressive degradation of write performance on SSDs. Trimming lets the SSD handle garbage collection more efficiently, which would otherwise slow future writes to the involved blocks.

To enable SSD trim for an encrypted root filesystem on LVM, edit the following file:

This tells the kernel to enable trim on the root filesystem.

Edit the configuration file:

This tells the LVM layer to pass discards through to the SSD.

With SSDs and UEFI boot, the boot sequence might be too fast: after the correct passphrase is entered, the kernel complains about missing modules or no root device. Try adding the parameter to the kernel command line in the GRUB configuration, or append it directly in the edit mode of the GRUB menu when booting.
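The two trim settings above, applied idempotently to configuration files with a backup copy. This is an added example and not the wiki page's own commands. The page leaves the file and option names out, so the ones used here are my assumptions, taken from the LVM and genkernel documentation: issue_discards = 1 in /etc/lvm/lvm.conf for the LVM layer, and genkernel's root_trim=yes appended to GRUB_CMDLINE_LINUX in /etc/default/grub for the kernel/initramfs side. Both functions take the file path as a parameter so they can be tried on a copy first; GNU sed is assumed for sed -i.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumed settings:
#   /etc/lvm/lvm.conf   issue_discards = 1   (LVM passes discards to the PV)
#   /etc/default/grub   root_trim=yes in GRUB_CMDLINE_LINUX (genkernel opens
#                       the encrypted root with discards allowed)
# Each function keeps a FILE.bak copy and does nothing if already applied.

# enable_lvm_discards FILE: set issue_discards = 1, preferring an existing
# uncommented line, else uncommenting a "# issue_discards = ..." line.
# Refuses to guess where the option belongs if no such line exists.
enable_lvm_discards() {
    conf=$1
    if grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=[[:space:]]*1([[:space:]]|$)' "$conf"; then
        return 0
    fi
    cp "$conf" "$conf.bak"
    if grep -Eq '^[[:space:]]*issue_discards[[:space:]]*=' "$conf"; then
        sed -i -E 's/^([[:space:]]*issue_discards[[:space:]]*=[[:space:]]*)[0-9]+/\11/' "$conf"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*issue_discards[[:space:]]*=' "$conf"; then
        sed -i -E 's/^([[:space:]]*)#[[:space:]]*(issue_discards[[:space:]]*=[[:space:]]*)[0-9]+/\1\21/' "$conf"
    else
        echo "no issue_discards line in $conf; add it to the devices { } section by hand" >&2
        return 1
    fi
}

# add_root_trim FILE: append root_trim=yes to GRUB_CMDLINE_LINUX, creating
# the variable if absent. Run grub-mkconfig afterwards for it to take effect.
add_root_trim() {
    grubdef=$1
    if grep -Eq '^GRUB_CMDLINE_LINUX=.*root_trim=yes' "$grubdef"; then
        return 0
    fi
    cp "$grubdef" "$grubdef.bak"
    if grep -q '^GRUB_CMDLINE_LINUX=' "$grubdef"; then
        # insert before the closing quote, then drop the leading space left
        # behind when the value was empty
        sed -i -E -e 's/^(GRUB_CMDLINE_LINUX="[^"]*)"/\1 root_trim=yes"/' \
                  -e 's/^(GRUB_CMDLINE_LINUX=)" /\1"/' "$grubdef"
    else
        printf 'GRUB_CMDLINE_LINUX="root_trim=yes"\n' >> "$grubdef"
    fi
}

# Usage (as root): APPLY_TRIM=1 sh ssd-trim.sh
if [ "${APPLY_TRIM:-0}" = 1 ]; then
    enable_lvm_discards /etc/lvm/lvm.conf
    add_root_trim /etc/default/grub
fi
```

Before enabling either setting, confirm that the drive actually supports discard (lsblk -D shows non-zero DISC-GRAN/DISC-MAX columns for devices that do); passing discards through an encrypted volume also reveals which blocks are unused, which is the trade-off the page's performance argument accepts.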

Simple disk encryption without lvm
Encryption works as follows in this scenario:

The OS makes an I/O request to the filesystem on the mapped device. Because the device-mapper layer knows that this mapped device is encrypted, it asks the encryption layer (dm-crypt) to encrypt the I/O data for myname; the encrypted data then goes to the physical device associated with myname. Reads take the same path in reverse.

Creating partition
Fire up parted against the disk (/dev/sdX in this example). It is recommended to ask parted to use optimal partition alignment:

Now parted is used to create the partitions. See Handbook:AMD64/Installation/Disks for information on how to create partitions.

Just create a partition of the expected size; don't set a partition type or format it. See the next section for the following steps.

Create encryption layer for partition
After creating the partition, encrypt it (where sdX is the name of the device created in the previous step):

Enter YES in uppercase, enter the passphrase for the encrypted disk, and voilà: the encrypted part of the disk is ready.

Create file system on encrypted layer
Open the encrypted part of the disk:

myname is the name of the mapped device.

Create an ext4 filesystem on the encrypted device:

Final mount
Now the encrypted device is ready to be mounted into the system.

Mount encrypted luks device
And mount the device into the system:

Automatic mount of encrypted disk at boot
At boot, the dmcrypt service reads the configuration file /etc/conf.d/dmcrypt and gets the list of targets (disks) that should be mapped. After it successfully maps them and creates the mapped devices under /dev/mapper/*, fstab mounts the devices from /dev/mapper/* to their mount points.

First, create the directory that will contain the keys for encrypting/decrypting devices:

Create a 4k keyfile named main:

Add the main keyfile to the list of keys that can decrypt the disk (technically: add the keyfile to a LUKS key slot):

Find the UUID of the encrypted disk with the blkid command. For example, blkid returns output like this:

Note: look for the filesystem with type **crypto_LUKS**

In this example, /dev/sda1 is encrypted with the /etc/keys/main key.

Configure the dmcrypt service. It opens the LUKS encrypted device with the /etc/keys/main key and maps it under a chosen name. For example:

Edit the file:

In this example, dmcrypt opens the block device with UUID 91d7fd8f-fa64-42f3-8491-ba9464c0c064 with the key /etc/keyfiles/main and creates the mapped device at /dev/mapper/data.

Check that dmcrypt works by starting the service manually:

If dmcrypt started without problems, there are no errors in /var/log/messages and the mapped device /dev/mapper/data exists, then everything is fine and dmcrypt can be added to the boot runlevel.

Add dmcrypt to the boot runlevel:

Add to fstab where and how the mapped device should be mounted.

Find the UUID of the mapped device: execute blkid and look for /dev/mapper/data.

In the example below, the UUID of the mapped device /dev/mapper/data is 4be7f323-3f7e-47c7-91a3-b37d04e951aa (don't forget to start dmcrypt before this step).

Add the mapped device to /etc/fstab: edit /etc/fstab and add a row with the UUID of the mapped device, the mount point and the filesystem type on the mapped device. For example:

Here UUID is the ID of the mapped device /dev/mapper/data, /mnt/data is the mount point and ext4 is the filesystem type on the mapped device.
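The blkid-to-configuration work described in this section (and the UUID-based fstab setup under "Configure fstab" above), as an added example that is not the wiki page's own code. It parses blkid output, checks that the chosen device really has TYPE crypto_LUKS and that the mapped device already exists, creates the keyfile with root-only permissions, and prints the /etc/conf.d/dmcrypt stanza and the /etc/fstab row. The target=/source=/key= layout is the one Gentoo's dmcrypt init script reads; the sample blkid lines are constructed, reusing the two UUIDs quoted on the page, and the device names, key path and mount point are parameters.

```shell
#!/bin/sh
# Added example (not from the wiki page): derive the dmcrypt stanza and the
# fstab row from blkid output, with the checks the page describes in prose.

# Constructed blkid output for offline use (UUIDs are the page's examples).
# Real usage pipes `blkid` in instead of this variable.
BLKID_SAMPLE='/dev/sda1: UUID="91d7fd8f-fa64-42f3-8491-ba9464c0c064" TYPE="crypto_LUKS" PARTUUID="a1b2c3d4-01"
/dev/sda2: UUID="ABCD-1234" TYPE="vfat" PARTUUID="a1b2c3d4-02"
/dev/mapper/data: UUID="4be7f323-3f7e-47c7-91a3-b37d04e951aa" TYPE="ext4"'

# blkid_field DEV FIELD: print FIELD (UUID, TYPE, ...) of DEV from blkid
# output on stdin. Tokens are KEY="value"; UUID and TYPE never contain
# spaces, so whitespace splitting is safe for them.
blkid_field() {
    awk -v dev="$1:" -v field="$2" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == field) { gsub(/"/, "", kv[2]); print kv[2]; exit }
            }
        }'
}

# luks_devices: list every device blkid reports as crypto_LUKS
luks_devices() {
    awk '/TYPE="crypto_LUKS"/ { sub(/:$/, "", $1); print $1 }'
}

# make_keyfile PATH: 4 KiB of random key material in a root-only directory,
# mode 0400, so the key cannot be read by other local users.
make_keyfile() {
    ( umask 077
      mkdir -p "$(dirname "$1")"
      dd if=/dev/urandom of="$1" bs=4096 count=1 2>/dev/null
      chmod 0400 "$1" )
}

# dmcrypt_stanza TARGET LUKS_UUID KEYFILE -> entry for /etc/conf.d/dmcrypt
dmcrypt_stanza() {
    printf "target=%s\nsource='UUID=%s'\nkey='%s'\n" "$1" "$2" "$3"
}

# fstab_line FS_UUID MOUNTPOINT FSTYPE [OPTIONS] -> row for /etc/fstab
fstab_line() {
    printf 'UUID=%s\t%s\t%s\t%s\t0 2\n' "$1" "$2" "$3" "${4:-defaults}"
}

# plan_encrypted_mount LUKSDEV TARGET KEYFILE MOUNTPOINT: reads blkid output
# on stdin and prints both configuration entries, refusing if LUKSDEV is not
# crypto_LUKS or /dev/mapper/TARGET is absent (dmcrypt not started yet).
plan_encrypted_mount() {
    luksdev=$1 target=$2 keyfile=$3 mountpoint=$4
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | blkid_field "$luksdev" TYPE)" != crypto_LUKS ]; then
        echo "$luksdev is not a crypto_LUKS device" >&2
        return 1
    fi
    luksuuid=$(printf '%s\n' "$out" | blkid_field "$luksdev" UUID)
    fsuuid=$(printf '%s\n' "$out" | blkid_field "/dev/mapper/$target" UUID)
    fstype=$(printf '%s\n' "$out" | blkid_field "/dev/mapper/$target" TYPE)
    if [ -z "$fsuuid" ]; then
        echo "/dev/mapper/$target not found: start the dmcrypt service first" >&2
        return 1
    fi
    echo "# /etc/conf.d/dmcrypt"
    dmcrypt_stanza "$target" "$luksuuid" "$keyfile"
    echo "# /etc/fstab"
    fstab_line "$fsuuid" "$mountpoint" "$fstype"
}

# Demo on the constructed sample (real usage: blkid | plan_encrypted_mount ...)
printf '%s\n' "$BLKID_SAMPLE" | plan_encrypted_mount /dev/sda1 data /etc/keys/main /mnt/data
```

The two UUIDs are deliberately different things: the dmcrypt source is the UUID of the LUKS header on the raw partition, while the fstab row uses the UUID of the ext4 filesystem inside the mapped device, which only exists after dmcrypt has opened it.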