Full Disk Encryption From Scratch Simplified

This article discusses several aspects of using Dm-crypt for full disk encryption with LVM (with some notes for SSD) for daily usage from scratch.

Most of details can also be found in the LUKS-LVM filesystem (Sakaki's Install Guide).

Disk preparation
In this example, we will use GPT as disk partition schema and grub as boot loader. You can create disk schema with gparted.

.

Create partitions
Partition schema is as following: /dev/sdX |--> GRUB BIOS                      2   MB       no fs       grub loader itself |--> /boot                boot      512 Mb       fat32       grub and kernel |--> LUKS encrypted                 100%         encrypted   encrypted binary block |--> LVM             lvm       100% |--> /         root      25  Gb       ext4        rootfs |--> /var      var       40  Gb       ext4        var files |--> /home     home      100%         ext4        user files

To create GRUB BIOS, issue the following command:

Set the default units to mebibytes:

Create a GPT partition table:

Create the BIOS partition:

Create boot partition. This partition will contain grub files, plain (unencrypted) kernel and kernel initrd:

Everything is done, exit from parted:

Create boot filesystem
Create filesystem for /dev/sdX2, that will contain grub and kernel files. This partition is read by UEFI bios. Most of motherboards can ready only FAT32 filesystems:

Prepare encrypted partition
In the next step, we configure DM-CRYPT for /dev/sdX3:

Crypt LVM partition /dev/sdX3 with LUKS:

LVM creation
Open encrypted device:

Create lvm structure for partition mapping (/root, /var, /home):

Crypt physical volume group:

Create volume group vg0:

Create logical volume for /root fs:

Create logical volume for /var fs:

Create logical volume for /home fs

Gentoo installation
Create mount point for permanent Gentoo:

Mount rootfs from encrypted LVM partition:

Mount var from encrypted LVM partition:

And cd into /mnt/gentoo:

Stage 3 install
Download stage3 to /mnt/gentoo from https://www.gentoo.org/downloads/mirrors

For example:

Unzip the downloaded archive:

Configuring compile options
Open /mnt/gentoo/etc/portage/make.conf with nano and setup required flags. See Stages (AMD64 Handbook) article.

Chroot prepare
Copy DNS info:

Mount all required fs into chroot:

Mount shm fs:

Enter chroot:

And run: export PS1="(chroot) $PS1"

Mounting the boot partition:

Install Portage files:

Choose and install correct profile:

Select profile:

Setup correct timezone:

Configure locales:

Set default locale:

Update env:

Run export PS1="(chroot) $PS1"

Configure fstab
For correct setup of required partition, will be used UUID technique.

Run blkid and see partition IDs:

/dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d" /dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5" /dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f" /dev/mapper/lvm: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member" /dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4" /dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4" /dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"

Edit /etc/fstab and setup correct filesystem:

UUID=DB1D-89C5                                 /boot           vfat            noauto,noatime  1 2 UUID=6bedbbd8-cea9-4734-9c49-8e985c61c120      /               ext4            defaults        0 1 UUID=61e4cc83-a1ee-4190-914b-4b62b49ac77f      /var            ext4            defaults        0 1 UUID=5d6ff087-50ce-400f-91c4-e3378be23c00      /home           ext4            defaults        0 1 tmpfs                                          /tmp            tmpfs           size=4Gb        0 0 tmpfs                                          /run            tmpfs           size=100M       0 0 shm                                            /dev/shm        tmpfs           nodev,nosuid,noexec 0 0
 * 1)                                                                
 * 1) tmps
 * 1) shm

Configuring the Linux kernel
Install kernel, genkernel and cryptsetup packages:

Build genkernel:

install GRUB2
GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=6a7a642a-3262-4f87-9540-bcd53969343b root=/dev/mapper/vg0-root"

Mount boot:

Install GRUB with EFI:

Generate grub configuration file:

SSD tricks
Add to /etc/default/grub trim command:

GRUB_CMDLINE_LINUX="...root_trim=yes"

edit /etc/lvm/lvm.conf LVM issue_discards = 1