User:Nathanlkoch/Tutorials/BTRFS Encryped Root On UEFI

The following article should get you up and running with an encrypted luks and btrfs root system for EFI. Typically I follow the handbook and the Full Disk Encryption documentation as I do similar installs.

Partition the drive
We create a bios boot partition and use the remaining space for the root partition.

(After thought)

''I advise you make a third partition. Do the same with 0n1p3 and use cryptsetup to format it. Then use mk.swap on the luks container and auto unlock it with crypttab. Remember you need to enable the "cryptsetup" flag on systemd.''

Encrypt partition
First we'll format the partitions

Format the first partition for /boot as EFI capable

Finally we open the root partition

Create filesystem, mountpoints and subvolumes
Now we format the mapped partition.

Next we create the mountpoints, mount the filesystems and create subvolumes

Stage 3
As per the Gentoo handbook download and install stage3 to your /mnt/newroot directory and extract.

Handbook:AMD64/Installation/Stage

Enter the chroot
We now need to chroot into and do the usual chroot stuff.

Entering the new environment
Now that all partitions are initialized and the base environment installed, it is time to enter the new installation environment by chrooting into it. This means that the session will change its root (most top-level location that can be accessed) from the current installation environment (installation CD or other installation medium) to the installation system (namely the initialized partitions). Hence the name, change root or chroot.

This chrooting is done in three steps:


 * 1) The root location is changed from  (on the installation medium) to  (on the partitions) using chroot
 * 2) Some settings (those in ) are reloaded in memory using the  command
 * 3) The primary prompt is changed to help us remember that this session is inside a chroot environment.

Now follow the install handbook like you normally would. Update world etc...

Required packages
First add the required use flags for the packages.

Set the grub type for your system in /etc/portage/make.conf

Install the required packages

If this installs newer kernel sources, please change the symlink either using or do it manually, build the kernel and reboot. After that proceed from here.

Crypttab
Enable cryptsetup

mtab/fstab
Check that contains the following lines and if not, add them:

Next change to this:

Build kernel and initramfs
Now we'll create the kernel with the required configuration.

Customize grub
We'll change to fit our needs.

You will need to point your grub loader to unlock the UUID of your encrypted luks disk.

You can find the UUID of the disk by:

Now should look like this (i use systemd!):

Generate grub.cfg
We'll use to generate the

Booting from encrypted disk
Make sure you boot from !!

You'll be asked for the password to unlock the boot partition and after that it should boot up as normal (without further password request!)

Reboot
At this point you should have a full encrypted and working system.

You should now reboot. Grub will ask you for the password.

After that you should not be prompted for password input anymore.

Advanced Configurations
I would like to figure out how to make the contents of /boot encrypted while leaving /boot/efi and /boot/grub unencryped and configure grub to unlock the crypto disk before attempting to load the kernel. Leaving the kernel and the initramfs within the encrypted luks disk. Grub theoretically can do it. I just can't get it working. I was following this tutorial Full Encrypted Btrfs/Native System Root Guide but couldn't get a prompt for password. It seems a bit out dated. After tinkering for a bit I opted for this method. https://github.com/duxsco/gentoo-installation Apparently it can be done but there are a bunch of external resources needed and appears to be complicated. I am currently investigating.

__INDEX__