Full Disk Encryption From Scratch Simplified

This article discusses several aspects of using dm-crypt for full disk encryption with LVM (with some notes for SSD) for daily usage from scratch.

Most of details can also be found in the LUKS-LVM filesystem (Sakaki's Unofficial Install Guide).

Disk preparation
This example will use GPT as disk partition schema and GRUB as boot loader. will be used as the partitioning tool though any valid tool will work.

Create partitions
Partition schema for a common desktop system is as following. Headless systems get along with a smaller root partition, e.g. 20-30GiB. /dev/sdX |--> GRUB BIOS                      2   MB       no fs       GRUB loader itself |--> /boot                boot      512 MB       fat32       GRUB and kernel |--> LUKS encrypted                 100%         encrypted   encrypted block device |--> LVM             lvm       100% |--> /         root      40  GB       ext4        root filesystem |--> /var      var       40  GB       ext4        var files |--> /home     home      100%         ext4        user files

To create GRUB BIOS, issue the following command:

Set the default units to mebibytes:

Create a GPT partition table:

Create the BIOS partition:

Create boot partition. This partition will contain GRUB files, the plain (unencrypted) kernel and the kernel initrd:

Everything is done, exit :

Create boot filesystem
Create a filesystem for, that will contain GRUB and kernel files. This partition is read by UEFI BIOS. Most motherboards can read only a FAT32 filesystem:

Prepare encrypted partition
In the next step, configure dm-crypt for :

Encrypt LVM partition with LUKS:

LVM creation
Open the encrypted device:

Create the LVM structure for partition mapping (,, and ):

Crypt physical volume group:

Create volume group :

Create logical volume for filesystem:

Create logical volume for filesystem:

Create logical volume for filesystem:

File Systems
Build ext4 filesystem on each logical volume:

Gentoo installation
Create mount point for permanent Gentoo:

Mount the root filesystem from the encrypted LVM partition:

Create mount point for permanent Gentoo :

Mount var from encrypted LVM partition:

And switch into :

Stage 3 install
Download the stage3 to from Gentoo mirrors.

For example:

Extract the downloaded archive:

Or for the currently used (2022) xz compression use:

Configuring compile options
Open with Nano and setup required flags. See Stages (AMD64 Handbook) article.

Chroot prepare
Copy DNS info:

Mount all required filesystems into chroot:

Mount shm filesystem:

Enter chroot:

And run:

Mounting the boot partition:

Synchronize ebuild repository:

Choose and install correct profile:

Select profile:

Setup the correct timezone:

Configure locales:

Set default locale:

Update the environment:

Configure fstab
For consistent setup of the required partition, use the UUID identifier.

Run and see partition IDs:

Edit /etc/fstab and setup correct filesystem:

Configuring the Linux kernel
Make sure to enable for :

Install kernel, genkernel, and cryptsetup packages:

Build genkernel:

Modern processors, like Intel Core or AMD Ryzen, support AES-NI instruction set. AES-NI significantly improves encryption/decryption performance. To enable AES-NI support in the kernel:

Optionally:

Install GRUB2
Don't forget to change "(REPLACE ME WITH sdb3 UUID from above)" to the actual value.

Unlock LUKS encrypted root partition with key file stored on usb device:

Mount boot:

Install GRUB with EFI:

Make sure that is configured correctly. Especially with UEFI GRUB and kernel might use different framebuffer drivers. Generate GRUB configuration file:

Finalizing
While in the chroot setup, it is important to remember to set the root password before rebooting:

After the install is complete, add the LVM service to boot. If this is not done, at the very least will throw "WARNING: Failed to connect to lvmetad. Falling back to internal scanning."

More steps to take:
 * Handbook:AMD64/Installation/Tools
 * Handbook:AMD64/Installation/Finalizing

SSD tricks
SSD trim allows an operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered in use and can be wiped internally. Because low-level operation of SSDs differs significantly from hard drives, the typical way in which operating systems handle operations like deletes and formats resulted in unanticipated progressive performance degradation of write operations on SSDs. Trimming enables the SSD to more efficiently handle garbage collection, which would otherwise slow future write operations to the involved blocks. To enable SSD trim of encrypted root filesystem on LVM, edit the file if using genkernel:

If using dracut to generate the intiramfs the use:

If using systemd-based initramfs the use:

This will notify the kernel to enable trim on roots.

Edit the configuration file:

This will notify LVM layer to enable SSD trim.

When using SSDs and UEFI-boot the boot sequence might be too fast. When entering the correct passphrase, the kernel will complain about missing modules or no root device. Try to add  to   in, or directly append it in edit mode of the GRUB menu when booting.

Simple disk encryption without LVM
Encryption are works in such scenario:

OS makes I/O request to mapped filesystem on device. As internal layer in OS knows, that this mapped device are encrypted, it asks for Encryption OS layer to encrypted I/O data on "myname", and after that encrypted data goes to physical device, associated with "myname".

Creating partition
Start against the physical device (in this example,  is used). It is recommended to ask to use optimal partition alignment:

Now will be used to create the partitions. See Handbook:AMD64/Installation/Disks for information, how to create partition.

Just create partition with expected partition size, don't set partition type or format it. See next section for steps.

Create encryption layer for partition
After creating partition, encrypt this partition (where is name of the device created at previous step):

Enter YES in uppercase. Enter password for encrypting disk. Now the encrypted disk is ready.

Create file system on encrypted layer
Open encrypted part of disk:

Where "myname" is name of the mapped device.

Create ext4 filesystem on the encrypted device:

Final mount
Now encrypted device ready for final mount into system:

Mount encrypted LUKS device
And mount of this device into system:

Automatic mount of encrypted disk at boot
At boot, the service reads the configuration file  and gets a list of targets (devices) that should be mapped. After succesfully mapping and creating a mapped device at, fstab will mount the device from to some mount point.

First, create the directory that will contain the keys for encryption and decryption of the devices:

Create 4KiB keyfile with name :

Add the keyfile to the list of keys, that can decrypt the disk (technically: add the keyfile to the LUKS slot):

Find the UUID of the encrypted disk with the command. For example, can return the following output:

Note the filesystem labeled as  type.

In this example, is encrypted with the  key.

Configure the service. The service opens the LUKS encrypted device with  key and maps it with some name. For example:

Edit file :

In this example, will open the block device with UUID 91d7fd8f-fa64-42f3-8491-ba9464c0c064 with key  and create a mapped mount point at.

Check that works fine. Start the service manually:

If started without problems, there are no errors in, and the mapped device  exists, then everything is fine and the  service may be added to be started at the boot step.

Add to be started at boot:

Add to fstab where and how the mapped device should be mounted.

Find the UUID of the mapped devices. Execute the command and find the UUID of mapped device :

In the example below, the UUID of the mapped device is 4be7f323-3f7e-47c7-91a3-b37d04e951aa.

Add those mapped devices to. Edit and add a row with the UUID, mount point, and filesystem type of the mapped device. For example:

Here UUID is the identifyer of the mapped device, is the mount point, and ext4 is the filesystem type of the mapped device.