Full Disk Encryption From Scratch Simplified

This article walks through the pieces needed to set up dm-crypt (LUKS) full disk encryption with LVM on Gentoo from scratch, with some notes for SSDs, in a form suitable for daily use.

Most of the details can be found in the excellent guide here: https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Preparing_the_LUKS-LVM_Filesystem_and_Boot_USB_Key

= Disk Preparation =

This HOWTO uses a GPT partition table and the GRUB boot loader. The partition layout is created with gparted.

Create partitions
The partition layout is:

 /dev/sdX
  |--> GRUB BIOS                  2 MB     no fs       grub loader itself
  |--> /boot          boot        512 Mb   fat32       grub and kernel
  |--> LUKS encrypted             100%     encrypted   encrypted binary block
       |--> LVM      lvm         100%
            |--> /      root     25 Gb    ext4        rootfs
            |--> /var   var      40 Gb    ext4        var files
            |--> /home  home     100%     ext4        user files

Create the GRUB BIOS partition

Set the default units to megabytes

Create the GPT partition table

Create the BIOS partition

Create the boot partition. This partition will contain the GRUB files, the plain (unencrypted) kernel and the kernel initrd

Everything is done, exit from parted

Create boot filesystem
Create the filesystem on /dev/sdX2, which will contain the GRUB and kernel files. This partition is read by the UEFI firmware, and most motherboards can read only FAT32.

Prepare encrypted partition
In the next step, configure dm-crypt for /dev/sdX3.

Encrypt the LVM partition /dev/sdX3 with LUKS

LVM creation
Open the encrypted device

Create the LVM structure for the partition mapping (/, /var, /home):

Create the physical volume

Create the volume group vg0

Create the logical volume for the root (/) filesystem

Create the logical volume for the /var filesystem

Create the logical volume for the /home filesystem

File Systems
= Gentoo installation =

Create the mount point for the permanent Gentoo installation:

Mount the root filesystem from the encrypted LVM volume

Mount /var from the encrypted LVM volume

And cd into /mnt/gentoo

Stage 3 install
Download stage3 to /mnt/gentoo from https://www.gentoo.org/downloads/mirrors.

For example:

Unpack the downloaded archive

Configuring compile options
Open /mnt/gentoo/etc/portage/make.conf with nano and set the required flags. See https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage

Chroot prepare
Copy the DNS info

Mount all required filesystems into the chroot

Mount the shm filesystem

Enter chroot

And run: export PS1="(chroot) $PS1"

Mount the boot partition

Install the Portage files

Choose and install the correct profile

Select the profile

Set the correct timezone

Configure the locales

Set the default locale

Update the environment

Run export PS1="(chroot) $PS1"

Configure fstab
Partitions are referenced by UUID rather than by device name, so the entries stay correct even if the disk is enumerated differently on a later boot.

Run blkid and note the partition IDs:

 /dev/sdb1: UUID="4F20-B9DB" TYPE="vfat" PARTLABEL="grub" PARTUUID="70b1627b-57e7-4559-877a-355184f0ab9d"
 /dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
 /dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
 /dev/mapper/lvm: UUID="HL32bg-ZjrZ-RBo9-PcFM-DmaQ-QbrC-9HkNMk" TYPE="LVM2_member"
 /dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
 /dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
 /dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"

Edit /etc/fstab and set up the filesystems using those UUIDs (the tmpfs size must be given as 4G; the kernel rejects a "4Gb" suffix):

 UUID=DB1D-89C5                                 /boot           vfat            noauto,noatime       1 2
 UUID=6bedbbd8-cea9-4734-9c49-8e985c61c120      /               ext4            defaults             0 1
 UUID=61e4cc83-a1ee-4190-914b-4b62b49ac77f      /var            ext4            defaults             0 1
 UUID=5d6ff087-50ce-400f-91c4-e3378be23c00      /home           ext4            defaults             0 1
 tmpfs                                          /tmp            tmpfs           size=4G              0 0
 tmpfs                                          /run            tmpfs           size=100M            0 0
 shm                                            /dev/shm        tmpfs           nodev,nosuid,noexec  0 0

Configuring the Linux kernel
Install the kernel, genkernel and cryptsetup packages

Build the kernel with genkernel

Install grub2
Set the kernel command line in /etc/default/grub so the initramfs activates LVM and unlocks the LUKS container, referenced by the crypto_LUKS UUID from the blkid output above:

 GRUB_CMDLINE_LINUX="dolvm crypt_root=UUID=6a7a642a-3262-4f87-9540-bcd53969343b root=/dev/mapper/vg0-root"
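The two values that silently break the boot when copied wrong are the UUIDs in fstab and the crypt_root= UUID in the GRUB command line. The script below is an added example, not part of the original article: it derives UUID-keyed fstab lines from blkid output and checks that crypt_root= names the crypto_LUKS device. BLKID_SAMPLE is a constructed copy of the blkid output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): derive UUID-keyed fstab lines from
# blkid output and check that crypt_root= in GRUB_CMDLINE_LINUX names the LUKS partition.
# BLKID_SAMPLE is a constructed copy of the blkid output shown on this page.
BLKID_SAMPLE='/dev/sdb2: UUID="DB1D-89C5" TYPE="vfat" PARTLABEL="boot" PARTUUID="b2a61809-4c19-4685-8875-e7fdf645eec5"
/dev/sdb3: UUID="6a7a642a-3262-4f87-9540-bcd53969343b" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="be8e6694-b39c-4d2f-9f42-7ca455fdd64f"
/dev/mapper/vg0-root: UUID="6bedbbd8-cea9-4734-9c49-8e985c61c120" TYPE="ext4"
/dev/mapper/vg0-var: UUID="61e4cc83-a1ee-4190-914b-4b62b49ac77f" TYPE="ext4"
/dev/mapper/vg0-home: UUID="5d6ff087-50ce-400f-91c4-e3378be23c00" TYPE="ext4"'

# blkid_field DEV KEY: print the KEY="..." value of DEV
# (the space before $2 keeps PARTUUID= from matching a request for UUID=)
blkid_field() {
    printf '%s\n' "$BLKID_SAMPLE" | sed -n "s|^$1:.* $2=\"\([^\"]*\)\".*|\1|p"
}

# fstab_line DEV MOUNTPOINT OPTIONS DUMP PASS: one fstab entry keyed by UUID, never by
# /dev name, so it survives the disk showing up as sda instead of sdb on the next boot
fstab_line() {
    uuid=$(blkid_field "$1" UUID)
    fstype=$(blkid_field "$1" TYPE)
    [ -n "$uuid" ] || { echo "no UUID for $1 in blkid output" >&2; return 1; }
    printf 'UUID=%s\t%s\t%s\t%s\t%s %s\n' "$uuid" "$2" "$fstype" "$3" "$4" "$5"
}

# check_crypt_root CMDLINE: succeed only if crypt_root=UUID=<x> is the UUID of the
# crypto_LUKS device; with a stale UUID the initramfs never finds the container
check_crypt_root() {
    want=$(printf '%s\n' "$1" | sed -n 's/.*crypt_root=UUID=\([^ "]*\).*/\1/p')
    luks=$(printf '%s\n' "$BLKID_SAMPLE" | sed -n 's|^\([^:]*\):.*TYPE="crypto_LUKS".*|\1|p')
    [ -n "$want" ] && [ -n "$luks" ] && [ "$want" = "$(blkid_field "$luks" UUID)" ]
}

# Command line as set in this page's /etc/default/grub
GRUB_CMDLINE_LINUX='dolvm crypt_root=UUID=6a7a642a-3262-4f87-9540-bcd53969343b root=/dev/mapper/vg0-root'

if check_crypt_root "$GRUB_CMDLINE_LINUX"; then
    echo "crypt_root matches the crypto_LUKS partition"
else
    echo "crypt_root does NOT match any crypto_LUKS device" >&2
fi
fstab_line /dev/sdb2 /boot noauto,noatime 1 2
fstab_line /dev/mapper/vg0-root / defaults 0 1
fstab_line /dev/mapper/vg0-var /var defaults 0 1
fstab_line /dev/mapper/vg0-home /home defaults 0 1
```

On a real system replace BLKID_SAMPLE with the output of blkid and compare the printed lines against /etc/fstab before the first reboot out of the chroot.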

Mount /boot

Install GRUB with EFI support

Generate the GRUB configuration file

initscripts
The lvm and dmcrypt init scripts need to be started at boot. For OpenRC:

= SSD tricks =

Add the trim option to the kernel command line in /etc/default/grub. Note that enabling discards on an encrypted device lets the SSD, and anyone reading it, see which blocks are unused:

 GRUB_CMDLINE_LINUX="...root_trim=yes"

Edit /etc/lvm/lvm.conf and enable discards for LVM:

 issue_discards = 1