Rootfs encryption
Encrypting the root filesystem can enhance privacy, and prevent unauthorized access.
Installation
Emerge
cryptsetup is included in the livecd.
root #emerge --ask sys-fs/cryptsetupSystem preparation
This guide is designed to be followed as part of a fresh Gentoo install, the install procedure can be followed until the following step: AMD64 Handbook: Designing a partition scheme
Disk preparation
Partitioning typically does not involve modification of any of the data in partitions. If a drive is re-partitioned then encrypted, old data may remain in an unencrypted form until it is overwritten.
Modern storage devices may not be securely erased with something like dd if=/dev/urandom of=/dev/sdX. See Secure wipe for more information.
This example will use GPT as disk partition schema. fdisk will be used as the partitioning tool though any partitioning utility will work.
For more information about GPT and EFI, see Disks (AMD64 Handbook).
Create disk partitions
A common setup for a basic system with a single drive may contain a partition for the boot files, and a partition for the system root.
/dev/nvme0n1
├── /dev/nvme0n1p1 [EFI] /boot 1 GB fat32 Bootloader, bootloader support files, kernel and initramfs
└── /dev/nvme0n1p2 [LUKS] (crypt) ->END luks encrypted partition
└── rootfs / ->END btrfs root partition
Create partitions
To create a partition layout using fdisk, start by creating a fresh partition table on the root disk:
root #fdisk /dev/nvme0n1Welcome to fdisk (util-linux 2.38.1). Changes will remain in memory only, until you decide to write them. Be careful before using the write command. Device does not contain a recognized partition table. Created a new DOS disklabel with disk identifier 0x81391dbc.
Command (m for help):gWith a GPT partition table created, the boot partition can be added using n:
Command (m for help):nPartition number (1-128, default 1):
First sector (2048-1953525134, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): +1G
Created a new partition 1 of type 'Linux filesystem' and of size 1 GiB.The ESP properties can be set using t:
Command (m for help):tSelected partition 1 Partition type or alias (type L to list all): 1 Changed type of partition 'Linux filesystem' to 'EFI System'.
The root partition can be crated with:
Command (m for help):nPartition number (1-128, default 2):
First sector (1050624-1953525134, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-1953525134, default 1953523711):
Created a new partition 2 of type 'Linux filesystem' and of size 931 GiB.Finally, the changes can be written with w:
Command (m for help):wThe partition table has been altered. Calling ioctl() to re-read partition table. Syncing disks.
Create the LUKS encrypted partition
To prepare the encrypted filesystem, dm-crypt can be used:
To ensure the dm-crypt module is loaded, the following command can be used:
root #modprobe dm-cryptThe status of the module can be checked with:
user $lsmod | grep dm-cryptTo format the root partition using LUKS, secured with a passphrase:
root #cryptsetup luksFormat --key-size 512 /dev/nvme0n1p2WARNING! ======== This will overwrite data on /dev/nvme0n1p2 irrevocably. Are you sure? (Type 'yes' in capital letters): YES Enter passphrase for /dev/nvme0n1p2:
LUKS Header Backup
Do not forget this step, keys/passwords are used to decrypt the LUKS header, if it is destroyed for some reason, the remaining data will only be recoverable with the header file.
The headers can be backed up with:
root #cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file crypt_headers.imgOpen the LUKS volume
The encrypted device must be opened and mapped before it can be used, this can be done with:
root #cryptsetup luksOpen /dev/nvme0n1p2 cryptIn this example, the volume is opened and mapped to /dev/mapper/crypt.
Format the Filesystems
Create a filesystem for /dev/nvme0n1p1, the boot partition which will contain bootloader and kernel files. This partition is read by UEFI. Most motherboards can read only a FAT32 filesystem:
root #mkfs.vfat -F32 /dev/nvme0n1p1Next create root filesystem (in this example btrfs is used):
root #mkfs.btrfs -L rootfs /dev/mapper/cryptGentoo installation
If this procedure is being followed during a Gentoo install (in place of Handbook:AMD64/Full/Installation through Handbook:AMD64/Full/Installation), the following steps can be used to mount the created partition, to continue with the install.
Mount the root partition
The root file system can be mounted at this created location with:
root #mount LABEL=rootfs /mnt/gentooFinalizing the Gentoo install
The general install guide should apply. A few considerations must be made, the initial RAM filesystem must be built with support for decrypting the root partition, and the bootloader must be installed and configured.
At this point, the Gentoo install can be continued normally: Installing a stage tarball with a few considerations, listed below.
fstab configuration
The correct /etc/fstab file must be edited, if this is being done before chrooting, ensure the correct path is being used. More information exists in the filesystem portion of the install guide.
For consistent volume mounting, labels and UUIDs must be used.
Block devices and their associated partition IDs can be viewed with:
root #lsblk -o name,uuidNAME UUID sdb ├─nvme0n1p1 BDF2-0139 └─nvme0n1p2 4bb45bd6-9ed9-44b3-b547-b411079f043b └─crypt cb070f9e-da0e-4bc5-825c-b01bb2707704
With the partition UUIDs and labels identified, /etc/fstab can be edited to add relevant mounts:
/mnt/gentoo/etc/fstab# <fs> <mountpoint> <type> <opts> <dump/pass>
UUID=BDF2-0139 /boot vfat noauto,noatime 1 2
LABEL=rootfs / btrfs defaults 0 1
Initramfs configuration
An initramfs must be used to decrypt and mount the root partition. This can be accomplished using Dracut, using parameters passed in the kernel command line.
This configuration should be done while chrooted, or on a live system.
The following modules must be added to the add_dracutmodules directive in /etc/dracut.conf:
/etc/dracut.confMinimum required components to decrypt LUKS volumes using dracutadd_dracutmodules+=" crypt dm rootfs-block "
The spacing for Dracut configuration directives is very important. Ensure there are no spaces between add_dracutmodules and +=", parameters in add_dracutmodules must be padded with spaces.
Dracut can be configured to build with configuration for LUKS hardcoded, first disk information must be obtained:
root #lsblk -o name,uuidNAME UUID sda └─sda1 BDF2-0139 nvme0n1 └─nvme0n1p1 4bb45bd6-9ed9-44b3-b547-b411079f043b └─crypt cb070f9e-da0e-4bc5-825c-b01bb2707704
/etc/dracut.confEmbed cmdline parameters for rootfs decryptionkernel_cmdline+=" root=UUID=cb070f9e-da0e-4bc5-825c-b01bb2707704 rd.luks.uuid=4bb45bd6-9ed9-44b3-b547-b411079f043b "
Embedding the
root= option into the kernel commandline is required when using sys-boot/systemd-boot, but redundant when using GRUB's grub-mkconfig, which will automatically add that parameter.If systemd is used as init-system, it should be compiled with cryptsetup USE-flag:
/etc/portage/package.use/systemdsys-apps/systemd cryptsetup
And rebuild systemd:
root #emerge --ask sys-apps/systemdOnce Dracut is configured, a new initramfs can be generated by running:
root #dracutDracut writes the file to /boot by default, this must be mounted.
If the initramfs is being generated for a kernel other than the currently active one, --kver must be used:
root #dracut --kver 6.1.28-gentoo
This can happen in a situation when the kernel version in the Gentoo Live CD differs from the emerged sys-kernel/gentoo-sources in the kernel compilation process.
Possible kernel versions can be found by using ls /lib/modules.
See also
- Dm-crypt — a disk encryption system using the kernels crypto API framework and device mapper subsystem.
- Dm-crypt full disk encryption — discusses several aspects of using dm-crypt for (full) disk encryption.