User:Den4ikRus/Rootfs encryption
Disk preparation
Partitions layout
In this example root volume takes 9GiB and swap volume takes 1GiB. However in real life scenario it would be wise to give root volume at least 50-100Gib. Following guidelines can be used to choose swap size.
/dev/vda
├── /dev/vda1 [EFI] /boot 512M vfat Kernel, initramfs
└── /dev/vda2 [luks] (crypt) ->END luks Encrypted root device, mapped to the name 'crypt'
└── /dev/mapper/crypt (volg) ->END lvm LVM volume group
├─volg-root [root] / 9G xfs Logical volume created for the root directory
├─volg-swap [SWAP] 1G swap Logical volume created for swap
└─volg-home /home 100%free xfs Logical volume created for the home directory
Create new GPT table
Create new GPT partition table using fdisk command.
root #fdisk /dev/vdaWelcome to fdisk (util-linux 2.39.3). Changes will remain in memory only, until you decide to write them. Be careful before using the write command. Device does not contain a recognized partition table. Created a new DOS (MBR) disklabel with disk identifier 0xf04c8fac.
Command (m for help):gCreated a new GPT disklabel (GUID: 2DAC3F52-EE02-4378-9F27-1F0C26103046).
Create EFI partition
Add new partition with the size of 512MiB.
Command (m for help):nPartition number (1-128, default 1):
First sector (2048-31457246, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31457246, default 31455231): +512M
Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.
Set partition type to EFI System
Command (m for help):tSelected partition 1 Partition type or alias (type L to list all): 1 Changed type of partition 'Linux filesystem' to 'EFI System'.
Create LUKS partition
Add another partition that takes all leftover space.
Command (m for help):n
Partition number (2-128, default 2):
First sector (1050624-31457246, default 1050624):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-31457246, default 31455231):
Created a new partition 2 of type 'Linux filesystem' and of size 14.5 GiB.
Save partition table
Command (m for help):wThe partition table has been altered. Calling ioctl() to re-read partition table. Syncing disks.
Create encrypted LUKS volume
Create encrypted LUKS volume with specified label that will be used later to simplify setting kernel parameters.
root #cryptsetup luksFormat /dev/vda2 --label luks
WARNING!
========
This will overwrite data on /dev/vda2 irrevocably.
Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/vda2:
Verify passphrase:
Open LUKS volume
root #cryptsetup luksOpen /dev/vda2 cryptEnter passphrase for /dev/vda2:
Create LVM Paritions
Create LVM volume group
root #vgcreate volg /dev/mapper/cryptPhysical volume "/dev/mapper/crypt" successfully created. Volume group "volg" successfully created
Create LVM logical volumes
First we create logical volume for root partition and limit its size to 9G (as an example). However in real life situations 50-100G would be more appropriate.
root #lvcreate --name root -L 9G volgThen we create logical volume for swap partition and again we limit its size using 1G (as an example).
root #lvcreate --name swap -L 1G volgLast logical volume will be used for home partition. We give it all the remaining space.
root #lvcreate --name home -l 100%free volgA good idea to give the home partition around 80% of the remaining space instead of 100%. That way you have 20% of the space remaining unused and in the future you can easily grow one of the logical volumes if needed.
Format the filesystems
Use vfat for EFI partition because UEFI implementations on most motherboards can only read vfat filesystem.
root #mkfs.vfat /dev/vda1Use xfs for / and /home partitions because its a simple to use and robust filesystem like ext4. However unlike ext4 it has COW (Copy-on-write) that speeds up IO.
root #mkfs.xfs /dev/volg/rootroot #mkfs.xfs /dev/volg/homeJust a regular old swap partition.
root #mkswap /dev/volg/swapGentoo installation
Kernel
/etc/portage/package.usesys-kernel/installkernel dracut
root #emerge --ask sys-kernel/gentoo-kernel-binLVM
/etc/portage/package.usesys-fs/lvm2 lvm
root #emerge --ask sys-fs/lvm2OpenRC
root #rc-update add lvm bootSystemd
root #systemctl enable lvm2-monitor.serviceCryptsetup
OpenRC
root #emerge --ask sys-fs/cryptsetupSystemd
/etc/portage/package.usesys-apps/systemd cryptsetup
root #emerge --ask --oneshot sys-fs/systemdInitramfs
OpenRC
/etc/dracut.confhostonly="yes"
add_dracutmodules=" crypt lvm "
kernel_cmdline="root=LABEL=root rd.luks.name=LABEL=luks"
Systemd
/etc/dracut.confhostonly="yes"
add_dracutmodules=" crypt lvm "
kernel_cmdline="root=LABEL=root"
After changing dracut.conf file it is required to generate new initramfs. This can be done with the following command.
root #emerge --config gentoo-kernel-binfstab
/etc/fstabLABEL=EFI /boot vfat umask=0077 0 2
/dev/volg/root / xfs defaults,noatime 0 1
/dev/volg/home /home xfs defaults,noatime 0 2
/dev/volg/swap none swap sw 0 0
Booting with efibootmgr
OpenRC
root #efibootmgr --create --disk /dev/vda --label "Gentoo" --loader vmlinuz-6.6.41-gentoo-dist --unicode 'initrd=initramfs-6.6.41-gentoo-dist.img'SystemD
root #efibootmgr --create --disk /dev/vda --label "Gentoo" --loader vmlinuz-6.6.41-gentoo-dist --unicode 'initrd=initramfs-6.6.41-gentoo-dist.img rd.luks.uuid=b40f1abf-2a53-400a-889a-2eccc27eaa40'When using Systemd unfortunately it is not possible to set encrypted luks volume with its LABEL. Only rd.luks.uuid notation works.