User:Den4ikRus/Rootfs encryption

From Gentoo Wiki
Jump to:navigation Jump to:search

Disk preparation

Partitions layout

In this example root volume takes 9GiB and swap volume takes 1GiB. However in real life scenario it would be wise to give root volume at least 50-100Gib. Following guidelines can be used to choose swap size.

CODE Partition layout
/dev/vda
 ├── /dev/vda1 [EFI]          /boot   512M     vfat Kernel, initramfs
 └── /dev/vda2 [luks]         (crypt) ->END    luks Encrypted root device, mapped to the name 'crypt'
      └── /dev/mapper/crypt   (volg)  ->END    lvm  LVM volume group
           ├─volg-root [root] /       9G       xfs  Logical volume created for the root directory
           ├─volg-swap        [SWAP]  1G       swap Logical volume created for swap
           └─volg-home        /home   100%free xfs  Logical volume created for the home directory

Create new GPT table

Create new GPT partition table using fdisk command.

root #fdisk /dev/vda
Command (m for help):g

Create EFI partition

Add new partition with the size of 512MiB.

Command (m for help):n
Partition number (1-128, default 1):                                                                                                    
First sector (2048-31457246, default 2048):                                                                                             
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-31457246, default 31455231): +512M

Set partition type to EFI System

Command (m for help):t
                                                                                                               
Selected partition 1                                                                                                                    
Partition type or alias (type L to list all): 1

Create LUKS partition

Add another partition that takes all leftover space.

Command (m for help):n
                                                                                                               
Partition number (2-128, default 2):                                                                                                    
First sector (1050624-31457246, default 1050624):                                                                                       
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-31457246, default 31455231):

Save partition table

Command (m for help):w

Create encrypted LUKS volume

Create encrypted LUKS.

root #cryptsetup luksFormat /dev/vda2

Open LUKS volume

root #cryptsetup luksOpen /dev/vda2 crypt

Create LVM Paritions

Create LVM volume group

root #vgcreate volg /dev/mapper/crypt

Create LVM logical volumes

First we create logical volume for root partition and limit its size to 9G (as an example). However in real life situations 50-100G would be more appropriate.

root #lvcreate --name root -L 9G volg

Then we create logical volume for swap partition and again we limit its size using 1G (as an example).

root #lvcreate --name swap -L 1G volg

Last logical volume will be used for home partition. We give it all the remaining space.

root #lvcreate --name home -l 100%free volg
Note
A good idea to give the home partition around 80% of the remaining space instead of 100%. That way you have 20% of the space remaining unused and in the future you can easily grow one of the logical volumes if needed.

Format the filesystems

Use vfat for EFI partition because UEFI implementations on most motherboards can only read vfat filesystem.

root #mkfs.vfat /dev/vda1

Use xfs for / and /home partitions because its a simple to use and robust filesystem like ext4. However unlike ext4 it has COW (Copy-on-write) that speeds up IO.

root #mkfs.xfs /dev/volg/root
root #mkfs.xfs /dev/volg/home

Just a regular old swap partition.

root #mkswap /dev/volg/swap

Gentoo installation

Mount paritions

root #mount /dev/volg/root /mnt/gentoo
root #mkdir /mnt/gentoo/{boot,home
root #mount /dev/vda1 /mnt/gentoo/boot
root #mount /dev/volg/home /mnt/gentoo/home

Stage 3 and chroot

root #cd /mnt/gentoo
root #tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner -C /mnt/gentoo
root #cp /etc/resolv.conf /mnt/gentoo/etc
root #arch-chroot /mnt/gentoo

Fetch repo data & keys

root #emerge-webrsync && getuto

LVM & cryptsetup

FILE /etc/portage/package.use
sys-fs/lvm2 lvm
root #emerge --ask sys-fs/lvm2 sys-fs/cryptsetup

OpenRC

root #rc-update add lvm boot

Systemd

root #systemctl enable lvm2-monitor.service

Kernel install

OpenRC

FILE /etc/portage/package.use
sys-kernel/installkernel ugrd systemd-boot systemd uki ukify
sys-apps/systemd-utils kernel-install boot ukify

Systemd

FILE /etc/portage/package.use
sys-kernel/installkernel ugrd systemd-boot uki ukify
sys-apps/systemd boot ukify
root #emerge --ask --oneshot installkernel

systemd-boot

Systemd

root #systemd-machine-id-setup
root #systemd-firstboot --prompt
root #systemctl preset-all --preset-mode=enable-only
FILE /etc/ugrd/config.toml
modules = [                                                                                                                                                                                                                                                                                                                                                     
  "ugrd.fs.fakeudev",                                                                                                                                                                           
]

Install

root #bootctl install

fstab

FILE /etc/fstab
LABEL=EFI /boot vfat umask=0077 0 2

/dev/volg/root /     xfs defaults,noatime 0 1
/dev/volg/home /home xfs defaults,noatime 0 2

/dev/volg/swap none swap sw 0 0

Kernel

root #touch /etc/kernel/cmdline.txt
root #emerge --ask gentoo-kernel-bin

Enable serial console (optional)

FILE /etc/kernel/cmdline
console=ttyS0

OpenRC

later

Systemd

root #systemctl enable getty@ttyS0.service

Reboot

Set root password

root #passwd

Reboot into the installed system

root #reboot

See also

Retrieved from "https://wiki.gentoo.org/index.php?title=User:Den4ikRus/Rootfs_encryption&oldid=1333443"