User:Nathanlkoch/Tutorials/BTRFS Encryped Root On UEFI
The following article should get you up and running with an encrypted luks and btrfs root system for EFI. Typically I follow the handbook and the Full Disk Encryption documentation as I do similar installs.
Partition the drive
We create a bios boot partition and use the remaining space for the root partition.
root #gdisk /dev/nvme0n1Number Start (sector) End (sector) Size Code Name 1 2048 2508799 1.2 GiB EF02 EFI System 2 8192 250069679 119.2 GiB 8300 Linux filesystem 3 8192? 250069679? 12 GiB 8300 Linux filesystem
(After thought)
I advise you make a third partition. Do the same with 0n1p3 and use cryptsetup to format it. Then use mk.swap on the luks container and auto unlock it with crypttab. Remember you need to enable the "cryptsetup" flag on systemd.
Encrypt partition
First we'll format the partitions
root #cryptsetup luksFormat -s 256 -c aes-xts-plain64 /dev/nvme0n1p2root #cryptsetup luksFormat -s 256 -c aes-xts-plain64 /dev/nvme0n1p3Format the first partition for /boot as EFI capable
root #mkfs.vfat -F 32 /dev/nvme0n1p1Finally we open the root partition
root #cryptsetup luksOpen /dev/nvme0n1p2 Spaceroot #cryptsetup luksOpen /dev/nvme0n1p3 SwapCreate filesystem, mountpoints and subvolumes
Now we format the mapped partition.
root #mkfs.btrfs -L BTROOT /dev/mapper/Spaceroot #mkswap /dev/mapper/Swaproot #swapon /dev/mapper/SwapNext we create the mountpoints, mount the filesystems and create subvolumes
root #mkdir /mnt/btrfsmirror
root #mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag /dev/mapper/Space /mnt/btrfsmirror
root #mkdir /mnt/newroot
root #btrfs subvol create /mnt/btrfsmirror/activeroot
root #mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=activeroot /dev/mapper/Space /mnt/newroot
root #mkdir /mnt/newroot/home
root #mkdir /mnt/newroot/boot
root #btrfs subvol create /mnt/btrfsmirror/home
root #mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=home /dev/mapper/Space /mnt/newroot/homeroot #mount /dev/nvme0n1p1 /mnt/newroot/bootStage 3
As per the Gentoo handbook download and install stage3 to your /mnt/newroot directory and extract.
Handbook:AMD64/Installation/Stage
Chroot
Enter the chroot
We now need to chroot into /mnt/newroot and do the usual chroot stuff.
root #mount --types proc /proc /mnt/newroot/proc
root #mount --rbind /sys /mnt/newroot/sys
root #mount --make-rslave /mnt/newroot/sysroot #mount --rbind /dev /mnt/newroot/dev
root #mount --make-rslave /mnt/newroot/dev
root #mount --bind /run /mnt/newroot/run
root #mount --make-slave /mnt/newroot/run
The
--make-rslave operations are needed for systemd support later in the installation.When using non-Gentoo installation media, this might not be sufficient. Some distributions make /dev/shm a symbolic link to /run/shm/ which, after the chroot, becomes invalid. Making /dev/shm/ a proper tmpfs mount up front can fix this:
root #test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
root #mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm
Also ensure that mode 1777 is set:
root #chmod 1777 /dev/shm /run/shmEntering the new environment
Now that all partitions are initialized and the base environment installed, it is time to enter the new installation environment by chrooting into it. This means that the session will change its root (most top-level location that can be accessed) from the current installation environment (installation CD or other installation medium) to the installation system (namely the initialized partitions). Hence the name, change root or chroot.
This chrooting is done in three steps:
- The root location is changed from / (on the installation medium) to /mnt/newroot/ (on the partitions) using chroot
- Some settings (those in /etc/profile) are reloaded in memory using the source command
- The primary prompt is changed to help us remember that this session is inside a chroot environment.
root #chroot /mnt/newroot /bin/bash
root #source /etc/profile
root #export PS1="(chroot) ${PS1}"Now follow the install handbook like you normally would. Update world etc...
Required packages
First add the required use flags for the packages.
root #echo "sys-boot/grub device-mapper" >> /etc/portage/package.use
Set the grub type for your system in /etc/portage/make.conf
/etc/portage/make.comGRUB_PLATFORMS="efi-64"
root #env-updateInstall the required packages
root #emerge --ask btrfs-progs sys-boot/grubIf this installs newer kernel sources, please change the symlink either using eselect kernel or do it manually, build the kernel and reboot. After that proceed from here.
Crypttab
Enable cryptsetup
/etc/portage/package.use/systemdsys-apps/systemd cryptsetup
root #env-updateroot #emerge -av sys-apps/systemdroot #dd bs=512 count=4 if=/dev/random of=/etc/swap.key iflag=fullblockroot #openssl genrsa -out /etc/swap.key 4096root #chmod -v 0400 /etc/swap.keyroot #chown root:root /etc/swap.keyroot #cryptsetup luksAddKey /dev/3RDPARTSWAPLUKS /etc/swap.key/etc/crypttabswap UUID=youruuid /etc/swap.key luks
mtab/fstab
Check that /etc/mtab contains the following lines and if not, add them:
/etc/mtab/dev/mapper/Space / btrfs rw,noatime,compress=lzo,autodefrag,subvol=activeroot 0 0
/dev/mapper/Space /home btrfs rw,noatime,compress=lzo,autodefrag,subvol=home 0 0
Next change /etc/fstab to this:
/etc/fstabLABEL=BTROOT /mnt/btrfsmirror btrfs defaults,noatime,compress=lzo,autodefrag,subvolid=5 0 0
LABEL=BTROOT / btrfs defaults,noatime,compress=lzo,autodefrag,discard=async,subvol=activeroot 0 0
LABEL=BTROOT /home btrfs defaults,noatime,compress=lzo,autodefrag,discard=async,subvol=home 0 0
UUID=youruuid /boot vfat umask=0077 0 1
UUID=youruuid none swap sw,discard 0 0
Build kernel and initramfs
Now we'll create the kernel with the required configuration.
root #genkernel --luks --btrfs --oldconfig --save-config --menuconfig --install --bootloader=grub all[*] Enable loadable module support
Device Drivers --->
[*] Multiple devices driver support (RAID and LVM) --->
<*> Device mapper support
<*> Crypt target support
[*] Cryptographic API --->
<*> SHA224 and SHA256 digest algorithm
<*> XTS support
<*> AES cipher algorithms
<*> AES cipher algorithms (x86_64)
General setup --->
[*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
File Systems --->
[*] Btrfs filesystem support
Grub
Customize grub
We'll change /etc/default/grub to fit our needs.
You will need to point your grub loader to unlock the UUID of your encrypted luks disk.
You can find the UUID of the disk by:
root #blkidNow /etc/default/grub should look like this (i use systemd!):
/etc/default/grub...
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT=" crypt_root=UUID=THE_UUID_OF_LUKSDISK quiet splash"
...
Install grub into EFI disk
root #grub-install --target=x86_64-efi --efi-directory=/boot --removable --recheckGenerate grub.cfg
We'll use grub-mkconfig to generate the grub.cfg
root #grub-mkconfig -o /boot/grub/grub.cfgBooting from encrypted disk
Make sure you boot from /dev/nvme0n1 !!
You'll be asked for the password to unlock the boot partition and after that it should boot up as normal (without further password request!)
Reboot
At this point you should have a full encrypted and working system.
You should now reboot. Grub will ask you for the password.
After that you should not be prompted for password input anymore.
Troubleshooting
Advanced Configurations
I would like to figure out how to make the contents of /boot encrypted while leaving /boot/efi and /boot/grub unencryped and configure grub to unlock the crypto disk before attempting to load the kernel. Leaving the kernel and the initramfs within the encrypted luks disk. Grub theoretically can do it. I just can't get it working. I was following this tutorial Full Encrypted Btrfs/Native System Root Guide but couldn't get a prompt for password. It seems a bit out dated. After tinkering for a bit I opted for this method. https://github.com/duxsco/gentoo-installation Apparently it can be done but there are a bunch of external resources needed and appears to be complicated. I am currently investigating.