Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
how I installed gentoo with a full disk encryption
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
oxensepp
n00b
n00b


Joined: 01 May 2020
Posts: 42

PostPosted: Sat Nov 04, 2023 11:41 pm    Post subject: how I installed gentoo with a full disk encryption Reply with quote

Finally my gentoo with full disk encryption is running. Since I am not a nerd, computer scientist, programmer, security expert, ... it was a lot of learning and try-and-error for me.
I did like to show it, because I did not find a similar "guide", therefore it may be useful for others.
All kind of errors possible, you have been warned...! I worked a lot with copy and paste, so maybe I forgot something (hope not!). Apologies for any errors, however.

it provides a two factor authentification which I saw first from Sakaki (thank you very much!), but now without special changes to the system, all "out of the box".
Additionally, even /boot is encrypted.
Thanks also to gmpreussner, who set up an arch linux, see https://gmpreussner.com/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920. Basically I just adapted his really fine template for gentoo. So I have also the detached header, btrfs with subvolumes, ... Please see there for reference.
And it works just with usual gentoo tools, i.e. grub, genkernel, cryptsetup, .... It does not use dracut and gpg.

The computer has dual boot: Windows if you just press the power button and Linux, if you put in a boot stick before. This is done by the boot order and not part of my description. Also not described is the Windows installation, it took place before installing gentoo. A part of the sdd is occupied with windows, when the installation begins.

As usual, I have a gentoo installation image on USB and a second computer ('liszt', also linux) for more convenience. But lets start...



First, I prepare the boot stick for the target computer (that is the stick which later boots the encrypted system, do not confuse it with the gentoo installation stick, this is an USB stick with the gentoo installation iso image on it!)

Inset the boot stick into the helper computer -> /dev/sda.

Prepare EFI and (luks1-encrypted) boot partiton. I did that on the helper computer.

Code:

[root@liszt ~]# fdisk /dev/sda

Welcome to fdisk (util-linux 2.39.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): n
Partition number (1-128, default 1):
First sector (34-15730654, default 2048):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-15730654, default 15728639): +512M

Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.

Command (m for help): n
Partition number (2-128, default 2):
First sector (1050624-15730654, default 1050624):
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-15730654, default 15728639): +5G

Created a new partition 2 of type 'Linux filesystem' and of size 5 GiB.

Command (m for help): t
Partition number (1,2, default 2): 1
Partition type or alias (type L to list all): 1

Changed type of partition 'Linux filesystem' to 'EFI System'.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.
[root@liszt ~]# mkfs.fat -n EFI -F32 /dev/sda1
mkfs.fat 4.2 (2021-01-31)
[root@liszt ~]# cryptsetup --type=luks1 luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/sda2:
Verify passphrase:

root@liszt ~]# cryptsetup open /dev/sda2 luksboot
Enter passphrase for /dev/sda2:
[root@liszt ~]# mkfs.ext2 -L BOOT /dev/mapper/luksboot
mke2fs 1.47.0 (5-Feb-2023)
Creating filesystem with 1310208 4k blocks and 327680 inodes
Filesystem UUID: 8a73b562-f299-4828-83f9-aa6fd7213604
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                           
Writing inode tables: done                           
Writing superblocks and filesystem accounting information: done


now, mount it to /mnt/bootstick, generate a keyfile

Code:


[root@liszt ~]# mkdir /mnt/bootstick
[root@liszt ~]# mount /dev/mapper/luksboot /mnt/bootstick/
[root@liszt ~]# mkdir -p /mnt/bootstick/luks/mnt/header
[root@liszt ~]# mkdir -p /mnt/bootstick/luks/mnt/key
[root@liszt ~]# truncate -s 20M /mnt/bootstick/luks/mnt/header/nvme0n1p5.header
[root@liszt ~]# dd bs=8388608 count=1 if=/dev/urandom of=/mnt/bootstick/luks/mnt/key/nvme0n1p5.key
1+0 records in
1+0 records out
8388608 bytes (8.4 MB, 8.0 MiB) copied, 0.0370004 s, 227 MB/s


note: one MUST use the subdirectories mnt/header and mnt/key, because genkernel looks only there for header and key files. it is hardcoded in /usr/share/genkernel/default/initrd.scripts (later more).

nvme0n1p5 is the name of the partition with the luks container in it.

Unmount / close the USB key and pull it from the helper computer.

Insert the gentoo installation stick and power the computer on (and passwd root, start sshd, etc)
Insert the boot stick in the target computer.
SSH to the target computer.

Code:

nico@liszt:~ > ssh -l root 192.168.1.82
The authenticity of host '192.168.1.82 (192.168.1.82)' can't be established.
ED25519 key fingerprint is SHA256:TBoLChNa1UP6pdtuz2rr8mE6KiicfwPu8rNR278yTgM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.82' (ED25519) to the list of known hosts.
(root@192.168.1.82) Password:
Welcome to the Gentoo Linux Minimal Installation CD!

The root password on this system has been auto-scrambled for security.

If any ethernet adapters were detected at boot, they should be auto-configured
if DHCP is available on your network.  Type "net-setup eth0" to specify eth0 IP
address settings by hand.

Check /etc/kernels/kernel-config-* for kernel configuration(s).
The latest version of the Handbook is always available from the Gentoo web
site by typing "links https://wiki.gentoo.org/wiki/Handbook".

To start an ssh server on this system, type "/etc/init.d/sshd start".  If you
need to log in remotely as root, type "passwd root" to reset root's password
to a known value.

Please report any bugs you find to https://bugs.gentoo.org. Be sure to include
detailed information about how to reproduce the bug you are reporting.

Thank you for using Gentoo Linux!
livecd ~ # cryptsetup open /dev/sdb2 luksboot
Enter passphrase for /dev/sdb2:
livecd ~ # mkdir /mnt/bootstick
livecd ~ # mount /dev/mapper/luksboot /mnt/bootstick/
livecd ~ # fdisk /dev/nvme0n1

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

The backup GPT table is not on the end of the device. This problem will be corrected by
write.

Command (m for help): p
Command (m for help): p

Disk /dev/nvme0n1: 1.82 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: Seagate FireCuda 520 SSD ZP2000GM30002 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 477565AE-CB14-47F4-8552-5C03A6FF27EC

Device             Start       End   Sectors   Size Type
/dev/nvme0n1p1      2048   2099199   2097152     1G EFI System
/dev/nvme0n1p2   2099200   2361343    262144   128M Microsoft reserved
/dev/nvme0n1p3   2361344 493813759 491452416 234.3G Microsoft basic data
/dev/nvme0n1p4 493813760 500117503   6303744     3G Windows recovery environment

Command (m for help): n
Partition number (5-128, default 5):
First sector (500117504-3907029134, default 500117504): 500120000
Last sector, +/-sectors or +/-size{K,M,G,T,P} (500120000-3907029134, default 3907028991): +1500G

Created a new partition 5 of type 'Linux filesystem' and of size 1.5 TiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

livecd ~ # cryptsetup --key-size 512 luksFormat --align-payload 82000 /dev/nvme0n1p5 --key-file /mnt/bootstick/luks/mnt/key/nvme0n1p5.key --header /mnt/bootstick/luks/mnt/header/nvme0n1p5.header

WARNING!
========
This will overwrite data on /mnt/bootstick/luks/nvme0n1p5.header irrevocably.

Are you sure? (Type 'yes' in capital letters): YES



note: this generates a luks container with detached header and a corresponding key file.

note: --align-payload is deprecated, use --offset instead, but be aware that the numeric attribute is calculated differently! See man page.

now create the lvm stuff and the filesystems. See gmpreussner's guide for reference.

Code:

livecd ~ # cryptsetup --header=/mnt/bootstick/luks/nvme0n1p5.header --key-file=/mnt/bootstick/luks/nvme0n1p5.key luksOpen /dev/nvme0n1p5 luksroot


EDIT 2023-11-18: that's a typo! The pathes for key and header are incorrect. Use:
Code:

 cryptsetup --header=/mnt/bootstick/luks/mnt/header/nvme0n1p6.header --key-file=/mnt/bootstick/luks/mnt/key/nvme0n1p6.key luksOpen /dev/nvme0n1p6 luksroot


Code:

livecd ~ # ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Nov  1 17:58 control
lrwxrwxrwx 1 root root       7 Nov  1 18:05 luksboot -> ../dm-0
lrwxrwxrwx 1 root root       7 Nov  1 18:18 luksroot -> ../dm-1
livecd ~ # pvcreate /dev/mapper/luksroot
  Physical volume "/dev/mapper/luksroot" successfully created.
livecd ~ # vgcreate System /dev/mapper/luksroot
  Volume group "System" successfully created
livecd ~ # lvcreate -L 40G System -n swap
  Logical volume "swap" created.
livecd ~ # lvcreate -l 100%FREE System -n root
  Logical volume "root" created.
livecd ~ # mkswap /dev/mapper/System-swap
Setting up swapspace version 1, size = 40 GiB (42949668864 bytes)
no label, UUID=a879d846-15d3-43c7-95b4-e8b6617634aa
livecd ~ # swapon -d /dev/mapper/System-swap
livecd ~ # mkfs.btrfs -L root /dev/mapper/System-root

[output snipped]


EDIT 2023-11-18: I deleted to much here, sorry for that. the mount was missing:
Code:

 livecd ~ # mount /dev/mapper/System-root /mnt/gentoo/


Code:
[
livecd ~ # btrfs subvolume create /mnt/gentoo/@
Create subvolume '/mnt/gentoo/@'
livecd ~ # btrfs subvolume create /mnt/gentoo/@home
Create subvolume '/mnt/gentoo/@home'
livecd ~ # btrfs subvolume create /mnt/gentoo/@snapshots
Create subvolume '/mnt/gentoo/@snapshots'
livecd ~ # umount /mnt/gentoo/
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt/gentoo/
livecd ~ # mkdir /mnt/gentoo/home
livecd ~ # mkdir /mnt/gentoo/.snapshots
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/gentoo/home
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/gentoo/.snapshots
livecd ~ # mkdir /mnt/gentoo/var/
livecd ~ # btrfs subvolume create /mnt/gentoo/var/cache
Create subvolume '/mnt/gentoo/var/cache'
livecd ~ # btrfs subvolume create /mnt/gentoo/var/log
Create subvolume '/mnt/gentoo/var/log'
livecd ~ # btrfs subvolume create /mnt/gentoo/var/tmp
Create subvolume '/mnt/gentoo/var/tmp'
livecd ~ # umount /mnt/bootstick


note: umount /mnt/bootstick! we will need it again later, after chrooting.

now we can install the base system and some tooling.

Code:

livecd ~ # chronyd -q
2023-11-01T20:56:53Z chronyd version 4.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP
 +SCFILTER -SIGND +ASYNCDNS +NTS +SECHASH +IPV6 -DEBUG)
2023-11-01T20:56:53Z Wrong owner of /run/chrony (UID != 0)
2023-11-01T20:56:53Z Disabled command socket /run/chrony/chronyd.sock
2023-11-01T20:56:53Z Running with root privileges
2023-11-01T20:56:58Z System clock wrong by 27.926950 seconds (step)
2023-11-01T20:57:26Z chronyd exiting
ivecd /mnt/gentoo # wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20231029T164701Z/stage3-amd64-openrc-20231029T164701Z.tar.xz

[gpg checks snipped, see gentoo installation handbook]

livecd /mnt/gentoo # tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
[...]

[generating make.conf, etc snipped, see gentoo installation handbook]



Now, chroot and mount the bootstick again. Note sdb2, this is the boot stick.

Code:

livecd /mnt/gentoo # arch-chroot /mnt/gentoo
livecd / # source /etc/profile
livecd / # export PS1="(chroot) ${PS1}"
(chroot) livecd / # mount /dev/mapper/luksboot /boot/
(chroot) livecd / # mkdir /boot/EFI
(chroot) livecd / # mount /dev/sdb1 /boot/EFI
(chroot) livecd / # lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0               7:0    0 425.1M  1 loop 
sda                 8:0    1  14.3G  0 disk 
├─sda1              8:1    1   246K  0 part 
├─sda2              8:2    1   2.8M  0 part 
├─sda3              8:3    1 463.7M  0 part 
└─sda4              8:4    1   300K  0 part 
sdb                 8:16   1   7.5G  0 disk 
├─sdb1              8:17   1   512M  0 part  /boot/EFI
└─sdb2              8:18   1     5G  0 part 
  └─luksboot      252:0    0     5G  0 crypt /boot
sr0                11:0    1  1024M  0 rom   
zram0             253:0    0     0B  0 disk 
nvme0n1           259:0    0   1.8T  0 disk 
├─nvme0n1p1       259:1    0     1G  0 part 
├─nvme0n1p2       259:2    0   128M  0 part 
├─nvme0n1p3       259:3    0 234.3G  0 part 
├─nvme0n1p4       259:4    0     3G  0 part 
└─nvme0n1p5       259:5    0   1.5T  0 part 
  └─luksroot      252:1    0   1.5T  0 crypt
    ├─System-swap 252:2    0    40G  0 lvm   [SWAP]
    └─System-root 252:3    0   1.4T  0 lvm   /.snapshots
                                             /home
                                             /


Now proceede as described in the installation handbook: emerge-webrsync, cpuid2cpuflags, locale. Then proceed with emergeing gentoo-sources, genkernel, grub, ...:

Code:

(chroot) livecd / # emerge --ask sys-kernel/linux-firmware
[...]
(chroot) livecd / # emerge --ask sys-fs/cryptsetup
[...]
(chroot) livecd / # emerge --ask sys-kernel/gentoo-sources
[...]
(chroot) livecd / # emerge --ask sys-kernel/genkernel
[...]
(chroot) livecd / # cat > /etc/portage/package.use/grub2
sys-boot/grub:2 device-mapper
(chroot) livecd / # emerge --ask sys-boot/grub
[...]
(chroot) livecd / # emerge --ask net-misc/dropbear
[...]
(chroot) livecd / # mkdir /etc/dropbear
(chroot) livecd / # cat >> /etc/dropbear/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCFPT0BEhbpE7PQn+D3p8eMvDCfurs6SgCZHGMrESD8lviOcfWV1AfhJGdiYMNLEM0YerID4xPplmgN4X+o7IllDBnNzw3qbTF+GvVN+/vM/DdgsgJqQXOZcKDCez3ncymvzaMKGh/ESmSvUgGfRa4cpVmRH0kTqHo6XYK+OKwuy0gWv9KoJ76ocfZZu+pXq3MNkuT5BRpMT4yZwsL6sxCXALlBkZDWoXbNua5z81osPzVvSPipfJrQlfAkNnabpJjgO8zZifLmhANknUXEmbYWOrxI41JZBGf0cF+Kj48zsoYuT70XthG/FGwfmdmc7slvKomVKDfLXBPZg9UsjaM3lgiPZDcV9DaS1vQmXG9rX58CEdRkpcbh25bj97lA2oNXB8GzbgHn3s2AWCLAl8N7dZi0yDKrJP/2dTpUqvno9nseTrIIHlITHn0kM4x421u1TxFRKsuIF6MuaQ6R0trG/EO4zq/la0oWwmWtZpSEm6cWOqtY7QLt1p8pY0n2OE0= nico@liszt
(chroot) livecd / # eselect kernel list
Available kernel symlink targets:
  [1]   linux-6.1.57-gentoo
(chroot) livecd / # eselect kernel set 1
(chroot) livecd / # eselect kernel list
Available kernel symlink targets:
  [1]   linux-6.1.57-gentoo *
(chroot) livecd / # emerge --ask sys-fs/genfstab
[...]

(chroot) livecd / # genfstab -Up / >> /etc/fstab
(chroot) livecd / # nano /etc/fstab
[add 'noauto' to boot and boot/EFI]



note: do not forget to add the device-mapper USE flag to grub2.

note: dropbear and authorized_keys is optional (sshd while living in initramfs), I copy&pasted the key from my helper computer.


Code:

(chroot) livecd / #  blkid /dev/sdb2
/dev/sdb2: UUID="6c1be42b-7ef0-4f18-8d27-96eb65e53f60" TYPE="crypto_LUKS" PARTUUID="2c5491e0-24d7-4eec-826a-34106de9dadf"
(chroot) livecd / # cat >> /etc/crypttab
luksboot        UUID="6c1be42b-7ef0-4f18-8d27-96eb65e53f60"     none    noauto,luks


note: is crypttab really mandatory? Dont know...

Now comes the interesting part: genkernel and grub.

Code:

(chroot) livecd / # nano /etc/genkernel.conf
(chroot) livecd / # grep -v "^$\|#" /etc/genkernel.conf
NOCOLOR="false"
LVM="yes"
LUKS="yes"
SSH="yes"
BUSYBOX="yes"
BTRFS="yes"
KEYMAP="yes"
GK_SHARE="${GK_SHARE:-/usr/share/genkernel}"
CACHE_DIR="/var/cache/genkernel"
DISTDIR="${GK_SHARE}/distfiles"
LOGFILE="/var/log/genkernel.log"
LOGLEVEL=1
DEFAULT_KERNEL_SOURCE="/usr/src/linux"
INITRAMFS_OVERLAY="/boot/luks"
(chroot) livecd / # nano /etc/default/grub
(chroot) livecd / # grep -v "^$\|#" /etc/default/grub
GRUB_DISTRIBUTOR="Gentoo"
GRUB_DISABLE_LINUX_PARTUUID=false
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
GRUB_TIMEOUT_STYLE=menu
GRUB_TERMINAL_INPUT=console
GRUB_CMDLINE_LINUX="keymap=de dosshd dolvm crypt_root=PARTUUID=25336fde-bb7c-e34d-9592-0af9ce086dd4 root_trim=yes root_key=nvme0n1p5.key root_header=nvme0n1p5.header resume=/dev/System/swap"


note:
Code:

(chroot) livecd / # blkid /dev/nvme0n1p5
/dev/nvme0n1p5: PARTUUID="25336fde-bb7c-e34d-9592-0af9ce086dd4"


note the INITRAMFS_OVERLAY! The complete path for the luks header is /boot/luks/mnt/header/nvme0n1p5.header, the path for the key file is /boot/luks/mnt/key/nvme0n1p5.key

note: I have a german keyboard, therefore KEYMAP - you will notice more keymap/"de" stuff when proceeding.

note: in /etc/default/grub, do not omit the "root_header". If unset, the mechanism for cryptsetup with a detached header is not triggered, and you will not get the luks2 container opened. As mentioned, the path for the header and the key file is critical.

Now, compile the kernel nad generate the initramfs. --menuconfig lets you edit the kernel config. I did nothing special there, at least not for the cryptsetup/luks thing.

Code:

(chroot) livecd / # genkernel --menuconfig --install --symlink --ramdisk-modules  all


This should generate a kernel image and a initramfs in /boot, which is in the openend luks1 container. See disk layout above.

Now, install the boot loader:

Code:

(chroot) livecd / # mkdir /boot/grub
(chroot) livecd / # grub-mkconfig -o /boot/grub/grub.cfg
GRUB-Konfigurationsdatei wird erstellt …
Linux-Abbild gefunden: /boot/vmlinuz-6.1.57-gentoo-x86_64
initrd-Abbild gefunden: /boot/initramfs-6.1.57-gentoo-x86_64.img
Warnung: Zur Erkennung anderer bootfähiger Partitionen wird os-prober nicht ausgeführt.
Die darauf befindlichen Systeme werden nicht zur GRUB-Bootkonfiguration hinzugefügt.
Schauen Sie in den Dokumentationseintrag GRUB_DISABLE_OS_PROBER.
Bootmenü-Eintrag für UEFI-Firmware-Einstellungen wird hinzugefügt …
abgeschlossen
(chroot) livecd / # grub-install --target=x86_64-efi --efi-directory=/boot/EFI --removable --bootloader-id="grub"
x86_64-efi wird für Ihre Plattform installiert.
installation beendet. Keine Fehler aufgetreten.


Now, set the console keymap (keymap="de-latin1-nodeadkeys") and, of course, dont forget to set a root password.

unmount, close, all filesystems and shutdown for the first boot of the new installation

Code:

(chroot) livecd / # nano /etc/conf.d/keymaps
(chroot) livecd / # passwd
[...]
(chroot) livecd / # umount /boot/EFI/
(chroot) livecd / # umount /boot/
(chroot) livecd / # cryptsetup close /dev/mapper/luksboot
livecd /mnt/gentoo # umount /mnt/gentoo/.snapshots/
livecd /mnt/gentoo # umount /mnt/gentoo/home/
livecd /mnt/gentoo # cd ..
livecd /mnt # umount /mnt/gentoo/
livecd /mnt # swapoff /dev/mapper/System-swap
livecd /mnt # cryptsetup luksClose /dev/mapper/System-swap
livecd /mnt # cryptsetup luksClose /dev/mapper/System-root
livecd /mnt # cryptsetup luksClose /dev/mapper/luksroot
livecd /mnt # shutdown -h now


When booted with the boot stick inserted, grub should come up and ask you for the passphrase for /boot resp. initramfs - it is not named "/boot", but grub will decrypt the /boot partition, load the initramfs and start the system. Then it should boot up until the login prompt. At least, mine does :-)

Now proceed with finalizing the installation, as described in the handbook.



As mentioned, I spent a lot of time until it worked, and I had learn a lot of things I never ever wanted to know.
I hope it helps another gentoo users.


Last edited by oxensepp on Sat Nov 18, 2023 8:53 am; edited 2 times in total
Back to top
View user's profile Send private message
fedeliallalinea
Administrator
Administrator


Joined: 08 Mar 2003
Posts: 31328
Location: here

PostPosted: Sun Nov 05, 2023 10:29 am    Post subject: Reply with quote

Moved from Installing Gentoo to Documentation, Tips & Tricks.
_________________
Questions are guaranteed in life; Answers aren't.
Back to top
View user's profile Send private message
oxensepp
n00b
n00b


Joined: 01 May 2020
Posts: 42

PostPosted: Sun Nov 12, 2023 1:11 pm    Post subject: Re: how I installed gentoo with a full disk encryption Reply with quote

oxensepp wrote:

Code:


livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt/gentoo/
livecd ~ # mkdir /mnt/gentoo/home
livecd ~ # mkdir /mnt/gentoo/.snapshots
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/gentoo/home
livecd ~ # mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/gentoo/.snapshots




After using genfstab, you get an /etc/fstab with these mount options.

I had a really severe performance issue with the new system and tracked it down to a filesystem problem.
Replacing "discard" with "discard=async" solved the problem.
"discard=async" will become default in kernel 6.2, so it should be save.
Back to top
View user's profile Send private message
oxensepp
n00b
n00b


Joined: 01 May 2020
Posts: 42

PostPosted: Sun Nov 12, 2023 2:23 pm    Post subject: Re: how I installed gentoo with a full disk encryption Reply with quote

Some annotations about the boot stick:

Since I use luks with a detached header, all credentials for decrypting the system are saved on the boot stick.
If this boot stick is damaged or lost, there is no possibillity to access the SSD.
Because the header is also on the boot stick (and only there!), adding a second key slot with a passphrase does not work in this scenario.

Therefore, I duplicated the boot stick, and addtitionally made a backup from the luks header and the luks key.

Duplicating the stick is not really difficult. I created the same partition layout on the second (and third...) USB stick and adapted the UUIDs, PARTUUIDs, LABELs, etc.
lsblk -o +UUID,PARTUUID,LABEL shows the data. fdisk can change the disk identifier, set the gpt flag, etc. PARTUUID and LABEL can be set when creating the filesystem.
A brute force method is simply dd-ing the partitions from the working stick to it's duplicate, I did this with the encrypted /boot partition (/dev/sda2 in my installation).

After creating the partitons in the second stick and dd-ing sda2, I opened and mounted /boot and /boot/EFI.
Then I rerun grub-mkconfig and grub-install, but I am unsure if that is really mandatory. Maybe copying /boot/EFI/EFI/BOOT/BOOTX64.EFI is enough?

But do not simply rerun genkernel:
kernel and modules seem sensitive to a certain build, i.e. if genkernel is run once more, the newly created kernel will not load kernel modules (/lib/modules)
from the first run, even if the version is the same, and vice versa.
If you have more than one boot stick, there are chances for mixing up kernel/initramfs and /lib/modules from different builds - this did not work on my computer.
So use always kernel, initramfs and modules from the same build, and ensure that this is the case over all your boot sticks.

But if /boot is mounted, you can simply copy System.map, initramfs and kernel to it. grub-mkconfig should find it and create a valid grub.cfg.
I keep recent copies of Systemmap, initramfs and kernel in /home.

Note: I am not yet using secure boot, so I can not say if it works also with secure boot.



for decrypting and mounting the boot stick I created a shell script. the boot stick must be /dev/sda
Code:

#!/bin/bash
##
## handle bootstick - mount, unmount
##

LUKSBOOT=luksboot
BOOTSTICK=/dev/sda

ERR_ALLREADYOPEN=1
ERR_NOBOOTDEVICE=2
ERR_NOEFI=3
ERR_CRYPTBOOT=4
ERR_DECRYPT=5
ERR_MOUNT=6
ERR_INVALIDARG=7
ERR_ACCESS=8

if [ $# -ne 1 ]
then
    echo "usage $0 [open|close]"
    exit 0
fi

if [ $1 = close ]
then

    me=$(whoami)
    if [ "$me" != root ]
    then
        echo "you must be root to operate this program!"
        exit $ERR_ACCESS
    fi

    umount /boot/EFI
    retval=$?
    if [ $retval -ne 0 ]
    then
        echo "unmounting /boot/EFI failed, but proceeding anyway!"
    fi

    umount /boot
    retval=$?
    if [ $retval -ne 0 ]
    then
        echo "unmounting /boot failed, but proceeding anyway!"
    fi

    cryptsetup close /dev/mapper/$LUKSBOOT
    retval=$?
    if [ $retval -ne 0 ]
    then
        echo "closing luks container /dev/mapper/$LUKSBOOT failed"
        exit $ERR_DECRYPT
    fi

   
   
elif [ $1 = open ]
then

    me=$(whoami)
    if [ "$me" != root ]
    then
        echo "you must be root to operate this program!"
        exit $ERR_ACCESS
    fi

   
    if [ -e /dev/mapper/$LUKSBOOT ]
    then
        echo "/dev/mapper/$LUKSBOOT already exists, exit!"
        exit $ERR_ALLREADYOPEN
    fi

    if [ ! -b $BOOTSTICK ]
    then
        echo "no boot device found at $BOOTSTICK."
        echo "boot device must be present at $BOOTSTICK! exit"
        exit $ERR_NOBOOTDEVICE
    fi

    if [ ! -b "$BOOTSTICK"1 ]
    then
        echo "no EFI partition found at $BOOTSTICK"1
        echo "EFI partition must be present at $BOOTSTICK"1"! exit"
        exit $ERR_NOEFI
    fi

    if [ ! -b "$BOOTSTICK"2 ]
    then
        echo "no encrypted boot partition found at $BOOTSTICK2"
        echo "encrypted boot partition must be present at $BOOTSTICK"2"! exit"
        exit $ERR_CRYPTBOOT
    fi

    cryptsetup open "$BOOTSTICK"2 $LUKSBOOT
    retval=$?
   
    if [ $retval -ne 0 ]
    then
        echo "decrypting $BOOTSTICK"2" failed!"
        exit $ERR_DECRYPT
    fi

    mount /dev/mapper/$LUKSBOOT /boot
    retval=$?
   
    if [ $retval -ne 0 ]
    then
        echo "mounting /dev/mapper/$LUKSBOOT to /boot failed, exit!"
        exit $ERR_MOUNT
    fi

    mount "$BOOTSTICK"1 /boot/EFI
    retval=$?

    if [ $retval -ne 0 ]
    then
        echo "mounting $BOOTSTICK"2" to /boot/EFI failed, exit!"
        exit $ERR_MOUNT
    fi

else
    echo "argument must be open or close"
    exit $ERR_INVALIDARG
fi


(not to buggy, I hope...)



The other thing is backing up the luks key/header without copying the whole kernel, initramfs, etc. Of course, the backup should be encrypted too.

I decided to use again cryptsetup, since it can not only handle partitions and filesystems, but also just files.
So I created a file with a luks container with a file system with a copy of key and header in it. This method is described in the wiki, I think.

create file:
Code:

schubert ~ # dd if=/dev/zero of=data.bin count=131072


create a luks2 container inside the file:
Code:

schubert ~ # cryptsetup luksFormat --type=luks2 --offset=16384 data.bin


open the container and create a filesystem:
Code:

schubert ~ # cryptsetup luksOpen data.bin headerkey
Geben Sie die Passphrase für »data.bin« ein:
schubert ~ # mkfs.ext2 /dev/mapper/headerkey


Mount it and copy the luks key file/header into it.

As you see from the lsblk output, the boot stick is already mounted

Code:

schubert ~ # mount /dev/mapper/headerkey /mnt/luks/
schubert ~ # lsblk
NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0               7:0    0    64M  0 loop 
└─headerkey       254:3    0    56M  0 crypt /mnt/luks
sda                 8:0    1  14,3G  0 disk 
├─sda1              8:1    1   512M  0 part  /boot/EFI
├─sda2              8:2    1     5G  0 part 
│ └─luksboot      254:4    0     5G  0 crypt /boot
└─sda3              8:3    1     5G  0 part 
[...]
schubert ~ # cp -r /boot/luks/mnt/ /mnt/luks/


ensure, the the files have been copied correctly.
Then you ca umount/close the luks container as usual:

Code:

chubert ~ # umount /mnt/luks
schubert ~ # cryptsetup luksClose /dev/mapper/headerkey
schubert ~ # ls -l data.bin
-rw-r--r-- 1 root root 67108864  5. Nov 08:50 data.bin


This file you can backup even on unencrypted backups, without revealing your key.
Additionally, you can open and access the key with cryptsetup on a second computer without storing the key on a maybe unencrypted disc, since the filesystem is mapped by /dev/mapper.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum