Gentoo Forums
A quick question concerning LUKS, DMCrypt, and genkernel
WizNut
n00b
Joined: 09 Nov 2005
Posts: 19
Location: Earth

PostPosted: Sat Aug 03, 2024 4:05 am    Post subject: A quick question concerning LUKS, DMCrypt, and genkernel

Hi. I’m looking to get back into Gentoo (now that Funtoo is shutting down), and I’ve got a question.

Am I correct, that if I am setting up LVM-over-LUKS, and I intend to use genkernel, that genkernel will take care of opening the LUKS container, and I do not need to set up /etc/conf.d/dmcrypt for it?
szatox
Advocate
Joined: 27 Aug 2013
Posts: 3447

PostPosted: Sat Aug 03, 2024 8:27 am    Post subject:

Basically, yes.
You can use it for decrypting _additional_ luks containers, but your root must be already decrypted before any services start, so there's nothing to do in the simple case.
_________________
Make Computing Fun Again
Zucca
Moderator
Joined: 14 Jun 2007
Posts: 3732
Location: Rasi, Finland

PostPosted: Sat Aug 03, 2024 8:58 am    Post subject:

Moved from "Documentation, Tips & Tricks" to "Installing Gentoo".

There's also little information on the wiki.

Personally I've found those initramfs creators too complicated (not to use, but how they work), so I tend to write my own. There are some lightweight and simple ones too, but not officially supported.
So by writing my own init script for my initramfs I can make sure things go exactly as planned before switch_root. This is not for everyone, obviously.

In recent times the default way of booting into Gentoo has started to lean in the direction of dracut instead of genkernel. In some discussions that I've read, genkernel has been described as hard to maintain, while dracut gets contributions from several directions (distros).

You said you have LVM-on-LUKS. Meaning full disk encryption? Then you must have your /boot separated and unencrypted. When your root partition is encrypted, everything related to unlocking the LUKS container needs to happen at the initramfs phase... unless the bootloader can unlock it? That said, genkernel should be able to create a proper initramfs for you, you just need to give it the right arguments (see man pages and genkernel wiki for more).
_________________
..: Zucca :..

My gentoo installs:
init=/sbin/openrc-init
-systemd -logind -elogind seatd

Quote:
I am NaN! I am a man!
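As an added example (not code from this thread, from genkernel or from dracut), here is the core of the kind of hand-written initramfs /init Zucca describes, doing for root what szatox says genkernel already does: unlock the LUKS container, activate LVM and mount root before switch_root, with /etc/conf.d/dmcrypt playing no part because no service has started yet. It assumes busybox tools inside the initramfs and the crypt_root=, dolvm and root= kernel command-line names genkernel uses (check the genkernel man page for your version).

```sh
#!/bin/sh
# Added example of a minimal initramfs /init for LVM-on-LUKS (not the thread's
# own code). Assumes busybox sh, cryptsetup and lvm are present in the initramfs
# and that the kernel command line follows genkernel's conventions, e.g.
#   crypt_root=/dev/sda2 dolvm root=/dev/mapper/vg0-root

# Print the value of key=value from the kernel command line; fail if absent.
cmdline_value() {
    key="$1"; cmdline="$2"
    for word in $cmdline; do
        case "$word" in
            "$key"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Succeed when a bare flag such as dolvm is present on the command line.
cmdline_has_flag() {
    flag="$1"; cmdline="$2"
    for word in $cmdline; do
        [ "$word" = "$flag" ] && return 0
    done
    return 1
}

# Runs only as PID 1 inside the initramfs: unlock, activate LVM, mount, switch.
initramfs_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    cmdline=$(cat /proc/cmdline)
    crypt_root=$(cmdline_value crypt_root "$cmdline") || { echo "no crypt_root="; exec sh; }
    root=$(cmdline_value root "$cmdline") || { echo "no root="; exec sh; }

    # Passphrase prompt on the console; keep asking until the container opens.
    until cryptsetup open "$crypt_root" root; do
        echo "unlock of $crypt_root failed, try again"
    done
    if cmdline_has_flag dolvm "$cmdline"; then
        lvm vgchange -ay      # activate the volume groups living inside the container
    fi
    mount -o ro "$root" /newroot || { echo "mount of $root failed"; exec sh; }
    umount /dev /sys /proc
    exec switch_root /newroot /sbin/init
}

if [ "$$" = 1 ]; then
    initramfs_main
fi
```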
WizNut
n00b
Joined: 09 Nov 2005
Posts: 19
Location: Earth

PostPosted: Sat Aug 03, 2024 9:20 am    Post subject:

@Zucca, I’m looking at doing two GPT partitions: /dev/sda1 will be an unencrypted FAT32 /boot, and /dev/sda2 will be a LUKS container. Everything else (including swap) will be on LVs inside the LUKS container. I’m planning on setting up GRUB security (including having GRUB check detached file signatures). I’m also planning on disabling shim-locking so that I can use GRUB directly with secure boot without having to have SHIM in between (I do not trust Microsoft!). Also, I’m looking at setting up kernel module signing. Last but not least, I’d like to see if I can figure out how to use TPM 2.0 to perform measured boot (I was trying to read WavyEbuilder’s guide, but I can’t find the link for the next section after “Requirements”…). Anyways, this should allow me to use LUKS2 (with Argon2). The /boot partition will be unencrypted, but I won’t have anything sensitive on it, and the above measures should alert me if anyone has changed anything.