WizNut (n00b)
Joined: 09 Nov 2005, Posts: 19, Location: Earth
Posted: Sat Aug 03, 2024 4:05 am
Post subject: A quick question concerning LUKS, DMCrypt, and genkernel
Hi. I’m looking to get back into Gentoo (now that Funtoo is shutting down), and I’ve got a question.
Am I correct that if I am setting up LVM-over-LUKS, and I intend to use genkernel, genkernel will take care of opening the LUKS container, and I do not need to set up /etc/conf.d/dmcrypt for it?

szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3444
Posted: Sat Aug 03, 2024 8:27 am
Basically, yes.
You can use it for decrypting _additional_ LUKS containers, but your root must be already decrypted before any services start, so there's nothing to do in the simple case.
_________________
Make Computing Fun Again

Zucca (Moderator)
Joined: 14 Jun 2007, Posts: 3721, Location: Rasi, Finland
Posted: Sat Aug 03, 2024 8:58 am
Moved from "Documentation, Tips & Tricks" to "Installing Gentoo".
There's also little information on the wiki.
Personally I've found those initramfs creators too complicated (not to use, but how they work), so I tend to write my own. There are some lightweight and simple ones too, but not officially supported.
So by writing my own init script for my initramfs I can make sure things go exactly as planned before switch_root. This is not for everyone, obviously.
In recent times the default way of booting into Gentoo has started to lean in the direction of dracut instead of genkernel. In some discussions that I've read, genkernel has been described as hard to maintain, while dracut gets contributions from several directions (distros).
You said you have LVM-on-LUKS. Meaning full disk encryption? Then you must have your /boot separate and unencrypted. When your root partition is encrypted, everything related to unlocking the LUKS container needs to happen at the initramfs phase... unless the bootloader can unlock it? That said, genkernel should be able to create a proper initramfs for you; you just need to give it the right arguments (see the man pages and the genkernel wiki for more).
_________________
..: Zucca :..
My gentoo installs: init=/sbin/openrc-init -systemd -logind -elogind seatd
Quote: "I am NaN! I am a man!"
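For readers wondering what "unlocking at the initramfs phase" looks like when written by hand rather than by genkernel or dracut, here is an added example of a minimal /init (not from anyone in this thread, and not genkernel's or dracut's code). It follows genkernel's kernel-command-line naming (crypt_root=, real_root=, dolvm); the fallback device paths, the VG name and the three-attempt limit are assumptions.

```shell
#!/bin/sh
# Added example: minimal initramfs /init that unlocks a LUKS container holding
# LVM, then hands over to the real init. Fallback device paths are assumptions.
# Print the value of key=value from a kernel command line string;
# return 1 (printing nothing) when the key is absent.
cmdline_get() {
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}
# Succeed when a bare flag such as dolvm is present on the command line.
cmdline_has_flag() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}
# Wait up to $2 seconds for a device node; USB and NVMe can enumerate late.
wait_for_dev() {
    i=0
    while [ ! -e "$1" ] && [ "$i" -lt "$2" ]; do sleep 1; i=$((i + 1)); done
    [ -e "$1" ]
}
unlock_and_switch() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    cmdline=$(cat /proc/cmdline)
    crypt_root=$(cmdline_get "$cmdline" crypt_root) || crypt_root=/dev/sda2
    real_root=$(cmdline_get "$cmdline" real_root) || real_root=/dev/mapper/vg0-root
    wait_for_dev "$crypt_root" 30 || exec sh          # rescue shell on failure
    tries=0                                           # passphrase prompt, 3 attempts
    until cryptsetup open "$crypt_root" root; do
        tries=$((tries + 1)); [ "$tries" -ge 3 ] && exec sh
    done
    cmdline_has_flag "$cmdline" dolvm && lvm vgchange -ay   # LVs live inside the container
    mkdir -p /newroot
    mount -o ro "$real_root" /newroot || exec sh
    umount /dev /sys /proc                            # the real init remounts these
    exec switch_root /newroot /sbin/init
}
# Only act when running as PID 1 inside the initramfs; sourcing elsewhere is harmless.
if [ "$$" -eq 1 ]; then unlock_and_switch; fi
```

The unencrypted /boot only has to carry the kernel and this initramfs; nothing here touches /etc/conf.d/dmcrypt, which is for containers opened later by the service manager.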
WizNut (n00b)
Joined: 09 Nov 2005, Posts: 19, Location: Earth
Posted: Sat Aug 03, 2024 9:20 am
@Zucca, I’m looking at doing two GPT partitions: /dev/sda1 will be an unencrypted FAT32 /boot, and /dev/sda2 will be a LUKS container. Everything else (including swap) will be on LVs inside the LUKS container. I’m planning on setting up GRUB security (including having GRUB check detached file signatures). I’m also planning on disabling shim-locking so that I can use GRUB directly with Secure Boot without having to have SHIM in between (I do not trust Microsoft!). Also, I’m looking at setting up kernel module signing. Last but not least, I’d like to see if I can figure out how to use TPM 2.0 to perform measured boot (I was trying to read WavyEbuilder’s guide, but I can’t find the link for the next section after “Requirements”…). Anyways, this should allow me to use LUKS2 (with Argon2). The /boot partition will be unencrypted, but I won’t have anything sensitive on it, and the above measures should alert me if anyone has changed anything.