Note: This is compiled from several sources (which I will site at the end) and my own experience. This example assumes the following partition table:
| /dev/sda1 | /boot |
| /dev/sda2 | swap |
| /dev/sda3 | / |
- Follow Gentoo Handbook through 4.d. FUTURE: Add notes regarding flushing drive with /dev/urandom before encrypting.
- Be sure to emerge cryptsetup. (NOTE: this should not be necessary as gentoo 2008.0 includes luks support).
- Load necessary modules:
modprobe dm-crypt # required
modprobe dm-mod # required
modprobe serpent # optional
modprobe blowfish # optional
modprobe aes # optional but required for aes-cbc-essiv - Encrypt the swap partition and mount it. NOTE: Encytping with random passkey – does not require passkey to mount:
cryptsetup -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
mkswap /dev/mapper/swap
swapon /dev/mapper/swap - Encrypt the root partition. NOTE: This example assumes a keyword/passphrase. FUTURE: Add examples for keyfile encryption:
cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3 - Open newly encrypted partition:
cryptsetup openLuks /dev/sda3 root - Create the file system on the logical root. This example assumes ext3. FUTURE: Add notes concerning the user of alternate file system:
mke2fs -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/root -L root - Create the file system for /boot. This example assumes ext2 (as you needn’t journal a boot partition). FUTURE: Add notes concerning the use of alternate file system:
mke2fs /dev/sda1 -L boot - Mount the file system for use during the remainder of install:
mount /dev/mapper/root /mnt/gentoo - Return to the Gentoo Handbook from step 5 to 7.d (genkernel)
- Build the kernel with genkernel
cd /usr/src/linux
genkernel --luks --menuconfig all
The key here is that you configure your kernel for ramdisk support and luks support FUTURE: add details. - Continue with Gentoo Handbook from 7.e till 8.a
- Modify /etc/fstab to mount root from /dev/mapper/root. fstab will look as follows:
/dev/sda1 /boot ext2 defaults,noatime 1 2 /dev/mapper/swap none swap sw 0 0 /dev/mapper/root / ext3 noatime 0 1 - Modify /etc/conf.d/dmcrypt to mount swap during boot:
swap=swap
source='/dev/sda2' - Continue with Gentoo Handbook from 8.b till 10.b.
- Configure GRUB to use genkernel:
title Gentoo Linux 2.6.25-r8 (genkernel) root (hd0,0) kernel /boot/kernel-genkernel-x86-2.6.25-gentoo-r8 root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 vga=791 initrd /boot/initramfs-genkernel-x86-2.6.25-gentoo-r8 NOTE:kernel name may be different,be sure to use the correct initramfs and kernel.
Unbelievably that’s it! After days and days of trying to create my own initramfs and writing my own linuxrc files it really comes down to passing using genkernel to build the kernel and initramfs with luks support by passing genkernel –luks! (well, and the rest).
More to come later.
Citation:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Preparing_the_disk
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Using_initramfs_and_busybox
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=1
Here is a handy one for when you have to chroot into your system because you omitted something and it doesn’t boot: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=6
Brain Dump 