Brain Dump

A place to store my random thoughts and anything else I might find useful.

Installing gentoo with root encryption: notes

Posted by mzanfardino on October 23, 2008

Note: This is compiled from several sources (which I will site at the end) and my own experience. This example assumes the following partition table:

/dev/sda1 /boot
/dev/sda2 swap
/dev/sda3 /
  • Follow Gentoo Handbook through 4.d. FUTURE: Add notes regarding flushing drive with /dev/urandom before encrypting.
  • Be sure to emerge cryptsetup. (NOTE: this should not be necessary as gentoo 2008.0 includes luks support).
  • Load necessary modules:
    modprobe dm-crypt # required
    modprobe dm-mod # required
    modprobe serpent # optional
    modprobe blowfish # optional
    modprobe aes # optional but required for aes-cbc-essiv
  • Encrypt the swap partition and mount it. NOTE: Encytping with random passkey – does not require passkey to mount:
    cryptsetup -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
    mkswap /dev/mapper/swap
    swapon /dev/mapper/swap
  • Encrypt the root partition. NOTE: This example assumes a keyword/passphrase. FUTURE: Add examples for keyfile encryption:
    cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
  • Open newly encrypted partition:
    cryptsetup openLuks /dev/sda3 root
  • Create the file system on the logical root. This example assumes ext3. FUTURE: Add notes concerning the user of alternate file system:
    mke2fs -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/root -L root
  • Create the file system for /boot. This example assumes ext2 (as you needn’t journal a boot partition). FUTURE: Add notes concerning the use of alternate file system:
    mke2fs /dev/sda1 -L boot
  • Mount the file system for use during the remainder of install:
    mount /dev/mapper/root /mnt/gentoo
  • Return to the Gentoo Handbook from step 5 to 7.d (genkernel)
  • Build the kernel with genkernel
    cd /usr/src/linux
    genkernel --luks --menuconfig all

    The key here is that you configure your kernel for ramdisk support and luks support FUTURE: add details.
  • Continue with Gentoo Handbook from 7.e till 8.a
  • Modify /etc/fstab to mount root from /dev/mapper/root. fstab will look as follows:
    /dev/sda1 /boot ext2 defaults,noatime 1 2
    /dev/mapper/swap none swap sw 0 0
    /dev/mapper/root / ext3 noatime 0 1
  • Modify /etc/conf.d/dmcrypt to mount swap during boot:
    swap=swap
    source='/dev/sda2'
  • Continue with Gentoo Handbook from 8.b till 10.b.
  • Configure GRUB to use genkernel:
    title Gentoo Linux 2.6.25-r8 (genkernel)
    root (hd0,0)
    kernel /boot/kernel-genkernel-x86-2.6.25-gentoo-r8 root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 vga=791
    initrd /boot/initramfs-genkernel-x86-2.6.25-gentoo-r8

    NOTE:kernel name may be different,be sure to use the correct initramfs and kernel.

Unbelievably that’s it! After days and days of trying to create my own initramfs and writing my own linuxrc files it really comes down to passing using genkernel to build the kernel and initramfs with luks support by passing genkernel –luks! (well, and the rest).

More to come later.

Citation:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Preparing_the_disk
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Using_initramfs_and_busybox
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=1

Here is a handy one for when you have to chroot into your system because you omitted something and it doesn’t boot: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=6

Advertisements

2 Responses to “Installing gentoo with root encryption: notes”

  1. Thanks for this. Easy to follow, and the tutorial fits on a single printed page :) I’m about to give this a go since my sidux install has started developing problems – I knew I’d eventually end up at Gentoo!

  2. […] mzanfardino’s gentoo encryption install notes from 2008 […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: