Guide for Gentoo setup with full disk encryption using LUKS+LVM


So I did figure it out:

I partitioned the disk partially following the handbook:

# parted -a optimal /dev/sda
GNU Parted 2.3
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.

(parted) mklabel gpt

(parted) unit mib

(parted) mkpart primary 1 3
(parted) name 1 grub
(parted) set 1 bios_grub on

(parted) mkpart primary 3 131
(parted) name 2 boot
(parted) mkpart primary 131 -1
(parted) name 3 lvm

(parted) set 2 boot on
(parted) q

The only change I made was not to make a swap and root partition but instead make a single partition and name it lvm (the name doesn't matter). Next I've set up LUKS:

# Load the dm-crypt module (probably not necessary)
modprobe dm-crypt

# Encrypt the partition we named lvm (in my case that would be /dev/sda3)
cryptsetup -c aes-cbc-essiv:sha256 -v luksFormat -s 256 /dev/sda3

# Open the LUKS volume
cryptsetup luksOpen /dev/sda3 sda3-luks

# Set up an LVM physical volume
lvm pvcreate /dev/mapper/sda3-luks

# Set up a volume group
lvm vgcreate vg0 /dev/mapper/sda3-luks

After that setup the actual volumes:

# First set up the swap volume
lvm lvcreate -L 2048M vg0
# Then check how many 'extents' are free (Free PE) using lvm vgdisplay
# and use that number to use up the rest of the space:
lvm lvcreate -l 7809 vg0

For the rest we basically follow the handbook, except where you would normally do stuff for /dev/sda3 (swap) or /dev/sda4 (root) you would now use /dev/mapper/vg0-lvol0 (swap) and /dev/mapper/vg0-lvol1.

Important is, when generating the kernel (I used genkernel for this), to first install cryptsetup using emerge -av cryptsetup and then run genkernel with the following parameters:

genkernel --luks --lvm --busybox --menuconfig all

Be sure to set up the kernel to support LVM and the chosen hashing and encryption algorithms (in my case aes and sha256). Then continue following the handbook until you start the grub-config.

Before you run grub2-mkconfig you should edit the file /etc/defaults/grub. (I should state, for the record, that I'm not sure if this is the best solution but it works for me).

In that file I've put the following (find and uncomment the parameter):

GRUB_CMDLINE_LINUX="crypt_root=UUID=<uuid of sda3> dolvm"

You can find the correct UUID by using ls -l /dev/disk/by-uuid. After that grub2-mkconfig should find both the kernel and the initramfs in /boot. Again, follow the handbook and after the reboot you should get a password prompt.

Hope this helps anyone else.
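Added example (my own helper script, not part of the answer above or of Gentoo's tooling): the procedure has three spots where a value is read by eye and typed back in, namely the "Free PE" count for the last lvcreate, the LUKS container's UUID for GRUB_CMDLINE_LINUX, and the kernel options the initramfs needs. The functions below take that text as input and compute the values, so a mistake (a UUID from the wrong partition, a cipher compiled only as a module) is caught before the reboot rather than at a boot prompt that cannot find the root device. The script touches no disk; all device names, UUIDs and tool outputs in it are constructed samples. One caveat on the cipher line: aes-cbc-essiv:sha256 with a 256-bit key was the cryptsetup default at the time the answer was written; current cryptsetup releases default to aes-xts-plain64, and the rest of the procedure is unchanged if you leave -c and -s off and take that default (the kernel then needs CONFIG_CRYPTO_XTS instead of CONFIG_CRYPTO_CBC).

```shell
#!/bin/sh
# Added helper functions for the LUKS+LVM procedure above. Not the answer's own
# code: it never touches a disk, it only derives the three values the procedure
# depends on (free extents, LUKS UUID, kernel options) from text you feed it.
# The sample outputs at the bottom are constructed, not captured.

# Extract the "Free PE" count from `lvm vgdisplay` output; the answer reads this
# number by eye before running `lvm lvcreate -l <extents>`.
free_pe_from_vgdisplay() {
    printf '%s\n' "$1" | awk '$1 == "Free" && $2 == "PE" { print $5 }'
}

# Pull the UUID of one device (e.g. /dev/sda3, the LUKS container) out of
# `blkid` output. Only the UUID= field is printed, without quotes.
uuid_from_blkid() {
    dev="$1:"
    printf '%s\n' "$2" | awk -v dev="$dev" '
        $1 == dev { for (i = 2; i <= NF; i++)
                        if ($i ~ /^UUID=/) { gsub(/UUID=|"/, "", $i); print $i } }'
}

# Render the GRUB_CMDLINE_LINUX line the answer adds to the GRUB defaults file.
grub_cmdline_for() {
    printf 'GRUB_CMDLINE_LINUX="crypt_root=UUID=%s dolvm"\n' "$1"
}

# Print each kernel option the initramfs needs that is not built in (=y).
# =m only works if the initramfs actually loads the module, so it is flagged too.
missing_kernel_options() {
    for opt in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES \
               CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256; do
        printf '%s\n' "$1" | grep -q "^${opt}=y\$" || echo "$opt"
    done
}

# Constructed sample outputs (not from a real system).
SAMPLE_VGDISPLAY='  --- Volume group ---
  VG Name               vg0
  Alloc PE / Size       512 / 2.00 GiB
  Free  PE / Size       7809 / 30.50 GiB'

SAMPLE_BLKID='/dev/sda2: UUID="a1b2c3d4-e5f6-7890-abcd-ef0123456789" TYPE="ext2"
/dev/sda3: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS"'

SAMPLE_CONFIG='CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_SHA256=m'

demo() {
    free=$(free_pe_from_vgdisplay "$SAMPLE_VGDISPLAY")
    echo "lvm lvcreate -l $free vg0    # root volume takes every remaining extent"
    uuid=$(uuid_from_blkid /dev/sda3 "$SAMPLE_BLKID")
    grub_cmdline_for "$uuid"
    missing=$(missing_kernel_options "$SAMPLE_CONFIG")
    [ -z "$missing" ] || printf 'kernel options not built in:\n%s\n' "$missing"
}

demo
```

On a live system feed the functions real output, e.g. `free_pe_from_vgdisplay "$(lvm vgdisplay vg0)"` and `uuid_from_blkid /dev/sda3 "$(blkid)"`, and run `missing_kernel_options "$(cat /usr/src/linux/.config)"` before invoking genkernel. If you would rather not compute the extent count at all, `lvm lvcreate -l 100%FREE vg0` sizes the volume to whatever is left.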

Author: user3181422

Updated on September 18, 2022

Comments

  • user3181422
    user3181422 over 1 year

    I'm looking for a way to make the following setup happen in Gentoo:

    /dev/sda1 -> /boot (ext2)
    /dev/sda2 -> Luks encrypted
    |
    +-lvm-vg1
      |
      +- /dev/mapper/root-fs -> / (ext4)
      +- /dev/mapper/swap    ->   (swap)
    

    It's basically the same setup as Ubuntu would do when doing a graphical install.

    I do know how to manually set up LUKS and even the LVM setup but I get stuck when bringing it together at boot. How do I tell the kernel and grub to unlock the LUKS partition and mount the right LVM partitions?

    • jasonwryan
      jasonwryan about 8 years
      See the Arch Wiki entry: it is pretty straightforward.