Difference between revisions of "Encrypted Root"

From Funtoo
Jump to navigation Jump to search
(→‎Initialize the volume: switching back to LVM i give up on making it try to mount dmcrypt_root without it.)
m (add warning that this build is incomplete.)
 
(29 intermediate revisions by 7 users not shown)
Line 1: Line 1:
This document describes how to setup a swapless encrypted root partition without lvm.
This howto describes how to setup LVM, swap, and root with dmcrypt LUKS. It is a standalone installation walk through, based on the official installations finished product.  boot is not encrypted.


{{warning|[[Rootfs_over_encrypted_lvm]] works, this page currently does notyou may try to get this working at your own risk!}}
{{warning|You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own.}}
 
{{warning|[[Rootfs_over_encrypted_lvm]] is the only known working encrypted root page.  this page is a work in progress to strip out LVM, and is known to be incomplete.}}


== Prepare the hard drive and partitions ==
== Prepare the hard drive and partitions ==
*List the device to be partitioned, mine is on /dev/sdc
*Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
{{console|body=
{{console|body=
###i## lsblk -o name,size,label,partlabel
###i## lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda            8:0    0  1.8T  0 disk
├─sda1          8:1    0  512M  0 part
├─sda2          8:2    0    8G  0 part [SWAP]
└─sda3          8:3    0  1.8T  0 part
  ├─main-root 254:0    0  500G  0 lvm  /
  └─main-data 254:1    0  1.3T  0 lvm  /home
}}
}}


==Partition==
===Link your drive to /dev/sdX===
{{console|body=
to make following this guide easier you can set udev rules and link the drive you're installing to /dev/sdX so everything is copy paste.  just replace the kernel's sda/mmc/nvme to match your target drive.
###i## cgdisk /dev/sdc}}
 
delete everything.


====ATA/SATA/SCSI drives (ex. hda, sda)====
{{console|body=
{{console|body=
Command: ##i## new ↵
###i## echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
First sector: ##i##↵
###i## udevadm control --reload-rules
Last sector: ##i##+1M ↵
###i## udevadm trigger
Hex Code: ##i##EF02 ↵
Enter name: ##i##BIOS Boot ↵
}}
}}


scroll down to large chunk of free space:
====MMC/NVMe drives (ex. mmcblk0, nvme0n1)====
{{console|body=
{{console|body=
Command: ##i##new ↵
###i## echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
First sector: ##i##↵
###i## echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
Last sector: ##i##+128M ↵
###i## udevadm control --reload-rules
Hex Code: ##i##EF00 ↵
###i## udevadm trigger
Enter name: ##i##BOOT ↵
}}
}}


scroll down to large chunk of free space:
====Verify links====
{{console|body=
{{console|body=
Command: ##i##new ↵
###i## ls -al /dev/sdX*
First sector: ##i##
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
Last sector: ##i##↵
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
Hex Code: ##i## 8304 ↵
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2
Enter name: ##i##FUNTOO ↵
}}
}}


{{console|body=
==Partition==


                              Disk Drive: /dev/sdc
=== MBR [BIOS] Partitioning ===
                            Size: 62333952, 29.7 GiB


Part. #    Size        Partition Type            Partition Name
{{Note|Use this method if you are booting using your BIOS, and if your Funtoo LiveCD initial boot menu was light blue. If you're going to use the UEFI/GPT disk format, then please proceed to the next section.}}
----------------------------------------------------------------
            1007.0 KiB  free space
  1        1024.0 KiB  BIOS boot partition   BIOS Boot
  2        256.0 MiB  EFI System                BOOT
  3        29.5 GiB    Linux x86-64 root (/)    FUNTOO
}}


{{console|body=
{{console|body=
Command: ##i##write ↵
###i## fdisk /dev/sdX
Command: ##i##quit ↵
}}
}}


== Encrypt the drive ==
Within {{c|fdisk}}, follow these steps:
 
'''Empty the partition table''':
 
{{console|body=
{{console|body=
###i## cryptsetup luksFormat --type luks2 --label=FUNTOO /dev/sdc3
Command (m for help): ##i##o ↵
}}
}}
* YES not yes....
*enter your password:


== Initialize the volume ==
'''Create boot partition''':
Initialize the volume:


{{console|body=
{{console|body=
###i## cryptsetup luksOpen /dev/sdc3 dmcrypt_root
Command (m for help): ##i##n ↵
Partition type (default p): ##i##↵
Partition number (1-4, default 1): ##i##↵
First sector: ##i##↵
Last sector: ##i##+128M ↵
}}
}}


== Create logical volumes ==
'''Create partition which will be encrypted with LUKS''':
 
{{console|body=
{{console|body=
###i## pvcreate /dev/mapper/dmcrypt_root
Command (m for help): ##i##n ↵
###i## vgcreate vg /dev/mapper/dmcrypt_root         
Partition type (default p): ##i##
###i## lvcreate -l 100%FREE --name root vg
Partition number (2-4, default 2): ##i##↵
First sector: ##i##
Last sector: ##i##
}}
}}


=== Create your filesystem ===
'''Verify the partition table''':
 
{{console|body=
{{console|body=
###i## mkfs.vfat -F 32 /dev/sdc2
Command (m for help): ##i##p
###i## fatlabel /dev/sdc2 "BOOT"
 
###i## mkfs.jfs /dev/mapper/vg-root
Disk /dev/sdX: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x82abc9a6
 
Device    Boot    Start      End    Blocks  Id System
/dev/sdX1          2048    264191    131072  83 Linux
/dev/sdX2        4458496 625142447 312439128  83 Linux
}}
}}


=== Mount ===
'''Write the partition table to disk''':
 
{{console|body=Command (m for help): ##i##w}}
 
Your new MBR partition table will now be written to your system disk.
 
=== UEFI Partitioning ===
 
{{Note|Use this method if you are interested in booting using UEFI, and if your Funtoo LiveCD initial boot menu was black and white, or the system booted without a boot menu. If it was light blue, this method will not work. Instead, use the instructions in the previous section then skip this section, or reboot LiveCD in UEFI mode first.}}
 
{{console|body=###i## gdisk /dev/sdX}}
 
Within {{c|gdisk}}, follow these steps:
 
'''Empty the partition table''':
{{console|body=
{{console|body=
###i## mkdir /mnt/funtoo
Command: ##i##o ↵
###i## mount /dev/mapper/vg-root /mnt/funtoo
This option deletes all partitions and creates a new protective MBR.
###i## mkdir  /mnt/funtoo/boot
Proceed? (Y/N): ##i##y ↵
###i## mount /dev/sdc2 /mnt/funtoo/boot
}}
}}


==Get Funtoo Gnome==
'''Create boot partition''':
You can pull your [[Subarches]] gnome tarball if you wish:


{{console|body=
{{console|body=
###i## cd /mnt/funtoo
Command: ##i##n ↵
###i## wget https://build.funtoo.org/1.4-release-std/x86-64bit/generic_64/gnome-latest.tar.xz
Partition Number: ##i##1 ↵
###i## tar --numeric-owner --xattrs --xattrs-include='*' -xpf *gnome* && rm -f *gnome*
First sector: ##i##↵
Last sector: ##i##+128M ↵
Hex Code: ##i##EF00 ↵
}}
}}


==Load Funtoo==
'''Create partition which will be encrypted with LUKS''':
*expand your run tmpfs to be half of your ram:
 
{{console|body=
{{console|body=
###i## mount -t tmpfs tmpfs /run
Command: ##i##n ↵
Partition Number: ##i##2 ↵
First sector: ##i##↵
Last sector: ##i##↵##!i## (for rest of disk)
Hex Code: ##i##
}}
}}


*mount up:
'''(Optional) Create disk labels''':
{{console|body=
{{console|body=
###i## cd /mnt/funtoo && mount -t proc none proc
Command: ##i##c ↵
mount --rbind /sys sys
Partition Number: ##i##1
mount --rbind /dev dev
Enter name: ##i##BOOT
mount --rbind /run run
Command: ##i##c ↵
Partition Number: ##i##2
Enter name: ##i##ROOT
}}
}}


*chroot in:
'''Write Partition Table To Disk''':
 
{{console|body=
{{console|body=
###i## cd /mnt/funtoo && env -i HOME=/root TERM=$TERM chroot . bash -l
Command: ##i##w ↵
Do you want to proceed? (Y/N): ##i##Y ↵
}}
}}
The partition table will now be written to the disk and {{c|gdisk}} will close.
==Create filesystems==
'''Create /boot filesystem '''
====For BIOS systems====
{{console|body=# ##i##mkfs.ext2 /dev/sdX1}}
====For UEFI systems====
{{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX1}}
'''Create LUKS encrypted volume'''
{{Note|Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.}}
{{Warning|The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}}


*Set yo password:
*set yo hostname:
*set cloudflare dns resolution for installing:
*Set yo time zone:
{{console|body=
{{console|body=
###i## passwd
# ##i##cryptsetup luksFormat /dev/sdX2
###i## echo 'hostname="crypto"' > /etc/conf.d/hostname
###i## echo "nameserver 1.1.1.1" > /etc/resolv.conf
###i## ln -sf /usr/share/zoneinfo/America/Detroit /etc/localtime
}}
}}
=== load your fstab ===
 
*Deploy your fstab:
'''Open newly created LUKS volume'''
{{console|body=# ##i##cryptsetup open /dev/sdX2 root}}
 
'''Create LVM volumes for / and swap'''
{{console|body=# ##i##pvcreate /dev/mapper/root}}
{{console|body=# ##i##vgcreate vg /dev/mapper/root}}
{{Note|Replace "16G" with the amount of swap you would like to make available.}}
{{console|body=# ##i##lvcreate -L16G --name swap vg}}
{{console|body=# ##i##lvcreate -l 100%FREE --name root vg}}
{{Note|The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.}}
 
'''Create filesystems on LVM volumes'''
{{console|body=
{{console|body=
###i## cat > /etc/fstab << "EOF"
# ##i##mkswap /dev/mapper/vg-swap
LABEL=BOOT /boot vfat noauto,noatime 1 2
# ##i##swapon /dev/mapper/vg-swap
/dev/mapper/dmcrypt_root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /run tmpfs rw,nodev,nosuid 0 0
EOF
}}
}}
{{console|body=# ##i##mkfs.ext4 /dev/mapper/vg-root}}
'''Create directories for chroot'''
{{console|body=# ##i##mkdir -p /mnt/funtoo}}
==Mount filesystems==
{{console|body=# ##i##mount /dev/mapper/vg-root /mnt/funtoo}}
{{console|body=# ##i##mkdir /mnt/funtoo/boot}}
{{console|body=# ##i##mount /dev/sdX1 /mnt/funtoo/boot}}
==Set the date==
{{Note|See the official Funtoo docs on [https://www.funtoo.org/Install/Setting_the_Date setting the date].}}


*load your crypttab:
==Download and extract stage3==
{{Note|See the official Funtoo docs on [https://www.funtoo.org/Install/Download_and_Extract_Stage3 downloading and extracting stage3].}}
 
==Chroot into your new system==
{{Note|See the official Funtoo docs on [https://www.funtoo.org/Install/Chroot chrooting into your new system] if you are using a LiveCD or USB media other than Funtoo to install Funtoo.}}
{{console|body=
{{console|body=
###i## echo "dmcrypt_root LABEL=FUNTOO none luks" >> /etc/crypttab
# ##i##fchroot /mnt/funtoo /bin/bash --login
###i## dmsetup table >> /etc/dmtab
}}
}}


*compile in ram:
==Configure your system==
'''Set a new root password'''
{{console|body=# ##i##passwd}}
 
'''Set hostname'''
{{console|body=# ##i##echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname}}
 
'''Set your timezone'''
{{console|body=# ##i##ln -sf /usr/share/zoneinfo/YOUR/TIMEZONE /etc/localtime}}
 
'''Note your filesystem information'''
{{console|body=# ##i##blkid}}
{{console|body=
{{console|body=
###i## echo 'PORTAGE_TMPDIR="/run"' > /etc/portage/make.conf
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
}}
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"}}
 
'''Configure /etc/fstab'''
{{Note|The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.}}
{{console|body=# ##i##cat > /etc/fstab << 'EOF'
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
EOF}}
 
'''Create /etc/crypttab'''
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
{{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}}
 
'''Create /etc/dmtab'''
{{console|body=# ##i##dmsetup table >> /etc/dmtab}}
 
==Portage==
'''Download the portage tree'''
{{console|body=# ##i##ego sync}}


*Sync & deploy your profile:
'''Change your ego profile to include encrypted root support'''
{{console|body=
{{console|body=# ##i##epro mix-in encrypted-root}}
###i## ego sync && ego profile mix-in encrypted-root
}}


*Deploy your package.use file:
'''Edit package USE-flags'''
{{console|body=
{{console|body=# ##i##cat > /etc/portage/package.use <<'EOF'
###i## cat > /etc/portage/package.use << "EOF"
*/* device-mapper lvm luks
*/* lvm device-mapper
sys-kernel/linux-firmware initramfs
sys-kernel/linux-firmware initramfs
EOF
sys-fs/cryptsetup -dynamic
}}
EOF}}


{{console|body=
'''Install necessary packages'''
###i## emerge grub haveged intel-microcode linux-firmware eix cryptsetup lvm2 debian-sources-lts && emerge debian-sources && emerge -vuND @world && emerge --depclean
{{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool}}
}}


*set services:
'''Configure services to start at boot'''
{{console|body=
{{console|body=# ##i##rc-update add device-mapper sysinit}}
###i## rc-update del swap boot && rc-update add haveged && rc-update add gpm && rc-update add busybox-ntpd
{{console|body=# ##i##rc-update add dmcrypt sysinit}}
###i## rc-update add device-mapper boot
{{console|body=# ##i##rc-update add lvmetad sysinit}}
###i## rc-update add dmcrypt boot
{{console|body=# ##i##rc-update add haveged default}}
}}
{{console|body=# ##i##rc-update add busybox-ntpd default}}


== Bootloader Configuration ==
==Install a bootloader==
=== /etc/boot.conf ===
'''Configure /etc/boot.conf'''
 
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
<pre>
{{console|body=# ##i##cat > /etc/boot.conf <<'EOF'
boot {
boot {
  generate grub
    generate grub
  default "Funtoo Linux"
    default "Funtoo Linux"
  timeout 3
    timeout 3
}
}
"Funtoo Linux" {
"Funtoo Linux" {
kernel kernel[-v]
    kernel kernel[-v]
initrd initramfs[-v]
    initrd initramfs[-v]
  params += crypt_root=LABEL=FUNTOO dolvm luks=yes real_root=/dev/mapper/dmcrypt_root rootfstype=ext4
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
}
</pre>
EOF}}


== GRUB ==
'''Install GRUB'''
*Install grub in legacy mode:
====For BIOS systems====
{{console|body=
{{console|body=# ##i##grub-install --target=i386-pc --no-floppy /dev/sdX}}
###i## grub-install --target=i386-pc /dev/sdc
{{console|body=# ##i##ego boot update}}
###i## ego boot update}}


=== EFI from Legacy ===
====For UEFI systems====
*manually make efi directory:
{{console|body=# ##i##mount -o remount,rw /sys/firmware/efi/efivars}}
*remount /dev/sdc2 to /boot/efi:
{{console|body=# ##i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}
*install efi images:
{{Note|For 32 bit systems, the command should instead be:
{{console|body=
{{console|body=# ##i##grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}}}
###i## mkdir /boot/efi
{{console|body=# ##i##ego boot update}}
###i## mount /dev/sdc2 /boot/efi
###i## grub-install --target=x86_64-efi /boot/efi
}}


=== EFI from EFI ===
'''Generate a new initramfs'''
{{console|body=
{{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}}
###i##mount -o remount,rw /sys/firmware/efi/efivars
###i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux [GRUB]" --recheck /dev/sda
###i##ego boot update
}}


== Final steps ==
==Finishing installation==
*exit chroot, unmount everything,and close encrypted root:
From this point, you should be able to finish following the [https://www.funtoo.org/Install/Network official Funtoo Linux install instructions]
{{console|body=
###i## exit
###i## cd ..
###i## umount -lR funtoo
# ##i##cryptsetup luksClose dmcrypt_root
}}


==management==
==Managing your LUKS volume==
=== Change your LUKs-encrypted drive's passphrase ===
'''Change your LUKs-encrypted drive's passphrase'''
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:
You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:


{{console|body=
{{console|body=
###i## cryptsetup luksChangeKey /dev/sda3
# ##i##cryptsetup luksChangeKey /dev/sdX2
}}
}}


Line 237: Line 315:
You will not be asked to confirm your new passphrase, so be careful when running this operation.
You will not be asked to confirm your new passphrase, so be careful when running this operation.


== External Resources ==
== Additional links and information ==
* [https://www.freedesktop.org/software/systemd/man/crypttab.html crypttab]
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [[gentoo-wiki:Root filesystem over LVM2, DM-Crypt and RAID|Root filesystem over LVM2, DM-Crypt, and RAID]]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]
* [http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt System Encryption with LUKS for dm-crypt]

Latest revision as of 03:58, January 13, 2023

This howto describes how to setup LVM, swap, and root with dmcrypt LUKS. It is a standalone installation walk through, based on the official installations finished product. boot is not encrypted.

   Warning

You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own.

   Warning

Rootfs_over_encrypted_lvm is the only known working encrypted root page. this page is a work in progress to strip out LVM, and is known to be incomplete.

Prepare the hard drive and partitions

  • Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
root # lsblk
NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda             8:0    0  1.8T  0 disk 
├─sda1          8:1    0  512M  0 part 
├─sda2          8:2    0    8G  0 part [SWAP]
└─sda3          8:3    0  1.8T  0 part 
  ├─main-root 254:0    0  500G  0 lvm  /
  └─main-data 254:1    0  1.3T  0 lvm  /home

Link your drive to /dev/sdX

to make following this guide easier you can set udev rules and link the drive you're installing to /dev/sdX so everything is copy paste. just replace the kernel's sda/mmc/nvme to match your target drive.

ATA/SATA/SCSI drives (ex. hda, sda)

root # echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger

MMC/NVMe drives (ex. mmcblk0, nvme0n1)

root # echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
root # echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger

Verify links

root # ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2

Partition

MBR [BIOS] Partitioning

   Note

Use this method if you are booting using your BIOS, and if your Funtoo LiveCD initial boot menu was light blue. If you're going to use the UEFI/GPT disk format, then please proceed to the next section.

root # fdisk /dev/sdX

Within fdisk, follow these steps:

Empty the partition table:

Command (m for help): o ↵

Create boot partition:

Command (m for help): n ↵
Partition type (default p): 
Partition number (1-4, default 1): 
First sector: 
Last sector: +128M ↵

Create partition which will be encrypted with LUKS:

Command (m for help): n ↵
Partition type (default p): 
Partition number (2-4, default 2): 
First sector: 
Last sector: 

Verify the partition table:

Command (m for help): p

Disk /dev/sdX: 298.1 GiB, 320072933376 bytes, 625142448 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x82abc9a6

Device    Boot     Start       End    Blocks  Id System
/dev/sdX1           2048    264191    131072  83 Linux
/dev/sdX2        4458496 625142447 312439128  83 Linux

Write the partition table to disk:

Command (m for help): w

Your new MBR partition table will now be written to your system disk.

UEFI Partitioning

   Note

Use this method if you are interested in booting using UEFI, and if your Funtoo LiveCD initial boot menu was black and white, or the system booted without a boot menu. If it was light blue, this method will not work. Instead, use the instructions in the previous section then skip this section, or reboot LiveCD in UEFI mode first.

root # gdisk /dev/sdX

Within gdisk, follow these steps:

Empty the partition table:

Command: o ↵
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y ↵

Create boot partition:

Command: n ↵
Partition Number: 1 ↵
First sector: 
Last sector: +128M ↵
Hex Code: EF00 ↵

Create partition which will be encrypted with LUKS:

Command: n ↵
Partition Number: 2 ↵
First sector: 
Last sector:  (for rest of disk)
Hex Code: 

(Optional) Create disk labels:

Command: c ↵
Partition Number: 1
Enter name: BOOT 
Command: c ↵
Partition Number: 2
Enter name: ROOT

Write Partition Table To Disk:

Command: w ↵
Do you want to proceed? (Y/N): Y ↵

The partition table will now be written to the disk and gdisk will close.

Create filesystems

Create /boot filesystem

For BIOS systems

root # mkfs.ext2 /dev/sdX1

For UEFI systems

root # mkfs.vfat -F 32 /dev/sdX1

Create LUKS encrypted volume

   Note

Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.

   Warning

The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.

root # cryptsetup luksFormat /dev/sdX2

Open newly created LUKS volume

root # cryptsetup open /dev/sdX2 root

Create LVM volumes for / and swap

root # pvcreate /dev/mapper/root
root # vgcreate vg /dev/mapper/root
   Note

Replace "16G" with the amount of swap you would like to make available.

root # lvcreate -L16G --name swap vg
root # lvcreate -l 100%FREE --name root vg
   Note

The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.

Create filesystems on LVM volumes

root # mkswap /dev/mapper/vg-swap
root # swapon /dev/mapper/vg-swap
root # mkfs.ext4 /dev/mapper/vg-root

Create directories for chroot

root # mkdir -p /mnt/funtoo

Mount filesystems

root # mount /dev/mapper/vg-root /mnt/funtoo
root # mkdir /mnt/funtoo/boot
root # mount /dev/sdX1 /mnt/funtoo/boot

Set the date

   Note

See the official Funtoo docs on setting the date.

Download and extract stage3

   Note

See the official Funtoo docs on downloading and extracting stage3.

Chroot into your new system

   Note

See the official Funtoo docs on chrooting into your new system if you are using a LiveCD or USB media other than Funtoo to install Funtoo.

root # fchroot /mnt/funtoo /bin/bash --login

Configure your system

Set a new root password

root # passwd

Set hostname

root # echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname

Set your timezone

root # ln -sf /usr/share/zoneinfo/YOUR/TIMEZONE /etc/localtime

Note your filesystem information

root # blkid
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"

Configure /etc/fstab

   Note

The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.

root # cat > /etc/fstab << 'EOF'
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
EOF

Create /etc/crypttab

   Note

The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.

root # echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab

Create /etc/dmtab

root # dmsetup table >> /etc/dmtab

Portage

Download the portage tree

root # ego sync

Change your ego profile to include encrypted root support

root # epro mix-in encrypted-root

Edit package USE-flags

root # cat > /etc/portage/package.use <<'EOF'
*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF

Install necessary packages

root # emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool

Configure services to start at boot

root # rc-update add device-mapper sysinit
root # rc-update add dmcrypt sysinit
root # rc-update add lvmetad sysinit
root # rc-update add haveged default
root # rc-update add busybox-ntpd default

Install a bootloader

Configure /etc/boot.conf

   Note

The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.

root # cat > /etc/boot.conf <<'EOF'
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}
"Funtoo Linux" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
EOF

Install GRUB

For BIOS systems

root # grub-install --target=i386-pc --no-floppy /dev/sdX
root # ego boot update

For UEFI systems

root # mount -o remount,rw /sys/firmware/efi/efivars
root # grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
   Note

For 32 bit systems, the command should instead be:

root # grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
root # ego boot update

Generate a new initramfs

root # genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs

Finishing installation

From this point, you should be able to finish following the official Funtoo Linux install instructions

Managing your LUKS volume

Change your LUKs-encrypted drive's passphrase You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:

root # cryptsetup luksChangeKey /dev/sdX2

You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.

Additional links and information