I struggled for days following the outdated and incorrect Gentoo wiki: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
Finally I figured out how to do it, so I will share it here for future reference. This guide, however, may not work on future Gentoo versions.
Note that the primary difference from the suggestions on the Gentoo wiki is that the disk is encrypted with the "-d -" option (key read from standard input), which is necessary for it to work with a dracut- or genkernel-generated initramfs, since those always use that option to open it.
In this guide I have 1 physical disk with 2 partitions:
/dev/sda1 for /boot
/dev/sda2 for LVM with 2 LVs:
* root - /
* swap
Create an image of the whole current filesystem for backup purposes
Before you reboot, prepare your initramfs so that it is ready to work with LUKS (I am using dracut). There is a high chance you won't boot after encrypting, so prepare it for debugging as well:
dracut -a crypt --install "bash vim"
Create an image of your root fs (boot from a livecd):
dd if=<device> of=original_fs.iso
Store it on an external disk.
Create a keyfile that you will need to decrypt the filesystem. You can store this file on the /boot partition, since it is itself encrypted with a password:
openssl rand -base64 48 | gpg --symmetric --cipher-algo aes --armor > key.gpg
Encrypt sda2; this will wipe all data on it:
gpg -qd /boot/key.gpg | cryptsetup luksFormat -d - /dev/sda2
Open the encrypted device and set up the LVs
gpg -qd /boot/key.gpg | cryptsetup luksOpen -d - /dev/sda2 encrypted
vgcreate vg /dev/mapper/encrypted
lvcreate vg -n root -L <size>
lvcreate vg -n swap -L <size>
Restore the fs (the root LV must be at least as large as the filesystem image you are writing into it):
dd if=original_fs.iso of=/dev/mapper/vg-root
mount /dev/vg/root /mnt
Now update /etc/fstab so that / and swap point at the new LVs (/dev/vg/root and /dev/vg/swap)
Update /etc/default/grub so that GRUB_CMDLINE_LINUX includes these kernel parameters (and regenerate grub.cfg so they take effect):
rd.luks.uuid=<UUID of /dev/sda2> rd.luks.key=key.gpg:/dev/sda1:/dev/sda2
Now reboot and pray. It may fail; if you wait about 5 minutes, dracut might drop into its recovery console, which you can use to investigate what is wrong: try to mount the device by hand.
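Before rebooting, a pre-flight script like the one below (an added example, not part of the original guide) checks the pieces the boot path depends on: the rd.luks.* parameters in /etc/default/grub against the LUKS UUID of /dev/sda2, the dracut modules present in the initramfs, the root entry in /etc/fstab, and whether key.gpg really unlocks a keyslot. The check functions take captured text as arguments so they can be exercised offline; the file name preflight.sh and the "live" argument are assumptions.

```sh
#!/bin/sh
# Pre-reboot sanity checks for the LUKS + LVM + dracut layout used in this guide.
# Added example, not part of the original guide. Assumes the guide's layout:
# LUKS on /dev/sda2, key.gpg in the root of /dev/sda1 (/boot), root LV /dev/vg/root.
# Each check takes text as its argument so it can be run against captured output;
# "sh preflight.sh live" (hypothetical file name) gathers that text from the system.

# 0 when the kernel command line carries rd.luks.uuid= matching $2 (with or
# without dracut's "luks-" prefix) and rd.luks.key= equal to $3.
cmdline_ok() {
    c_uuid_ok=1 c_key_ok=1
    for c_word in $1; do
        case $c_word in
            rd.luks.uuid="$2"|rd.luks.uuid=luks-"$2") c_uuid_ok=0 ;;
            rd.luks.key="$3") c_key_ok=0 ;;
        esac
    done
    [ "$c_uuid_ok" -eq 0 ] && [ "$c_key_ok" -eq 0 ]
}

# 0 when lsinitrd output lists every dracut module this boot path needs:
# crypt (LUKS), crypt-gpg (decrypts key.gpg), dm and lvm (the vg-root mapping).
initrd_ok() {
    i_mods=$(printf '%s\n' "$1" | sed -n '/^dracut modules:/,/^=\{10,\}/p')
    for i_m in crypt crypt-gpg dm lvm; do
        printf '%s\n' "$i_mods" | grep -qx "$i_m" || return 1
    done
}

# 0 when the fstab text mounts / from the root LV under either of its device paths.
fstab_ok() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/" &&
        ($1 == "/dev/vg/root" || $1 == "/dev/mapper/vg-root") { ok = 1 }
        END { exit !ok }'
}

if [ "$1" = live ]; then
    l_uuid=$(cryptsetup luksUUID /dev/sda2)
    l_cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/p' /etc/default/grub)
    cmdline_ok "$l_cmdline" "$l_uuid" key.gpg:/dev/sda1:/dev/sda2 \
        || echo "grub: rd.luks.uuid/rd.luks.key missing or not matching /dev/sda2"
    initrd_ok "$(lsinitrd)" || echo "initramfs: crypt, crypt-gpg, dm or lvm module missing"
    fstab_ok "$(cat /etc/fstab)" || echo "fstab: / is not on the vg-root LV"
    # Verify the key on /boot opens a keyslot without creating a device mapping.
    gpg -qd /boot/key.gpg | cryptsetup luksOpen --test-passphrase -d - /dev/sda2 \
        && echo "key.gpg unlocks /dev/sda2" || echo "key.gpg does NOT unlock /dev/sda2"
fi
```

Run it as root as "sh preflight.sh live" from the restored system (or from the livecd after chrooting into /mnt); every line it prints is a reason the next boot will stop in the dracut console.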