Hey there!


How to encrypt whole filesystem on Gentoo using LUKS

I struggled for days following the outdated and incorrect Gentoo wiki page: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS

Finally I figured out how to do it, so I will share it here for future reference. This guide, however, may not work on future Gentoo versions.

Note that the primary difference from the suggestions on the Gentoo wiki is that the disk is encrypted with the -d - option (key read from stdin as a keyfile). This is necessary for it to work with a dracut- or genkernel-generated initramfs, which always uses that option to open the device.

Setup:

In this guide I have 1 physical disk with 2 partitions:
/dev/sda1 for /boot
/dev/sda2 for LVM with 2 LVs:
* root – /
* swap

Step 1:

Create an image of the whole current filesystem for backup purposes.

Step 2:

Before you reboot, prepare your initramfs so that it is ready to work with LUKS. I am using dracut. There is a high chance you won't boot after encrypting, so prepare it for debugging as well:

dracut -a crypt --install "bash vim"

Step 3:

Create an image of your root fs (boot from a live CD):

dd if=<device> of=original_fs.iso

Store it on an external disk.

Step 4:

Create the keyfile you will need to decrypt the filesystem. You can store this file on the /boot partition, since it is itself encrypted with a password:

openssl rand -base64 48 | gpg --symmetric --cipher-algo aes --armor > key.gpg

Step 5:

Encrypt sda2; this will wipe all data on it:

gpg -qd /boot/key.gpg | cryptsetup luksFormat -d - /dev/sda2

Step 6:

Open the encrypted device with cryptsetup and set up the LVM volume group with the root and swap LVs.

Restore the fs:

dd if=original_fs.iso of=/dev/mapper/vg-root

Step 7:

Mount the fs:

mount /dev/vg/root /mnt

Now update /etc/fstab in the mounted root so that / and swap point at the new LVs (/dev/vg/root and /dev/vg/swap) and /boot at /dev/sda1.

Step 8:

Update /etc/default/grub and add the kernel parameters:

rd.luks.uuid=<UUID of /dev/sda2> rd.luks.key=key.gpg:/dev/sda1:/dev/sda2

Now reboot and pray. It may fail; if you wait about 5 minutes, dracut might drop into its recovery console, which you can use to investigate what is wrong: try to open and mount the device by hand.
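As an added example that is not part of the original post, here is a small POSIX shell script to run before the reboot at the end of Step 8. It assembles the two dracut parameters from the UUID, checks that rd.luks.key has its three fields and that the key device is not the LUKS device itself (Step 8), and flags any /etc/fstab entry that still points at the raw /dev/sda2 instead of the LVs (Step 7). The UUID, the device names and the sample fstab are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot sanity checks for the
# fstab (Step 7) and the dracut kernel parameters (Step 8). Device names,
# UUIDs and the key file name below are constructed placeholders.

# Print the two dracut parameters used in Step 8.
# Usage: luks_cmdline <luks-uuid> <key-file> <key-device> <luks-device>
luks_cmdline() {
    printf 'rd.luks.uuid=%s rd.luks.key=%s:%s:%s\n' "$1" "$2" "$3" "$4"
}

# Succeed only if $1 has the canonical 8-4-4-4-12 hex UUID layout.
is_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the value of parameter $2 (e.g. rd.luks.key) from kernel command line $1.
cmdline_value() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        awk -v p="$2=" 'index($0, p) == 1 { print substr($0, length(p) + 1); exit }'
}

# Check a GRUB_CMDLINE_LINUX value for the mistakes that leave the box at the
# dracut prompt: report each on stderr, return the number found (0 = consistent).
check_cmdline() {
    problems=0
    uuid=$(cmdline_value "$1" rd.luks.uuid)
    key=$(cmdline_value "$1" rd.luks.key)
    if [ -z "$uuid" ]; then
        echo "missing rd.luks.uuid" >&2; problems=$((problems + 1))
    elif ! is_uuid "$uuid"; then
        echo "rd.luks.uuid is not a well-formed UUID: $uuid" >&2; problems=$((problems + 1))
    fi
    if [ -z "$key" ]; then
        echo "missing rd.luks.key" >&2; problems=$((problems + 1))
    else
        # Expected form from Step 8: <keypath>:<keydev>:<luksdev>
        nfields=$(printf '%s\n' "$key" | awk -F: '{ print NF }')
        keydev=$(printf '%s\n' "$key" | cut -d: -f2)
        luksdev=$(printf '%s\n' "$key" | cut -d: -f3)
        if [ "$nfields" -ne 3 ]; then
            echo "rd.luks.key should have three colon-separated fields: $key" >&2
            problems=$((problems + 1))
        elif [ "$keydev" = "$luksdev" ]; then
            echo "key device equals the LUKS device; the key would sit inside the volume it unlocks" >&2
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Flag fstab entries whose device field is the raw LUKS partition $1.
# $2 is the fstab text; offending lines go to stderr, return 1 if any.
check_fstab() {
    bad=$(printf '%s\n' "$2" | awk -v d="$1" '!/^[ \t]*#/ && NF >= 2 && $1 == d')
    [ -z "$bad" ] && return 0
    printf 'fstab still references the raw LUKS partition:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample values for a stand-alone run.
SAMPLE_UUID=2f7c1d3a-5b6e-4f80-9a1b-0c2d3e4f5a6b
SAMPLE_FSTAB='# <fs>        <mountpoint> <type> <opts>         <dump/pass>
/dev/sda1     /boot        ext2   noauto,noatime 1 2
/dev/vg/root  /            ext4   noatime        0 1
/dev/vg/swap  none         swap   sw             0 0'

if check_cmdline "$(luks_cmdline "$SAMPLE_UUID" key.gpg /dev/sda1 /dev/sda2)" &&
   check_fstab /dev/sda2 "$SAMPLE_FSTAB"; then
    echo "pre-reboot checks passed"
fi
```

On the real system, feed check_cmdline the GRUB_CMDLINE_LINUX value from /etc/default/grub and check_fstab the contents of the mounted /mnt/etc/fstab, and compare the UUID against the output of blkid for /dev/sda2 by hand; the script deliberately touches no devices itself.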