How to encrypt whole filesystem on Gentoo using LUKS

I struggled for days following the outdated and incorrect Gentoo wiki page: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS

Finally I figured out how to do it, so I will share it here for future reference. This guide, however, may not work on future Gentoo versions.

Note that the main difference from the Gentoo wiki's suggestions is that the disk is formatted with the key supplied on stdin (the -d - option), because that is how an initramfs generated by dracut or genkernel opens it at boot: the keyfile is decrypted with gpg and piped into cryptsetup. A key read with -d is used exactly as read, trailing newline included, so the format and every later open must feed cryptsetup the same bytes the same way.

Setup:

In this guide I have 1 physical disk with 2 partitions:
/dev/sda1 for /boot (left unencrypted; the initramfs and the gpg-wrapped keyfile live here)
/dev/sda2 for LUKS, with LVM inside it holding 2 LVs:
* root - /
* swap

Step 1:

Make a full backup of the current system first (separate from the image you will restore in Step 3); everything on /dev/sda2 is about to be wiped.

Step 2:

Before you reboot, prepare your initramfs so it can open a LUKS volume. I use dracut. There is a good chance you won't boot after encrypting, so also pack in the tools you will want for debugging:

dracut -a crypt --install "bash vim"

dracut's crypt-gpg module is what decrypts key.gpg at boot, so make sure gpg is installed before running this, and check with lsinitrd that both cryptsetup and gpg ended up in the image. /boot on /dev/sda1 is not touched by the encryption, so this initramfs survives the following steps.

Step 3:

Boot from a live CD and make a raw image of your root filesystem (dd produces a raw block copy, not an ISO, whatever the extension says):

dd if=<device> of=original_fs.iso bs=4M status=progress

Store it on an external disk with at least as much free space as the device you are imaging.

Step 4:

Create the keyfile that will unlock the filesystem. It will be stored on the unencrypted /boot partition, protected by a gpg passphrase, so the disk is only as safe as that passphrase; the raw key itself never hits the disk unencrypted, only the gpg-wrapped copy does:

openssl rand -base64 48 | gpg --symmetric --cipher-algo aes --armor > key.gpg

Step 5:

Encrypt sda2. This wipes all data on it. Copy key.gpg to the /boot partition first (the command reads it from there); gpg asks for the passphrase of key.gpg and cryptsetup takes the decrypted key from stdin because of -d -. Afterwards cryptsetup luksDump /dev/sda2 should show the new header with one key slot enabled:

gpg -qd /boot/key.gpg | cryptsetup luksFormat -d - /dev/sda2

Step 6:

Open the LUKS device (gpg -qd /boot/key.gpg | cryptsetup luksOpen -d - /dev/sda2 cryptroot), create the PV, VG and the two LVs (root and swap) on /dev/mapper/cryptroot, then restore the filesystem into the root LV. The LV must be at least as large as the image, otherwise dd stops with "No space left on device":

dd if=original_fs.iso of=/dev/mapper/vg-root bs=4M status=progress

Step 7:

Mount the restored root filesystem, and /boot under it:

mount /dev/vg/root /mnt
mount /dev/sda1 /mnt/boot

Now update /mnt/etc/fstab so that / is /dev/vg/root, swap is /dev/vg/swap and /boot is /dev/sda1.

Step 8:

Update /etc/default/grub (GRUB_CMDLINE_LINUX) with the kernel parameters below, then regenerate grub.cfg (grub-mkconfig -o /boot/grub/grub.cfg from a chroot into /mnt). The UUID comes from blkid -s UUID -o value /dev/sda2; rd.luks.key names the keyfile, the device it sits on and the device it unlocks:

rd.luks.uuid=<UUID of /dev/sda2> rd.luks.key=key.gpg:/dev/sda1:/dev/sda2

Now reboot and pray. It may fail; if you wait about 5 minutes, dracut gives up waiting for the root device and falls into its recovery console (adding rd.shell to the kernel parameters makes sure it does), which you can use to investigate what is wrong: try to open the device by hand with gpg -qd and cryptsetup luksOpen -d -, then activate the volume group with vgchange -ay.
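The whole procedure from Step 4 to Step 8, including the Step 2 initramfs check, as one script. This is an added example, not code from the original post, written for the layout in "Setup" (/dev/sda1 = /boot, /dev/sda2 = LUKS with LVM inside). The VG and LV names vg, root and swap, the swap size, the image path, the temporary mount point and the initramfs file name are assumptions; it also adds two recovery steps the post does not mention (a passphrase in a second key slot and a LUKS header backup). It destroys /dev/sda2 and runs the destructive part only when invoked with --apply.

```shell
#!/bin/bash
# Added example, not code from the original post. Run as root from the live CD
# after Steps 1-3. DESTROYS /dev/sda2. VG/LV names, swap size, image path and
# mount points below are assumptions; only "--apply" runs the destructive part.
set -eu

CRYPT_DEV=/dev/sda2                      # becomes the LUKS container
BOOT_DEV=/dev/sda1                       # unencrypted /boot, also holds key.gpg
BOOT_MNT=/tmp/bootpart                   # temporary mount of /boot on the live CD
VG=vg
SWAP_SIZE=4G                             # assumption
IMAGE=/run/media/backup/original_fs.iso  # raw dd image from Step 3 (assumed path)
KEYNAME=key.gpg

# Kernel parameters Step 8 puts into GRUB_CMDLINE_LINUX.
# dracut syntax: rd.luks.key=<keypath>:<keydev>:<luksdev>
luks_cmdline() {
    local uuid=$1 keypath=$2 keydev=$3 luksdev=$4
    printf 'rd.luks.uuid=%s rd.luks.key=%s:%s:%s' "$uuid" "$keypath" "$keydev" "$luksdev"
}

# fstab entries for Step 7; filesystem types are passed in, never guessed.
fstab_lines() {
    local vg=$1 bootdev=$2 rootfs=$3 bootfs=$4
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "/dev/$vg/root" /     "$rootfs" noatime "0 1" \
        "/dev/$vg/swap" none  swap      sw      "0 0" \
        "$bootdev"      /boot "$bootfs" noatime "1 2"
}

# Step 2 check: without cryptsetup and gpg (dracut's crypt-gpg module) in the
# initramfs, key.gpg cannot be decrypted at boot and the root is never found.
check_initramfs() {
    local listing
    listing=$(lsinitrd "$1")
    case $listing in *cryptsetup*) ;; *) return 1 ;; esac
    case $listing in *gpg*) ;; *) return 1 ;; esac
}

# Step 4: the raw key exists only inside the pipe; the gpg-wrapped copy is
# written straight onto /boot. gpg asks for the passphrase you will type at boot.
make_keyfile() {
    openssl rand -base64 48 | gpg --symmetric --cipher-algo AES256 --armor --output "$1"
}

# Step 5: key on stdin (-d -). The bytes cryptsetup reads here, trailing newline
# included, ARE the key, so every later open must feed the same bytes the same
# way; dracut does exactly gpg -d ... | cryptsetup -d -.
luks_format_and_open() {
    local key=$1
    gpg -qd "$key" >/dev/null || { echo "cannot decrypt $key" >&2; return 1; }
    gpg -qd "$key" | cryptsetup luksFormat --batch-mode -d - "$CRYPT_DEV"
    gpg -qd "$key" | cryptsetup luksOpen -d - "$CRYPT_DEV" cryptroot
    # Recovery path: a passphrase in a second key slot (prompted interactively)
    # and a header backup, so losing key.gpg or its passphrase is survivable.
    gpg -qd "$key" | cryptsetup luksAddKey -d - "$CRYPT_DEV"
    cryptsetup luksHeaderBackup "$CRYPT_DEV" --header-backup-file "$(dirname "$IMAGE")/luks-header.img"
}

# Step 6: LVM inside the container, then the raw restore. The root LV must be
# at least as large as the image or dd stops with "No space left on device".
lvm_and_restore() {
    pvcreate /dev/mapper/cryptroot
    vgcreate "$VG" /dev/mapper/cryptroot
    lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    lvcreate -l 100%FREE -n root "$VG"
    mkswap "/dev/$VG/swap"
    dd if="$IMAGE" of="/dev/$VG/root" bs=4M status=progress conv=fsync
    blkid "/dev/$VG/root"                # should report the restored filesystem
}

main() {
    mkdir -p "$BOOT_MNT" && mount "$BOOT_DEV" "$BOOT_MNT"
    for img in "$BOOT_MNT"/initramfs-*.img; do
        check_initramfs "$img" || { echo "$img lacks cryptsetup/gpg; redo Step 2" >&2; exit 1; }
    done
    make_keyfile "$BOOT_MNT/$KEYNAME"
    luks_format_and_open "$BOOT_MNT/$KEYNAME"
    lvm_and_restore
    umount "$BOOT_MNT"
    # Step 7
    mount "/dev/$VG/root" /mnt && mount "$BOOT_DEV" /mnt/boot
    cp /mnt/etc/fstab /mnt/etc/fstab.pre-luks
    fstab_lines "$VG" "$BOOT_DEV" "$(blkid -s TYPE -o value "/dev/$VG/root")" \
                "$(blkid -s TYPE -o value "$BOOT_DEV")" > /mnt/etc/fstab
    # Step 8: /etc/default/grub is sourced by grub-mkconfig, so this later
    # assignment wins; copy parameters from any existing GRUB_CMDLINE_LINUX into it.
    uuid=$(blkid -s UUID -o value "$CRYPT_DEV")
    echo "GRUB_CMDLINE_LINUX=\"$(luks_cmdline "$uuid" "$KEYNAME" "$BOOT_DEV" "$CRYPT_DEV")\"" \
        >> /mnt/etc/default/grub
    mount --bind /dev /mnt/dev; mount -t proc proc /mnt/proc; mount -t sysfs sys /mnt/sys
    chroot /mnt grub-mkconfig -o /boot/grub/grub.cfg
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Two design points: the passphrase check before luksFormat exists because without it a failed gpg decryption would hand cryptsetup an empty stdin, and luksAddKey plus luksHeaderBackup are there because a keyfile on /boot is one corrupted partition away from locking you out of your own disk.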

1 Comment

Hi Peter,

I am a PhD student in Hong Kong. We used to run a 7-machine private cloud to provide a cloud-based simulation service to our lab mates. However, our NAS crashed recently, and we lost the XVP Appliance web platform that hosted the management interface for lab mates. I found that the XVP Appliance project website (www.xvpsource.org) has been shut down. Therefore, unfortunately, we cannot find the download link for the XVP Appliance VM image. I saw that you recently asked a question on the GitHub page of XVP Appliance. I would therefore appreciate it if you could share the XVPAppliance VM image with me, if you still have it. Thanks a lot!!!

Yuxuan
