User talk:Pnoecker/full disk encryption

FAFO keyfile decryption

root # mkdir /etc/keys
root # dd if=/dev/urandom of=/etc/keys/enc.key bs=1 count=4096
root # cryptsetup luksAddKey /dev/sdX3 /etc/keys/enc.key

then setup grub to load the key file, or initramfs or something? does anybody do this?

Beta testing process of booting Funtoo off a LUKS encrypted volume with the new experimetnal luks ramdisk plugin:
git clone https://code.funtoo.org/bitbucket/scm/~siris/funtoo-ramdisk.git somewhere on your Funtoo system or LiveCD or VM install (I do it as the root user in the root user's home directory for easy pathing)
cd into the cloned repo's directory and run git checkout FL-11023/luks-ramdisk-plugin-v1 to switch to the active PR's branch containing the working ramdisk plugin code
Make sure you have built sys-kernel/debian-sources with the default USE flags (luks and lvm should be disabled) -- This key here is this kernel already generates a ramdisk using funtoo-ramdisk by default
Once the kernel is emerged or if you already have it emerged change to the root user: sudo su - or login to root
mount /boot
Regen the ramdisk with these exact flags and use the path to the git cloned branched ramdisk bin: /root/funtoo-ramdisk/bin/ramdisk --force --plugins=core,luks,lvm initramfs-debian-sources-x86_64-6.5.10_p1
Determine the UUID of the LUKS encrypted partition with blkid | grep crypto
Edit the /etc/boot.conf and add these new kernel boot params to your primary kernel entry: crypt_root=UUID={UUID from the step 7} and ramdisk.activate=luks,lvm (Note: {UUID from the step 7} is a placeholder variable, replace the entire string including curly braces with a correct UUID)
Regenerated a new GRUB config with ego boot
Reboot