Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "User:Pnoecker/full disk encryption"

From Funtoo
Jump to navigation Jump to search
(→‎UEFI Partitioning: fix biosboot and esp partitions.)
(→‎Traditional Method: -p mkdir, don't warn if already exists)
 
(47 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This howto describes how to setup LVM, boot, swap, and root with dmcrypt LUKS 1 with grub unlocking the encrypted drive. It is a standalone installation walk through, loosely based on the official installations finished product.
This howto describes how to setup LVM, boot, swap, and root with dmcrypt LUKS 1 with grub unlocking the encrypted drive. It is a standalone installation walk through, loosely based on the official installations finished product.


{{warning| You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!}}
{{warning|You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!}}
 
*standard lvm install without encryption can be found here: https://www.funtoo.org/User:Pnoecker/standard_install


== Prepare the hard drive and partitions ==
== Prepare the hard drive and partitions ==
Line 81: Line 83:
First sector: ##i##↵
First sector: ##i##↵
Last sector: ##i##↵##!i## (for rest of disk)
Last sector: ##i##↵##!i## (for rest of disk)
Hex Code: ##i##
Hex Code: ##i## 8309↵
}}
}}


Line 93: Line 95:


==Create and mount filesystems.==
==Create and mount filesystems.==
'''Create /boot filesystem '''
'''Create esp filesystem '''
====For BIOS systems====
 
{{console|body=# ##i##mkfs.ext2 /dev/sdX1}}
{{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX2}}
 
*label esp system for fstab later on:
 
{{console|body=# ##i##fatlabel /dev/sdX2 "EFI"}}


====For UEFI systems====
{{console|body=# ##i##mkfs.vfat -F 32 /dev/sdX1}}


'''Create LUKS encrypted volume'''
'''Create LUKS encrypted volume'''
{{Note| Cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot.}}
{{Warning|The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}}
{{Warning| The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.}}


{{console|body=
{{console|body=
# ##i##cryptsetup luksFormat /dev/sdX2
# ##i##cryptsetup luksFormat --type luks1 /dev/sdX3
}}
}}


'''Open newly created LUKS volume'''
'''Open newly created LUKS volume'''
{{console|body=# ##i##cryptsetup open /dev/sdX2 root}}
{{console|body=# ##i##cryptsetup open /dev/sdX3 root}}


'''Create LVM volumes for / and swap'''
'''Create LVM volumes for / and swap'''
{{console|body=# ##i##pvcreate /dev/mapper/root}}
{{console|body=# ##i##pvcreate /dev/mapper/root}}
{{console|body=# ##i##vgcreate vg /dev/mapper/root}}
{{console|body=# ##i##vgcreate vg /dev/mapper/root}}
{{Note|Replace "16G" with the amount of swap you would like to make available.}}
{{Note|Replace "2G" with the amount of swap you would like to make available.}}
{{console|body=# ##i##lvcreate -L16G --name swap vg}}
{{console|body=# ##i##lvcreate -L2G --name swap vg}}
{{console|body=# ##i##lvcreate -l 100%FREE --name root vg}}
{{console|body=# ##i##lvcreate -l 100%FREE --name root vg}}
{{Note|The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.}}
{{Note|The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.}}
Line 121: Line 124:
'''Create filesystems on LVM volumes'''
'''Create filesystems on LVM volumes'''
{{console|body=# ##i##mkswap /dev/mapper/vg-swap}}
{{console|body=# ##i##mkswap /dev/mapper/vg-swap}}
*for ext4:
{{console|body=# ##i##mkfs.ext4 /dev/mapper/vg-root}}
{{console|body=# ##i##mkfs.ext4 /dev/mapper/vg-root}}
*for xfs:
{{console|body=# ##i##mkfs.xfs /dev/mapper/vg-root}}


'''Create directories for chroot'''
'''Create directories for chroot'''
Line 128: Line 134:
==Mount filesystems==
==Mount filesystems==
{{console|body=# ##i##mount /dev/mapper/vg-root /mnt/funtoo}}
{{console|body=# ##i##mount /dev/mapper/vg-root /mnt/funtoo}}
{{console|body=# ##i##mkdir /mnt/funtoo/boot}}
{{console|body=# ##i##mount /dev/sdX1 /mnt/funtoo/boot}}
{{console|body=# ##i##mkdir /mnt/funtoo/proc}}
{{console|body=# ##i##mount -t proc none /mnt/funtoo/proc}}
{{console|body=# ##i##mkdir /mnt/funtoo/dev}}
{{console|body=# ##i##mount --rbind /dev /mnt/funtoo/dev}}
{{console|body=# ##i##mkdir /mnt/funtoo/sys}}
{{console|body=# ##i##mount --rbind /sys /mnt/funtoo/sys}}


==Set the date==
==Set the date==
Line 141: Line 139:


==Install the Funtoo starge tarball of your choice==
==Install the Funtoo starge tarball of your choice==
{{Note|These instructions will be using the ''intel-haswell'' minimal stage3. You should adjust them accordingly}}
{{Note|These instructions will be using the ''generic64 next'' minimal stage3. You should adjust them accordingly.}}
*[[Generic_64]]
or a stage more closely aligned to your hardware:
*[[Subarches]]
or funtoo from scratch generated stages:
*[https://area31.host.funtoo.org/ffs/stages/ FFS BRUH]


{{console|body=# ##i##cd /mnt/funtoo}}
{{console|body=# ##i##cd /mnt/funtoo}}
{{console|body=# ##i##wget https://build.funtoo.org/1.4-release-std/x86-64bit/intel64-haswell/2021-03-10/stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz}}
{{console|body=# ##i##wget https://build.funtoo.org/next/x86-64bit/generic_64/2022-09-13/stage3-generic_64-next-2022-09-13.tar.xz}}
{{console|body=# ##i##tar --numeric-owner --xattrs --xattrs-include='*' -xpf stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz && rm -f stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz}}
{{console|body=# ##i##tar --numeric-owner --xattrs --xattrs-include='*' -xpf *stage3*.tar.xz && rm -f *stage3*.tar.xz}}


==Chroot into your new system==
==Chroot into your new system==
{{console|body=# ##i##env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo bash -l}}
===Traditional Method===
{{console|body=# ##i##mkdir -p /mnt/funtoo/proc}}
{{console|body=# ##i##mount -t proc none /mnt/funtoo/proc}}
{{console|body=# ##i##mkdir -p /mnt/funtoo/dev}}
{{console|body=# ##i##mount --rbind /dev /mnt/funtoo/dev}}
{{console|body=# ##i##mkdir -p /mnt/funtoo/sys}}
{{console|body=# ##i##mount --rbind /sys /mnt/funtoo/sys}}
{{console|body=# ##i##env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo /bin/bash -l}}
 
===Fchroot Method===
{{console|body=# ##i##fchroot .}}


==Configure your system==
==Configure your system==
Line 155: Line 168:


'''Set hostname'''
'''Set hostname'''
{{console|body=# ##i##echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname}}
{{console|body=# ##i##echo 'hostname="FullEncryption"' > /etc/conf.d/hostname}}


'''Set up DNS resolution'''
'''Set up DNS resolution'''
Line 167: Line 180:
{{console|body=# ##i##blkid}}
{{console|body=# ##i##blkid}}
{{console|body=
{{console|body=
/dev/sdX1: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/sdX3: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
Line 174: Line 187:


'''Configure /etc/fstab'''
'''Configure /etc/fstab'''
{{Note|The UUID parameter is set to the UUID of your boot partition as found from the blkid command above.}}
*if installing to xfs change ext4 to xfs
{{console|body=# ##i##cat > /etc/fstab << 'EOF'
{{console|body=# ##i##cat > /etc/fstab << 'EOF'
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /var/tmp/portage tmpfs uid=portage,gid=portage,mode=775,noatime 0 0
LABEL=EFI /boot/efi vfat umask=0077 0 1
EOF}}
EOF}}
'''compile in ram:'''
{{console|body=
###i## mkdir /var/tmp/portage
###i## chown portage:portage /var/tmp/portage
###i## mount /var/tmp/portage
}}
'''or exclude compiling in ram if your machine's not powerful enough:'''
{{console|body=
###i## umount /var/tmp/portage
}}


'''Create /etc/crypttab'''
'''Create /etc/crypttab'''
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
{{Note|The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.}}
{{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}}
{{console|body=# ##i##echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab}}
'''Create /etc/dmtab'''
{{console|body=# ##i##dmsetup table >> /etc/dmtab}}


==Portage==
==Portage==
'''Download the portage tree'''
'''Download the portage tree'''
{{console|body=# ##i##ego sync}}
{{console|body=# ##i##ego sync}}
'''Change your ego profile to include encrypted root support'''
{{console|body=# ##i##epro mix-in encrypted-root}}


'''Edit package USE-flags'''
'''Edit package USE-flags'''
{{console|body=# ##i##cat > /etc/portage/package.use <<'EOF'
{{console|body=# ##i##cat > /etc/portage/package.use <<'EOF'
*/* device-mapper lvm luks
*/* device-mapper
sys-kernel/linux-firmware initramfs
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
sys-fs/cryptsetup -dynamic
Line 203: Line 223:


'''Install necessary packages'''
'''Install necessary packages'''
{{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool}}
{{console|body=# ##i##emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 iucode_tool shim mokutil}}
 
'''Update as much world as possible (optional)'''
{{console|body=# ##i##emerge -avuND @world --keep-going}}


'''Configure services to start at boot'''
'''Configure services to start at boot'''
Line 211: Line 234:
{{console|body=# ##i##rc-update add haveged default}}
{{console|body=# ##i##rc-update add haveged default}}
{{console|body=# ##i##rc-update add busybox-ntpd default}}
{{console|body=# ##i##rc-update add busybox-ntpd default}}
'''Create /etc/dmtab'''
{{console|body=# ##i##dmsetup table >> /etc/dmtab}}


==Install a bootloader==
==Install a bootloader==
'''Configure /etc/boot.conf'''
'''Configure /etc/boot.conf'''
{{Note|The UUID parameter is set to the UUID of /dev/sdX2 as found from the blkid command above.}}
{{Note|The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.}}
{{console|body=# ##i##cat > /etc/boot.conf <<'EOF'
{{console|body=# ##i##cat > /etc/boot.conf <<'EOF'
boot {
boot {
Line 224: Line 250:
     kernel kernel[-v]
     kernel kernel[-v]
     initrd initramfs[-v]
     initrd initramfs[-v]
     params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
     params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 ramdisk.activate=luks,lvm real_root=auto rootfstype=auto resume=/dev/mapper/vg-swap quiet
}
}
EOF}}
EOF}}


'''Install GRUB'''
'''Install GRUB'''
====For BIOS systems====
====For BIOS systems & UEFI legacy mode support====
{{console|body=# ##i##echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub}}
{{console|body=# ##i##grub-install --target=i386-pc --no-floppy /dev/sdX}}
{{console|body=# ##i##grub-install --target=i386-pc --no-floppy /dev/sdX}}
{{console|body=# ##i##ego boot update}}


====For UEFI systems====
====For UEFI systems====
{{console|body=# ##i##mount -o remount,rw /sys/firmware/efi/efivars}}
{{console|body=# ##i##mount -o remount,rw /sys/firmware/efi/efivars}}
{{Note|For 32 bit systems, the following command should be changed to:
{{console|body=# ##i##grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}}}
{{console|body=# ##i##grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX}}
{{console|body=# ##i##ego boot update}}


'''Generate a new initramfs'''
==Install grub & shim==
 
*load efi directory:
{{console|body=
###i## mkdir /boot/efi
###i## mount /boot/efi
}}
 
*generate a sbat file to install with grub:
{{console|body=
###i## cat > /usr/share/grub/sbat.csv << EOF
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
EOF
}}
 
===64bit systems===
{{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX}}
 
{{console|body=
###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/Funtoo
}}
 
*For usb keys & removable drives:
{{console|body=# ##i##grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX}}
 
{{console|body=
###i## cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/BOOT
}}
 
===32bit systems===
{{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX}}
 
{{console|body=
###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/Funtoo
}}
 
*For usb keys & removable drives:
{{console|body=# ##i##grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX}}
 
{{console|body=
###i## cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/BOOT
}}
 
====Generate Grub menu====
 
'''Generate a new initramfs that supports encryption'''
{{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}}
{{console|body=# ##i##genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* {{!}} tail -c +17) initramfs}}
====Generate Grub menu====
{{console|body=# ##i##ego boot update}}


==Finishing installation==
==Finishing installation==
Line 256: Line 327:
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase.
You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase.
You will not be asked to confirm your new passphrase, so be careful when running this operation.
You will not be asked to confirm your new passphrase, so be careful when running this operation.
==Rechroot==
In the event of build failure, to rechroot requires unlocking the root, re-mounting, and re-chroot.
{{console|body=
###i## cryptsetup open /dev/sdX3 root
###i## mkdir /mnt/funtoo
###i## mount /dev/mapper/vg-root /mnt/funtoo
###i## cd /mnt/funtoo
###i## fchroot .
}}
*remount efi:
{{console|body=
###i## mount /boot/efi
}}
If you intend to compile in ram again, mount /var/tmp/portage
{{console|body=
###i## mount /var/tmp/portage
}}
update available ebuilds, and rebuild world:
{{console|body=
###i## ego sync && emerge -avuND @world
}}


== Additional links and information ==
== Additional links and information ==

Latest revision as of 06:42, May 29, 2024

This howto describes how to setup LVM, boot, swap, and root with dmcrypt LUKS 1 with grub unlocking the encrypted drive. It is a standalone installation walk through, loosely based on the official installations finished product.

   Warning

You may try this installation method at your own risk! Please note: this guide is outside of the official installation documentation, and cannot be supported. If you choose to use this, we assume you know what you are doing and you are on your own!

Prepare the hard drive and partitions

  • Before you begin, make sure you are partitioning the correct drive. For the rest of this tutorial, we will be using /dev/sdX as a placeholder.
root # lsblk
#NAME          MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
#sda             8:0    0  1.8T  0 disk 
#├─sdX1          8:1    0    1M  0 bios_boot
#├─sdX2          8:2    0    8G  0 esp      /efi
#└─sdX3          8:3    0  1.8T  0 part 
#  ├─main-root 254:0    0  500G  0 lvm  /
#  └─main-data 254:1    0  1.3T  0 lvm  /home

link your drive to /dev/sdX

to make following this guide easier you can set udev rules and link the drive you're installing to /dev/sdX so everything is copy paste. just replace the kernel's == sda/mmc/nvme to match your target drive.

  • hda/sda drives:
root # echo 'KERNEL=="sda*", SYMLINK+="sdX%n"' > /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
  • mmc/nvme drives:
root # echo 'KERNEL=="mmcblk0", SYMLINK+="sdX"' > /etc/udev/rules.d/01-funtoo.rules
root # echo 'KERNEL=="mmcblk0p*", SYMLINK+="sdX%n"' >> /etc/udev/rules.d/01-funtoo.rules
root # udevadm control --reload-rules
root # udevadm trigger
  • verify linking
root # ls -al /dev/sdX*
lrwxrwxrwx 1 root root 3 Jul 31 14:00 /dev/sdX -> sde
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX1 -> sde1
lrwxrwxrwx 1 root root 4 Jul 31 14:00 /dev/sdX2 -> sde2

Partition

UEFI Partitioning

root # gdisk /dev/sdX

Within gdisk, follow these steps:

Empty the partition table:

Command: o ↵
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y ↵

Create bios boot partition:

Command: n ↵
Partition Number: 1 ↵
First sector: 
Last sector: +1M ↵
Hex Code: EF02 ↵

Create efi esp partition:

Command: n ↵
Partition Number: 2 ↵
First sector: 
Last sector: +64M ↵
Hex Code: EF00 ↵

Create partition which will be encrypted with LUKS:

Command: n ↵
Partition Number: 3 ↵
First sector: 
Last sector:  (for rest of disk)
Hex Code:  8309↵

Write Partition Table To Disk:

Command: w ↵
Do you want to proceed? (Y/N): Y ↵

The partition table will now be written to the disk and gdisk will close.

Create and mount filesystems.

Create esp filesystem

root # mkfs.vfat -F 32 /dev/sdX2
  • label esp system for fstab later on:
root # fatlabel /dev/sdX2 "EFI"


Create LUKS encrypted volume

   Warning

The debian-sources kernel in current stage3 tarballs does not allow for passwords in excess of 63 characters.

root # cryptsetup luksFormat --type luks1 /dev/sdX3

Open newly created LUKS volume

root # cryptsetup open /dev/sdX3 root

Create LVM volumes for / and swap

root # pvcreate /dev/mapper/root
root # vgcreate vg /dev/mapper/root
   Note

Replace "2G" with the amount of swap you would like to make available.

root # lvcreate -L2G --name swap vg
root # lvcreate -l 100%FREE --name root vg
   Note

The "-l 100%FREE" option above will use the remainder of the disk for your root partition. If you would prefer to create separate for /home or /var (for example), you can instead continue to use the "-LXXG" option for fixed sizes.

Create filesystems on LVM volumes

root # mkswap /dev/mapper/vg-swap
  • for ext4:
root # mkfs.ext4 /dev/mapper/vg-root
  • for xfs:
root # mkfs.xfs /dev/mapper/vg-root

Create directories for chroot

root # mkdir -p /mnt/funtoo

Mount filesystems

root # mount /dev/mapper/vg-root /mnt/funtoo

Set the date

   Note

See the official Funtoo docs on setting the date.

Install the Funtoo starge tarball of your choice

   Note

These instructions will be using the generic64 next minimal stage3. You should adjust them accordingly.

or a stage more closely aligned to your hardware:

or funtoo from scratch generated stages:

root # cd /mnt/funtoo
root # wget https://build.funtoo.org/next/x86-64bit/generic_64/2022-09-13/stage3-generic_64-next-2022-09-13.tar.xz
root # tar --numeric-owner --xattrs --xattrs-include='*' -xpf *stage3*.tar.xz && rm -f *stage3*.tar.xz

Chroot into your new system

Traditional Method

root # mkdir -p /mnt/funtoo/proc
root # mount -t proc none /mnt/funtoo/proc
root # mkdir -p /mnt/funtoo/dev
root # mount --rbind /dev /mnt/funtoo/dev
root # mkdir -p /mnt/funtoo/sys
root # mount --rbind /sys /mnt/funtoo/sys
root # env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo /bin/bash -l

Fchroot Method

root # fchroot .

Configure your system

Set a new root password

root # passwd

Set hostname

root # echo 'hostname="FullEncryption"' > /etc/conf.d/hostname

Set up DNS resolution

   Note

We are using the Cloudflare DNS server address here. Feel free to use your own.

root # echo "nameserver 1.1.1.1" > /etc/resolv.conf

Set your timezone

root # ln -sf /usr/share/zoneinfo/$(tzselect) /etc/localtime

Note your filesystem information

root # blkid
/dev/sdX2: UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sdX3: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"

Configure /etc/fstab

  • if installing to xfs change ext4 to xfs
root # cat > /etc/fstab << 'EOF'
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
tmpfs /var/tmp/portage tmpfs uid=portage,gid=portage,mode=775,noatime 0 0
LABEL=EFI /boot/efi vfat umask=0077 0 1
EOF

compile in ram:

root # mkdir /var/tmp/portage
root # chown portage:portage /var/tmp/portage
root # mount /var/tmp/portage

or exclude compiling in ram if your machine's not powerful enough:

root # umount /var/tmp/portage

Create /etc/crypttab

   Note

The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.

root # echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab

Portage

Download the portage tree

root # ego sync

Edit package USE-flags

root # cat > /etc/portage/package.use <<'EOF'
*/* device-mapper
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
EOF

Install necessary packages

root # emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 iucode_tool shim mokutil

Update as much world as possible (optional)

root # emerge -avuND @world --keep-going

Configure services to start at boot

root # rc-update add device-mapper sysinit
root # rc-update add dmcrypt sysinit
root # rc-update add lvmetad sysinit
root # rc-update add haveged default
root # rc-update add busybox-ntpd default

Create /etc/dmtab

root # dmsetup table >> /etc/dmtab

Install a bootloader

Configure /etc/boot.conf

   Note

The UUID parameter is set to the UUID of /dev/sdX3 as found from the blkid command above.

root # cat > /etc/boot.conf <<'EOF'
boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}
"Funtoo Linux" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 ramdisk.activate=luks,lvm real_root=auto rootfstype=auto resume=/dev/mapper/vg-swap quiet
}
EOF

Install GRUB

For BIOS systems & UEFI legacy mode support

root # echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
root # grub-install --target=i386-pc --no-floppy /dev/sdX

For UEFI systems

root # mount -o remount,rw /sys/firmware/efi/efivars

Install grub & shim

  • load efi directory:
root # mkdir /boot/efi
root # mount /boot/efi
  • generate a sbat file to install with grub:
root # cat > /usr/share/grub/sbat.csv << EOF
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
EOF

64bit systems

root # grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX
root # cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/Funtoo
  • For usb keys & removable drives:
root # grub-install --target=x86_64-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX
root # cp /usr/share/shim/BOOTX64.EFI /usr/share/shim/mmx64.efi /boot/efi/EFI/BOOT

32bit systems

root # grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="Funtoo" --recheck /dev/sdX
root # cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/Funtoo
  • For usb keys & removable drives:
root # grub-install --target=i386-efi --sbat /usr/share/grub/sbat.csv --efi-directory=/boot/efi --bootloader-id="BOOT" --no-nvram --recheck /dev/sdX
root # cp /usr/share/shim/BOOTIA32.EFI /usr/share/shim/mmia32.efi /boot/efi/EFI/BOOT

Generate Grub menu

Generate a new initramfs that supports encryption

root # genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs

Generate Grub menu

root # ego boot update

Finishing installation

From this point, you should be able to finish following the official Funtoo Linux install instructions

Managing your LUKS volume

Change your LUKs-encrypted drive's passphrase You may want to change your encrypted volume’s passphrase or password from time to time. To do so, run the following commands in the console as root:

root # cryptsetup luksChangeKey /dev/sdx3

You'll be prompted to enter in the existing passphrase first, then to enter in your new passphrase. You will not be asked to confirm your new passphrase, so be careful when running this operation.

Rechroot

In the event of build failure, to rechroot requires unlocking the root, re-mounting, and re-chroot.

root # cryptsetup open /dev/sdX3 root
root # mkdir /mnt/funtoo
root # mount /dev/mapper/vg-root /mnt/funtoo
root # cd /mnt/funtoo
root # fchroot .
  • remount efi:
root # mount /boot/efi

If you intend to compile in ram again, mount /var/tmp/portage

root # mount /var/tmp/portage

update available ebuilds, and rebuild world:

root # ego sync && emerge -avuND @world

Additional links and information