In this article I’ll describe how to install Gentoo Linux with LUKS encryption and LVM on a PC with UEFI firmware.
The point of this article is that Linux already supports cryptographic techniques to protect data on the hard disk (including whole partitions). So why not use them?
LUKS (Linux Unified Key Setup) is a disk-encryption specification, originally intended for Linux, that lets you encrypt and decrypt a specific disk. The dm-crypt kernel module does the actual work, handling encryption and decryption at the block-device level.
LUKS is independent of any Linux distribution, and any new kernel should be compatible. All the metadata needed to unlock the volume is stored in the LUKS header on the partition, which allows the encrypted data to be moved between devices.
To set up, encrypt or decrypt data we use CLI commands.
Make sure you have an EFI system
ls /sys/firmware/efi
If the directory exists and has content, your machine has booted with EFI.
Wi-Fi connection
Check all interfaces
ifconfig
Store the Wi-Fi name and password in the config file (wpa_supplicant.conf)
wpa_passphrase [ssid] ["passphrase"] > /etc/wpa_supplicant/wpa_supplicant.conf
wpa_supplicant -i [interface] -c /etc/wpa_supplicant/wpa_supplicant.conf
Check the internet connection
ping -c 3 8.8.8.8
Disk partitioning
parted -a optimal /dev/sda
> rm [number]
where [number] is the number of the existing partition to remove
> mklabel gpt
> unit mib
> mkpart primary 1 513
> name 1 boot
> set 1 boot on
> mkpart primary 513 -1
> name 2 lvm
> set 2 lvm on
> print
> quit
Create a filesystem
Before using the drive, we must format the volumes. For the data volumes we can use one of several filesystems (ext3, ext4, btrfs, xfs and so on); the boot partition created above is formatted as FAT32:
mkfs.fat -F32 /dev/sda1
LUKS and LVM
modprobe dm-crypt
/etc/init.d/lvmetad restart
cryptsetup -v -y -c aes-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2
or
cryptsetup -v -y -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2
ls /dev/mapper
cryptsetup luksDump /dev/sda2
cryptsetup luksOpen /dev/sda2 gentoo
lvmdiskscan
Create the physical volume
pvcreate /dev/mapper/gentoo
pvdisplay
Create the volume group
vgcreate gentoo /dev/mapper/gentoo
vgdisplay
lvmdiskscan
lvcreate -C y -L 32G gentoo -n swap
where 32G is the total size of the installed RAM
lvcreate -L 32G gentoo -n root
lvcreate -L 65G gentoo -n var
lvcreate -l +100%FREE gentoo -n home
lvdisplay
vgscan
vgchange -ay
mkswap /dev/mapper/gentoo-swap
mkfs.ext4 /dev/mapper/gentoo-root
mkfs.ext4 /dev/mapper/gentoo-var
mkfs.ext4 /dev/mapper/gentoo-home
swapon /dev/mapper/gentoo-swap
mount /dev/mapper/gentoo-root /mnt/gentoo
mkdir /mnt/gentoo/boot
mkdir /mnt/gentoo/home
mkdir /mnt/gentoo/var
mount /dev/sda1 /mnt/gentoo/boot
mount /dev/mapper/gentoo-var /mnt/gentoo/var
mount /dev/mapper/gentoo-home /mnt/gentoo/home
lsblk /dev/sda
Download stage3
cd /mnt/gentoo
links https://www.gentoo.org/downloads/mirrors/
ls -la
Extract stage3
tar xpvf stage3-* --xattrs-include='*.*' --numeric-owner
Config make.conf
nano -w /mnt/gentoo/etc/portage/make.conf
mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
Mount the system filesystems
mkdir --parents /mnt/gentoo/etc/portage/repos.conf
cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/dev
test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm
chmod 1777 /dev/shm
mkdir /mnt/gentoo/hostrun
mount --bind /run /mnt/gentoo/hostrun/
Chroot into the new system
chroot /mnt/gentoo /bin/bash
source /etc/profile
export PS1="(chroot) $PS1"
Updating the ebuild repository
emerge-webrsync
emerge --sync
Edit /etc/portage
cd /etc/portage/
mkdir -p /etc/portage/package.{accept_keywords,license,mask,unmask,use}
Install Vim
echo "app-editors/vim lua luajit perl python ruby terminal vim-pager" > package.use/vim
emerge -av vim eix
Update the world
emerge --ask --verbose --update --deep --with-bdeps=y --newuse --keep-going --backtrack=30 @world
Set the new GCC version
gcc-config --list-profiles
gcc-config [version]
source /etc/profile
export PS1="(chroot) $PS1"
Re-emerge libtool
emerge --ask --oneshot --usepkg=n sys-devel/libtool
Enable CPU features and update make.conf
emerge -av cpuid2cpuflags
cpuid2cpuflags >> /etc/portage/make.conf
Set timezone, locale and profile
echo "America/Los_Angeles" > /etc/timezone
emerge --config sys-libs/timezone-data
nano /etc/locale.gen
locale-gen
eselect locale list
eselect locale set [number]
env-update && source /etc/profile && export PS1="(chroot) ${PS1}"
eselect profile list
eselect profile set [number]
emerge -av gentoo-sources genkernel-next cryptsetup lvm2 linux-firmware
Edit /etc/fstab
nano /etc/fstab
This is the simple scheme used in this article. Your /etc/fstab should look similar, unless you deliberately want to do it differently and are sure about it.
/dev/sda1                 /boot   vfat   noatime                    0 2
/dev/mapper/gentoo-root   /       ext4   rw,relatime,data=ordered   0 1
/dev/mapper/gentoo-home   /home   ext4   rw,relatime,data=ordered   0 2
/dev/mapper/gentoo-var    /var    ext4   rw,relatime,data=ordered   0 2
/dev/mapper/gentoo-swap   none    swap   defaults                   0 0
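The fstab above and the later GRUB_CMDLINE_LINUX refer to /dev/sda1 and /dev/sda2 by name. Those names depend on the order in which the kernel enumerates disks, so an extra USB stick or a changed SATA port can make the boot fail or mount the wrong partition. The script below is an added example (not part of the original article) that derives the same fstab and crypt_root= setting from filesystem UUIDs instead. The BLKID_OUTPUT value is a constructed sample of `blkid` output for the layout used here; on a real system you would set it from the actual `blkid` run. The uuid_of, fstab_entry, gen_fstab and grub_cmdline helper names are mine, and the example relies on genkernel's initramfs accepting crypt_root=UUID=... in place of a device path.

```shell
#!/bin/sh
# Added example: generate /etc/fstab and GRUB's crypt_root= from UUIDs
# instead of /dev/sdX names. Nothing is written to disk; the output is
# printed for review.

# Constructed sample of `blkid` output for the article's layout.
# On a real system: BLKID_OUTPUT="$(blkid)"
BLKID_OUTPUT='/dev/sda1: UUID="1A2B-3C4D" TYPE="vfat" PARTLABEL="boot" PARTUUID="00000000-0000-0000-0000-000000000001"
/dev/sda2: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS" PARTLABEL="lvm" PARTUUID="00000000-0000-0000-0000-000000000002"
/dev/mapper/gentoo-swap: UUID="11111111-2222-3333-4444-555555555555" TYPE="swap"
/dev/mapper/gentoo-root: UUID="66666666-7777-8888-9999-aaaaaaaaaaaa" TYPE="ext4"
/dev/mapper/gentoo-var: UUID="bbbbbbbb-cccc-dddd-eeee-ffffffffffff" TYPE="ext4"
/dev/mapper/gentoo-home: UUID="12345678-9abc-def0-1234-56789abcdef0" TYPE="ext4"'

# uuid_of DEVICE: print the filesystem UUID blkid reports for DEVICE.
# Exits non-zero when the device is missing, so a typo cannot silently
# produce an fstab with an empty UUID= field. PARTUUID= is deliberately
# not matched (it starts with "PARTUUID", not "UUID").
uuid_of() {
    printf '%s\n' "$BLKID_OUTPUT" | awk -v dev="$1:" '
        $1 == dev {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^UUID="/) {
                    sub(/^UUID="/, "", $i)
                    sub(/"$/, "", $i)
                    print $i
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# fstab_entry DEVICE MOUNTPOINT FSTYPE OPTIONS DUMP PASS
# Emits one fstab line with the device replaced by UUID=<uuid>.
fstab_entry() {
    uuid=$(uuid_of "$1") || { echo "fstab_entry: no UUID for $1" >&2; return 1; }
    printf 'UUID=%s\t%s\t%s\t%s\t%s %s\n' "$uuid" "$2" "$3" "$4" "$5" "$6"
}

# gen_fstab: the article's five mounts, in the same order and with the
# same options, but keyed by UUID. Fails on the first missing device.
gen_fstab() {
    fstab_entry /dev/sda1               /boot vfat noatime                  0 2 &&
    fstab_entry /dev/mapper/gentoo-root /     ext4 rw,relatime,data=ordered 0 1 &&
    fstab_entry /dev/mapper/gentoo-home /home ext4 rw,relatime,data=ordered 0 2 &&
    fstab_entry /dev/mapper/gentoo-var  /var  ext4 rw,relatime,data=ordered 0 2 &&
    fstab_entry /dev/mapper/gentoo-swap none  swap defaults                 0 0
}

# grub_cmdline: the article's GRUB_CMDLINE_LINUX value, with the LUKS
# container addressed by its header UUID. The root= part keeps the
# /dev/mapper name because LVM names are stable across disk renumbering.
grub_cmdline() {
    luks=$(uuid_of /dev/sda2) || return 1
    printf 'crypt_root=UUID=%s root=/dev/mapper/gentoo-root rootfstype=ext4 dolvm quiet\n' "$luks"
}

# Print both results for review before copying them into place.
echo '# /etc/fstab'
gen_fstab
echo
echo '# GRUB_CMDLINE_LINUX'
grub_cmdline
```

Review the printed lines, then paste them into /etc/fstab and /etc/default/grub by hand; keeping the write step manual avoids clobbering a working fstab if blkid was run before the LVM volumes were activated.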
Manual kernel configuration
cd /usr/src
ls -la
ln -s /usr/src/linux* /usr/src/linux
cd linux/
Edit genkernel.conf
nano /etc/genkernel.conf
Set LVM and LUKS to yes
LVM="yes"
LUKS="yes"
MAKEOPTS="$(portageq envvar MAKEOPTS)"
genkernel --makeopts=-j17 --menuconfig --lvm --luks --no-zfs all
where 17 is the number of processors + 1
nano /etc/lvm/lvm.conf
devices {
    multipath_component_detection = 0
    md_component_detection = 0
}
activation {
    udev_sync = 0
    udev_rules = 0
}
genkernel --lvm --luks initramfs
echo "sys-boot/grub mount device-mapper" > /etc/portage/package.use/grub
emerge -av grub gentoolkit
nano /etc/default/grub
GRUB_CMDLINE_LINUX="crypt_root=/dev/sda2 root=/dev/mapper/gentoo-root rootfstype=ext4 dolvm quiet"
grub-install --target=x86_64-efi --efi-directory=/boot /dev/sda --bootloader-id="Gentoo linux [GRUB]" --recheck
grub-mkconfig -o /boot/grub/grub.cfg
Change the root password and create a new user
passwd
useradd -m -G users,wheel,audio,video -s /bin/bash [user]
passwd [user]
Set hostname
echo "[hostname]" > /etc/hostname
nano /etc/hosts
127.0.0.1 [hostname].localdomain localhost
emerge -av syslog-ng cronie mlocate
rc-update add syslog-ng default
rc-update add cronie default
rc-update add sshd default
rc-update add wpa_supplicant boot
rc-update add lvm boot
Configure networking
Desktop
emerge -av net-misc/dhcpcd
Laptop
emerge -av wireless-tools net-tools app-text/tree wpa_supplicant networkmanager
emerge -av x11-misc/xdotool x11-misc/wmctrl
rc-update add NetworkManager default
tree /sys/class/net
zgrep 'IWLWIFI\|IWLDVM\|IWLMVM' /proc/config.gz
* iwlwifi
M iwldvm
M iwlmvm
exit
cd
Reboot
exit
shutdown -r now
Additional
Create a LUKS header backup
To create a backup of the LUKS header, we can use the command:
cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file sda2-luks-header-backup
Thanks for your blog, nice to read. Do not stop.