OK, first a couple of assumptions.
- You're at least somewhat familiar with installing Funtoo/Gentoo [if not, these instructions should still work, but I advise you to consult the official Funtoo installation instructions for clarifications/questions].
- You have a working Linux installation that you'll be using to make your LiveCD [or know how to do so on your OS of choice, because I don't].
Download and boot the live CD of your choice.
For this installation, we'll go ahead and use the Gentoo minimal LiveCD.
- Download
# wget https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210418T214504Z/install-amd64-minimal-20210418T214504Z.iso
- Make USB key.
# dd if=install-amd64-minimal-20210418T214504Z.iso of=/dev/sdX bs=4k status=progress
Note: replace sdX with the device name of your USB stick.
- Boot your installation media.
# shutdown -r 0
Now follow the process for booting from a USB stick on your device.
- Get online.
Follow the Funtoo documentation for getting online with the Gentoo LiveCD.
Prepare your disk.
MBR Partitioning
# fdisk /dev/sdX
Note: sdX is the device you'll be installing to.
Empty the partition table
Command (m for help): o
Create boot partition
Command (m for help): n
Partition type (default p): ENTER
Partition number (1-4, default 1): ENTER
First sector: ENTER
Last sector: +128M
Create encrypted partition
Command (m for help): n
Partition type (default p): ENTER
Partition number (2-4, default 2): ENTER
First sector: ENTER
Last sector: ENTER
Save changes to disk
Command (m for help): w
GPT Partitioning.
# gdisk /dev/sdX
Note: sdX is the device you'll be installing to.
Empty the partition table
Command: o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y
Create boot partition
Command: n
Partition number: 1
First sector: ENTER
Last sector: +128M
Hex Code: EF00
Create encrypted partition
Command: n
Partition number: 2
First sector: ENTER
Last sector: ENTER
Hex Code: 8309
Save changes to disk
Command: w
Do you want to proceed? (Y/N): y
Create and mount filesystems.
Create /boot filesystem
For BIOS systems
# mkfs.ext2 /dev/sdX1
For EFI systems
# mkfs.vfat -F 32 /dev/sdX1
Create LUKS encrypted volume
Note: cryptsetup now defaults to LUKS2, which is unsupported by stable versions of GRUB. This is why we are not encrypting /boot. Additionally, the currently stable debian-sources kernel does not allow for passwords in excess of 63 characters.
# cryptsetup luksFormat /dev/sdX2
Open the newly created LUKS volume
# cryptsetup open --type luks2 /dev/sdX2 data
Create LVM volumes for / and swap
# pvcreate /dev/mapper/data
# vgcreate vg /dev/mapper/data
# lvcreate -L16G --name swap vg
["16G" is the amount of swap you require]
# lvcreate -l 100%FREE --name root vg
Create filesystems on LVM volumes
# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root
Create directory for chroot
# mkdir -p /mnt/funtoo
Mount filesystems
# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir /mnt/funtoo/boot
# mount /dev/sdX1 /mnt/funtoo/boot
# mkdir /mnt/funtoo/{dev,proc,sys}
# mount -t proc none /mnt/funtoo/proc
# mount --rbind /dev /mnt/funtoo/dev
# mount --rbind /sys /mnt/funtoo/sys
Setting the Date.
See the official Funtoo docs on setting the date.
Install the Funtoo stage tarball of your choice.
These instructions use the intel-haswell minimal stage3; adjust the URL and file name for your own CPU.
# cd /mnt/funtoo
# wget https://build.funtoo.org/1.4-release-std/x86-64bit/intel64-haswell/2021-03-10/stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz
# tar --numeric-owner --xattrs --xattrs-include='*' -xpf stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz && rm -f stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz
Chroot into your new system.
# env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo bash -l
Download the Portage tree.
# ego sync
Configure your system.
Set a new root password
# passwd
Set hostname
# echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname
Set up reliable DNS resolution via Cloudflare
# echo "nameserver 1.1.1.1" > /etc/resolv.conf
Set your timezone
# ln -sf /usr/share/zoneinfo/YOURCOUNTRY/YOURLOCALE /etc/localtime
Note your filesystem information
# blkid
/dev/sda1: LABEL_FATBOOT="BOOT" LABEL="BOOT" UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sda2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"
Configure /etc/fstab
# $EDITOR /etc/fstab
UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1
Note: the UUID is the UUID of your boot partition as found from the blkid command above.
Create /etc/crypttab
# echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab
Note: the UUID is the UUID of /dev/sdX2 as found from the blkid command above.
Create /etc/dmtab
# dmsetup table >> /etc/dmtab
Portage.
Sync the portage tree
# ego sync
Change your ego profile to include encrypted root support
# ego profile mix-in encrypted-root
Edit package use-flags
# $EDITOR /etc/portage/package.use
*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic
Install necessary packages.
# emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool
Configure services to start at boot
# rc-update add device-mapper sysinit
# rc-update add dmcrypt sysinit
# rc-update add lvmetad sysinit
# rc-update add haveged default
# rc-update add busybox-ntpd default
Install a bootloader.
Configure /etc/boot.conf
# $EDITOR /etc/boot.conf
boot {
generate grub
default "Funtoo Linux"
timeout 3
}
"Funtoo Linux" {
kernel kernel[-v]
initrd initramfs[-v]
params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}
Note: the UUID is the UUID of /dev/sdX2 as found from the blkid command above.
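The UUID notes for /etc/crypttab and /etc/boot.conf can be checked mechanically before the first reboot, since a wrong value in either file leaves the encrypted root unopenable at boot. The script below is an added example, not part of the original guide; its function names are hypothetical, and the sample values in demo are constructed from the listings on this page.

```shell
#!/bin/sh
# Added example: confirm that crypttab and boot.conf both reference a UUID
# that blkid reports as TYPE="crypto_LUKS".

# UUIDs of all crypto_LUKS devices in blkid-style text read from stdin.
luks_uuids() {
    grep 'TYPE="crypto_LUKS"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# UUIDs in the second field of a crypttab file, comment lines skipped.
crypttab_uuids() {
    awk '$1 !~ /^#/ && $2 ~ /^UUID=/ { sub(/^UUID=/, "", $2); print $2 }' "$1"
}

# UUID passed to the crypt_root= kernel parameter in a boot.conf file.
bootconf_uuid() {
    sed -n 's/.*crypt_root=UUID=\([^ ]*\).*/\1/p' "$1"
}

# refs_ok LABEL UUIDS: every UUID (and at least one) must appear in $known.
refs_ok() {
    [ -n "$2" ] || { echo "$1: no UUID= reference found" >&2; return 1; }
    for u in $2; do
        printf '%s\n' "$known" | grep -qxF -- "$u" ||
            { echo "$1: $u is not a crypto_LUKS UUID" >&2; return 1; }
    done
}

# check_luks_uuid BLKID_TXT CRYPTTAB BOOTCONF: returns 0 if consistent, else 1.
check_luks_uuid() {
    known=$(luks_uuids < "$1")
    rc=0
    refs_ok crypttab "$(crypttab_uuids "$2")" || rc=1
    refs_ok boot.conf "$(bootconf_uuid "$3")" || rc=1
    return $rc
}

# Demo on constructed sample files (values copied from this page's listings).
demo() {
    d=$(mktemp -d) || return 1
    echo '/dev/sda2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS"' > "$d/blkid"
    echo 'root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard' > "$d/crypttab"
    echo 'params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm' > "$d/boot.conf"
    check_luks_uuid "$d/blkid" "$d/crypttab" "$d/boot.conf"; r=$?
    rm -rf "$d"
    return $r
}
if [ "$#" -eq 3 ]; then check_luks_uuid "$@"; else demo && echo "sample files: consistent"; fi
```

On the real system, save the output of blkid to a file inside the chroot and pass that file, /etc/crypttab and /etc/boot.conf as the three arguments. The check also fails when a PARTUUID was pasted where the LUKS UUID belongs.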
Install GRUB
For BIOS
# grub-install --target=i386-pc --no-floppy /dev/sdX
# ego boot update
For EFI
For x86_64 systems
# mount -o remount,rw /sys/firmware/efi/efivars
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sda
# ego boot update
For x86 systems
# mount -o remount,rw /sys/firmware/efi/efivars
# grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sda
# ego boot update
Patch genkernel to include LUKS2 support for encrypted root
# sed '/MODULES_CRYPT/ s/\"$/ af_alg algif_skcipher\"/' -i /usr/share/genkernel/arch/$(arch)/modules_load
Generate fresh initramfs
# genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs
Finish installation
From this point, you should be able to finish following the official Funtoo Install Instructions.