RootFS on LUKS Encrypted LVM with Funtoo Linux 1.4

Ok, first a couple of assumptions.

  1. You're at least somewhat familiar with installing Funtoo/Gentoo [if not, these instructions should still work, but I advise you to consult the official Funtoo installation instructions for clarifications/questions].
  2. You have a working Linux installation that you'll be using to make your LiveCD [or know how to do so on your OS of choice, because I don't].

Download and boot the live CD of your choice.

For this installation, we'll go ahead and use the Gentoo minimal LiveCD.

  1. Download
    # wget https://bouncer.gentoo.org/fetch/root/all/releases/amd64/autobuilds/20210418T214504Z/install-amd64-minimal-20210418T214504Z.iso
  2. Make USB key.
    # dd if=install-amd64-minimal-20210418T214504Z.iso of=/dev/sdX bs=4k status=progress
    Note: sdX is the proper device name for your usb stick.
  3. Boot your installation media.
    # shutdown -r 0
    Now follow the process for booting from a USB stick on your device.
  4. Get online.
    Follow the Funtoo documentation for getting online with the Gentoo LiveCD.

Prepare your disk.

MBR Partitioning

# fdisk /dev/sdX
Note: sdX is the device you'll be installing to.

Empty the partition table

Command (m for help): o

Create boot partition

Command (m for help): n
Partition type (default p): ENTER
Partition number (1-4, default 1): ENTER
First sector: ENTER
Last sector: +128M

Create encrypted partition

Command (m for help): n
Partition type (default p): ENTER
Partition number (2-4, default 2): ENTER
First sector: ENTER
Last sector: ENTER

Save changes to disk

Command (m for help): w

GPT Partitioning

# gdisk /dev/sdX
where sdX is the device you'll be installing to.

Empty the partition table

Command: o
This option deletes all partitions and creates a new protective MBR.
Proceed? (Y/N): y

Create boot partition

Command: n
Partition number: 1
First sector: ENTER
Last sector: +128M
Hex Code: EF00

Create encrypted partition

Command: n
Partition number: 2
First sector: ENTER
Last sector: ENTER
Hex Code: 8309

Save changes to disk

Command: w
Do you want to proceed? (Y/N): y

Create and mount filesystems.

Create /boot filesystem

For BIOS systems

# mkfs.ext2 /dev/sdX1

For EFI systems

# mkfs.vfat -F 32 /dev/sdX1

Create LUKS encrypted volume

Note: cryptsetup now defaults to LUKS2, which is unsupported by stable versions of grub. This is why we are not encrypting /boot. Additionally, the currently stable debian-sources kernel does not allow for passwords in excess of 63 characters.
# cryptsetup luksFormat /dev/sdX2

Open newly created LUKS volume

# cryptsetup open --type luks2 /dev/sdX2 data

Create LVM volumes for / and swap

# pvcreate /dev/mapper/data
# vgcreate vg /dev/mapper/data
# lvcreate -L16G --name swap vg ["16G" is the amount of swap you require]
# lvcreate -l 100%FREE --name root vg

Create filesystems on LVM volumes

# mkswap /dev/mapper/vg-swap
# mkfs.ext4 /dev/mapper/vg-root

Create directory for chroot

# mkdir -p /mnt/funtoo

Mount filesystems

# mount /dev/mapper/vg-root /mnt/funtoo
# mkdir /mnt/funtoo/boot
# mount /dev/sdX1 /mnt/funtoo/boot
# mkdir /mnt/funtoo/{dev,proc,sys}
# mount -t proc none /mnt/funtoo/proc
# mount --rbind /dev /mnt/funtoo/dev
# mount --rbind /sys /mnt/funtoo/sys

Setting the Date.

See the official Funtoo docs on setting the date.

Install the Funtoo stage tarball of your choice.

These instructions use the intel-haswell minimal stage3; adjust them accordingly for the stage you choose.
# cd /mnt/funtoo
# wget https://build.funtoo.org/1.4-release-std/x86-64bit/intel64-haswell/2021-03-10/stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz
# tar --numeric-owner --xattrs --xattrs-include='*' -xpf stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz && rm -f stage3-intel64-haswell-1.4-release-std-2021-03-10.tar.xz

Chroot into your new system.

# env -i HOME=/root TERM=$TERM $(which chroot) /mnt/funtoo bash -l

Download the Portage tree.

# ego sync

Configure your system.

Set a new root passwd

# passwd

Set hostname

# echo 'hostname="yourdesiredhostname"' > /etc/conf.d/hostname

Set up reliable DNS resolution via Cloudflare

# echo "nameserver 1.1.1.1" > /etc/resolv.conf

Set your timezone

# ln -sf /usr/share/zoneinfo/YOURCOUNTRY/YOURLOCALE /etc/localtime

Note your filesystem information

# blkid

/dev/sda1: LABEL_FATBOOT="BOOT" LABEL="BOOT" UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sda2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/root: UUID="hvz79n-I2VE-nR1c-0hDQ-PVkR-3GRb-rnuJ9C" TYPE="LVM2_member"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"

Configure /etc/fstab

# $EDITOR /etc/fstab

UUID=6453-0C55 /boot vfat noauto,noatime 1 2
/dev/mapper/vg-swap none swap sw 0 0
/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1

Note: the UUID is the UUID of your boot partition as found from the blkid command above.

Create /etc/crypttab

# echo "root UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 none luks,discard" >> /etc/crypttab
Note: the UUID is the UUID of /dev/sdX2 as found from the blkid command above.

Create /etc/dmtab

# dmsetup table >> /etc/dmtab

Portage.

Sync the portage tree

# ego sync

Change your ego profile to include encrypted root support

# ego profile mix-in encrypted-root

Edit package use-flags

# $EDITOR /etc/portage/package.use

*/* device-mapper lvm luks
sys-kernel/linux-firmware initramfs
sys-fs/cryptsetup -dynamic

Install necessary packages.

# emerge grub haveged intel-microcode linux-firmware cryptsetup lvm2 genkernel iucode_tool

Configure services to start at boot

# rc-update add device-mapper sysinit
# rc-update add dmcrypt sysinit
# rc-update add lvmetad sysinit
# rc-update add haveged default
# rc-update add busybox-ntpd default

Install a bootloader.

Configure /etc/boot.conf

# $EDITOR /etc/boot.conf

boot {
    generate grub
    default "Funtoo Linux"
    timeout 3
}
"Funtoo Linux" {
    kernel kernel[-v]
    initrd initramfs[-v]
    params += crypt_root=UUID=aafe709b-82e7-448f-a2cb-36adc3787dc3 dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet
}

Note: the UUID is the UUID of /dev/sdX2 as found from the blkid command above.
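The fstab, crypttab and boot.conf entries above all depend on the same two UUIDs from blkid. As an added example (not part of the original guide), these shell functions extract them from blkid output and render the fragments, refusing ambiguous input such as two LUKS containers. SAMPLE_BLKID is the guide's own example output; the mapper and volume names (root, vg-root, vg-swap) are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: pull the /boot and LUKS
# UUIDs out of blkid(8) output and render the fstab, crypttab and boot.conf
# fragments shown above, so nothing is retyped by hand. SAMPLE_BLKID is the
# guide's own example output; on a real install feed it "$(blkid)" instead.

SAMPLE_BLKID='/dev/sda1: LABEL_FATBOOT="BOOT" LABEL="BOOT" UUID="6453-0C55" TYPE="vfat" PARTLABEL="efi" PARTUUID="4e195c4b-f88c-4205-b9df-79a879704b2f"
/dev/sda2: UUID="aafe709b-82e7-448f-a2cb-36adc3787dc3" TYPE="crypto_LUKS" PARTLABEL="system" PARTUUID="93d0cf9b-0b95-4d8b-919f-48cd1774996f"
/dev/mapper/vg-swap: UUID="a9188bc3-7def-422b-990d-9de431825779" TYPE="swap"
/dev/mapper/vg-root: UUID="2eaf45e6-d33b-4155-b4ca-63a2fdbfb896" TYPE="ext4"'

# uuid_by_type TYPE: read blkid output on stdin and print the UUID of the
# first device with that TYPE. The space before UUID= skips PARTUUID=.
uuid_by_type() {
    grep ' TYPE="'"$1"'"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# luks_uuid BLKID_TEXT: the crypto_LUKS UUID, refusing ambiguous input
# (crypt_root= can only name one container, so two LUKS devices is an error).
luks_uuid() {
    n=$(printf '%s\n' "$1" | grep -c ' TYPE="crypto_LUKS"' || true)
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$1" | uuid_by_type crypto_LUKS
}

# gen_fstab BLKID_TEXT BOOT_FSTYPE: vfat for EFI, ext2 for BIOS (see above).
gen_fstab() {
    boot=$(printf '%s\n' "$1" | uuid_by_type "$2")
    [ -n "$boot" ] || return 1
    printf 'UUID=%s /boot %s noauto,noatime 1 2\n' "$boot" "$2"
    printf '/dev/mapper/vg-swap none swap sw 0 0\n'
    printf '/dev/mapper/vg-root / ext4 noatime,nodiratime,defaults 0 1\n'
}

# gen_crypttab BLKID_TEXT: the single crypttab line, mapping name "root".
gen_crypttab() {
    u=$(luks_uuid "$1") || return 1
    printf 'root UUID=%s none luks,discard\n' "$u"
}

# gen_boot_params BLKID_TEXT: the params line for the "Funtoo Linux" entry.
gen_boot_params() {
    u=$(luks_uuid "$1") || return 1
    printf 'params += crypt_root=UUID=%s dolvm real_root=/dev/mapper/vg-root ro rootfstype=ext4 resume=swap:/dev/mapper/vg-swap quiet\n' "$u"
}
```

On the installed system: `blk=$(blkid); gen_fstab "$blk" vfat > /etc/fstab; gen_crypttab "$blk" >> /etc/crypttab`, and paste the output of `gen_boot_params "$blk"` into /etc/boot.conf.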

Install GRUB

For BIOS

# grub-install --target=i386-pc --no-floppy /dev/sdX
# ego boot update

For EFI

For x86_64 systems

# mount -o remount,rw /sys/firmware/efi/efivars
# grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
# ego boot update

For x86 systems

# mount -o remount,rw /sys/firmware/efi/efivars
# grub-install --target=i386-efi --efi-directory=/boot --bootloader-id="Funtoo Linux" --recheck /dev/sdX
# ego boot update

Patch genkernel to include LUKS2 support for encrypted root

# sed '/MODULES_CRYPT/ s/\"$/ af_alg algif_skcipher\"/' -i /usr/share/genkernel/arch/$(arch)/modules_load

Generate fresh initramfs

# genkernel --clean --luks --lvm --disklabel --ramdisk-modules --fullname=$(ls /boot/initramfs-* | tail -c +17) initramfs
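The sed patch above appends "af_alg algif_skcipher" to MODULES_CRYPT every time it runs, so re-running it after a genkernel upgrade duplicates the entries. As an added example (not from the guide or from genkernel), this is an idempotent version that adds only missing modules and reports whether the file changed; the modules_load content used here is constructed, not genkernel's real file.

```shell
#!/bin/sh
# Added example, not from the guide: an idempotent form of the modules_load
# patch above. The guide's sed appends "af_alg algif_skcipher" on every run,
# so a re-run after a genkernel upgrade doubles the entries. This version
# adds only what is missing and tells you whether anything changed. The
# modules_load content here is constructed, not genkernel's real file.

# make_sample_modules_load FILE: write a trimmed, constructed modules_load.
make_sample_modules_load() {
    cat > "$1" <<'EOF'
MODULES_DMRAID="dm-mod dm-mirror"
MODULES_CRYPT="sha256 sha512 xts aes dm-crypt dm-mod"
MODULES_LVM="dm-mod dm-snapshot"
EOF
}

# crypt_modules FILE: print the MODULES_CRYPT value without its quotes.
crypt_modules() {
    sed -n 's/^MODULES_CRYPT="\(.*\)"$/\1/p' "$1"
}

# ensure_crypt_modules FILE MODULE...: append each MODULE that is not yet in
# MODULES_CRYPT. Exit status: 0 = file changed, 1 = already complete,
# 2 = no MODULES_CRYPT line (different genkernel layout; patch by hand).
ensure_crypt_modules() {
    f=$1; shift
    grep -q '^MODULES_CRYPT="' "$f" || return 2
    changed=1
    for m in "$@"; do
        case " $(crypt_modules "$f") " in
            *" $m "*) ;;                                   # already listed
            *) sed -i "/^MODULES_CRYPT=/ s/\"\$/ $m\"/" "$f"; changed=0 ;;
        esac
    done
    return $changed
}
```

On the installed system, run `ensure_crypt_modules /usr/share/genkernel/arch/$(arch)/modules_load af_alg algif_skcipher` before the genkernel command above; an exit status of 0 means the file was patched and the initramfs needs regenerating.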

Finish installation

From this point, you should be able to finish following the official Funtoo Install Instructions.
