<< Back Home UK uk   Donate Donate

Installing Gentoo on encrypted RAID


Yes, there are a lot of docs for this topic, but I didn't find any complete one.

So what we have to do ?

boot from Linux live CD and configure network. By default DHCP client is enabled and may skip it if DHCP is used in your network.

killall -9 dhclient
ip addr add  dev eno1
ip ro add via
echo "nameserver" > /etc/resolv.conf

load all necessary modules and create partiotions on both drives (assume sda and sdb)

modprobe raid1
modprobe dm-mod
modprobe dm-crypt

parted -a optimal /dev/sda

create grub and boot partitions + lvm partition for encrypted root and all the rest with parted

 unit mib
 mklabel gpt
 mkpart primary 1 3 
 name 1 grub 
 set 1 bios_grub on 
 mkpart primary fat32 3 515
 name 2 boot
 set 2 BOOT on 
 mkpart primary 515 -1 
 name 3 lvm
 #set 3 lvm on

repeat the same on the second disk sdb and initialize raid mirror. Initialize FAT32 boot partition for UEFI BIOS. It worth to check UUIDs if pertitions

parted -a optimal /dev/sdb

mdadm --create /dev/md2 --level=1 --raid-devices=2 --metadata=1.0 /dev/sda2 /dev/sdb2
mdadm --create /dev/md3 --level=1 --raid-devices=2 --metadata=1.0 /dev/sda3 /dev/sdb3

mkfs.vfat -F32 /dev/md2


initialize encryption on lvm partition and create root, swap and so on there

cryptsetup luksFormat -c aes-xts-plain64:sha256 -s 256 /dev/md3

cryptsetup luksOpen /dev/md3 lvm
lvm pvcreate /dev/mapper/lvm
vgcreate vg0 /dev/mapper/lvm

lvcreate -L 50G -n root vg0
lvcreate -L 100G -n home vg0
lvcreate -L 50G -n log vg0
lvcreate -L 16G -n swap vg0
lvcreate -l 100%FREE -n var vg0

mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkfs.ext4 /dev/mapper/vg0-log
mkfs.ext4 /dev/mapper/vg0-var
mkswap /dev/mapper/vg0-swap
swapon /dev/mapper/vg0-swap

it we get here after reboot and encrypted partitions are already created, just detect and mount. It is possible that md partitions would be detected under different names, e.g. /dev/mdadm/md127 and /dev/mdadm/md128. Check UUIDs and create corresponding symlinks

mdadm --assemble --scan

ln -s /dev/mdadm/md127 /dev/md2
ln -s /dev/mdadm/md128 /dev/md3

cryptsetup luksOpen /dev/md3 lvm

lvm vgscan
lvm vgchange -ay

mount /dev/mapper/vg0-root /mnt/gentoo 
mkdir /mnt/gentoo/var
mkdir /mnt/gentoo/home
mount /dev/mapper/vg0-var /mnt/gentoo/var 
mount /dev/mapper/vg0-home /mnt/gentoo/home
mkdir /mnt/gentoo/var/log
mount /dev/mapper/vg0-log /mnt/gentoo/var/log
swapon /dev/mapper/vg0-swap

download and unpack stage3 iso image

cd /mnt/gentoo 
wget ""
tar xvJpf stage3-*.tar.xz --xattrs --numeric-owner

nano /mnt/gentoo/etc/portage/make.conf

enable static-libs (and other options if necessary) in make.conf

#USE="static-libs mysql php iconv acl apache2 "

chroot to new media

mkdir /mnt/gentoo/etc/portage/repos.conf
cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf 

mount -t proc /proc /mnt/gentoo/proc 
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys 
mount --rbind /dev /mnt/gentoo/dev 
mount --make-rslave /mnt/gentoo/dev

test -L /dev/shm && rm /dev/shm && mkdir /dev/shm 
mount -t tmpfs -o nosuid,nodev,noexec shm /dev/shm
chmod 1777 /dev/shm 

cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf

chroot /mnt/gentoo /bin/bash
source /etc/profile 
export PS1="(chroot) $PS1" 

mount /dev/md2 /boot 

configure time zone


echo Europe/Kiev > /etc/timezone 
emerge --config sys-libs/timezone-data 
nano -w /etc/locale.gen 
eselect locale list 
eselect locale set 1 
env-update && source /etc/profile 

build new fstab and specify there proper partition UUIDs. Remember lvm UUID for further grub setup


you will see smth. like this

/dev/md2: UUID="AAAA-AAAA" TYPE="vfat"
/dev/md3: UUID="bbbbbbbb-cccc-0000-0000-000000bbbbbb" TYPE="crypto_LUKS"
/dev/mapper/lvm: UUID="ZZZZZZ-zzzz-zzzz-zzzz-zzzz-zzzz-ZZZZZZ" TYPE="LVM2_member"
/dev/mapper/vg0-root: UUID="cccccccc-0000-0000-0000-cccccc000000" TYPE="ext4"
/dev/mapper/vg0-home: UUID="cccccccc-0000-0000-0000-cccccc000001" TYPE="ext4"
/dev/mapper/vg0-log: UUID="cccccccc-0000-0000-0000-cccccc000002" TYPE="ext4"
/dev/mapper/vg0-var: UUID="cccccccc-0000-0000-0000-cccccc000003" TYPE="ext4"
/dev/mapper/vg0-swap: UUID="cccccccc-0000-0000-0000-cccccc000004" TYPE="swap"

UUID=AAAA-AAAA                                  /boot           vfat            noauto,noatime  1 2
UUID=cccccccc-0000-0000-0000-cccccc000000       /               ext4            defaults        0 1
UUID=cccccccc-0000-0000-0000-cccccc000001       /home           ext4            defaults        0 1
UUID=cccccccc-0000-0000-0000-cccccc000002       /var            ext4            defaults        0 1
UUID=cccccccc-0000-0000-0000-cccccc000003       /var/log        ext4            defaults        0 1
UUID=cccccccc-0000-0000-0000-cccccc000004       none            swap            sw              0 0
# tmps
tmpfs                                           /tmp            tmpfs           size=4Gb        0 0
tmpfs                                           /run            tmpfs           size=100M       0 0
# shm
shm                                             /dev/shm        tmpfs           nodev,nosuid,noexec 0 0

configure network again only if static IP is used

cd /etc/init.d/
ln -s net.lo  net.eno1
nano /etc/conf.d/net

config_eno1=" 2000:0000:0000:9999::2/126"
routes_eno1="default via"

rc-update add net.eno1 default

obtain all necessary kernel sources and moduled and rebuild kernel

emerge sys-kernel/gentoo-sources 
emerge sys-kernel/genkernel
emerge sys-fs/cryptsetup 
emerge mdadm

cd /usr/src/linux
zcat /proc/config.gz >.config

mount /boot

mdadm --examine --scan
mdadm --examine --scan |sed -e 's/md\//md/' > /etc/mdadm.conf 

make menuconfig

the following options are mandatory

    Cryptographic API -> CBC support
    Cryptographic API -> ECB support
    Cryptographic API -> XTS support
    Cryptographic API -> HMAC support
    Cryptographic API -> all CRC32c options
    Cryptographic API -> MD5 digest algorithm
    Cryptographic API -> Michael MIC keyed digest algorithm
    Cryptographic API -> SHA1 digest algorithm
    Cryptographic API -> SHA224 and SHA256 digest algorithm
    Cryptographic API -> SHA384 and SHA512 digest algorithms
    Cryptographic API -> all AES options

build kernel image with all necessary modules and configure grub

genkernel --luks --lvm --mdadm --disklabel --no-zfs all 

echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot 
emerge -av grub 

nano /etc/default/grub 

GRUB_CMDLINE_LINUX="domdadm dolvm crypt_root=UUID=bbbbbbbb-cccc-0000-0000-000000bbbbbb root=/dev/mapper/vg0-root"

install and reboot

grub-install --target=x86_64-efi --efi-directory=/boot 
grub-mkconfig -o /boot/grub/grub.cfg 

rc-update add lvm default
rc-update add sshd default


See also:

FB or mail (remove X)   Share
<< Back designed by Alter aka Alexander A. Telyatnikov powered by Apache+PHP under FBSD © 2002-2024