Dale wrote:
Do you have a link, or several links, on how to set that up? I'd like to read it and may even play with it on one of my old rigs, then maybe on my main rig at some point.
I don't think I have any step-by-step resources at hand but I can outline a general "recipe" if that helps.
For LVM, if unfamiliar, I can highly recommend the Gentoo [1] and Arch Wiki [2] pages. The former has useful information on boot parameters, which I'll get to near the end, and kernel configuration.
But other than getting the initramfs to unlock the LUKS-encrypted volume there isn't anything unusual to the setup - it's simply combining the two building blocks together.
Let's start with the sample layout I gave earlier:
/dev/sda
├─ /dev/sda1 : EFI System Partition
├─ /dev/sda2 : /boot partition, not encrypted
└─ /dev/sda3 : LUKS crypt container
   └─ hello_lvm - LVM Physical Volume and "hello_lvm" Volume Group
      ├─ hello_lvm/root : LVM volume, OS / partition
      └─ hello_lvm/home : LVM volume, /home partition
The above assumes a GPT formatted drive, but GPT is not a prerequisite. If using MBR, there's no need for the /dev/sda1 ESP. Everything below, of course, also assumes that it is not done on a "live" system and something like the gentoo live install ISO or another live distro is used.
1) /dev/sda2 - format as usual with filesystem of choice, e.g. ext4 (must be supported by GRUB).

2) Now for /dev/sda3. Format as LUKS as usual:

  # cryptsetup luksFormat /dev/sda3

and supply the unlock password. Any LUKS configuration specifics that one might have can also be specified here - e.g. hashing algorithm, key size, etc., see cryptsetup-luksFormat(8).

You can now open the LUKS container and call it, e.g. "crypt_gentoo":

  # cryptsetup open /dev/sda3 crypt_gentoo

which will show up as "/dev/mapper/crypt_gentoo". This is the now unlocked device where LVM will be set up.

3) "Format" the unlocked device as an LVM Physical Volume:

  # pvcreate /dev/mapper/crypt_gentoo

You can confirm LVM can detect it as such by inspecting the output of

  # pvdisplay

which should show information about "/dev/mapper/crypt_gentoo", its overall size, etc.

4) Next, create the "hello_lvm" LVM Volume Group (or a name of your choice) by passing in the LVM Physical Device where it will be placed:

  # vgcreate hello_lvm /dev/mapper/crypt_gentoo

and you can verify that LVM can detect it with

  # vgdisplay

5) Create the "root" logical volume, say 30GB, in the target VG:

  # lvcreate --size 30G --name root hello_lvm

The device for this volume will appear under "/dev/hello_lvm/root" and "/dev/mapper/hello_lvm-root".

6) Create the "home" volume, and let it occupy all the remaining available space:

  # lvcreate --extents 100%FREE --name home hello_lvm

The device for this volume will appear under "/dev/hello_lvm/home" and "/dev/mapper/hello_lvm-home".

You can check that both the volumes are correctly configured with:

  # lvdisplay hello_lvm

7) Format the volumes as usual with a filesystem of choice, e.g. ext4:

  # mkfs.ext4 /dev/hello_lvm/root
  # mkfs.ext4 /dev/hello_lvm/home

These can now be mounted as usual to a target location, e.g.:

  # mount /dev/hello_lvm/root /mnt/gentoo

8) Skipping forward and assuming that Gentoo is now present on the root volume, configuring fstab is nothing special. The UUID entries for "/" and "/home" are those of the LVM volumes:

  # blkid /dev/hello_lvm/root
  # blkid /dev/hello_lvm/home

e.g.

  UUID=<lvm fs uuid>  /  ext4  defaults  1 1

9) Ensure the relevant LUKS and LVM tools are available on the Gentoo installation, if not already, i.e. "sys-fs/cryptsetup" and "sys-fs/lvm2". Add lvm2 to the boot runlevel (chroot will be needed):

  # rc-update add lvm2 boot

10) Setting up the boot parameters. This is really the "critical" part as you need to tell the initramfs that a LUKS volume needs to be unlocked. Support for LUKS and LVM must be added to the initramfs.

10.1) If using genkernel, enable LUKS and LVM in "/etc/genkernel.conf":

  LVM="yes"
  LUKS="yes"

Alternatively, one must remember to add "--lvm" and "--luks" when generating an initramfs.

For GRUB you also need to add the relevant parameters. In "/etc/default/grub" add the following to "GRUB_CMDLINE_LINUX":

  crypt_root=UUID=<UUID of /dev/sda3> dolvm

Note that the UUID is that of /dev/sda3, i.e. the LUKS formatted partition, *not* the unlocked one:

  # blkid /dev/sda3

Regenerate the initramfs and GRUB config as usual (chroot will be needed).

10.2) If using Dracut, things are a bit simpler. LUKS and LVM support is added in by default. So you only need to add the relevant boot parameters to "/etc/default/grub":

  rd.luks.uuid=luks-<UUID of /dev/sda3> rd.lvm.vg=hello_lvm rd.lvm.lv=hello_lvm/root

Regenerate the initramfs and GRUB config as usual (chroot will be needed).

And that's it! Encrypted /boot is not covered, as I've not dabbled in it so far. Whether that is merited and poses a risk is subjective. If compiling your own kernel, I'd suggest looking at the relevant kernel configuration sections in [1,3]. Otherwise, "gentoo-kernel-bin" with Dracut should work out of the box.
If the system doesn't boot, it will most likely be due to boot parameters or the initramfs not having support for LUKS and LVM. Any error messages should hint at the cause.
As always, please, please back up any data beforehand, sanity check commands at every step, and I would always recommend using a disposable VM to try it on first. None of it is complicated, but it can be error-prone and risks data loss.
Hope this helps and that I've not missed anything. I usually refrain from sharing "guides" on disk setup with working CLI examples to avoid people blindly following without sanity checking and messing up their data. But this is a Gentoo community, an exception can be made :)
Refs:
[1] https://wiki.gentoo.org/wiki/LVM
[2] https://wiki.archlinux.org/title/LVM
[3] https://wiki.gentoo.org/wiki/Dm-crypt
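An added example, not part of the mail above: an offline sanity check for the step 10 boot parameters, to run before the first reboot. It takes the LUKS partition UUID, the unlocked device UUID, the VG name and the GRUB_CMDLINE_LINUX value as arguments (the UUIDs below are constructed, not from any real system), so it catches the mistake the mail warns about, using the UUID of /dev/mapper/crypt_gentoo instead of /dev/sda3.

```shell
#!/bin/sh
# Offline check of the kernel command line against the LUKS-on-LVM recipe.
# On a real system the inputs come from:
#   blkid -s UUID -o value /dev/sda3                  (LUKS partition)
#   blkid -s UUID -o value /dev/mapper/crypt_gentoo   (unlocked device)
#   GRUB_CMDLINE_LINUX in /etc/default/grub           (command line)

# has_param CMDLINE PARAM : true if PARAM appears as a whole word in CMDLINE
has_param() {
    case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
    esac
}

# check_cmdline INITRAMFS LUKS_UUID UNLOCKED_UUID VG CMDLINE
# INITRAMFS is "genkernel" or "dracut". Prints one line per problem and
# returns the number of problems found, so 0 means the line matches the recipe.
check_cmdline() {
    initramfs=$1; luks_uuid=$2; unlocked_uuid=$3; vg=$4; cmdline=$5
    problems=0
    # The UUID must be that of the LUKS-formatted partition, not the
    # unlocked mapper device, which only exists after the unlock.
    case "$cmdline" in
    *"$unlocked_uuid"*)
        echo "uses UUID of the unlocked device, not of the LUKS partition"
        problems=$((problems + 1)) ;;
    esac
    case "$initramfs" in
    genkernel) required="crypt_root=UUID=$luks_uuid dolvm" ;;
    dracut)    required="rd.luks.uuid=luks-$luks_uuid rd.lvm.vg=$vg rd.lvm.lv=$vg/root" ;;
    *) echo "unknown initramfs type: $initramfs"; return 1 ;;
    esac
    for want in $required; do
        has_param "$cmdline" "$want" || {
            echo "missing: $want"
            problems=$((problems + 1))
        }
    done
    return $problems
}

# Constructed sample UUIDs, not taken from any real system.
LUKS_UUID="11111111-2222-3333-4444-555555555555"
UNLOCKED_UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

if check_cmdline dracut "$LUKS_UUID" "$UNLOCKED_UUID" hello_lvm \
    "rd.luks.uuid=luks-$LUKS_UUID rd.lvm.vg=hello_lvm rd.lvm.lv=hello_lvm/root"; then
    echo "dracut line OK"
fi
# Wrong UUID plus the two missing genkernel parameters: reports 3 problems.
check_cmdline genkernel "$LUKS_UUID" "$UNLOCKED_UUID" hello_lvm \
    "crypt_root=UUID=$UNLOCKED_UUID" || echo "genkernel line has $? problem(s)"
```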