Gentoo Forums
Encrypted Install partitioning
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 18

Posted: Sat Mar 09, 2019 3:15 am    Post subject: Encrypted Install partitioning

Hello everyone, I am new to Gentoo and am trying to do an encrypted installation as I want to have a hardened system. I have been working through the handbook and have been trying like crazy to figure out partitions. The handbook gives a great walkthrough of general partitioning, but I need some help bad. I am setting up Gentoo on a test laptop to get to know the system, I am taking notes and writing down everything I am learning for future reference. I cannot for the life of me figure out how to do an encrypted partitioning setup. I have done this on Void Linux and Arch Linux and had notes on both, but I lost these notes the old-fashioned way... I forgot to back them up. I am very confused and could use a little guidance. I have done some searching and this guide: https://linux.arantius.com/gentoo-encrypted-root-with-luks-and-lvm does just about everything I planned to do on my initial install partition-wise, but I am having a brain failure here. I can't remember how in the world to make the boot partition and the second partition (which he omits in his guide). I understand this has to be a very noob question, but I am going crazy trying to figure out how I did this. Please, any help would be severally welcomed. Sorry for the noob question.

Edit: I do really want to apologize about this question, I know this is a place for more advanced users and I have used Linux for a while. A lot of my questions have been easily solved with a quick duckduckgo search and the handbook. But partitions are something I have always struggled with. I want to thank everyone who even is taking the time to read this.
jburns
Veteran
Joined: 18 Jan 2007
Posts: 1061
Location: Massachusetts USA

Posted: Sat Mar 09, 2019 6:24 am

Look at https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide
fturco
l33t
Joined: 08 Dec 2010
Posts: 716
Location: Italy

Posted: Sat Mar 09, 2019 9:51 am

@FOSSilized_Daemon: Do you need LVM? Do you prefer LUKS only?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281

Posted: Sat Mar 09, 2019 4:56 pm    Post subject: Re: Encrypted Install partitioning

FOSSilized_Daemon wrote:
Hello everyone, I am new to Gentoo and am trying to do an encrypted installation as I want to have a hardened system. I have been working through the handbook and have been trying like crazy to figure out partitions. The handbook gives a great walkthrough of general partitioning, but I need some help bad. I am setting up Gentoo on a test laptop to get to know the system, I am taking notes and writing down everything I am learning for future reference. I cannot for the life of me figure out how to do an encrypted partitioning setup. I have done this on Void Linux and Arch Linux and had notes on both, but I lost these notes the old-fashioned way... I forgot to back them up. I am very confused and could use a little guidance. I have done some searching and this guide: https://linux.arantius.com/gentoo-encrypted-root-with-luks-and-lvm does just about everything I planned to do on my initial install partition-wise, but I am having a brain failure here. I can't remember how in the world to make the boot partition and the second partition (which he omits in his guide). I understand this has to be a very noob question, but I am going crazy trying to figure out how I did this. Please, any help would be severally welcomed. Sorry for the noob question.
Perhaps you are thinking too much. For the unencrypted partitions, which includes /boot, you can use the basic guidance offered to people who are not using any encryption at all. You want to make two partitions (at least, but let's go with exactly two for now). This will be a small /boot partition and a large partition that spans the rest of the drive. In the first partition, follow exactly the same steps you would for an unencrypted system. For the second partition, create a LUKS container on it. (Obligatory warning: creating LUKS containers destroys any prior contents. Since you just created this partition, there will not be any contents worth saving this time.) Open the LUKS container. Within the device representing the inside of the LUKS container, create your LVM PV. Then create your LVM VGs and LVs as normal. Create your filesystem(s) on the LV(s) (one filesystem per LV; choose number and size of LVs based on how you want to separate your filesystems).

That is an overview of what you want. It doesn't discuss making the environment bootable later. If you can't work out the details or you want confirmation before you do something expensive or dangerous, post back and someone can elaborate further.
FOSSilized_Daemon wrote:
Edit: I do really want to apologize about this question, I know this is a place for more advanced users and I have used Linux for a while.
We routinely help users with questions much easier than this one. If you put reasonable effort into solving your problem and you're still stuck, posting here is fine even if you think the question should be easy.
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 18

Posted: Sat Mar 09, 2019 5:48 pm

First, I just want to thank you so much for responding and taking the time to read my post. I am looking to do a LUKS + LVM install, however on my initial install I am not including /boot however I do plan on adding that at some point. The laptop that I am doing my install on doesn't have UEFI support, so this will be done using the older BIOS boot. I am just looking to do a simple encrypted install with /root, /swap and /home, just a standard install. I am having a hard time remembering this and feel very foolish. It has just been so long since I have done this. I am also looking at the other solutions provided by the other members of this forum. Thank you so much for your time, I do really appreciate it.
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 18

Posted: Sat Mar 09, 2019 5:53 pm    Post subject: Re: Encrypted Install partitioning

So I have been looking through guides and just want some assistance figuring out whether this is correct. I am using GPT.

create two partitions:

cfdisk

new:

first one will get 512M

new

second one will get the rest of disk

save

after this how do I make the first partition into boot? I know how to do all of the second partition, but /boot is confusing me :(
fturco
l33t
Joined: 08 Dec 2010
Posts: 716
Location: Italy

Posted: Sat Mar 09, 2019 8:19 pm

If you don't have UEFI and use GPT then you need an extra small partition at the beginning of the disk. For now I recommend you stick with MBR, to simplify things.

So suppose you have /dev/sda1 (512M) and /dev/sda2 (all the rest) as your newly created partitions. Warning: change the device names according to your system, in order to avoid overwriting important data.

First, you need to format the boot partition using your choice of filesystem. For ext4 the command is:

Code:
mkfs.ext4 /dev/sda1


Then you need to encrypt and format the other partition with LUKS:

Code:

cryptsetup luksFormat /dev/sda2 # choose a strong password and type it twice
cryptsetup luksOpen /dev/sda2 MyRootPartition # type the same password as before
mkfs.ext4 /dev/mapper/MyRootPartition


Now you can mount your root partition:

Code:
mount /dev/mapper/MyRootPartition /mnt/gentoo


Now you can continue following the Gentoo Handbook. Remember to mount the boot partition (/dev/sda1) under /mnt/gentoo/boot after having extracted the stage3 tarball.

You should at this point choose if you want to use Systemd or OpenRC as the init manager.
And Genkernel or Dracut for the initramfs.

On my system I have Systemd and Dracut, so I don't know how to guide you if you choose other programs, but I'm sure there are other people that can help you too!
fturco
l33t
Joined: 08 Dec 2010
Posts: 716
Location: Italy

Posted: Sat Mar 09, 2019 8:22 pm    Post subject: Re: Encrypted Install partitioning

FOSSilized_Daemon wrote:
after this how do I make the first partition into boot? I know how to do all of the second partition, but /boot is confusing me :(


In the previous reply I forgot to answer this question.

Basically the configuration file where you will assign your 512M boot partition to the /boot mount point is placed into /etc/fstab.
You just need to add a single line, very easy to do.
But that comes later. First you need to create partitions, format them, and extract the stage3 tarball.
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 18

Posted: Sat Mar 09, 2019 8:28 pm    Post subject: Re: Encrypted Install partitioning

My big question is how do I create those two partitions? I usually use cfdisk, but cfdisk doesn't have an option for MBR.
fturco
l33t
Joined: 08 Dec 2010
Posts: 716
Location: Italy

Posted: Sat Mar 09, 2019 9:19 pm

Use GNU Parted (parted command).
Hu
Moderator
Joined: 06 Mar 2007
Posts: 14281

Posted: Sat Mar 09, 2019 9:25 pm

cfdisk can do MBR or GPT, depending on how you use it.

Note that fturco's commands for LUKS assume you will not use LVM and will instead have exactly one filesystem, which is stored directly in the LUKS container. This is a valid configuration, but much less flexible. I prefer your original design of LVM-inside-LUKS.
fturco
l33t
Joined: 08 Dec 2010
Posts: 716
Location: Italy

Posted: Sat Mar 09, 2019 9:28 pm

@Hu: Since he's a beginner, I think he should attempt a simpler install first, without LVM or GPT. Once he fully understands the basics, he may try more advanced configurations.
FOSSilized_Daemon
n00b
Joined: 08 Mar 2019
Posts: 18

Posted: Sat Mar 09, 2019 9:57 pm

Code:
fdisk /dev/sda

# this part will create the sda1 (for /boot)
n
p
1
2048
512M

# this part will create the sda2 (for the rest)
n
p
(I am unsure what should go here for the 2048 part)
(for this part I assume this gets the rest of the disk)

mke2fs /dev/sda1
cryptsetup --verify-passphrase luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 root
pvcreate /dev/mapper/root
vgcreate vg /dev/mapper/root
lvcreate --size 4G --name swap vg
lvcreate --size 50G --name root vg
lvcreate --size 1G --name tmp vg
lvcreate --size 50G --name var vg
lvcreate --extents 100%FREE --name home vg
vgchange --available y
mkswap /dev/mapper/vg-swap
mkfs.xfs /dev/mapper/vg-root
mkfs.xfs /dev/mapper/vg-tmp
mkfs.xfs /dev/mapper/vg-var
mkfs.xfs /dev/mapper/vg-home

How is this? I would love a lot of help with sizing, my drive is 750 GB. What do you recommend for this? Also, if there are any flags I can use to make cryptsetup more secure I would love to hear them. I think I am missing flagging /dev/sda1 as boot :(
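
An added example, not part of the thread or any poster's own commands: the two partition layouts discussed above (MBR with a bootable /boot plus one large partition, and GPT on a BIOS machine with the extra small partition fturco mentions), written as sfdisk script input so that start sectors and the boot flag are not typed interactively. The function names and the layout names `mbr` and `gpt-bios` are hypothetical, and the 1MiB size of the BIOS boot partition is an assumption.

```shell
#!/bin/sh
# Added example: print sfdisk(8) script input for the layouts in this thread.
# Nothing here touches a disk; the functions only emit text.
# Line format used below: <start>,<size>,<type>,<bootable>  (empty = default)

# GPT type GUID of a BIOS boot partition (where GRUB embeds itself on BIOS + GPT)
BIOS_BOOT_GUID=21686148-6449-6E6F-744E-656564454649

# layout_script LAYOUT [BOOT_SIZE]
#   LAYOUT: mbr | gpt-bios (hypothetical names); BOOT_SIZE defaults to 512MiB
layout_script() {
    boot_size=${2:-512MiB}
    case $1 in
        mbr)
            echo "label: dos"
            # /boot: unencrypted, aligned start chosen by sfdisk, '*' sets the boot flag
            echo ",$boot_size,L,*"
            # rest of the disk: this partition becomes the LUKS container
            echo ",,L"
            ;;
        gpt-bios)
            echo "label: gpt"
            # extra small partition needed when a BIOS machine boots from GPT
            echo ",1MiB,$BIOS_BOOT_GUID"
            echo ",$boot_size,L"
            echo ",,L"
            ;;
        *)
            echo "unknown layout: $1" >&2
            return 1
            ;;
    esac
}

# Number of the partition to hand to 'cryptsetup luksFormat' for a layout:
# it is always the last partition line of the script.
luks_partition_number() {
    layout_script "$1" >/dev/null || return 1
    layout_script "$1" | grep -vc '^label:'
}

# Show both layouts for review.
for layout in mbr gpt-bios; do
    echo "# $layout (LUKS on partition $(luks_partition_number "$layout"))"
    layout_script "$layout"
done
```

Review the printed layout, then pipe it to `sfdisk --no-act /dev/sdX` for a dry run before writing the table to the real device.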