Encrypted Gentoo install on ThinkPad

(31st March 2024)


The article is not finished

Preparing disks

First you will have to prepare your disk for the Gentoo installation. This will be the base for your entire system. You will have to create four partitions (BIOS boot, boot, swap and root) using the gdisk program, and then use the cryptsetup command on the root partition to create an encrypted LUKS container.

Creating an encrypted container

cryptsetup -yv luksFormat /dev/sda4

Opening the encrypted container

Note that the last word of the command is the mapper name; you can choose any name.

cryptsetup open /dev/sda4 root

After opening the encrypted container, you will find it at /dev/mapper/root.

Formatting the partitions

Now format the boot partition as ext4 and the root as btrfs, and don't forget to format the swap partition. Note that in this layout swap sits on a plain partition outside the LUKS container, so anything swapped out is written to disk unencrypted.

mkfs.ext4 /dev/sda2

mkfs.btrfs /dev/mapper/root

mkswap /dev/sda3
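The partitioning, LUKS container and formatting steps above as one non-interactive script, added here as an example and not the author's own commands. It uses sgdisk instead of the interactive gdisk, assumes a GPT disk at /dev/sda as on this page, and the boot and swap sizes are my assumptions; it defaults to a dry run that only prints the commands.

```shell
# Added example, not the author's commands: the same four-partition layout done
# non-interactively with sgdisk. Assumptions: GPT, /dev/sda as on this page, the
# sizes below. DRY_RUN defaults to 1 (print only); DRY_RUN=0 really wipes $DISK.
set -eu

DISK="${DISK:-/dev/sda}"
DRY_RUN="${DRY_RUN:-1}"
BOOT_SIZE="${BOOT_SIZE:-+1G}"   # assumed size of the unencrypted /boot
SWAP_SIZE="${SWAP_SIZE:-+8G}"   # assumed swap size
MAPPER="${MAPPER:-root}"        # mapper name used on this page

# Echo each command and execute it unless we are in dry-run mode.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Partition N of a disk: /dev/sda -> /dev/sda4, /dev/nvme0n1 -> /dev/nvme0n1p4.
part() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n'  "$1" "$2" ;;
    esac
}

prepare_disk() {
    disk="$1"
    if [ "$DRY_RUN" != "1" ] && [ ! -b "$disk" ]; then
        echo "$disk is not a block device" >&2
        return 1
    fi
    # 1: BIOS boot (EF02, needed by legacy GRUB on GPT), 2: /boot, 3: swap,
    # 4: root, typed 8309 (Linux LUKS) so tools list it as an encrypted volume.
    run sgdisk --zap-all "$disk"
    run sgdisk -n 1:0:+2M          -t 1:EF02 -c 1:bios "$disk"
    run sgdisk -n 2:0:"$BOOT_SIZE" -t 2:8300 -c 2:boot "$disk"
    run sgdisk -n 3:0:"$SWAP_SIZE" -t 3:8200 -c 3:swap "$disk"
    run sgdisk -n 4:0:0            -t 4:8309 -c 4:root "$disk"
    # LUKS2 container on the root partition, opened as /dev/mapper/$MAPPER.
    run cryptsetup -yv luksFormat --type luks2 "$(part "$disk" 4)"
    run cryptsetup open "$(part "$disk" 4)" "$MAPPER"
    # ext4 for the plain /boot, btrfs inside the container; swap stays on a
    # plain partition outside LUKS, so it is not encrypted in this layout.
    run mkfs.ext4 "$(part "$disk" 2)"
    run mkfs.btrfs "/dev/mapper/$MAPPER"
    run mkswap "$(part "$disk" 3)"
}

prepare_disk "$DISK"
```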

Preparing the system

In this step you will need to download the stage3 tarball from the Gentoo website and extract it into /mnt/gentoo/. In my case I will be using the amd64 desktop profile with OpenRC.

Mounting the disk

First you will need to create /mnt/gentoo/ and /mnt/gentoo/boot/

mkdir -p /mnt/gentoo/boot

And then mount the partitions

mount /dev/mapper/root /mnt/gentoo

mount /dev/sda2 /mnt/gentoo/boot

Downloading and extracting the stage3 tarball

Go to the Gentoo download website and copy the download link of the selected tarball and download it into /mnt/gentoo/.

cd /mnt/gentoo

wget [tarball link]

After downloading the tarball, extract it using this command:

tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner

After the tarball is extracted, you can delete the .tar.xz file.

Configuring compile options

This is a very important thing to set: most of your packages will be compiled with the settings you put in /mnt/gentoo/etc/portage/make.conf. I will show you some important things to set for this guide. Use this wiki page as a guide for your individual configuration.

Most importantly, don't forget to set -march= to your CPU architecture. If you are compiling on the computer that Gentoo will be used on, just set -march=native; if not, go to this wiki page and find the code for the CPU that you will use this Gentoo installation on. In my case I will be setting -march=westmere.

You should also set CPU_FLAGS_X86 to your CPU flags. You can do it by booting the Gentoo live ISO from a USB flash drive on the computer you will use this Gentoo installation on and running the cpuid2cpuflags command to list all the flags.

Rust software is spreading like COVID-19 did a few years ago, so I would advise you to include RUSTFLAGS="${COMMON_FLAGS}" in your make.conf.

You should also include this quality-of-life option, which automatically appends these flags whenever you compile something: EMERGE_DEFAULT_OPTS="--ask --verbose"

You will want fast downloads from the Gentoo mirrors, so set GENTOO_MIRRORS to the mirror closest to you. You can find mirrors by going to this wiki page.

You will also want to set the VIDEO_CARDS option so your video drivers get compiled. I will use VIDEO_CARDS="intel" on my ThinkPad because it has an integrated GPU. If you don't know which flag to set, go to this wiki page to find the GPU flag you need.

For the GRUB bootloader you will want to set GRUB_PLATFORMS="pc", since this guide is focused on an installation with legacy boot.

If you compile on a better CPU than the installation will be used on, you can set MAKEOPTS="-j" to the resources you have available. I am compiling this installation on an AMD Ryzen 7, so I will be using MAKEOPTS="-j16". Make sure you adjust the -j number to the CPU your installation will be used on after you are done installing Gentoo.

This is optional, but if you want to use only Free Software, you could opt to set ACCEPT_LICENSE="-* @FREE". I personally set this on all my machines.

The last thing we will set are the USE flags. You can put any compile options you want there, but make sure you include these few flags: device-mapper, crypt, elogind. You can add further flags, which can be found on this wiki page.

Here is an example of what I have:

COMMON_FLAGS="-O2 -march=westmere -pipe"
CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse3 sse4_1 sse4_2 ssse3"

EMERGE_DEFAULT_OPTS="--ask --verbose"

USE="device-mapper crypt elogind eme-free bluetooth wifi X wayland pipewire sound-server pulseaudio screencast cdda dvd dvdr -ppp -systemd -telemetry -gnome"
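The settings discussed in this section collected into one complete make.conf, added here as an example rather than the author's own file. The mirror URL is a placeholder, and RUSTFLAGS is written in rustc's own syntax because rustc does not accept the GCC-style -O2/-march flags that COMMON_FLAGS contains.

```shell
# Added example, not the author's make.conf. Assumptions: the mirror URL is a
# placeholder and the build host is a faster machine than the ThinkPad.

# Compiler flags for the TARGET CPU (westmere ThinkPad), not the build host;
# -march=native here would tune for the Ryzen doing the compiling instead.
COMMON_FLAGS="-O2 -march=westmere -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
# Same intent for Rust, spelled the way rustc expects it.
RUSTFLAGS="-C opt-level=2 -C target-cpu=westmere"

# Output of cpuid2cpuflags run on the target machine, not on the build host.
CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"

# Parallel jobs for the build host; lower this on the ThinkPad afterwards.
MAKEOPTS="-j16"
EMERGE_DEFAULT_OPTS="--ask --verbose"

# Closest mirror (placeholder URL), integrated Intel GPU, legacy BIOS GRUB.
GENTOO_MIRRORS="https://mirror.example.org/gentoo"
VIDEO_CARDS="intel"
GRUB_PLATFORMS="pc"

# Free software only; any non-free license must then be allowed per package.
ACCEPT_LICENSE="-* @FREE"

# device-mapper and crypt for the LUKS root, elogind for the OpenRC desktop.
USE="device-mapper crypt elogind eme-free bluetooth wifi X wayland pipewire sound-server pulseaudio screencast cdda dvd dvdr -ppp -systemd -telemetry -gnome"
```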


Installing the base system

Chrooting into the system

Before chrooting into your system, you should copy the DNS info to your new installation so you can connect to the internet.

cp --dereference /etc/resolv.conf /mnt/gentoo/etc/

Then create a temporary chrooting script which will contain these lines:

vim /mnt/gentoo/

mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run

# Uncomment three lines below if you are installing from non-gentoo installation media.
#test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
#mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm
#chmod 1777 /dev/shm /run/shm

# Keep chroot as the last line: anything written after it would only run once
# you leave the chroot shell, on the live system rather than inside the new one.
chroot /mnt/gentoo /bin/bash

And run the script:

sh /mnt/gentoo/

After running this script, you should be chrooted into your new Gentoo installation environment. Inside that shell, load the profile and mark the prompt so you can tell the two environments apart:

source /etc/profile
export PS1="(chroot) ${PS1}"

Configuring portage

We already have done some steps for configuring portage earlier, so we will skip them. Now, run these two commands to configure the Gentoo ebuild repository:

mkdir --parents /etc/portage/repos.conf

cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf

Now you have to download the Gentoo ebuild repository.


Selecting a profile

A profile is a set of specific USE flags, variables and version ranges. You need to choose a profile that suits your use case. This installation is intended for desktop use, so I will select the default/linux/amd64/23.0/desktop profile. To view the profiles, run this command:

eselect profile list

Example output (mine):

  [21]  default/linux/amd64/23.0 (stable)
  [22]  default/linux/amd64/23.0/systemd (stable)
  [23]  default/linux/amd64/23.0/desktop (stable) *
  [24]  default/linux/amd64/23.0/desktop/systemd (stable)
  [25]  default/linux/amd64/23.0/desktop/gnome (stable)

It is most likely that the desktop profile is already selected if you downloaded the desktop stage3 tarball. If not, run the command below with the option number at the end; the blue asterisk should then move to your selected option. In my case I selected number 23.

eselect profile set (your number)

Updating the packages

After changing the USE flags in make.conf, we will want to rebuild the currently installed packages so they are built the way we want.

emerge --ask --verbose --update --deep --newuse @world

Now get rid of obsolete packages.

emerge --ask --depclean

Setting the timezone

If you want your system time to be correct, you should set your system's timezone. You can see all the available timezones by running this command:

ls -l /usr/share/zoneinfo

You can also ls deeper into your continent's directory to see the available timezones.

ls -l /usr/share/zoneinfo/Europe

And then echo the timezone into the timezone file. For example, I will use Europe/Bratislava.

echo "(your timezone)" > /etc/timezone

And finally, finish it by emerging timezone-data.

emerge --config sys-libs/timezone-data

Installing vim

This is optional, but if you want to edit files using vim instead of nano, then emerge vim.

emerge vim

Generating locale

Now you will want to generate the locale by editing locale.gen. Simply uncomment the line with your locale.

vim /etc/locale.gen

If you don't know the locale code for your language, run this command to view the supported locales:

less /usr/share/i18n/SUPPORTED

And now just generate the locale.


Selecting locale

Now list your locales with eselect. It is likely that your locale is already selected.

eselect locale list

And set your locale

eselect locale set (number of your option)

And now finally reload your environment using the following command:

env-update && source /etc/profile && export PS1="(chroot) ${PS1}"

Installing the kernel

Now it is time to install the core of the operating system, the kernel. It will have to be installed a bit differently than is done normally: you will have to use the genkernel command with a few flags.
You might want to use the linux-firmware package if you use proprietary drivers for wifi, bluetooth, etc. But even if you don't need it, as in my case with an Atheros wifi card, you will need to set -firmware in the /etc/portage/package.use/sys-kernel file.

I need linux firmware

If you use proprietary drivers, you will need the firmware. You need to add the ~amd64 keyword to the package.accept_keywords file.

Adding ~amd64 to /etc/portage/package.accept_keywords/sys-kernel:

echo "sys-kernel/linux-firmware ~amd64" >> /etc/portage/package.accept_keywords/sys-kernel

Only if you set ACCEPT_LICENSE to @FREE: allow the package's non-free license in the portage config. The file takes a package atom followed by the license name; emerge prints the exact license it needs when it refuses the package.

echo "sys-kernel/linux-firmware linux-fw-redistributable" >> /etc/portage/package.license/package.license

And then you just install the package.

emerge sys-kernel/linux-firmware

I don't need linux firmware

If you are based and use devices with free drivers, then you will need to put the -firmware flag into package.use.

echo "sys-kernel/genkernel -firmware" >> /etc/portage/package.use/sys-kernel

Installing the kernel

To install the kernel, you will need two packages: genkernel, a tool that automates building the kernel, and gentoo-sources, which includes the kernel source.

emerge genkernel gentoo-sources

Before you can compile the kernel, you need to select it with the eselect command. Run this command to list the available kernels:

eselect kernel list

And then select the kernel. In a new installation it will usually be number 1.

eselect kernel set 1

After selecting the kernel, run this command to start the compilation of the kernel. The command contains the flags necessary for an encrypted installation.
Note: this might take a long time.

genkernel --luks --lvm --busybox all

Generating fstab


The article is not finished