This is a small guide on how to do an encrypted Gentoo install. It isn't really an all-purpose article for every case; I wrote it while I was installing Gentoo on my ThinkPad T430 laptop and wanted to make an article that might help someone a bit.
First you will have to prepare your disk for the Gentoo installation. This will be the base for your entire system. You will have to create four partitions (BIOS boot, boot, swap and root) using the program gdisk, and then use the cryptsetup command on the root partition to create an encrypted LUKS container.
cryptsetup -yv luksFormat /dev/sda4
cryptsetup open /dev/sdb4 root
Note that the word at the end of the open command ("root" here) is the mapper name; you can choose any.
After opening the encrypted container, it is available as /dev/mapper/root.
Now format the boot partition to ext4 and the root (the opened container) to btrfs. And don't forget to format the swap partition.
mkfs.ext4 /dev/sda2
mkfs.btrfs /dev/mapper/root
mkswap /dev/sda3
In this step you will need to download the stage3 tarball from the Gentoo website and extract it into /mnt/gentoo/. In my case I will be using the amd64 desktop profile with OpenRC.
First you will need to create /mnt/gentoo/ and /mnt/gentoo/boot/:
mkdir -p /mnt/gentoo/boot
And then mount the partitions:
mount /dev/mapper/root /mnt/gentoo
mount /dev/sda2 /mnt/gentoo/boot
Go to the Gentoo download website, copy the download link of the selected tarball and download it into /mnt/gentoo/:
cd /mnt/gentoo
wget [tarball link]
After downloading the tarball, extract it using this command:
tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
After the tarball is extracted, you can delete the .tar.xz file.
This is a very important thing to set: most of your packages will be compiled with the settings you put in /mnt/gentoo/etc/portage/make.conf. I will show you the important things to set for this guide. Use the make.conf wiki page as a reference for your individual configuration.
Most importantly, don't forget to set -march= to your CPU architecture. If you are compiling on the computer that Gentoo will be used on, just set -march=native; if not, go to the GCC optimization wiki page and find the code for the CPU you will use this Gentoo installation on. In my case I will be setting -march=westmere.
You should also set CPU_FLAGS_X86 to your CPU's flags. You can get them by booting the Gentoo live ISO from a USB flash drive on the computer you will use this installation on and running the cpuid2cpuflags command, which lists all the flags.
Rust software is spreading like COVID-19 did a few years ago, so I would advise you to include RUSTFLAGS="${COMMON_FLAGS}" in your make.conf.
You should also include this quality-of-life option, which appends these flags automatically every time you run emerge: EMERGE_DEFAULT_OPTS="--ask --verbose"
You will want faster downloads from the Gentoo mirrors, so set GENTOO_MIRRORS to the mirror closest to you. You can find mirrors on the mirror wiki page.
You will also want to set the VIDEO_CARDS option so your video drivers get compiled. I will use VIDEO_CARDS="intel" on my ThinkPad because it has an integrated GPU. If you don't know which flag to set, go to the VIDEO_CARDS wiki page to find the GPU flag you need.
For the GRUB bootloader you will want to set GRUB_PLATFORMS="pc", since this guide is focused on installation with legacy boot.
If you compile on a better CPU than the one the installation will be used on, you can set MAKEOPTS="-j" to the resources you have available. I am compiling this installation on an AMD Ryzen 7, so I will be using MAKEOPTS="-j16". Make sure you adjust the -j number to the CPU your installation will be used on after you are done installing Gentoo.
This is optional, but if you want to use only Free Software, you can set ACCEPT_LICENSE="-* @FREE". I personally set this on all my machines.
The last thing we will set are the USE flags. You can put any compile options you want there, but make sure you include these few flags: device-mapper, crypt, elogind. You can add your own flags from the USE flag wiki page.
Here is an example of what I have:
COMMON_FLAGS="-O2 -march=westmere -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
RUSTFLAGS="${COMMON_FLAGS}"
CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse3 sse4_1 sse4_2 ssse3"
EMERGE_DEFAULT_OPTS="--ask --verbose"
GENTOO_MIRRORS="https://mirror.wheel.sk/gentoo"
VIDEO_CARDS="intel"
GRUB_PLATFORMS="pc"
MAKEOPTS="-j16"
ACCEPT_LICENSE="-* @FREE"
USE="device-mapper crypt elogind eme-free bluetooth wifi X wayland pipewire sound-server pulseaudio screencast cdda dvd dvdr -ppp -systemd -telemetry -gnome"
LC_MESSAGES=C.utf8
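Because a missing USE flag or a wrong GRUB_PLATFORMS only shows up much later (at genkernel or grub-install time), it is worth checking make.conf before chrooting. The script below is an added example, not part of this guide or of Portage: it reads a make.conf-style file and confirms the settings this guide depends on (the three USE flags, an -march= value, GRUB_PLATFORMS="pc") and warns about -march=native and about a MAKEOPTS -j count higher than the CPUs of the machine it runs on. The sample file is constructed inline; on a real install point it at /mnt/gentoo/etc/portage/make.conf instead.

```shell
#!/bin/sh
# Added example (not the guide's own code): a small make.conf sanity check.
# The sample file below is constructed here; replace it with
# /mnt/gentoo/etc/portage/make.conf on a real install.

MAKE_CONF_SAMPLE="$(mktemp)"
cat > "$MAKE_CONF_SAMPLE" <<'EOF'
COMMON_FLAGS="-O2 -march=westmere -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
GRUB_PLATFORMS="pc"
MAKEOPTS="-j16"
ACCEPT_LICENSE="-* @FREE"
USE="device-mapper crypt elogind wifi -systemd"
EOF

# get_var FILE NAME: print the value of NAME (last assignment wins, quotes stripped).
get_var() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# has_use FILE FLAG: succeed if FLAG is listed (and not negated with "-") in USE.
has_use() {
    for word in $(get_var "$1" USE); do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# makeopts_jobs FILE: print the N from MAKEOPTS="-jN", or nothing if unset.
makeopts_jobs() {
    get_var "$1" MAKEOPTS | sed -n 's/.*-j[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# check_make_conf FILE: print each problem found; the exit status is the problem count.
check_make_conf() {
    problems=0
    for flag in device-mapper crypt elogind; do
        if ! has_use "$1" "$flag"; then
            echo "missing USE flag: $flag"
            problems=$((problems + 1))
        fi
    done
    flags="$(get_var "$1" COMMON_FLAGS)"
    case "$flags" in
        *-march=native*) echo "note: -march=native is only right when compiling on the target machine" ;;
        *-march=*) ;;
        *) echo "COMMON_FLAGS has no -march= setting"; problems=$((problems + 1)) ;;
    esac
    if [ "$(get_var "$1" GRUB_PLATFORMS)" != "pc" ]; then
        echo "GRUB_PLATFORMS is not \"pc\" (needed for the legacy-boot GRUB in this guide)"
        problems=$((problems + 1))
    fi
    # MAKEOPTS is only a warning: the guide deliberately compiles with more jobs
    # on a faster machine and lowers -j after the install moves to the target.
    jobs="$(makeopts_jobs "$1")"
    cpus="$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 1)"
    if [ -n "$jobs" ] && [ "$jobs" -gt "$cpus" ]; then
        echo "note: MAKEOPTS -j$jobs exceeds the $cpus CPUs seen here; lower it once the install runs on the target"
    fi
    return "$problems"
}

if check_make_conf "$MAKE_CONF_SAMPLE"; then
    echo "make.conf sample: all required settings present"
fi
```

The check is deliberately line-based (sed on `NAME="value"` lines) rather than sourcing the file, so it never executes anything from a make.conf you are inspecting; a value like `CFLAGS="${COMMON_FLAGS}"` is reported verbatim, not expanded.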
Before chrooting into your system, copy the DNS info to your new installation so you can connect to the internet from inside it.
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/
Then create a temporary chroot script, /mnt/gentoo/chroot.sh, with these lines:
vim /mnt/gentoo/chroot.sh
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev
mount --bind /run /mnt/gentoo/run
mount --make-slave /mnt/gentoo/run
# Uncomment the three lines below if you are installing from non-Gentoo installation media.
#test -L /dev/shm && rm /dev/shm && mkdir /dev/shm
#mount --types tmpfs --options nosuid,nodev,noexec shm /dev/shm
#chmod 1777 /dev/shm /run/shm
chroot /mnt/gentoo /bin/bash
And run the script:
sh /mnt/gentoo/chroot.sh
The chroot command starts a new shell inside the installation, so any line placed after it in the script would only run once you leave that shell again. Once you are inside, load the profile and mark the prompt by hand:
source /etc/profile && export PS1="(chroot) ${PS1}"
After this you are working inside your new Gentoo installation environment.
We have already done some of the Portage configuration earlier, so we will skip those steps. Now run these two commands to configure the Gentoo ebuild repository:
mkdir --parents /etc/portage/repos.conf
cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
Now download the Gentoo ebuild repository:
emerge-webrsync
A profile is a set of specific USE flags, variables and version ranges. You need to choose a profile that suits your use case. This installation is intended for desktop use, so I will select the default/linux/amd64/23.0/desktop profile. To view the available profiles, run this command:
eselect profile list
Output example (my output):
  [21]  default/linux/amd64/23.0 (stable)
  [22]  default/linux/amd64/23.0/systemd (stable)
  [23]  default/linux/amd64/23.0/desktop (stable) *
  [24]  default/linux/amd64/23.0/desktop/systemd (stable)
  [25]  default/linux/amd64/23.0/desktop/gnome (stable)
It is likely that the desktop profile is already selected if you downloaded the desktop stage3 tarball. If not, run the command below with the option number at the end; the blue asterisk should then move to your selected option. In my case I selected number 23.
eselect profile set (your number)
After changing the USE flags in make.conf, we will want to rebuild the current packages so they are built the way we want:
emerge --ask --verbose --update --deep --newuse @world
Now get rid of obsolete packages:
emerge --ask --depclean
If you want your system time to be correct, set your system's timezone. You can list all available timezones by running this command:
ls -l /usr/share/zoneinfo
You can also ls deeper into the directory of your continent to see the available timezones:
ls -l /usr/share/zoneinfo/Europe
Then echo the timezone into the timezone file. For example, I will use Europe/Bratislava.
echo "(your timezone)" > /etc/timezone
Finally, apply it by reconfiguring timezone-data:
emerge --config sys-libs/timezone-data
This is optional, but if you want to edit files with vim instead of nano, emerge vim:
emerge vim
Now generate your locale by editing locale.gen: simply uncomment the line with your locale.
vim /etc/locale.gen
If you don't know the locale code of your language, run this command to view the supported locales:
less /usr/share/i18n/SUPPORTED
Now generate the locale:
locale-gen
Now list your locales with eselect. It is likely that your locale is already selected.
eselect locale list
And set your locale:
eselect locale set (number of your option)
Finally, reload your environment with the following command:
env-update && source /etc/profile && export PS1="(chroot) ${PS1}"
Now it is time to install the core of the operating system, the kernel. It has to be installed a bit differently than usual: you will use the genkernel command with a few flags.
You might want the linux-firmware package if you use proprietary drivers for wifi, bluetooth, etc. Even if you don't need it (like me, since I have an Atheros wifi card), you still have to set the -firmware USE flag for genkernel in /etc/portage/package.use/sys-kernel, as shown further below.
If you use proprietary drivers, you will need the firmware. Add the ~amd64 keyword for the package to package.accept_keywords.
Adding ~amd64 to /etc/portage/package.accept_keywords/sys-kernel:
echo "sys-kernel/linux-firmware ~amd64" >> /etc/portage/package.accept_keywords/sys-kernel
Only with the ACCEPT_LICENSE="-* @FREE" option: add the package's license to the Portage config. The file takes the package atom first, then the license name(s); if emerge still refuses to install the package, it prints the exact license names that must be accepted.
echo "sys-kernel/linux-firmware linux-fw-redistributable" >> /etc/portage/package.license/package.license
And then just install the package:
emerge sys-kernel/linux-firmware
If you are based and use devices with free drivers, you instead put the -firmware flag into package.use:
echo "sys-kernel/genkernel -firmware" >> /etc/portage/package.use/sys-kernel
To install the kernel, you need two packages: genkernel, a tool that automates building the kernel, and gentoo-sources, which contains the kernel source.
emerge genkernel gentoo-sources
Before you can compile the kernel, you need to select it with the eselect command. Run this command to list the available kernels:
eselect kernel list
Then select the kernel. In a new installation it will be 1 in most cases.
eselect kernel set 1
After selecting the kernel, run the command below to start the compilation. It contains the flags necessary for an encrypted installation.
Note: this might take a long time.
genkernel --luks --lvm --busybox all
All partitions used by your system must be listed in /etc/fstab, which holds the mount points and the options for how they are mounted.
Run the command blkid to find the UUIDs of your partitions.
Output example (my output):
/dev/sdb4: UUID="52121e1c-c51c-4ffc-92bc-eb6423e736c8" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="389956c6-89c7-4122-b45f-17e6256be3c9"
/dev/sdb2: UUID="8bee939e-50f2-41ba-b359-2070ec1511f1" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Linux filesystem" PARTUUID="eccfcd37-5a98-4e4b-ac18-f1194a9679b9"
/dev/sdb3: UUID="75fca4da-eb35-47f7-8696-ae9bbcf1c75c" TYPE="swap" PARTLABEL="Linux swap" PARTUUID="c99f141c-3cea-440c-beb6-cf7fa9c74a89"
/dev/sdb1: PARTLABEL="BIOS boot partition" PARTUUID="b1db83bd-94f0-452a-86bc-bf22a3277873"
/dev/mapper/root: UUID="1e0b2067-8937-47c0-9a5c-f200fe4607b8" UUID_SUB="1ff8b4f2-f1bb-4916-aea9-bdb7f0111584" BLOCK_SIZE="4096" TYPE="btrfs"
You will want to put your LUKS partition as the root partition in the fstab; in my case it is /dev/sdb4.
Fill in the fstab file so it looks like the example below, with your own UUIDs instead of the ones shown:
# /dev/sdb4 (root)
UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8    /        btrfs    rw,relatime    0 0
# /dev/sdb2 (boot)
UUID=8bee939e-50f2-41ba-b359-2070ec1511f1    /boot    ext4     rw,relatime    0 2
# Swap
UUID=75fca4da-eb35-47f7-8696-ae9bbcf1c75c    none     swap     defaults       0 0
Set the name of your device, which is what other machines on your local network will see:
echo ThinkPaw > /etc/hostname
If you want to use the internet on your device, install the dhcpcd DHCP client, add its service to the default runlevel so it starts on boot, and start it now:
emerge --ask net-misc/dhcpcd
rc-update add dhcpcd default
rc-service dhcpcd start
To set your root password, use the passwd command.
You can skip this step, but it is pretty useful to install some of these packages, especially the filesystem tools (btrfs-progs, e2fsprogs):
emerge --ask sys-fs/btrfs-progs sys-fs/e2fsprogs net-misc/chrony app-shells/bash-completion sys-apps/mlocate sys-process/dcron
Now enable the chrony service, if you installed it:
rc-update add chronyd default
If you want to use wifi on your computer, also install these packages:
emerge --ask net-wireless/iw net-wireless/wpa_supplicant
After successfully finishing all the previous steps, proceed to the installation of GRUB. GRUB is the bootloader that starts your system after you press the power button on your PC.
Install the grub package and make sure you have GRUB_PLATFORMS="pc" in your make.conf:
emerge --ask --verbose sys-boot/grub
Now you need to configure GRUB to work with encryption. The configuration file is /etc/default/grub.
Your GRUB config should look something like this; change only the parameters shown. Put the UUID of your LUKS partition instead of the one in my example; it is the same UUID as the root partition in fstab.
...
GRUB_PRELOAD_MODULES='part_gpt part_msdos luks lvm'
GRUB_CMDLINE_LINUX='dolvm crypt_root=UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 root_trim=yes rootfstype=btrfs'
GRUB_ENABLE_CRYPTODISK=y
...
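The crypt_root= UUID is the one value on this page that cannot be wrong without the boot failing at the initramfs prompt, and blkid shows two UUIDs for the same disk (the crypto_LUKS container on /dev/sdb4 and the btrfs filesystem inside it on /dev/mapper/root). The script below is an added example, not part of this guide or of GRUB: it extracts the crypto_LUKS UUID from saved blkid output, compares it with crypt_root= in an /etc/default/grub file, and confirms GRUB_ENABLE_CRYPTODISK=y, the luks preload module and the dolvm option that matches the --lvm genkernel build above. The two input files are constructed inline from the values shown on this page, plus a second, deliberately wrong GRUB file that points crypt_root at the btrfs UUID; on a real system feed it "blkid > /tmp/blkid.txt" and /etc/default/grub.

```shell
#!/bin/sh
# Added example (not the guide's own code): check /etc/default/grub against blkid.
# Both inputs are constructed here from the values shown in the guide.

BLKID_SAMPLE="$(mktemp)"
cat > "$BLKID_SAMPLE" <<'EOF'
/dev/sdb4: UUID="52121e1c-c51c-4ffc-92bc-eb6423e736c8" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="389956c6-89c7-4122-b45f-17e6256be3c9"
/dev/sdb2: UUID="8bee939e-50f2-41ba-b359-2070ec1511f1" BLOCK_SIZE="4096" TYPE="ext4" PARTLABEL="Linux filesystem" PARTUUID="eccfcd37-5a98-4e4b-ac18-f1194a9679b9"
/dev/sdb3: UUID="75fca4da-eb35-47f7-8696-ae9bbcf1c75c" TYPE="swap" PARTLABEL="Linux swap" PARTUUID="c99f141c-3cea-440c-beb6-cf7fa9c74a89"
/dev/sdb1: PARTLABEL="BIOS boot partition" PARTUUID="b1db83bd-94f0-452a-86bc-bf22a3277873"
/dev/mapper/root: UUID="1e0b2067-8937-47c0-9a5c-f200fe4607b8" UUID_SUB="1ff8b4f2-f1bb-4916-aea9-bdb7f0111584" BLOCK_SIZE="4096" TYPE="btrfs"
EOF

# The settings the guide shows, as they should appear in /etc/default/grub.
GRUB_GOOD="$(mktemp)"
cat > "$GRUB_GOOD" <<'EOF'
GRUB_PRELOAD_MODULES='part_gpt part_msdos luks lvm'
GRUB_CMDLINE_LINUX='dolvm crypt_root=UUID=52121e1c-c51c-4ffc-92bc-eb6423e736c8 root_trim=yes rootfstype=btrfs'
GRUB_ENABLE_CRYPTODISK=y
EOF

# A constructed mistake: crypt_root points at the btrfs filesystem inside the
# container (the /dev/mapper/root UUID) instead of the container itself, and
# the cryptodisk/luks/dolvm settings are missing.
GRUB_WRONG="$(mktemp)"
cat > "$GRUB_WRONG" <<'EOF'
GRUB_PRELOAD_MODULES='part_gpt part_msdos'
GRUB_CMDLINE_LINUX='crypt_root=UUID=1e0b2067-8937-47c0-9a5c-f200fe4607b8 rootfstype=btrfs'
EOF

# luks_uuid BLKID_FILE: print the UUID of the first device blkid reports as crypto_LUKS.
luks_uuid() {
    sed -n 's/^[^ ]*: UUID="\([^"]*\)".*TYPE="crypto_LUKS".*/\1/p' "$1" | head -n 1
}

# crypt_root_uuid GRUB_FILE: print the UUID given to crypt_root= on the kernel line.
crypt_root_uuid() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*crypt_root=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}

# check_grub_crypt GRUB_FILE BLKID_FILE: print problems; the exit status is their count.
check_grub_crypt() {
    problems=0
    want="$(luks_uuid "$2")"
    have="$(crypt_root_uuid "$1")"
    if [ -z "$want" ]; then
        echo "blkid output shows no crypto_LUKS device"
        problems=$((problems + 1))
    elif [ "$have" != "$want" ]; then
        echo "crypt_root=UUID=${have:-<unset>} does not match the LUKS container ($want)"
        problems=$((problems + 1))
    fi
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" || { echo "GRUB_ENABLE_CRYPTODISK=y is missing"; problems=$((problems + 1)); }
    grep -q '^GRUB_PRELOAD_MODULES=.*luks' "$1" || { echo "luks is not in GRUB_PRELOAD_MODULES"; problems=$((problems + 1)); }
    grep -q '^GRUB_CMDLINE_LINUX=.*dolvm' "$1" || { echo "dolvm is missing (genkernel was built with --lvm)"; problems=$((problems + 1)); }
    return "$problems"
}

check_grub_crypt "$GRUB_GOOD" "$BLKID_SAMPLE" && echo "grub sample: crypt_root matches the LUKS container"
check_grub_crypt "$GRUB_WRONG" "$BLKID_SAMPLE" || echo "grub wrong sample: $? problem(s) found"
```

Run it before grub-mkconfig; if it reports a mismatch, the UUID to use is the one blkid prints next to TYPE="crypto_LUKS", never the one next to TYPE="btrfs".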
Now generate the GRUB config:
grub-mkconfig -o /boot/grub/grub.cfg
Now that you are done, leave the installation environment safely:
exit
cd
umount -l /mnt/gentoo/dev{/shm,/pts,}
umount -R /mnt/gentoo
Now you can reboot your system:
reboot
This article is not finished.