LUKS On Gentoo
emerge cryptsetup-luks
To use LUKS on a non-root partition it is sufficient to install cryptsetup-luks: just run emerge cryptsetup-luks. Any installation of the regular cryptsetup package should be unmerged before this step, because the two packages install the same files and would collide.

Please note that cryptsetup-luks became cryptsetup in May 2007, effectively replacing the old "main branch", and Gentoo added the new release to portage as cryptsetup 1.0.5. If you need 1.0.5 or a newer release, run emerge cryptsetup instead of emerge cryptsetup-luks, unmasking it if necessary by adding it to /etc/portage/package.keywords. The installed files have the same names, so the rest of this tutorial stays valid.
emerge genkernel
genkernel is the package that builds Gentoo kernels. It comes with a nice facility to build initrds, which is used here to equip the initrd with a static cryptsetup binary that unlocks the root device before the real root is mounted. Modify your boot loader to pass crypt_root=/dev/your-luks-root-dev as a kernel parameter; the genkernel initrd opens that device under the mapping name root, so the real root to hand over to is real_root=/dev/mapper/root.

Make sure you have put LUKS="YES" into /etc/genkernel.conf. I would also recommend setting CLEAN="NO", as I find the Gentoo way of stockpiling kernel configs in /etc/kernels counter-intuitive. To prepare a kernel config with CLEAN="NO", just untar the kernel tarball, run make menuconfig (or xconfig or gconfig) in the source tree, and when satisfied run genkernel all (you can substitute kernel or initrd for all if you want to build or rebuild the parts separately). The final step is to add the kernel image and the initrd image, which genkernel installs into /boot, to your grub config.
Installation to LUKS
Get a Gentoo LiveCD or a Knoppix CD. What matters is that it is based on a 2.6 kernel (Gentoo's LiveCDs are 2.6 from 2004.3 on). Proceed with the Gentoo installation as outlined in the Gentoo Linux Handbook up to Section 4, "Preparing the Disks". You definitely need a separate /boot partition for a LUKS setup, because the kernel and initrd images must live on an unencrypted part of the disk where the boot loader can read them. It is advisable to use the default partition scheme sketched in Section 4.b. After creating the desired disk layout with fdisk, this is the point where LUKS comes in. You need a working cryptsetup-luks binary for your host platform; static versions for some platforms are available in the dm-crypt section.
Before creating a filesystem, you have to set up a LUKS partition and map it. Think of a passphrase and run cryptsetup luksFormat /dev/yourblockdevice. This writes a LUKS header to the start of the device and destroys whatever was stored there, so double-check the device name before you confirm. You will be asked for a passphrase; make sure you remember it. This is not like the PIN of your mobile or a root password: there is absolutely no fallback if the passphrase is lost, because it is the only way to recover the master key that encrypts the data. (A LUKS header has eight key slots, so a second passphrase can be added later with cryptsetup luksAddKey.) See the Tips section for passphrase management.
After successfully initializing the LUKS partition, create a mapping by issuing a luksOpen command like cryptsetup luksOpen /dev/yourblockdevice root. The name of the mapping is root, and the decrypted device appears as /dev/mapper/root. Operate on /dev/mapper/root wherever the Gentoo Handbook tells you to operate on your root partition, never on the raw device, which now holds only the LUKS header and ciphertext. For instance, create a file system with mke2fs /dev/mapper/root, and mount it with mount /dev/mapper/root /mnt/gentoo.
Continue to set up your Gentoo installation as you like until Chapter 7, which describes the installation of the kernel for your system. On the first try, compile the device mapper, dm-crypt and your cipher (most likely AES) statically into the kernel rather than as modules. Note that the default LUKS cipher spec, aes-cbc-essiv:sha256, also needs CBC mode and SHA-256 support in the kernel; if the initrd cannot open the root device at boot, a missing cipher, mode or hash is the usual cause. After you have finished menuconfig, build your kernel with genkernel. Get genkernel by emerging it with emerge genkernel, then proceed as outlined in the section above.
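The whole procedure from the two sections above, as an added example that is not part of the original page: the luksFormat / luksOpen / mke2fs / mount sequence wrapped in a few safety checks, a check that a kernel .config has the symbols a static LUKS root needs, and the grub stanza with crypt_root and real_root. The device name /dev/sda3, the kernel version 2.6.20-gentoo-r8, the grub root (hd0,0) and the image file names genkernel produces are assumptions for illustration; the kernel symbol list is for the LUKS default cipher spec aes-cbc-essiv:sha256 on a 2.6.19 or later kernel.

```shell
#!/bin/sh
# Added example (not from the original page): LUKS root set-up helpers.
# Device names, kernel version, grub root and genkernel image names are
# assumptions; adjust them to your system.
set -eu

# Kernel symbols that must be built in (=y) when dm-crypt and the cipher are
# compiled statically, for the LUKS default spec aes-cbc-essiv:sha256.
# The separate CBC symbol exists from kernel 2.6.19 onwards.
LUKS_KCONFIG="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256"

# check_kernel_config FILE: returns the number of required symbols that are
# not =y in FILE; 0 means the config can boot a static LUKS root.
check_kernel_config() {
    _cfg=$1
    _missing=0
    for _sym in $LUKS_KCONFIG; do
        if ! grep -q "^${_sym}=y" "$_cfg"; then
            echo "kernel config: $_sym is missing or modular (needs =y)" >&2
            _missing=$((_missing + 1))
        fi
    done
    return "$_missing"
}

# grub_stanza KVER ARCH LUKS_DEV: prints a grub-legacy menu.lst entry for the
# images genkernel installs as /boot/kernel-genkernel-ARCH-KVER and
# /boot/initramfs-genkernel-ARCH-KVER. crypt_root is the LUKS container;
# real_root is the mapping the genkernel initrd creates when it opens it.
grub_stanza() {
    _kver=$1
    _arch=$2
    _luksdev=$3
    cat <<EOF
title Gentoo Linux $_kver (LUKS root)
root (hd0,0)
kernel /kernel-genkernel-$_arch-$_kver root=/dev/ram0 crypt_root=$_luksdev real_root=/dev/mapper/root
initrd /initramfs-genkernel-$_arch-$_kver
EOF
}

# luks_setup_root LUKS_DEV [NAME]: the page's luksFormat / luksOpen / mke2fs /
# mount sequence. luksFormat destroys whatever is on LUKS_DEV, so the function
# refuses anything that is not an unmounted block device.
luks_setup_root() {
    _dev=$1
    _name=${2:-root}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not installed" >&2; return 1; }
    [ -b "$_dev" ] || { echo "$_dev is not a block device" >&2; return 1; }
    if grep -q "^$_dev " /proc/mounts; then
        echo "$_dev is mounted, refusing to luksFormat it" >&2
        return 1
    fi
    cryptsetup luksFormat "$_dev"          # asks for confirmation and the new passphrase
    cryptsetup luksDump "$_dev"            # show the header: cipher spec and used key slots
    cryptsetup luksOpen "$_dev" "$_name"   # asks for the passphrase, creates /dev/mapper/NAME
    mke2fs -j "/dev/mapper/$_name"         # file system goes on the mapping, never on $_dev
    mkdir -p /mnt/gentoo
    mount "/dev/mapper/$_name" /mnt/gentoo
}

# Only act when a device is given on the command line (sh luks-root.sh /dev/sda3);
# source the file instead to use check_kernel_config and grub_stanza by hand.
if [ -n "${1-}" ]; then
    luks_setup_root "$1"
fi
```

Run check_kernel_config against the .config in your kernel source tree before genkernel all; a non-zero return names the symbols to switch from m to y in menuconfig. The stanza from grub_stanza goes into /boot/grub/menu.lst; the important part for LUKS is the pair crypt_root=... real_root=/dev/mapper/root, since the initrd opens crypt_root under the name root and then pivots to real_root.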