Dejice Jacob: University of Glasgow (Posts about gentoo)http://www.dcs.gla.ac.uk/~jacobd/enContents © 2025 <a href="mailto:dejice.jacob@glasgow.ac.uk">Dejice Jacob</a> Wed, 29 Jan 2025 17:55:22 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssA gentoo installation story - continued!http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued/Dejice Jacob<h3>The birth of a Gentoo Linux KDE Desktop</h3> <p>I have previously journaled (<a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story">Part-I</a>) my attempt to create an encrypted Gentoo Linux desktop. Please follow that first. It was a little more involved than I expected. I had to revisit some of the steps one or two times. Some of the steps in that post might better fit in this post. But hindsight is a wonderful thing. Now we come to building out what the general public think of as a computer (the Desktop). </p> <h3>Install some useful utilities</h3> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>eselect<span class="w"> </span>profile<span class="w"> </span>list<span class="w"> </span><span class="c1"># to get a list of desktop profiles </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>eselect<span class="w"> </span>profile<span class="w"> </span><span class="nb">set</span><span class="w"> </span>&lt;KDE-openrc&gt;<span class="w"> </span><span class="c1"># I will also setup i3 tiling window manager</span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Europe/London"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/timezone localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--sync<span class="w"> </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>--config<span class="w"> </span>sys-libs/timezone-data<span class="w"> </span> localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>app-misc/screen<span class="w"> </span>sys-process/htop </pre></div> <h5>Setup WiFi (Optional)</h5> <p>In (<a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story">Part-I</a>), I already had ethernet and used that for installation. However, if WiFi is something that is required, then the following instructions should set up WiFi. Bear in mind that WiFi drivers could be missing from your kernel configuration. Searching the <a href="https://forums.gentoo.org">Gentoo forums</a> for a similar issue would be helpful. </p> <p>I will be installing <code>network-manager</code> later on and will have to disable both <em>dhcpcd</em> and <em>wpa-supplicant</em>. If we forget, then we will have two instances of DHCP and WiFi daemons duelling each other. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--quiet-build<span class="w"> </span>--ask<span class="w"> </span>net-misc/dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--verbose<span class="w"> </span>net-wireless/wpa_supplicant localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>cp<span class="w"> </span>/usr/share/dhcpcd/hooks/10-wpa_supplicant<span class="w"> </span>/lib/dhcpcd/dhcpcd-hooks/ localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>bzcat<span class="w"> </span>/usr/share/doc/wpa_supplicant-&lt;ver-no&gt;/wpa-supplicant.conf.bz2<span class="w"> </span>&gt;<span class="w"> </span>/etc/wpa_supplicant/wpa_supplicant.conf </pre></div> <p>Almost all variations of a wpa-supplicant configuration can be obtained from "<em>/usr/share/doc/wpa_supplicant-<ver-no>/wpa_supplicant.conf.bz2</ver-no></em>". Uncomment the following in <code>/etc/wpa_supplicant/wpa_supplicant.conf</code>. </p> <div class="code"><pre class="code literal-block"><span class="nv">ctrl_interface</span><span class="o">=</span><span class="nv">DIR</span><span class="o">=</span>/var/run/wpa_supplicant<span class="w"> </span><span class="nv">GROUP</span><span class="o">=</span>wheel <span class="nv">eapol_version</span><span class="o">=</span><span class="m">1</span> <span class="nv">ap_scan</span><span class="o">=</span><span class="m">1</span> <span class="nv">fast_reauth</span><span class="o">=</span><span class="m">1</span> </pre></div> <p>Also generate the network connection parameters and insert into <code>wpa_supplicant.conf</code> using <code>wpa_passphrase</code> and remove every other configuration in that file. In case you have a more complicated set-up, then you will have to configure this according to your setup. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>wpa_passphrase<span class="w"> </span><span class="si">${</span><span class="nv">ssid</span><span class="si">}</span><span class="w"> </span><span class="si">${</span><span class="nv">passphrase</span><span class="si">}</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/wpa_supplicant/wpa_supplicant.conf </pre></div> <p>Change the value of <code>wpa_supplicant_args</code> in <code>/etc/conf.d/wpa_supplicant.conf</code> to: </p> <div class="code"><pre class="code literal-block"><span class="nv">wpa_supplicant_args</span><span class="o">=</span><span class="s2">"-B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"</span> </pre></div> <p>Now add the <code>dhcpcd</code> and <code>wpa_supplicant</code> services to default runlevel and start the services. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dhcpcd<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>wpa_supplicant<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>dhcpcd<span class="w"> </span>start localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>wpa_supplicant<span class="w"> </span>start </pre></div> <h5><a href="https://wiki.gentoo.org/wiki/Ntp#Ntpd">Setting up NTP</a></h5> <p>Networking and "time" dependent programs require accurate date and time information. This is achieved by installing <strong>NTPD</strong>. </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>net-misc/ntp localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>ntpd<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>ntpd<span class="w"> </span>start </pre></div> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/0/05/Gentoo_Live_GUI_USB_running_KDE.png/640px-Gentoo_Live_GUI_USB_running_KDE.png" title="A Gentoo KDE Desktop" alt="Gentoo KDE desktop"> </p> <h3><a href="https://wiki.gentoo.org/wiki/KDE">Install the KDE desktop</a></h3> <p>While Wayland seems to be the future, I am still quite comfortable with the <code>X</code> server. It also helps that the <code>i3wm</code> window manager also is dependent on <code>X-sever</code>. The <strong>KDE</strong> meta-package is comprehensive and installs all the KDE applications and dependencies. </p> <div class="code"><pre class="code literal-block">localhost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>kde-plasma/plasma-meta </pre></div> <p>Ensure that the KDE display manager <code>sddm</code> is installed; then ensure that the "<strong>DISPLAYMANAGER</strong>" variable is set to <em>sddm</em>. </p> <div class="code"><pre class="code literal-block"><span class="nv">DISPLAYMANAGER</span><span class="o">=</span><span class="s2">"sddm"</span> </pre></div> <p>Add the requisite services to openrc to start at boot, </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dbus<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>display-manager<span class="w"> </span>default localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>elogind<span class="w"> </span>boot </pre></div> <p><img src="https://media2.giphy.com/media/v1.Y2lkPTc5MGI3NjExc2t3czJ2YTF6MHJheGRlNHplenlmbGhpN214Mng3czBrcnQya203dCZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/DUtVdGeIU8lmo/giphy.gif" title="Restarting always works!" alt="IT crowd"> In my case, at this point, I found that just starting up the boot displaymanager from <em>openrc</em> did not get <code>sddm</code> to start. Rebooting the machine sorted the crashing display manager out. </p> <h5>Debugging: <a href="https://wiki.gentoo.org/wiki/X_server">Install <em>X-server</em></a></h5> <p>If there are any problems with bringing up KDE, using X-server to debug the issue is very useful. In case it was not already installed when <em>KDE-meta</em> was installed, start with installing X-server and driver packages.</p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--verbose<span class="w"> </span>x11-base/xorg-drivers<span class="w"> </span>x11-base/xorg-server </pre></div> <p>To test out that the X-server is working correctly install a few <strong>X</strong> applications</p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>emerge<span class="w"> </span>-a<span class="w"> </span>x11-terms/xterm<span class="w"> </span>x11-apps/xclock<span class="w"> </span>x11-wm/twm localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>startx<span class="w"> </span><span class="c1"># to test if display server is working</span> </pre></div> <h5>Sidenote: Uninstall dhcp and wpa-supplicant</h5> <p>Keeping <code>dhcpcd</code> and <code>wpa-supplicant</code> running in the background led me to some incredibly annoying and hard to debug problems with networking. The KDE deskptop already installs <code>NetworkManager</code> and this will in turn call an instance of <em>dhcp</em> and <em>wpa_supplicant</em>. You do NOT need your own version fighting with it. So... </p> <div class="code"><pre class="code literal-block">localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>stop<span class="w"> </span>dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>del<span class="w"> </span>dhcpcd localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-service<span class="w"> </span>stop<span class="w"> </span>wpa_supplicant localost<span class="w"> </span>/<span class="w"> </span>$<span class="w"> </span>rc-update<span class="w"> </span>del<span class="w"> </span>wpa_supplicant </pre></div> <h3>Congratulations!</h3> <p>If you have persevered with the process this far, congratulations! You should have a desktop machine that you have compiled from source. Obviously, I have cleverly hidden all the frustrating debug work that went into steps going wrong. Along with this, there are issues with drivers or kernel features required by some software component not being turned <strong>ON</strong>. However, that is what the incredible gentoo <a href="https://forums.gentoo.org/">forums</a> and <a href="https://wiki.gentoo.org/wiki/Main_Page">wiki</a> are for. Happy compiling and debugging.</p>gentooinstalllinuxsecurityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued/Sun, 19 Jan 2025 20:14:21 GMTAn encrypted-boot gentoo installation storyhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/Dejice Jacob<h3>How I got to gentoo</h3> <p>Like many people, I have gone through a few linux distros in my lifetime. Over the span of two decades, I ended up going through OpenSuse → Ubuntu → Debian (Stable) → Debian (Testing) → Gentoo. I keep an eye on distributions quite often, but the motivation for moving distributions crosses a threshold when a major workflow or technology disruption occurs within the distribution. It also correlates with my (<em>Slowly</em>) increasing knowledge and comfort with delving into how systems are put together. </p> <p><img src="https://upload.wikimedia.org/wikipedia/commons/thumb/3/32/Gentoo_Penguin_Baby_%2824940372635%29.jpg/209px-Gentoo_Penguin_Baby_%2824940372635%29.jpg" title="A Southern Gentoo Penguin" alt="Southern Gentoo Penguin" align="right"> </p> <p>I moved from Ubuntu → Debian (Stable) when Ubuntu decided to develop <a href="https://fridge.ubuntu.com/2013/03/04/mir-an-outpost-envisioned-as-a-new-home">Mir</a> rather than developing for Wayland. I am always enthusiastic about new software being developed, if only to see what could have been. The vision of convergence between devices was a cool one and given the right circumstances, may have succeeded. However, any large scale surgery of this sort which veers off and does its own thing risks failure. </p> <p>Another thing that philosophically did not sit right with me was the usage of <a href="https://snapcraft.io/blog/a-technical-comparison-between-snaps-and-debs"><em>snap</em> packages</a>. To me this felt like a way to reduce the pressure of maintenance in the short-term at the expense of long-term fragmentation. Desktop <em>*nix</em> distributions are not <strong>yet</strong> (it is now decade no.3 of trying to conquer the desktop) popular enough. I wish it was different (<em>sigh</em>)! Like any demand-supply equation, any let-up in the pressure to maintain library/API compatibility, in my opinion, would just lead to fragmentation and end-user frustration in the long-run.</p> <p>So I decided to do the Ubuntu → Debian (Stable) switch. As I was using a slightly older laptop, and it had all the drivers and packages I needed, I wonder why I did not do this earlier (<em>Doh</em>)! After two of my upgrades between major Debian revisions ended up requiring re-installations, I heard of this amazing new term called <em>rolling</em>-distributions. (Please excuse the <em>naïvete</em> and yes, I really am that naïve)! </p> <p>The next trigger to move was Debian's <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727708#6734">embrace</a> of <a href="https://systemd.io">Systemd</a>. I feel more comfortable with <a href="https://github.com/OpenRC/openrc">openRC</a> which I think keeps better to the overall *nix philosophy. I had by now done enough systems level software development and debugging to no longer be afraid of doing silly things that break stuff (<em>a little knowledge being dangerous</em> and all that). Building a new system from ground up would be something that would allow me to explore and understand the guts of my own system. </p> <h5>Enter Gentoo</h5> <p>Keeping with the theme of going further upstream and closer to the source (<em>wipe that smug <a href="https://en.wikipedia.org/wiki/Icarus">Icarus</a> image from your mind</em>), the choice was between <a href="https://www.linuxfromscratch.org/">Linux from Scratch</a>, <a href="http://www.slackware.com">Slackware</a> and <a href="https://www.gentoo.org">Gentoo</a>. In the end, I went with Gentoo due to the package manager and the sheer amount of support and documentation on the website. It should help reduce the amount of debugging and maintenance work I have to do, while still making me feel like a proper computer scientist. <em>Vanity and naïvete -- what could possibly go wrong?</em></p> <p><img src="https://wiki.gentoo.org/images/thumb/e/ee/Gblend.png/234px-Gblend.png" title="Gentoo Linux" alt="Gentoo Linux Logo" align="right"> </p> <h3>Why ?!</h3> <p>This leads us onto the purpose of this blog. Installing gentoo is relatively easy but time consuming if we go through the relatively straightforward instructions in the marvellous <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64">Gentoo AMD64 handbook</a>. However, I wanted to do a fully encrypted <code>/boot</code> drive as well and had to search around for various instructions. This is the command log (My Gentoo installation story) for my own personal notes. Someone else finding it useful is just a bonus. For more comprehensive information and various options, Each link in the subsections below are linked to the much more comprehensive information in the gentoo <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64">wiki</a>. </p> <h3>Gentoo AMD64 installation with encrypted <em>/boot</em></h3> <h5>Obtaining and preparing the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Media">installation media</a></h5> <p>Very detailed instructions are already provided in the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Media">handbook</a> and I don't have anything new to add. Switch off secure-boot in the BIOS and choose to boot from the USB drive that was just prepared. Once the laptop has been booted into the linux kernel and shows a root prompt, we will need to set up <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/#configuring-the-network">networking</a>. </p> <h5>Partitioning the storage <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Disks">disks</a></h5> <p>I have a 16 GiB Laptop with 1TB of space on the SSD. I wanted to partition it with the following schema:</p> <div class="code"><pre class="code literal-block">NAME<span class="w"> </span>MAJ:MIN<span class="w"> </span>RM<span class="w"> </span>SIZE<span class="w"> </span>RO<span class="w"> </span>TYPE<span class="w"> </span>MOUNTPOINTS nvme0n1<span class="w"> </span><span class="m">259</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.9G<span class="w"> </span><span class="m">0</span><span class="w"> </span>disk ├─nvme0n1p1<span class="w"> </span><span class="m">259</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>2M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part ├─nvme0n1p2<span class="w"> </span><span class="m">259</span>:4<span class="w"> </span><span class="m">0</span><span class="w"> </span>512M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part │<span class="w"> </span>└─luks_boot<span class="w"> </span><span class="m">253</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span>496M<span class="w"> </span><span class="m">0</span><span class="w"> </span>crypt ├─nvme0n1p3<span class="w"> </span><span class="m">259</span>:6<span class="w"> </span><span class="m">0</span><span class="w"> </span>128M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part └─nvme0n1p4<span class="w"> </span><span class="m">259</span>:8<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part <span class="w"> </span>└─luks_root<span class="w"> </span><span class="m">253</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">953</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>crypt <span class="w"> </span>├─osvg-swap<span class="w"> </span><span class="m">253</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>8G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span><span class="o">[</span>SWAP<span class="o">]</span> <span class="w"> </span>├─osvg-gentoo--root<span class="w"> </span><span class="m">253</span>:3<span class="w"> </span><span class="m">0</span><span class="w"> </span>64G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/ <span class="w"> </span>├─osvg-gentoo--home<span class="w"> </span><span class="m">253</span>:4<span class="w"> </span><span class="m">0</span><span class="w"> </span>16G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/home <span class="w"> </span>└─osvg-data<span class="w"> </span><span class="m">253</span>:5<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">865</span>.2G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span>/media/data </pre></div> <p>Zap all pre-existing partitions on the disk. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--zap-all<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Ensure the first <em>1MiB</em> is left for grub to be written into raw device head. So we create a <em>1MiB</em> partition with <em>offset=1MiB</em>.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">1</span>:1M:+2M<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">2</span>:0:+512M<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">3</span>:0:+128M<span class="w"> </span>/dev/nvme0n1<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--new<span class="o">=</span><span class="m">4</span>:0:0<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Change the names of the partitions and their filesystem types in the GPT partition table. A list of partition types can be obtained with <code>sgdisk -L</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--typecode<span class="o">=</span><span class="m">1</span>:ef02<span class="w"> </span>--typecode<span class="o">=</span><span class="m">2</span>:8300<span class="w"> </span>--typecode<span class="o">=</span><span class="m">3</span>:ef00<span class="w"> </span>--typecode<span class="o">=</span><span class="m">4</span>:8300<span class="w"> </span>/dev/nvme0n1 livecd<span class="w"> </span>~#<span class="w"> </span>sgdisk<span class="w"> </span>--change-name<span class="o">=</span><span class="m">1</span>:GRUB<span class="w"> </span>--change-name<span class="o">=</span><span class="m">2</span>:/boot<span class="w"> </span>--change-name<span class="o">=</span><span class="m">3</span>:EFI-SP<span class="w"> </span>--change-name<span class="o">=</span><span class="m">4</span>:OS<span class="w"> </span>/dev/nvme0n1 </pre></div> <p>Encrypt the <code>/boot</code> partition with a password. While it is certainly more robust to have a separate Keyfile stored on another USB flash drive, it is cumbersome to carry around. Also, if you forget it or lose it, then it can be a pain. I am just going to use a plain old password for this in this case. Additionally, grub can not yet decrypt keys in the default LUKS2 format (argon2id) and requires the key to be in the LUKS1 default format of PBKDF2. So the <code>/boot</code> partition is formatted with LUKS1. I will maybe write up a detached header version in a future post.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>luksFormat<span class="w"> </span>--key-size<span class="o">=</span><span class="m">512</span><span class="w"> </span>--type<span class="o">=</span>luks1<span class="w"> </span>/dev/nvme0n1p2 </pre></div> <p>Format the <code>/boot</code> and <code>efi-sp</code> partitions </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>open<span class="w"> </span>/dev/nvme0n1p2<span class="w"> </span>/dev/mapper/luks_boot livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>boot<span class="w"> </span>/dev/mapper/luks_boot livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.vfat<span class="w"> </span>-n<span class="w"> </span>EFI-SP<span class="w"> </span>-F<span class="w"> </span><span class="m">16</span><span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span> </pre></div> <p>To obtain an encrypted <em><code>/root, /home and swap</code></em> partition, I decided to use Logical Volume Management (<a href="https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/configuring_and_managing_logical_volumes/overview-of-logical-volume-management_configuring-and-managing-logical-volumes#lvm-architecture_overview-of-logical-volume-management">LVM</a>) on a LUKS encrypted partition. With experience, I can say that if you intend on using the KDE desktop, the machine should ideally have 32GB of RAM. Some packages such as firefox, the qtwebkit renderer etc require greater than 16GB of RAM. This would then influence the amount of swap space that you should keep aside. Since I have 32GiB of RAM, and I do not want suspend, only 8GiB of swap space is allocated. The beauty of LVM is that this can be resized in the future if required. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>luksFormat<span class="w"> </span>--key-size<span class="o">=</span><span class="m">512</span><span class="w"> </span>--key-slot<span class="o">=</span><span class="m">1</span><span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>open<span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span>luks_root<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>pvcreate<span class="w"> </span>/dev/mapper/luks_root<span class="w"> </span><span class="c1"># Create a Physical volume on the decrypted device</span> livecd<span class="w"> </span>~#<span class="w"> </span>vgcreate<span class="w"> </span>osvg<span class="w"> </span>/dev/mapper/luks_root<span class="w"> </span><span class="c1"># Create a volume group on the Physical volume</span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>8G<span class="w"> </span>-n<span class="w"> </span>swap<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create swap space on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>64G<span class="w"> </span>-n<span class="w"> </span>gentoo-root<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create /root on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-L<span class="w"> </span>16G<span class="w"> </span>-n<span class="w"> </span>gentoo-home<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create /home on the encrypted LVM </span> livecd<span class="w"> </span>~#<span class="w"> </span>lvcreate<span class="w"> </span>-l<span class="w"> </span><span class="m">100</span>%FREE<span class="w"> </span>-n<span class="w"> </span>data<span class="w"> </span>osvg<span class="w"> </span><span class="c1"># Create a separate data partition</span> </pre></div> <p>Format the partitions created in the LVM.</p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mkswap<span class="w"> </span>-L<span class="w"> </span>swap<span class="w"> </span>/dev/mapper/osvg-swap<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>root<span class="w"> </span>/dev/mapper/osvg-gentoo--root livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>home<span class="w"> </span>/dev/mapper/osvg-gentoo--home livecd<span class="w"> </span>~#<span class="w"> </span>mkfs.ext4<span class="w"> </span>-L<span class="w"> </span>data<span class="w"> </span>/dev/mapper/osvg-data </pre></div> <p>Now mount the encrypted drives to various directories</p> <div class="code"><pre class="code literal-block">mkdir<span class="w"> </span>-p<span class="w"> </span>/mnt/gentoo/<span class="o">{</span>root,home,data<span class="o">}</span> mount<span class="w"> </span>/dev/mapper/osvg-gentoo--root<span class="w"> </span>/mnt/gentoo/root mount<span class="w"> </span>/dev/mapper/osvg-gentoo--home<span class="w"> </span>/mnt/gentoo/home mount<span class="w"> </span>/dev/mapper/osvg-data<span class="w"> </span>/mnt/gentoo/data </pre></div> <h5>Configuring the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Networking">network</a></h5> <p>I already have an ethernet cable to connect, so I did not require to set up WiFi. Gentoo already has the <code>net-setup</code> utility to help with setting up WiFi. The network interface names can be obtained using the <code>ip link</code> command. Set-up is through a fairly easy menu driven <code>ncurses</code> style interactive interface. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>net-setup<span class="w"> </span> </pre></div> <ol> <li>For ethernet, configure the wired ethernet interface (starts with <em>enp</em>...) </li> <li>In the case of WiFi, choose wireless WiFi interface (starts with <em>wlp</em>...) </li> </ol> <p>Make sure the time of the system is accurate. I utilised a simple <strong>NTP</strong> client (<em>chronyd</em>) to correct the time. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>chronyd<span class="w"> </span>-q </pre></div> <h5>Obtaining the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage">Stage-3</a> Installation files</h5> <p>I like <em>openrc</em> and chose the <em>desktop-openrc</em> profile for the stage-3 tarball. Use the livecd built-in <em>ncurses</em> browser to obtain the stage-3 tarball. Alternatively download it on another PC and transfer via another USB device. </p> <h5>Setup base <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage">root filesystem</a>, configure <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Stage#Configuring_compile_options">portage</a> and <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base">gentoo base</a></h5> <p>Assuming the stage-3 tarball is in <code>/mnt/gentoo/data</code> untar it to the target storage-device's <code>/root</code> directory. In our case, we have mounted it to <code>/mnt/gentoo/root</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/mnt/gentoo/data livecd<span class="w"> </span>~#<span class="w"> </span>tar<span class="w"> </span>-Jxpvf<span class="w"> </span>stage3_tarball.tar.xz<span class="w"> </span>--xattrs-include<span class="o">=</span><span class="s1">'*.*'</span><span class="w"> </span>--numeric-owner<span class="w"> </span>-C<span class="w"> </span>/mnt/gentoo/root<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">cd</span><span class="w"> </span>/mnt/gentoo/root livecd<span class="w"> </span>~#<span class="w"> </span>cp<span class="w"> </span>--dereference<span class="w"> </span>/etc/resolv.conf<span class="w"> </span>/mnt/gentoo/root/etc/resolv.conf<span class="w"> </span> livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">MAKEOPTS</span><span class="o">=</span><span class="se">\"</span>-j<span class="k">$(</span>nproc<span class="k">)</span><span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">ACCEPT_KEYWORDS</span><span class="o">=</span><span class="se">\"</span>amd64<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">USE</span><span class="o">=</span><span class="se">\"</span>udev<span class="w"> </span>lvm<span class="w"> </span>dbus<span class="w"> </span>X<span class="w"> </span>pulseaudio<span class="w"> </span>networkmanager<span class="w"> </span>clang<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Add the CPU flags for your host to <code>/mnt/gentoo/root/etc/portage/make.conf</code>. Make sure you replace the newly added line to the format <code>CPU_FLAGS_X86="aes ....."</code>. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="k">$(</span>cpuid2cpuflags<span class="k">)</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Now add the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#VIDEO_CARDS">video-cards</a> depending on your machine. On this machine, I had an AMD video card. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">VIDEO_CARDS</span><span class="o">=</span><span class="se">\"</span>amdgpu<span class="w"> </span>radeonsi<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Add some miscellaneous devices as well. <code>libinput</code> provides input handling for display servers. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">INPUT_DEVICES</span><span class="o">=</span><span class="se">\"</span>libinput<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">SANEBACKENDS</span><span class="o">=</span><span class="se">\"</span>hp<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Within the portage configuration file <code>/mnt/gentoo/root/etc/portage/make.conf</code> update the value of the variable <code>COMMON_FLAGS</code> to <code>COMMON_FLAGS="-march=native -O2 -pipe"</code> Also select from the worldwide mirrors to download software from. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mirrorselect<span class="w"> </span>-i<span class="w"> </span>-o<span class="w"> </span>&gt;&gt;<span class="w"> </span>/mnt/gentoo/root/etc/portage/make.conf </pre></div> <p>Mount the system files required to prepare the target computer's <code>chroot</code> environment. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--types<span class="w"> </span>proc<span class="w"> </span>/proc<span class="w"> </span>/mnt/gentoo/root/proc livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--rbind<span class="w"> </span>/sys<span class="w"> </span>/mnt/gentoo/root/sys livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-rslave<span class="w"> </span>/mnt/gentoo/root/sys livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--rbind<span class="w"> </span>/dev<span class="w"> </span>/mnt/gentoo/root/dev livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-rslave<span class="w"> </span>/mnt/gentoo/root/dev livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--bind<span class="w"> </span>/run<span class="w"> </span>/mnt/gentoo/root/run livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>--make-slave<span class="w"> </span>/mnt/gentoo/root/run </pre></div> <p>Enter the <code>chroot</code> environment. </p> <div class="code"><pre class="code literal-block">livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/mnt/gentoo/home<span class="w"> </span>/mnt/gentoo/data livecd<span class="w"> </span>~#<span class="w"> </span>chroot<span class="w"> </span>/mnt/gentoo/root<span class="w"> </span>/bin/bash livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">source</span><span class="w"> </span>/etc/profile livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">export</span><span class="w"> </span><span class="nv">PS1</span><span class="o">=</span><span class="s2">"(chroot) </span><span class="si">${</span><span class="nv">PS1</span><span class="si">}</span><span class="s2">"</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">export</span><span class="w"> </span><span class="nv">PS1</span><span class="o">=</span><span class="s2">"(chroot) </span><span class="si">${</span><span class="nv">PS1</span><span class="si">}</span><span class="s2">"</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/home<span class="w"> </span>/media/data <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/osvg-gentoo--home<span class="w"> </span>/home <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/osvg-data<span class="w"> </span>/media/data <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>swapon<span class="w"> </span>/dev/mapper/osvg-swap </pre></div> <p>Prepare the EFI System Partition. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/mapper/luks_boot<span class="w"> </span>/boot <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/boot/efi<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mount<span class="w"> </span>/dev/nvme0n1p3<span class="w"> </span>/boot/efi </pre></div> <p>Synchronise <code>emerge</code>'s software package list with upstream mirrors</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge-webrsync </pre></div> <p>Setup Locale Details</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Europe/London"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/timezone <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"C.UTF8 UTF-8"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"en_GB ISO-8859-1"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"en_GB.UTF-8 UTF-8"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/locale.gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>locale-gen <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>env-update </pre></div> <h5>Configuring the <a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel">Linux Kernel</a></h5> <p>Obtain all kernel related gentoo packages. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/portage/package.license<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"sys-kernel/linux-firmware linux-fw-redistributable"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/portage/package.license/kernel <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-kernel/linux-firmware<span class="w"> </span>sys-fs/cryptsetup<span class="w"> </span>sys-kernel/gentoo-sources<span class="w"> </span>sys-kernel/genkernel<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>eselect<span class="w"> </span>kernel<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="c1"># this should link /usr/src/linux to current kernel source</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"sys-boot/grub:2 device-mapper"</span><span class="w"> </span>&gt;<span class="w"> </span>/etc/portage/package.use/grub2 <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-boot/grub<span class="w"> </span>sys-fs/genfstab <span class="c1">## Ensure all the relvant drives (including swap are already mounted / turned on</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>genfstab<span class="w"> </span>-Up<span class="w"> </span>/<span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/fstab<span class="w"> </span> <span class="c1">## add noauto to the /boot and /boot/efi mount-points in /etc/fstab</span> </pre></div> <p>Generate a LUKS key and add the generated key to the block device holding the encrypted partition. In my case, this was <code>luks_boot (/dev/nvme0n1p2)</code> and optionally<code>luks_root (/dev/nvme0n1p4)</code>. This will be the key that is used by the kernel-<em>initramfs</em> to decrypt and mount the encrypted LVM volume and (optionally) the <code>/boot</code> partition. There is a good argument to not automatically decrypt the <code>/boot</code> partition. This is why I have decided it is optional. <strong>Remember</strong>: We are adding this newly generated key to <em>Key-slot:0</em> of <code>luks_root</code> -- this is why we carefully added the original-key during disk-partitioning in <em>Key-slot:1</em>. Using <em>Key-slot:0</em> will make it faster during actual booting and each key is tried in sequence. <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/#partitioning-the-storage-disks">link</a>. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>-p<span class="w"> </span>/etc/luks/mnt/key <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>dd<span class="w"> </span><span class="k">if</span><span class="o">=</span>/dev/urandom<span class="w"> </span><span class="nv">of</span><span class="o">=</span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="nv">bs</span><span class="o">=</span><span class="m">4096</span><span class="w"> </span><span class="nv">count</span><span class="o">=</span><span class="m">1</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>chmod<span class="w"> </span><span class="nv">u</span><span class="o">=</span>rx,go-rwx<span class="w"> </span>/etc/luks <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>chmod<span class="w"> </span><span class="nv">u</span><span class="o">=</span>r,go-rwx<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>--key-slot<span class="o">=</span><span class="m">0</span><span class="w"> </span>/dev/nvme0n1p4<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="c1"># luks_root</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>--key-slot<span class="o">=</span><span class="m">1</span><span class="w"> </span>/dev/nvme0n1p2<span class="w"> </span>/etc/luks/mnt/key/boot_os.keyfile<span class="w"> </span><span class="c1"># luks_boot</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"luks_boot UUID=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p2<span class="k">)</span><span class="s2"> /etc/luks/mnt/key/boot_os.keyfile luks,discard"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/crypttab <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"luks_root UUID=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p4<span class="k">)</span><span class="s2"> /etc/luks/mnt/key/boot_os.keyfile luks,discard"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/crypttab </pre></div> <p><strong>NOTE</strong>: The key should be generated in a directory with the following pattern <code>${INITRAMFS_OVERLAY}/mnt/key</code>. The <code>genkernel</code> tool when provided the <code>INITRAMFS_OVERLAY</code> variable will use this overlay within its filesystem. The kernel will then look for the internal key in <code>/mnt/key</code>. </p> <p>While you could spend a long time configuring the kernel, I think it is easier to use <code>genkernel</code> to generate a kernel with a lot of options. We can always slim down the kernel afterwards. We can see the list of kernels with <code>eselect kernel list</code>. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>eselect<span class="w"> </span>kernel<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="m">1</span><span class="w"> </span> </pre></div> <p>Set-up the following configurations in <code>/etc/genkernel.conf</code>. <strong>NOTE</strong>: Without the <code>INITRAMFS_OVERLAY</code>, the initramfs kernel cannot decrypt the enncrypted block device holding the LVMs for <code>/root, /home</code> etc. </p> <div class="code"><pre class="code literal-block"><span class="nv">NOCOLOR</span><span class="o">=</span><span class="s2">"false"</span> <span class="nv">LVM</span><span class="o">=</span><span class="s2">"yes"</span> <span class="nv">LUKS</span><span class="o">=</span><span class="s2">"yes"</span> <span class="nv">GK_SHARE</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">GK_SHARE</span><span class="k">:-</span><span class="p">/usr/share/genkernel</span><span class="si">}</span><span class="s2">"</span> <span class="nv">CACHE_DIR</span><span class="o">=</span><span class="s2">"/var/cache/genkernel"</span> <span class="nv">DISTDIR</span><span class="o">=</span><span class="s2">"</span><span class="si">${</span><span class="nv">GK_SHARE</span><span class="si">}</span><span class="s2">/distfiles"</span> <span class="nv">LOGFILE</span><span class="o">=</span><span class="s2">"/var/log/genkernel.log"</span> <span class="nv">LOGLEVEL</span><span class="o">=</span><span class="m">1</span> <span class="nv">ZFS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">BTRFS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">XFSPROGS</span><span class="o">=</span><span class="s2">"no"</span> <span class="nv">DEFAULT_KERNEL_SOURCE</span><span class="o">=</span><span class="s2">"/usr/src/linux"</span> <span class="nv">INITRAMFS_OVERLAY</span><span class="o">=</span><span class="s2">"/etc/luks"</span> </pre></div> <p>Now execute <code>genkernel</code> and prune as much of the kernel config that you don't need before executing. (Ensure that <code>/boot</code> and <code>/boot/efi</code> are mounted)!</p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>genkernel<span class="w"> </span>--menuconfig<span class="w"> </span>--luks<span class="w"> </span>--lvm<span class="w"> </span>--no-zfs<span class="w"> </span>all </pre></div> <h5><a href="https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Bootloader#Default:_GRUB">Configuring the GRUB bootloader</a></h5> <p>Ensure the following settings are inserted into the <em>Grub</em> configuration file in <code>/etc/default/grub</code></p> <div class="code"><pre class="code literal-block"><span class="nv">GRUB_DISTRIBUTOR</span><span class="o">=</span><span class="s2">"Gentoo"</span> <span class="nv">GRUB_TIMEOUT</span><span class="o">=</span><span class="m">3</span> <span class="nv">GRUB_TIMEOUT_STYLE</span><span class="o">=</span>menu <span class="nv">GRUB_DISABLE_LINUX_PARTUUID</span><span class="o">=</span><span class="nb">false</span> <span class="nv">GRUB_PRELOAD_MODULES</span><span class="o">=</span><span class="s2">"part_gpt part_msdos lvm"</span> <span class="nv">GRUB_CMDLINE_LINUX_RECOVERY</span><span class="o">=</span><span class="s2">"recovery"</span> <span class="nv">GRUB_ENABLE_CRYPTODISK</span><span class="o">=</span>y </pre></div> <p>Also add the commandline for the linux kernel during boot before downloading and installing <code>grub</code></p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">GRUB_CMDLINE_LINUX</span><span class="o">=</span><span class="se">\"</span><span class="nv">keymap</span><span class="o">=</span>uk<span class="w"> </span>dolvm<span class="w"> </span><span class="nv">crypt_root</span><span class="o">=</span><span class="nv">UUID</span><span class="o">=</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p4<span class="k">)</span><span class="w"> </span><span class="nv">root_key</span><span class="o">=</span>boot_os.keyfile<span class="w"> </span><span class="nv">root_trim</span><span class="o">=</span>yes<span class="w"> </span><span class="nv">resume</span><span class="o">=</span>/dev/osvg/swap<span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/default/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>emerge<span class="w"> </span>--ask<span class="w"> </span>--quiet-build<span class="w"> </span>sys-boot/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>mkdir<span class="w"> </span>/boot/grub <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>grub-mkconfig<span class="w"> </span>-o<span class="w"> </span>/boot/grub/grub.cfg<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>grub-install<span class="w"> </span>--target<span class="o">=</span>x86_64-efi<span class="w"> </span>--efi-directory<span class="o">=</span>/boot/efi<span class="w"> </span>--bootloader-id<span class="o">=</span><span class="s2">"grub"</span> </pre></div> <p>This should install various bootloader stages in their respective locations. Set <code>keymap=uk</code> in the file <code>/etc/conf.d/keymaps</code>. Otherwise, a recovery shell dropping you into a different keymap can be frustrating for passwords and debugging in a shell. </p> <h5>Preparing to reboot into our newly installed bare-bones system.</h5> <p>We are now ready to shutdown and reboot into our newly installed system. Unmount all the mount points, bind-mounts and dmcrypt. First set a root password for the new system. Then unmount all our devices. </p> <div class="code"><pre class="code literal-block"><span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>passwd<span class="w"> </span><span class="c1">#Set new password</span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/boot/efi <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/boot <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>cryptsetup<span class="w"> </span>close<span class="w"> </span>luks_boot<span class="w"> </span> <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>swapoff<span class="w"> </span>/dev/mapper/osvg-swap <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/media/data<span class="w"> </span>/home <span class="o">(</span>chroot<span class="o">)</span><span class="w"> </span>livecd<span class="w"> </span>~#<span class="w"> </span><span class="nb">exit</span> livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>/mnt/gentoo/root/proc livecd<span class="w"> </span>~#<span class="w"> </span>umount<span class="w"> </span>--recursive<span class="w"> </span>/mnt/gentoo/root/dev<span class="w"> </span>/mnt/gentoo/root/sys<span class="w"> </span>/mnt/gentoo/root/run livecd<span class="w"> </span>~#<span class="w"> </span>shutdown<span class="w"> </span>-Ph<span class="w"> </span>now<span class="w"> </span> </pre></div> <p>Now reboot into the newly installed system and put in the password for grub. This should then drop you into a prompt for the root password for the new system. </p> <p>(<strong>Optional</strong>): It might be a good idea to automatically decrypt the encrypted <code>/boot</code> block device so that we can very simply just use a <code>mount /boot</code> command that was earalier set up in <code>/etc/fstab</code>. We add entries for the <em>dmcrypt</em> service to automatically decrypt <code>/boot</code> during bootup and start the dmcrypt service</p> <div class="code"><pre class="code literal-block">hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"target=luks_boot"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="nv">source</span><span class="o">=</span><span class="nv">UUID</span><span class="o">=</span><span class="se">\"</span><span class="k">$(</span>blkid<span class="w"> </span>-s<span class="w"> </span>UUID<span class="w"> </span>-o<span class="w"> </span>value<span class="w"> </span>/dev/nvme0n1p2<span class="k">)</span><span class="se">\"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"key=/etc/luks/mnt/key/boot_os.keyfile"</span><span class="w"> </span>&gt;&gt;<span class="w"> </span>/etc/conf.d/dmcrypt hostname<span class="w"> </span>~#<span class="w"> </span>rc-update<span class="w"> </span>add<span class="w"> </span>dmcrypt<span class="w"> </span>boot hostname<span class="w"> </span>~#<span class="w"> </span>rc-service<span class="w"> </span>dmcrypt<span class="w"> </span>start </pre></div> <h3>Conclusion</h3> <p>This will get gentoo booting into a shell. Modern desktop computing is however a lot more. <del>I will chronicle my system setup in a further post.</del> My <strong>gentoo</strong> desktop installation saga continues in <a href="http://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/a-gentoo-installation-story-continued">Part-II</a>. </p>gentooinstalllinuxsecurityhttp://www.dcs.gla.ac.uk/~jacobd/posts/2025/01/an-encrypted-boot-gentoo-installation-story/Sat, 11 Jan 2025 12:15:49 GMT