Installation notes for encrypted root partition install

[makefile]

Hello everybody,

I am currently attempting an encrypted Gentoo install for which I am writing install notes.

I am still very much unfamiliar with advanced Linux installs and have mostly relied on Gentoo wiki user tutorials and YT videos. It'd be of great assistance if someone were to add a few suggestions to my still incomplete installation guide. It's somewhat clear to me what steps need to be included, I see the greatest difficulties in proper sequencing. Initramfs is yet to be understood.

Credit where credit is due: I took a great deal of my steps from this guide (https://wiki.gentoo.org/wiki/User:Netsw ... fs_install)

Many of the available guides out there seem to be either outdated or decontextualised to the extend of being of little use to complete beginners, i.e. there seems to be no integration into the handbook.

Cheers!

Code: Select all

#THINKPAD

sed '4d' -i /home/{user}/.ssh/known_hosts



#{installpc}

keymap '{lang}'

passwd
ssh

/etc/init.d/sshd start



#THINKPAD SSH TERMINAL

ssh-keygen -R livecd

ssh root@livecd
ssh

###

lsblk

wipefs -af /dev/nvme0n1

fdisk /dev/nvme0n1

    g
    n
    return
    return
    +1G
    t
    1

    n
    return
    return
    return
    t
    23
    w

cryptsetup -s 512 luksFormat /dev/nvme0n1p2

cryptsetup luksOpen /dev/nvme0n1p2 crypt

vgcreate vg0 /dev/mapper/crypt

lvcreate --name root -L 24G vg0

lvcreate --name swap -L 16G vg0

lvcreate --name -l 90%free vg0

mkfs.vfat -F32 /dev/nvme0n1p1

mkfs.xfs /dev/vg0/root

mkswap /dev/vg0/swap

###

mount /dev/vg0/root /mnt/gentoo

mkdir /mnt/gentoo/{boot,home}

mount /dev/nvme0n1p1 /mnt/gentoo/boot

mount /dev/vg0/home /mnt/gentoo/home

swapon /dev/vg0/swap

###

cd /mnt/gentoo

wget https://distfiles.gentoo.org/releases/amd64/autobuilds/20260322T154603Z/stage3-amd64-hardened-openrc-20260322T154603Z.tar.xz

tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner -C /mnt/gentoo

cp /etc/resolv.conf /mnt/gentoo/etc

arch-chroot /mnt/gentoo

###

emerge-webrsync && getuto

emerge --ask sys-fs/lvm2 sys-fs/cryptsetup

rc-update add lvm boot

echo "sys-kernel/installkernel ugrd systemd-boot systemd uki ukify sys-apps/systemd-utils kernel-install boot ukify dracut" >> /etc/portage/package.use/kernelinstall

mkdir /etc/kernel

echo "root=UUID={ROOTFS_UUID}" >> /etc/kernel/cmdline

echo 'hostonly="yes"
add_dracutmodules=" crypt lvm "' >> /etc/dracut.conf

emerge -av lvm2 cryptsetup

emerge -av gentoo-kernel-bin

emerge --ask --oneshot -v installkernel

###

lsblk -f

genfstab

nano /etc/fstab

echo {installpc} > /etc/hostname

emerge --ask net-misc/dhcpcd

ifconfig    # Take first router name

echo "config_{routername}=dhcp" >> /etc/conf.d/net

cd /etc/init.d

ln -s net.lo net net.{routername}

rc-update add net.{routername} default

###

passwd root

useradd -m -G users,wheel,audio,video -s /bin/bash {account}

passwd {account}

grub-install --efi-directory=/boot/efi

grub-mkconfig -o /boot/grub/grub.cfg

exit

umount /mnt/gentoo

reboot

[NeddySeagoon]

makefile,

Rather than posting another guide here, which will drop off the radar quite quickly, give some thought to improving the wiki page.
If you are not confident editing the wiki, put your suggestions on the 'talk' page.
The Wiki will email other contributors.

Moved from Installing Gentoo as its not a support request.

[pietinger]

Moved from Installing Gentoo as its not a support request.

Neddy, I understood the original post to mean that @makefile was asking whether this approach is correct. So I'm moving it back... and replying to him.

[makefile]

makefile,

Rather than posting another guide here, which will drop off the radar quite quickly, give some thought to improving the wiki page.
If you are not confident editing the wiki, put your suggestions on the 'talk' page.
The Wiki will email other contributors.

Moved from Installing Gentoo as its not a support request.

I unfortunately cannot say that I have the knowledge to contribute effectively to any guide. These are notes for the purpose of achieving a successful encrypted rootfs installation on my workstation. I do however understand your move.

[pietinger]

makefile,

As I understand it, your approach was to combine the information in our handbook with other information. That only works to a limited extent ...

(but I think your approach of asking here first is very good and the right thing to do).

Let me address the following points:

[...] Initramfs is yet to be understood. [...]

1. Please read this: https://wiki.gentoo.org/wiki/User:Pieti ... s_Overview

2. Do you really need RootFS encryption? Check with: https://wiki.gentoo.org/wiki/User:Pieti ... _Beginners

3. If you only want RootFS encryption for learning purposes, that’s perfectly fine, of course. You’ll need our handbook and this wiki article:
https://wiki.gentoo.org/wiki/Rootfs_encryption

4. If you don't want to configure a static IP address but just want to use DHCP, it's much easier to do this:

Code: Select all

emerge --ask net-misc/dhcpcd
rc-update add dhcpcd default

... instead of:

Code: Select all

echo "config_{routername}=dhcp" >> /etc/conf.d/net
cd /etc/init.d
ln -s net.lo net net.{routername}
rc-update add net.{routername} default

5. To create an initramfs, you can use either dracut or ugrd. If you use ugrd, you don't need all the settings for dracut. The first line is incorrect, because there are actually two lines. Read more here:
* https://wiki.gentoo.org/wiki/UgRD
* https://wiki.gentoo.org/wiki/Installkernel

Code: Select all

echo "sys-kernel/installkernel ugrd systemd-boot systemd uki ukify sys-apps/systemd-utils kernel-install boot ukify dracut" >> /etc/portage/package.use/kernelinstall

mkdir /etc/kernel

echo "root=UUID={ROOTFS_UUID}" >> /etc/kernel/cmdline

echo 'hostonly="yes"
add_dracutmodules=" crypt lvm "' >> /etc/dracut.conf

[zen_desu]

The initramfs is often a bit opaque, but if you want to understand it, there are a few guides on the wiki for making your own.

if you use ugrd, it leaves the initramfs build dir around so you can explore/modify it if you want to learn how it works or adjust it. ugrd makes a simple init script using posix shell while dracut is a bit more complex and based around "events", making it a bit harder to understand if you look at a "cold" image without booting it

[NeddySeagoon]

makefile,

I unfortunately cannot say that I have the knowledge to contribute effectively to any guide.

You do but you don't realise it.
The guides are written by people who know the process they are attempting to guide you through. They are not tested on users who have never done it before.
Its easy for guide writers to miss something that seems trivial/obvious but throws a newcomer off the path.

Asking questions is "contributing effectively". There is no need to edit the guide yourself.
Questions from new users will influence the original contributors.
That may be too late for you :) but it will help those that follow in your footsteps.

[makefile]

As I understand it, your approach was to combine the information in our handbook with other information. That only works to a limited extent ...

I noticed this rather quickly!

4. If you don't want to configure a static IP address but just want to use DHCP, it's much easier to do this:

Code: Select all

emerge --ask net-misc/dhcpcd
rc-update add dhcpcd default

(...) If you use ugrd, you don't need all the settings for dracut (...)

These are exactly the sorts of suggestions I was looking for. Thank you! I will change adjust notes accordingly and see if it makes the process faster.
–

if you use ugrd, it leaves the initramfs build dir around so you can explore/modify it if you want to learn how it works or adjust it. ugrd makes a simple init script using posix shell while dracut is a bit more complex and based around "events", making it a bit harder to understand if you look at a "cold" image without booting it

This is very good to know
–

You do but you don't realise it.
The guides are written by people who know the process they are attempting to guide you through. They are not tested on users who have never done it before.
Its easy for guide writers to miss something that seems trivial/obvious but throws a newcomer off the path.

Asking questions is "contributing effectively". There is no need to edit the guide yourself.
Questions from new users will influence the original contributors.
That may be too late for you but it will help those that follow in your footsteps.

I can't argue with that. That is a clever way of looking at it. I'll keep it in mind for the future for the things that I am to learn outside of the installation process.