# Encrypted install

## Fulgurance

Hello, I have a question. I would like to test an encrypted Gentoo installation, but I have questions. How is it possible to encrypt my whole system with just one password? (I have 2 internal disks, an HDD and an SSD, and I need an EFI partition and tmpfs partitions.) And how do I configure GRUB?

----------

## khayyam

 *Fulgurance wrote:*   

> Hello, I have a question. I would like to test an encrypted Gentoo installation, but I have questions. How is it possible to encrypt my whole system with just one password? (I have 2 internal disks, an HDD and an SSD, and I need an EFI partition and tmpfs partitions.) And how do I configure GRUB?

 

Fulgurance ... the ESP (EFI System Partition) can't be encrypted, and so you could use this to host your kernel and initramfs (required for an encrypted root). As for two disks, one password: the first disk is unlocked with the passphrase, and the second is unlocked with a key read from the first disk (at the initramfs stage). This requires that you modify your initramfs to do this ...

best ... khay

----------

## Fulgurance

For the second disk with the read key, have you got an example please?

----------

## khayyam

 *Fulgurance wrote:*   

> For the second disk with the read key, have you got an example please?

 

Fulgurance ... I don't, no, but it would simply be a case of having the 'init' within the initramfs call cryptsetup with the path to the key once the first disk is unlocked. I'm sure there are examples of this on the forum ... at least I seem to remember threads with this as the subject.

best ... khay

----------

## johngalt

Sakaki's EFI install makes use of an external key (with a fallback) that would be very similar to this, right?

----------

## khayyam

 *johngalt wrote:*   

> Sakaki's EFI install makes use of an external key (with a fallback) that would be very similar to this, right?

 

johngalt ... without looking I couldn't say, but the use of a keyfile is straightforward: all you need do is modify the 'init' within whatever initramfs you use so that 'cryptsetup luksOpen' is run ... or, alternately, have it unlocked as part of /etc/init.d/dmcrypt (see: /etc/conf.d/dmcrypt).

HTH & best ... khay
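The two-stage unlock khayyam describes in these posts (a passphrase for the first container, then a keyfile read from the just-unlocked first disk for the second), written out as a fragment of an initramfs `init`. This is an added example for this thread, not code from any poster or from a Gentoo initramfs project; the device paths `/dev/nvme0n1p2` and `/dev/sda1`, the mapper names `root` and `home`, the mount point `/newroot` and the keyfile location `/etc/keys/home.key` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Gentoo.
# Fragment of an initramfs /init: the first LUKS container is opened with a
# passphrase typed at the console, the second with a keyfile that lives on
# the first disk and is therefore only readable once the first is unlocked.
# All device paths and the keyfile location are illustrative assumptions.

CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"   # set to "echo" for a dry run
MOUNT="${MOUNT:-mount}"

ROOT_DEV="${ROOT_DEV:-/dev/nvme0n1p2}"   # assumed LUKS container on the SSD
ROOT_NAME="${ROOT_NAME:-root}"
HOME_DEV="${HOME_DEV:-/dev/sda1}"        # assumed LUKS container on the HDD
HOME_NAME="${HOME_NAME:-home}"
NEWROOT="${NEWROOT:-/newroot}"
KEYFILE="${KEYFILE:-$NEWROOT/etc/keys/home.key}"

# Stage 1: passphrase prompt. cryptsetup reads the passphrase from the
# console itself, so init needs no extra code for the interactive case.
unlock_root() {
    "$CRYPTSETUP" luksOpen "$ROOT_DEV" "$ROOT_NAME" || return 1
    "$MOUNT" -o ro "/dev/mapper/$ROOT_NAME" "$NEWROOT"
}

# A keyfile readable by group or others is as good as no encryption for
# anyone with an account on the running system, so refuse it.
# GNU or busybox stat is assumed (both accept -c '%a').
keyfile_is_private() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Stage 2: unlock the second disk with the keyfile, or fall back to a second
# passphrase prompt if the file is missing or too permissive, so a damaged
# root filesystem does not leave the machine unbootable.
unlock_second() {
    if keyfile_is_private "$KEYFILE"; then
        "$CRYPTSETUP" luksOpen --key-file "$KEYFILE" "$HOME_DEV" "$HOME_NAME"
    else
        echo "keyfile unusable, falling back to passphrase for $HOME_NAME" >&2
        "$CRYPTSETUP" luksOpen "$HOME_DEV" "$HOME_NAME"
    fi
}

# Order matters: the key is only readable after stage 1 has mounted root.
unlock_all() {
    unlock_root && unlock_second
}
```

The keyfile is exactly as well protected as the first disk's passphrase, which is what "one password" means here: anyone who can unlock the SSD can read the key for the HDD, so keep it mode 600, owned by root, on a filesystem that is never mounted without the first container open. If the second disk is not needed before `init` starts, the same result needs no initramfs changes at all: an entry in `/etc/conf.d/dmcrypt` with `target=home`, `source='/dev/sda1'` and `key='/etc/keys/home.key'`, plus `rc-update add dmcrypt boot`, lets Gentoo's dmcrypt service open it once root is up.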

----------

## Fulgurance

I have a problem. I have finished making all the encrypted LUKS partitions, and I have installed the Gentoo base, but when I launch the grub-install command, GRUB fails and tells me the groups home and root don't exist. It's strange because I don't use LVM.

For information, I have 3 partitions: the EFI partition, the home mapper and the root mapper.

----------

## Elleni

Maybe this can help you. It helped me setting up encrypted system. 

http://blog.guya.de/linux-gentoo-encrypted-boot-partition/

----------

## ayeyes

Bliss-Initramfs makes doing an encrypted install with boot easy. Look at his guide for encrypted ZFS on how to add a keyfile. Dunno if it works for an EFI install though.

----------

## Fulgurance

I haven't solved my problem; look at this log from grub:

```
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Zohran
Installing for x86_64-efi platform.
File descriptor 3 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 21250: grub-install
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "root" not found
  Cannot process volume group root
File descriptor 3 (/dev/nvme0n1p1) leaked on vgs invocation. Parent PID 21250: grub-install
  WARNING: Failed to connect to lvmetad. Falling back to device scanning.
  Volume group "root" not found
  Cannot process volume group root
grub-install: error: disk 'lvm/root' not available.
```

Grub searches for an LVM volume but I don't use LVM ... why???

----------

## khayyam

 *Fulgurance wrote:*   

> Grub searches for an LVM volume but I don't use LVM ... why???

 

Fulgurance ... I'm not a grub user, but perhaps you have the 'device-mapper' useflag set:

```
% equery -NC uses =sys-boot/grub-2.02-r1 | grep lvm2
 - - device-mapper   : Enable support for device-mapper from sys-fs/lvm2
```

It seems that sys-fs/lvm2 is a dependency regardless:

```
% equery -NC depgraph =sys-boot/grub-2.02-r1 | grep lvm2 
   `--  sys-fs/lvm2-2.02.103  (>=sys-fs/lvm2-2.02.45) x86
```

best ... khay

----------

## Fulgurance

Thanks for your help. But no, sorry, this USE flag isn't enabled :cry:

----------

## khayyam

 *Fulgurance wrote:*   

> Thanks for your help. But no, sorry, this USE flag isn't enabled :cry:

 

Fulgurance ... it wouldn't matter, because as I showed sys-fs/lvm2 is a hard dependency ... so you get it whether you're using lvm or not.

Again, I'm not a grub user, and looking at the grub-install manpage, and the gentoo wiki, I don't see what you might be doing wrong, or an obvious solution.

Can you post the output of 'lsblk -o +fstype,label'?

best ... khay

----------

## Fulgurance

I have emerged GRUB with this USE flag, and it's good, GRUB makes the boot entry!

But now, when I boot, I enter the partition password; when I start Linux from the GRUB start screen, I have a kernel panic...

I think I forgot to configure something...

----------

## khayyam

 *Fulgurance wrote:*   

> But now, when I boot, I enter the partition password; when I start Linux from the GRUB start screen, I have a kernel panic...

 

Fulgurance ... again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.

best ... khay

----------

## abduct

I suggest starting over and following https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified

It sounds like you have made some bad assumptions that are hampering your install. An FDE setup is not this complicated.

I also suggest increasing the partition sizes of /, 25GB is kind of small.

I also suggest using:

```
Cipher name:      aes
Cipher mode:      xts-plain64
Hash spec:        sha512
```

----------

## Fulgurance

 *khayyam wrote:*   

> Fulgurance ... again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.
> 
> best ... khay

 

Sorry, but entering the password before grub is mandatory. Impossible to change that... I think I have a problem with my configuration, but where? I don't understand ...

 *abduct wrote:*   

> I suggest starting over and following https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified
> 
> It sounds like you have made some bad assumptions that are hampering your install. An FDE setup is not this complicated.
> 
> I also suggest increasing the partition sizes of /, 25GB is kind of small. 

 

I use your recommended crypt settings, and my root partition has 125 GB xD

Would you like me to post my configuration files?

----------

## khayyam

 *khayyam wrote:*   

> [...] again, I have no experience with grub2, but that seems like the wrong order: boot => grub2 => kernel/initramfs => cryptsetup luksOpen => password => init.

 

 *Fulgurance wrote:*   

> Sorry, but entering the password before grub is mandatory. Impossible to change that... I think I have a problem with my configuration, but where? I don't understand ...

 

Fulgurance ... huh? So you're expecting grub to luksOpen the encrypted root?

best ... khay

----------

## Fulgurance

It's good, thanks! I had just forgotten to build the initramfs with LUKS support.
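The thread ends on the initramfs lacking LUKS support, which the kernel reports as a panic about not being able to mount root. Below is an added example (not from the thread or from any initramfs project) that inspects an initramfs image before rebooting and reports whether `cryptsetup` and an `init` are actually inside it. It assumes a Gentoo-style userland with `cpio`, `gzip` and `xz` installed, and that paths inside the image follow what genkernel and dracut produce; the image path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or from any initramfs project. Checks
# an initramfs image for the pieces an encrypted root needs before rebooting,
# which would have caught the "forgot LUKS support" panic above. Assumes a
# Gentoo-style userland with cpio, gzip and xz; paths inside the image
# follow the genkernel/dracut layout (sbin/ or usr/sbin/, optional ./ prefix).

# Given a text file listing the image contents (one path per line, as
# printed by `cpio -t`), report what is missing. Returns 0 if the image
# has what it needs to unlock a LUKS root, 1 otherwise.
check_initramfs_list() {
    missing=""
    # the cryptsetup binary, under any of the usual prefixes
    grep -Eq '^\.?/?(usr/)?sbin/cryptsetup$' "$1" || missing="$missing cryptsetup"
    # the init the kernel will exec; without it the boot panics as well
    grep -Eq '^\.?/?init$' "$1" || missing="$missing init"
    if [ -n "$missing" ]; then
        echo "initramfs is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Sniff the compression from the first two magic bytes and list the cpio
# archive. Images with a prepended uncompressed microcode cpio list only
# that first archive here and need splitting first.
list_initramfs() {
    case "$(od -An -N2 -tx1 "$1" | tr -d ' ')" in
        1f8b) zcat "$1" ;;           # gzip (genkernel default)
        fd37) xzcat "$1" ;;          # xz
        *)    cat "$1" ;;            # plain cpio
    esac | cpio -t 2>/dev/null
}

# Usage: check_initramfs /boot/initramfs-<version>.img  (placeholder path)
check_initramfs() {
    listing=$(mktemp) || return 1
    list_initramfs "$1" > "$listing"
    check_initramfs_list "$listing"
    rc=$?
    rm -f "$listing"
    return $rc
}
```

Two related checks belong in the same pre-reboot routine. Before `grub-install`, `grub-probe --target=abstraction /` should print `cryptodisk luks` for a LUKS-backed root; a grub built without device-mapper support cannot resolve `/dev/mapper/root` and guesses at LVM, which is the `disk 'lvm/root' not available` failure seen earlier in this thread. And the initramfs only knows which container to open if the kernel command line tells it: with genkernel that is `crypt_root=UUID=<luks container uuid> root=/dev/mapper/root` in `GRUB_CMDLINE_LINUX`, with dracut `rd.luks.uuid=`. With `GRUB_ENABLE_CRYPTODISK=y` and an encrypted /boot, the passphrase is entered twice by design: once by GRUB to read the kernel, once by the initramfs to open root.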

----------

