Things I Learned the Hard Way Doing Full Disk Encryption on Gentoo with DM-Crypt LUKS

The documentation for setting up full disk encryption on Gentoo is specific at best, spotty at worst and confusing in general. Without re-living in detail the immense pain it was to configure, here are some of the things I wish I had known before I started:

  • The 2TB partition size limit is not a Windows-only limitation; it comes from the old BIOS-style (MBR) partition scheme. You can either use parted to create GPT partitions larger than 2TB, or use the whole raw disk if you plan on using it for a single mount point or if you fancy putting DM/LVM on top. Obviously the raw-disk option is out if you plan on booting from this device.
  • If you don't think you need LVM, you probably don't, especially if this is a workstation or personal computer. It's way easier to skip all of that and use old-fashioned device nodes directly.
  • Having a newline character in your keyfile is deadly. The init script that genkernel rolls into your initramfs uses cryptsetup luksOpen /dev/whatever whatever -d - (or --key-file -) instead of simply piping the output of gpg into cryptsetup, which is what the wiki article has you do when you luksFormat. The former stops reading the input at a newline; the latter incorporates it into your key. This is a problem if, say, you took the output of openssl rand -base64 96 because you wanted to generate a 512-bit or larger key: openssl wraps its base64 output, so there is already a newline in the middle of the cleartext. I thought I was clever when I removed it. Not so; nano and many other text editors will always leave a newline at the end of the file. If you cat the cleartext and your command prompt doesn't run on to the end of it, you still have a newline in there. Pipe your keyfile through tr -d '\n' before you do anything with it, to be safe.
  • genkernel will run make mrproper unless you pass the --no-clean or --no-mrproper flags. It will also back up your .config and start building the kernel the way it wants to unless you ask it only for the ramdisk (the ramdisk action).
  • The plain64 IV generator takes no argument (unlike essiv), so specifying sha512 as its hash is redundant.
  • Genkernel will not magically read /etc/conf.d/dmcrypt and import your keyfiles or their locations. You may need to add the following to your kernel command line, replacing {UUID} with the UUID of your /boot partition (or wherever you are keeping the keyfile). You can obtain the UUID by running blkid. Using a UUID instead of a device path lets you keep your keyfile on removable media, which may not get the same device node from one boot to the next.
    real_root=/dev/mapper/root crypt_root=/dev/sda2 root_key=root.gpg root_keydev=UUID={UUID}

    If you are using GRUB2, append this to the GRUB_CMDLINE_LINUX variable in /etc/default/grub, and if you are booting Xen remember to ALSO append it to your GRUB_CMDLINE_LINUX_XEN_DEFAULT variable.

  • Non-root partitions will be luksOpened and mounted during bootup by the dmcrypt init script.
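To make the keyfile newline check above deterministic instead of eyeballing a cat, here is an added example (not from the original post or from genkernel) that counts newline bytes in a keyfile and writes a newline-free copy. The sample key is constructed inline to mimic the wrapped two-line output of openssl rand -base64 96 plus an editor's trailing newline; the file paths are assumptions.

```shell
#!/bin/sh
# count_newlines FILE -> prints how many newline bytes FILE contains.
# Any value other than 0 means `cryptsetup -d -` would stop reading early.
count_newlines() {
    tr -cd '\n' < "$1" | wc -c | tr -d ' '
}

# strip_newlines IN OUT -> writes IN to OUT with every newline removed.
# umask 077 keeps the new key material readable only by its owner.
strip_newlines() {
    umask 077
    tr -d '\n' < "$1" > "$2"
}

# key_bytes FILE -> prints the byte length of FILE (128 for a 96-byte
# random value encoded as base64, once the newlines are gone).
key_bytes() {
    wc -c < "$1" | tr -d ' '
}

# make_sample_key FILE -> constructed sample, not real key material:
# two 64-character base64-looking lines, each newline-terminated, which is
# the shape `openssl rand -base64 96` followed by a text editor leaves behind.
make_sample_key() {
    printf '%s\n%s\n' \
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' \
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB' > "$1"
}

# Stand-alone run: create the sample, show the problem, fix it, re-check.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_sample_key "$dir/key.txt"
    echo "before: $(count_newlines "$dir/key.txt") newline(s), $(key_bytes "$dir/key.txt") bytes"
    strip_newlines "$dir/key.txt" "$dir/key.bin"
    echo "after:  $(count_newlines "$dir/key.bin") newline(s), $(key_bytes "$dir/key.bin") bytes"
    rm -rf "$dir"
fi
```

Run the cleaned key.bin (not key.txt) through gpg when you encrypt it for /boot, and re-run count_newlines on any keyfile you later edit by hand.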
