Wednesday, 19 June 2024

LUKS2 on gentoo

We'll create an encrypted root partition.

First, benchmark the ciphers cryptsetup can use on this machine:
cryptsetup benchmark

aes-xts-plain64 is usually the fastest combination (it is what cryptsetup defaults to, and it gets AES-NI acceleration), so we format with it. One caveat: XTS uses two keys, so the key size is split in half, and -s 256 gives AES-128; use -s 512 if you want AES-256.

cryptsetup luksFormat -c aes-xts-plain64 -s 256 -y -v /dev/nvme0n1p3   # -s 512 for AES-256 in XTS mode
cryptsetup luksOpen /dev/nvme0n1p3 root
cryptsetup status root
cryptsetup --allow-discards --perf-no_read_workqueue --perf-no_write_workqueue --persistent refresh root
cryptsetup luksDump /dev/nvme0n1p3 | grep Flags
cryptsetup close root   # optional; if you close it here, luksOpen it again before the next step

The refresh stores the flags in the LUKS2 header (--persistent), so every future open uses them without extra options; the Flags line of luksDump confirms it. The two workqueue flags improve throughput on NVMe. --allow-discards lets TRIM through to the SSD, which reveals to anyone reading the raw device which blocks are unused; a known trade-off for SSD performance and lifetime.
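To confirm the container really has the cipher, key size and persistent flags you intended, here is an added check (not from the original post) that parses luksDump output. The sample dump below is constructed to resemble what cryptsetup prints for the container above; the minimum-strength argument is an assumption for the self-test, and on a real system you would pass the live luksDump output instead.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a LUKS2 header
# against the cipher, key size and persistent flags you meant to set.
# On a real system feed it the live header:
#   check_luks_header "$(cryptsetup luksDump /dev/nvme0n1p3)" 256

# Constructed, abbreviated sample of `cryptsetup luksDump` output for a
# container made with "-c aes-xts-plain64 -s 256" and then refreshed with
# the three --persistent flags from the post.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          4
UUID:           4d4a6c51-0f1b-4a7d-9b3e-1c2d3e4f5a6b
Flags:          allow-discards no-read-workqueue no-write-workqueue

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        256 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        Cipher key: 256 bits
        PBKDF:      argon2id'

# Cipher spec of the data segment: the first lower-case "cipher:" line.
luks_cipher() {
    printf '%s\n' "$1" | awk '$1 == "cipher:" { print $2; exit }'
}

# Volume key length in bits, from the first keyslot's "Key:" line.
luks_key_bits() {
    printf '%s\n' "$1" | awk '$1 == "Key:" { print $2; exit }'
}

# Space-separated persistent flags from the "Flags:" line (empty if none).
luks_flags() {
    printf '%s\n' "$1" | awk '$1 == "Flags:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Effective block-cipher strength. XTS uses two independent keys, so the
# volume key is split in half: aes-xts with 256 bits is AES-128, and
# 512 bits are needed for AES-256. Other modes use the whole key.
effective_aes_bits() {
    case "$1" in
        *-xts-*) echo $(($2 / 2)) ;;
        *)       echo "$2" ;;
    esac
}

# Returns 0 when the header uses AES-XTS with at least $2 bits of effective
# strength and carries all three persistent flags the post sets.
check_luks_header() {
    dump=$1; min_aes=$2
    cipher=$(luks_cipher "$dump")
    bits=$(luks_key_bits "$dump")
    bits=${bits:-0}
    case "$cipher" in
        aes-xts-*) ;;
        *) echo "unexpected cipher: ${cipher:-none}" >&2; return 1 ;;
    esac
    eff=$(effective_aes_bits "$cipher" "$bits")
    if [ "$eff" -lt "$min_aes" ]; then
        echo "effective strength is AES-$eff; reformat with -s $((min_aes * 2)) for AES-$min_aes" >&2
        return 1
    fi
    flags=$(luks_flags "$dump")
    for f in allow-discards no-read-workqueue no-write-workqueue; do
        case " $flags " in
            *" $f "*) ;;
            *) echo "persistent flag not set: $f" >&2; return 1 ;;
        esac
    done
    return 0
}

# Self-check on the constructed sample: passes for AES-128, fails for AES-256.
check_luks_header "$SAMPLE_DUMP" 128 && echo "header OK for AES-128"
check_luks_header "$SAMPLE_DUMP" 256 || echo "header is only AES-128"
```

The check deliberately reads the data segment's cipher line rather than the keyslot's, because it is the data segment that describes how the disk is actually encrypted.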

Now create an F2FS filesystem on the opened container (the /dev/mapper/root device, not the raw partition):
mkfs.f2fs -O extra_attr,inode_checksum,sb_checksum,compression /dev/mapper/root

Now install Gentoo following the handbook. After the base system is installed, three things must be configured for the encrypted root: GRUB, dracut and fstab.

Query the UUIDs:

lsblk -o name,uuid

You need two UUIDs: one for the F2FS filesystem and one for the LUKS partition (the container we opened as root above). They are different values and they go in different places below.

vim /etc/default/grub
GRUB_CMDLINE_LINUX="rootflags=atgc rw rd.luks.uuid=yourLUKS_UUID root=UUID=yourROOT_UUID"

rd.luks.uuid is the LUKS partition's UUID (the container dracut must unlock); root= is the filesystem's UUID. rootflags=atgc passes the F2FS age-threshold garbage-collection mount option, and rw is needed because the kernel mounts the root filesystem read-only unless told otherwise. Save the file and regenerate grub.cfg with grub-mkconfig as usual.

Now update fstab: add the / and /boot entries the usual way, using the filesystem UUIDs. Be careful not to use the LUKS partition's UUID there.

Update /etc/dracut.conf.d/luks.conf, one directive per line, with the UUIDs in the same roles as on the GRUB line:
add_dracutmodules+=" crypt dm rootfs-block "
kernel_cmdline+=" rd.luks.uuid=yourLUKS_UUID root=UUID=yourROOT_UUID "

Generate the initramfs for the installed kernel (the version string is the directory name under /lib/modules/):
dracut --kver yourkernelversion
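Since the only things that change between machines are the UUIDs, here is an added helper (not the post's own code) that builds the GRUB, dracut and fstab lines from them, refuses malformed or identical UUIDs, and checks a command line for the two UUIDs being pasted into the wrong parameters. The UUIDs in its self-test are constructed, the /boot partition and its ext4 type are assumptions (the post does not specify them), and the device lookups at the top are shown but not executed.

```shell
#!/bin/sh
# Added example (not from the original post): build the GRUB, dracut and
# fstab lines for LUKS-on-partition + F2FS from the two UUIDs, and catch the
# easy mistake of pasting them into the wrong parameter.
#
# On a real system the inputs come from the devices themselves (not run by
# the self-test at the bottom; /dev/nvme0n1p2 as /boot is an assumption):
#   LUKS_UUID=$(cryptsetup luksUUID /dev/nvme0n1p3)
#   FS_UUID=$(blkid -s UUID -o value /dev/mapper/root)
#   BOOT_UUID=$(blkid -s UUID -o value /dev/nvme0n1p2)

# 0 if $1 looks like a UUID as blkid/lsblk print it.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The container and the filesystem inside it have different UUIDs; the same
# value twice means one of them was copied from the wrong lsblk row.
check_uuids() {
    is_uuid "$1" || { echo "bad LUKS UUID: $1" >&2; return 1; }
    is_uuid "$2" || { echo "bad filesystem UUID: $2" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "LUKS and filesystem UUID are identical" >&2; return 1; }
}

# Kernel command line: rd.luks.uuid names the container dracut must unlock,
# root= the F2FS filesystem that appears once it is open.
kernel_cmdline() {
    check_uuids "$1" "$2" || return 1
    printf 'rootflags=atgc rw rd.luks.uuid=%s root=UUID=%s\n' "$1" "$2"
}

# Line for /etc/default/grub (run grub-mkconfig afterwards).
grub_cmdline_line() {
    cmd=$(kernel_cmdline "$1" "$2") || return 1
    printf 'GRUB_CMDLINE_LINUX="%s"\n' "$cmd"
}

# /etc/dracut.conf.d/luks.conf, one directive per line, UUIDs in the same
# roles as on the GRUB line.
dracut_conf() {
    check_uuids "$1" "$2" || return 1
    printf 'add_dracutmodules+=" crypt dm rootfs-block "\n'
    printf 'kernel_cmdline+=" rd.luks.uuid=%s root=UUID=%s "\n' "$1" "$2"
}

# fstab entries use filesystem UUIDs only; the LUKS UUID never belongs here.
# $3 is the /boot filesystem type (assumed ext4 when omitted).
fstab_lines() {
    printf 'UUID=%s\t/\tf2fs\tatgc,rw\t0 0\n' "$1"
    printf 'UUID=%s\t/boot\t%s\tnoauto,noatime\t1 2\n' "$2" "${3:-ext4}"
}

# 0 if a command line (e.g. /proc/cmdline after the reboot) carries the
# expected LUKS UUID in rd.luks.uuid= and the expected filesystem UUID in
# root=UUID=. A swapped pair boots into "no root device found".
cmdline_matches() {
    got_luks=; got_fs=
    for word in $1; do
        case "$word" in
            rd.luks.uuid=*) got_luks=${word#rd.luks.uuid=} ;;
            root=UUID=*)    got_fs=${word#root=UUID=} ;;
        esac
    done
    [ "$got_luks" = "$2" ] && [ "$got_fs" = "$3" ]
}

# Self-check with constructed UUIDs.
L=11111111-2222-3333-4444-555555555555
F=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
B=01234567-89ab-cdef-0123-456789abcdef
grub_cmdline_line "$L" "$F"
dracut_conf "$L" "$F"
fstab_lines "$F" "$B"
cmdline_matches "$(kernel_cmdline "$F" "$L")" "$L" "$F" || echo "swapped UUIDs detected"
```

After the first boot, `cmdline_matches "$(cat /proc/cmdline)" "$LUKS_UUID" "$FS_UUID"` is a quick way to confirm the running system was unlocked and mounted from the devices you intended.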

Now you are ready to reboot; sync and unmount the partitions first.


Refs.:

https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition

https://wiki.archlinux.org/title/F2FS

https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/About

