Goals

Readers are advised to check whether their desired system setup aligns with the goals of this tutorial to decide whether they should follow it.

Configuration

The goal assumed by this tutorial is to set up a Gentoo system with the following configuration:

• A UEFI-based system with an EFI system partition. Throughout this tutorial, this partition will be identified as /dev/sda1. The actual block device for the EFI system partition may be different, e.g. /dev/sdb1, /dev/nvme0n1p1; this is normal and expected. In this case, please replace /dev/sda1 in the instructions with the actual device for the EFI system partition.

  • Some systems may be configured to mount the EFI system partition at /boot, so the EFI system partition also stores the kernel image and initramfs. However, this tutorial assumes that /boot is to be encrypted and the EFI system partition is not mounted at /boot. This allows the kernel image and initramfs to be encrypted and full disk encryption to be implemented to the maximum possible extent.

• A single partition to be used as the LUKS partition. Throughout this tutorial, it will be identified as /dev/sda2. The LUKS partition can be seen and identified as a LUKS partition by some partition manager programs even when it is locked.

  • The LUKS version to be used will obviously be LUKS2.
  • The PBKDF (Password-Based Key Derivation Function) of all unlock keys will be Argon2id.
  • All files, except those necessary for loading up GRUB, will be stored in this partition to achieve full disk encryption. Thus, these files and directories will be stored here:
    • The initramfs (usually installed as /boot/initramfs-*.img)
    • The kernel image (usually installed as /boot/vmlinuz-*)
    • The kernel modules (/lib/modules)
    • All other system files (those under /etc, /usr, /var, and so on)
    • User files (under /home)
  • Another file system may be created on the LUKS partition, and this file system cannot be seen when the LUKS partition is locked. Possible file system choices include but are not limited to:
    • A single ext4 file system
    • A Btrfs volume with one or more subvolumes
    • An LVM physical volume with one or more logical volumes

• GRUB is used as the bootloader.

• systemd is used as the init system.

• dracut is used as the initramfs generator.

  • An initramfs is required for this configuration because unlocking the LUKS partition through the init system requires the cryptsetup user-space program. The only way to make this program available during the boot process is to embed it in an initramfs.

It should be possible to use OpenRC and/or genkernel instead of systemd and/or dracut and achieve an equivalent configuration, but use of these packages is out of this tutorial’s scope. Readers who want to use these packages should merely use this tutorial as a reference rather than follow it to the full extent, and they are recommended to consult these additional resources:

• For OpenRC:
  • Instructions to automatically unlock a LUKS partition on boot on Gentoo Wiki
• For genkernel:
  • Instructions to enable LUKS support for initramfs on Gentoo Wiki
  • The main genkernel article on Gentoo Wiki

Resulting Boot Process

After following this tutorial’s instructions, the user will just need to enter the LUKS partition’s passphrase once in the entire boot process. The user will enter the passphrase in GRUB, before the Linux kernel is loaded.