Ever since I discovered the concept of full disk encryption (which happened to be when I had long hair and no job) I have had this fetish for storing and running my stuff in a secure environment (think spy sh*t).
The logic/reasoning behind full disk encryption is to limit someone’s access to your data in case they manage to steal your drives, because when your machine is online your data will be accessible in one way or another (so this will not protect you from ppl that hack your running machine; for that you need to read other articles).
Most ppl don’t really need this because ppl are good (in general) and don’t store illegal stuff on their personal computers (they use third-party services for that), but if you’re a sys admin trying to do a good job and want to give your customers the level of security that makes them happy enough to pay you for it, then you want to do it, and I’m going to share how to do this on Gentoo. (Some Linux operating systems allow you to do this during the installation process – not using the most secure ciphers, but good enough – Gentoo is not on that list and it is my personal favorite, so we’re doing it my way.)
For this exercise I used a desktop with 6 drives and here’s how I did it:
boot the Gentoo Minimal Installation CD
at the prompt set a password, configure networking, start sshd (this stuff is in the guide) and ssh to the gentoo machine (so that you can copy paste from this page)
once logged in, run “screen -S gentoo” to move your operation inside a virtual screen so that you’re able to detach/attach whenever you feel like it and not lose your work due to some shady network issue
Prepare the storage
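# Prepare the storage. Every drive gets the same GPT layout; edit the list to
# match your hardware before running this — everything below is destructive
# and silently wipes whatever is on the listed disks.
disks=(/dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf)

for disk in "${disks[@]}"; do
  parted --script "$disk" mklabel gpt

  # 1: 2 MB BIOS boot partition; grub embeds its core image here on GPT disks.
  parted -s -a optimal "$disk" mkpart primary 1M 3M
  parted -s "$disk" name 1 grub
  parted -s "$disk" set 1 bios_grub on

  # 2: /boot — grub and the kernels. This partition stays unencrypted, so the
  # kernel and initramfs it holds are NOT protected by the disk encryption;
  # anyone with physical access can modify them.
  # NOTE(review): on GPT, parted's boot flag types the partition as an EFI
  # System Partition; with bios_grub in use that is probably unnecessary — confirm.
  parted -s -a optimal "$disk" mkpart primary 3M 1027M
  parted -s "$disk" name 2 boot
  parted -s "$disk" set 2 BOOT on

  # 3: swap member (assembled into a RAID array below).
  parted -s -a optimal "$disk" mkpart primary 1027M 9219M
  parted -s "$disk" name 3 swap
  parted -s "$disk" set 3 raid on

  # 4: root member (RAID array, then LUKS, then the filesystem).
  parted -s -a optimal "$disk" mkpart primary 9219M 111619M
  parted -s "$disk" name 4 root
  parted -s "$disk" set 4 raid on
done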
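# Create the arrays: /boot is a plain mirror across all six drives, swap and
# root are RAID10. Partition numbers match the layout created above.
mdadm --create --verbose --level=1 --raid-devices=6 /dev/md1 /dev/sda2 /dev/sdb2 /dev/sdc2 /dev/sdd2 /dev/sde2 /dev/sdf2
mdadm --create --verbose --level=10 --raid-devices=6 /dev/md2 /dev/sda3 /dev/sdb3 /dev/sdc3 /dev/sdd3 /dev/sde3 /dev/sdf3
mdadm --create --verbose --level=10 --raid-devices=6 /dev/md3 /dev/sda4 /dev/sdb4 /dev/sdc4 /dev/sdd4 /dev/sde4 /dev/sdf4

# Only /boot gets a filesystem at this point; it stays unencrypted so grub can
# load the kernel and initramfs from it. /dev/md3 is deliberately NOT
# formatted here: it is about to be wrapped in LUKS and the filesystem goes
# inside the mapping instead. Formatting the raw array first is wasted work
# and may leave plaintext XFS metadata lying around under the LUKS container.
mkfs.xfs /dev/md1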
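# Load what the live CD needs for dm-crypt with the serpent cipher (the
# installed kernel must provide these too — see the genkernel step later).
modprobe dm-crypt
modprobe serpent

# Encrypt swap and root; /boot stays unencrypted so grub can load the kernel.
#   -y             ask for the passphrase twice
#   -h sha512      hash used by the key derivation
#   -i 5000        key-derivation time per unlock in ms (--iter-time)
# The cipher spec is the author's choice; cryptsetup's own defaults (an XTS
# mode) are a reasonable alternative — compare with `cryptsetup --help`.
# Optional but commonly recommended: overwrite the arrays with random data
# before luksFormat, so that old plaintext and unused space are not
# distinguishable from ciphertext.
cryptsetup -y --cipher serpent-cbc-essiv:wp256 -h sha512 -i 5000 --key-size 256 luksFormat /dev/md2
cryptsetup -y --cipher serpent-cbc-essiv:wp256 -h sha512 -i 5000 --key-size 256 luksFormat /dev/md3

# Open the containers; filesystems go on the mappings, never on the raw arrays.
cryptsetup luksOpen /dev/md2 swap
cryptsetup luksOpen /dev/md3 root

# Format and mount. Swap is activated right away so the installation itself
# can use it.
mkswap /dev/mapper/swap
swapon /dev/mapper/swap
mkfs.xfs /dev/mapper/root
mount /dev/mapper/root /mnt/gentoo/
mkdir /mnt/gentoo/boot
mount /dev/md1 /mnt/gentoo/boot/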
Installing Gentoo
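cd /mnt/gentoo
# The stage3 the author used. This tarball is the root of trust for the whole
# installation: prefer an https:// mirror and verify the release's signed
# digest file (.DIGESTS.asc, see the Gentoo handbook) before unpacking it.
wget http://distfiles.gentoo.org/releases/amd64/autobuilds/20190703T214502Z/hardened/stage3-amd64-hardened-20190703T214502Z.tar.xz
# Keep extended attributes (the hardened stage uses them) and numeric owners.
tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner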
nano -w /mnt/gentoo/etc/portage/make.conf (adjust some parameters, like the ones below)
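# Compiler flags for this box; -march=native tunes for the CPU doing the
# build, so the resulting binaries are not portable to other CPU models.
COMMON_FLAGS="-march=native -O2 -pipe"
# Parallel make jobs — match to the core count of the build machine.
MAKEOPTS="-j4"
# Accepts every package license without prompting. This is a deliberate
# policy choice; narrow it if license review matters for your deployment.
ACCEPT_LICENSE="*"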
mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf (to pick some mirrors)
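# Portage repository configuration and DNS for the chroot.
mkdir --parents /mnt/gentoo/etc/portage/repos.conf
cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
# --dereference: copy the real file, not a symlink that would dangle inside the chroot.
cp --dereference /etc/resolv.conf /mnt/gentoo/etc/

# Bind the live system's proc/sys/dev into the new root; make-rslave keeps
# mounts made inside the chroot from propagating back to the live system.
mount --types proc /proc /mnt/gentoo/proc
mount --rbind /sys /mnt/gentoo/sys
mount --make-rslave /mnt/gentoo/sys
mount --rbind /dev /mnt/gentoo/dev
mount --make-rslave /mnt/gentoo/dev

# Starts a new shell inside the new root; every step from here on is typed
# into that shell, not this one.
chroot /mnt/gentoo /bin/bash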
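# Inside the chroot: pick up the new environment and mark the prompt so it is
# obvious which shell you are typing into.
source /etc/profile
export PS1="(chroot) ${PS1}"

# Fetch the portage tree, then catch up on release news.
emerge-webrsync
emerge --sync --quiet
eselect news list
eselect news read
# The author kept the default profile; to change it, pick the number shown in
# front of the entry: eselect profile set <N>
eselect profile list
emerge -uavDN world

# Timezone and locales.
echo "Europe/London" > /etc/timezone
emerge --config sys-libs/timezone-data
nano -w /etc/locale.gen
locale-gen
eselect locale list
# 6 was the utf8 entry on the author's machine; check the list above, the
# number may differ.
eselect locale set 6
env-update && source /etc/profile && export PS1="(chroot) $PS1"

# Base tooling: kernel sources, raid/crypt userland, firmware, bootloader,
# logging, cron and sudo.
emerge -uavDN pciutils
emerge -uavDN genkernel gentoo-sources
emerge -uavDN cryptsetup mdadm e2fsprogs xfsprogs procinfo-ng
emerge -uavDN sys-kernel/linux-firmware
emerge -uavDN genkernel grub
emerge -uavDN syslog-ng
emerge -uavDN logrotate vixie-cron
emerge -uavDN sudo

# Record the arrays created earlier so the initramfs can assemble them.
mdadm --detail --scan >> /etc/mdadm.conf
rc-update add mdadm default
rc-update add syslog-ng default
# sshd will be up from the first boot; review /etc/ssh/sshd_config
# (PermitRootLogin, password authentication) before rebooting.
rc-update add sshd default
# NOTE(review): the /etc/conf.d/dmcrypt swap entry configured later is
# handled by the OpenRC dmcrypt service; it likely also needs
# `rc-update add dmcrypt boot` — confirm against the Gentoo dm-crypt docs.

passwd root

# Build and install the kernel + initramfs with LUKS and mdadm support.
# Enable the serpent cipher (and anything else your setup needs) in
# menuconfig, otherwise the initramfs cannot unlock root.
genkernel --menuconfig --install --luks --lvm --mdadm --mdadm-config=/etc/mdadm.conf \
  --e2fsprogs --bootloader=grub --disklabel --firmware --firmware-dir=/lib/firmware/ \
  --makeopts=-j4 all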
make sure to enable serpent and other stuff you need in the kernel!!! -> I usually build all the crypto stuff in, plus some extra drivers for network adapters and netfilter stuff, but that’s just me
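# grub needs device-mapper support to find the LUKS-backed root.
echo "sys-boot/grub:2 device-mapper" >> /etc/portage/package.use/sys-boot
emerge -uavDN grub

# Install grub's core image into the bios_grub partition of every disk so the
# box still boots with any single drive missing. Keep this list in sync with
# the partitioning step.
for disk in /dev/sda /dev/sdb /dev/sdc /dev/sdd /dev/sde /dev/sdf; do
  grub-install --no-floppy "$disk"
done
grub-mkconfig -o /boot/grub/grub.cfg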
In the swap section of /etc/conf.d/dmcrypt, make sure it looks like this:
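# /etc/conf.d/dmcrypt swap entry: open the LUKS container on /dev/md2 as
# /dev/mapper/swap at boot. The name must match the swap entry in fstab.
swap=swap
target=swap
source='/dev/md2'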
which will add it to the boot sequence and make Gentoo ask for the passphrase, then mount swap (if you skip this one you will boot the OS but have no swap)
here’s how fstab looks in my case
UUID=8d339125-6096-4d9d-a8a1-e4ec37f0b98e /boot xfs noauto,noatime 1 2
UUID=1bb29e5b-727f-47af-9b09-7d5e4f1a5f37 / xfs noatime 0 1
UUID=71f1c21e-d049-41d4-a606-1e0237bc7aae none swap sw 0 0
get the UUIDs using blkid
in file /etc/default/grub
adjust the line starting with GRUB_CMDLINE_LINUX to look something like: GRUB_CMDLINE_LINUX="domdadm dolvm luks enc_root=/dev/md3 crypt_root=UUID=e833aded-3d48-4a49-ad33-881ef9a11f5c root=/dev/mapper/root"
where the UUID comes from
blkid
/dev/md3: UUID="e833aded-3d48-4a49-ad33-881ef9a11f5c" TYPE="crypto_LUKS"
Now you can either exit your screen and reboot the machine OR look at the official guide for more stuff to add to your installation before rebooting, BUT you’re pretty much done with this setup.
In general Gentoo is a real pain for your average sys admin, BUT the rewards that come after you do these things are priceless … you end up with a deeper understanding of how stuff is done compared to using a fancy interface that does it for you. Gentoo also comes with the advantages of building everything from source, meaning you can easily maintain your own flavor of Linux with the much-wanted/needed features that don’t always come with the standard packages on other distros.