Booting Gentoo with LUKS+LVM2+systemd


I’ve spent quite some time recently trying to get a laptop running Gentoo boot from an encrypted partition with LVM. I thought that this might be useful for someone else, so here you are: First things first: I’m assuming you’ve followed Gentoo handbook and are operating from within livecd’s shell. You’ve done the regular luksFormat + lvm stuff and you’ve come up with a layout similar to this one:

dagrey ~ # lsblk
NAME                          SIZE TYPE  MOUNTPOINT
sda                           55.9G disk
└─sda1                        55.9G part
    └─crypthome (dm-3)          55.9G crypt /home
sdb                           29.8G disk
├─sdb1                       485.4M part  /boot
└─sdb2                        29.4G part
    └─root_sdb2-vg-root (dm-0)  29.3G crypt
    ├─vg-swap (dm-1)             8G lvm   [SWAP]
    └─vg-root (dm-2)          21.3G lvm   /

You need a kernel to boot this, a kernel that understands crypto stuff as well as lvm.

genkernel --symlink --save-config --no-mrproper --luks --lvm --udev --menuconfig all

If you’re using gentoo-sources you’ll notice the fancy gentoo-specific menu on top. Go there and check systemd. Apart from the usual stuff, please make sure to check stuff on this list, and also this one:

Device Drivers
    Multi-device support (RAID and LVM)
    [*] Multiple devices driver support (RAID and LVM)
    <*>  Device mapper support
    <*>  Crypt target support

Cryptographic API
    <*>  SHA256 digest algorithm
    <*>  AES cipher algorithms

Your setup is so new that you need grub2. Grub2 is very picky about its configuration. Take this one and avoid hours of reading:

dagrey ~ # cat /etc/default/grub

GRUB_DISTRIBUTOR="Gentoo"

GRUB_DEFAULT=0
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=3

GRUB_PRELOAD_MODULES=lvm
GRUB_CRYPTODISK_ENABLE=y
GRUB_DEVICE=/dev/ram0

# Append parameters to the linux kernel command line
GRUB_CMDLINE_LINUX="real_init=/usr/bin/systemd quiet real_root=/dev/mapper/vg-root crypt_root=/dev/sdb2 dolvm acpi_backlight=vendor"

You’re using initrd to set everything up for the kernel, so you need real_root and real_init instead of regular ones. cryptdevice no longer works, use crypt_root And dolvm is essential, without it only the first part will work, leaving you with open crypt container and kernel panic just afterwards. Also notice GRUB_DEVICE, GRUB_CRYPTODISK_ENABLE and GRUB_PRELOAD_MODULES. Make sure the first partition on the disk you’re installing grub onto is starting at 2048. If it’s any earlier grub just won’t be able to fit its magic in there. Finally, install grub

grub2-install --modules="configfile linux crypto search_fs_uuid luks lvm" --recheck /dev/sda
grub2-mkconfig -o /boot/grub/grub.cfg

That should be sufficient to boot the system and initialize root. What about those other encrypted partitions like /home though ? Well, init subsystem needs to initialize them, OpenRC did such by reading /etc/fstab and then /etc/dmcrypt/dmcrypt.conf accordingly. Systemd is a bit different here. You still need your /etc/fstab entries for it to know which partitions need to be initialized. The place where you say how to map and decrypt crypto containers, however, is in /etc/crypttab.

dagrey ~ # cat /etc/fstab

/dev/sdb1              /boot     ext2    defaults    1 2
/dev/mapper/vg-root    /         ext4    defaults    0 1
/dev/mapper/vg-swap    none      swap    sw          0 0
/dev/mapper/crypthome  /home     ext4    defaults    0 2

dagrey ~ # cat /etc/crypttab
#crypthome /dev/sda1
crypthome /dev/sda1 /etc/conf.d/dmcrypt.key

The keyfile is available from then already decrypted root partition. You can also skip the key and the you’ll get a password prompt, sometimes hidden somewhere in systemd messages. Hit enter to reveal it once more.

See also