Linux (gentoo) encrypted boot partition

The common way of encrypting a hard drive on Linux is to use LVM, device-mapper and LUKS. Most implementations used by popular distributions leave the boot partition unencrypted, because the kernel modules needed to open the LUKS partition must first be loaded from somewhere. However, there is a way to encrypt the whole disk, including the boot partition and the kernel: GRUB's cryptodisk feature.

Here is a rough outline of how to set up full disk encryption with Gentoo, LVM and LUKS.

We use a single LUKS-encrypted partition that contains both /boot and the root filesystem.

Before installing GRUB we take the following steps.

Get the UUID of the encrypted partition:
# blkid /dev/sda1
/dev/sda1: UUID="057f8bad-c4d2-419c-95a0-f57aaa785a25" TYPE="crypto_LUKS" PARTUUID="0001c2d5-01"

Edit /etc/default/grub as follows:
# Append parameters to the linux kernel command line
GRUB_CMDLINE_LINUX="root=/dev/ram0 crypt_root=UUID=057f8bad-c4d2-419c-95a0-f57aaa785a25 real_root=/dev/mapper/vg-root rootfstype=ext4 root_key=key dolvm"

In this case our volume group is named "vg" and the logical volume holding the root filesystem is named "root", hence real_root=/dev/mapper/vg-root. We also need "root_key" set for the next steps.

Now we can install GRUB the usual way into the MBR.
# grub2-install /dev/sda
# grub2-mkconfig -o /boot/grub/grub.cfg

At this point GRUB will prompt for the passphrase of the encrypted partition just before showing the normal boot menu. After a boot entry is selected it proceeds with loading the kernel. But GRUB does not pass the passphrase on to the kernel, so the kernel asks for the key a second time in order to open the LUKS partition.
To avoid entering the passphrase twice, we place a keyfile in another key slot of our partition. The trick: we put that keyfile inside the initramfs and tell the boot scripts to look for it there. Sounds silly? Yes! But since the entire partition, including the /boot directory, is encrypted, the initramfs is encrypted too, and so is the keyfile inside it.

Gentoo's boot script for luksOpen looks in /mnt/key/ for the keyfile. As we set the name "key" via root_key in the kernel parameters, our keyfile in the initramfs has to be /mnt/key/key.
The genkernel scripts know a parameter called "INITRAMFS_OVERLAY" for placing our own files in the initramfs. We create the directory /key/mnt/key/, put our keyfile at /key/mnt/key/key and tell genkernel to overlay the directory /key.

Edit /etc/genkernel.conf and set the overlay directory:
INITRAMFS_OVERLAY="/key"

Genkernel now copies the directory structure of /key/ into the initramfs, so our keyfile ends up at /mnt/key/key.
While booting, the script tries to mount a key device, but as we have not configured one it simply falls back to the keyfile in the initramfs. Dirty, but it works and seems to be update-safe.
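The steps above collected in one script, as an added example that is not part of the original post: it creates the keyfile in the genkernel overlay tree, enrolls it in a spare LUKS key slot, reads the UUID with blkid and writes the GRUB and genkernel settings. The device, volume group, logical volume and overlay paths are assumptions taken from the text and can be overridden through environment variables; the GRUB_ENABLE_CRYPTODISK line is an addition the post does not show (GRUB 2.02 and later need it before grub-install will write to an encrypted disk).

```shell
#!/bin/sh
# Constructed helper for the setup described above (not the post's own code).
set -eu

DEV="${DEV:-/dev/sda1}"         # LUKS partition holding /boot and /
VG="${VG:-vg}"                  # LVM volume group (assumed name)
LV="${LV:-root}"                # logical volume of the root filesystem (assumed)
OVERLAY="${OVERLAY:-/key}"      # directory handed to genkernel as INITRAMFS_OVERLAY
KEYNAME="${KEYNAME:-key}"       # must match root_key= on the kernel command line

# Build the GRUB_CMDLINE_LINUX value from UUID, VG, LV and key name.
build_cmdline() {
    printf 'root=/dev/ram0 crypt_root=UUID=%s real_root=/dev/mapper/%s-%s rootfstype=ext4 root_key=%s dolvm' \
        "$1" "$2" "$3" "$4"
}

# Path of the keyfile inside the overlay tree; it lands at /mnt/key/<name> in the initramfs.
overlay_key_path() { printf '%s/mnt/key/%s' "$1" "$2"; }

# Read only the UUID of the LUKS container (blkid -s UUID -o value prints the bare value).
luks_uuid() { blkid -s UUID -o value "$1"; }

setup() {
    keyfile=$(overlay_key_path "$OVERLAY" "$KEYNAME")
    # The overlay copy stays on the running system as a plaintext disk key,
    # so the whole tree is created root-only.
    install -d -m 0700 "$(dirname "$keyfile")"
    if [ ! -f "$keyfile" ]; then
        (umask 077; head -c 4096 /dev/urandom > "$keyfile")
    fi
    # Enroll the keyfile in a free key slot; cryptsetup asks for an existing passphrase.
    cryptsetup luksAddKey "$DEV" "$keyfile"
    uuid=$(luks_uuid "$DEV")
    # Append the settings; if either file already carries these variables, edit them by hand.
    printf 'GRUB_ENABLE_CRYPTODISK=y\nGRUB_CMDLINE_LINUX="%s"\n' \
        "$(build_cmdline "$uuid" "$VG" "$LV" "$KEYNAME")" >> /etc/default/grub
    printf 'INITRAMFS_OVERLAY="%s"\n' "$OVERLAY" >> /etc/genkernel.conf
}

# The privileged steps only run when invoked explicitly: ./script.sh setup
if [ "${1:-}" = setup ]; then
    setup
fi
```

After running it, rebuild the initramfs with genkernel and then run grub2-install and grub2-mkconfig as shown above.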

This article is just a quick summary and will be extended soon. Comments are appreciated.