We at PCMarc run all our workstations (except laptops) on Hardened Gentoo with KDE desktop environment.

Today we would like to share our knowledge of how to install it, step by step. You can find the full video on our YouTube channel here, or you can see all the commands below:

Boot Gentoo from ISO/CD/USB and start typing the commands below:
(type only the lines that begin with #)

Change installation password
# passwd

Let’s start partitioning
# fdisk /dev/sda

First partition BIOS 2MB EFI
# n,p, 1, Enter, +2M

Change partition type to EFI
# t, hex code: "ef" - EFI Boot

Create boot partition 128MB
# n,p,2,enter,+128M

Make partition bootable
# a, and select partition 2

Create swap partition 512MB (use size of your RAM memory)
# n,p,3,enter,+512M

and then mark it as swap type:
# t, select "3" and type "82" as a hex code (swap)

Create root partition (remaining disk space)
# n,p,4,enter,enter

Save disk structure:
# w

Let’s encrypt our partitions
# cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sda3
enter passphrase

# cryptsetup luksDump /dev/sda3
# cryptsetup luksOpen /dev/sda3 pcmarc
# lvmdiskscan
# pvcreate /dev/mapper/pcmarc
# pvdisplay
# vgcreate gentoo /dev/mapper/pcmarc
# vgdisplay
# lvcreate -C y -L 4GB gentoo -n lvolswap
# lvcreate -L 20GB gentoo -n lvolroot
# lvcreate -l +100%FREE gentoo -n lvolhome
# lvdisplay
# vgscan
# vgchange -ay
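
The luksDump step above is where you confirm that the header really carries the options given to luksFormat. The script below is an added example, not part of the original guide: it checks luksDump text for aes, xts-plain64, sha512, a 512-bit master key and an enabled key slot. It assumes the LUKS1 dump layout (newer cryptsetup releases default to LUKS2, whose dump is laid out differently); the function names and the sample header are constructed for illustration.

```shell
# Added example (not from the original post): compare LUKS1 `luksDump` text
# with the luksFormat options used above: aes-xts-plain64, 512-bit key, sha512.

# Constructed, abbreviated sample of LUKS1 luksDump output (digest/salt omitted).
sample_dump() {
cat <<'EOF'
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
MK bits:        512

Key Slot 0: ENABLED
EOF
}

# luks_field NAME: print the value of the first "NAME: value" line on stdin.
luks_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# check_luks_header: read luksDump text on stdin, print one line per check,
# return 0 only if every parameter matches and a key slot is enabled.
check_luks_header() {
    dump=$(cat)
    rc=0
    for pair in "Cipher name=aes" "Cipher mode=xts-plain64" \
                "Hash spec=sha512" "MK bits=512"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$dump" | luks_field "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key: $got"
        else
            echo "FAIL $key: got '$got', expected '$want'"
            rc=1
        fi
    done
    # Without an enabled key slot no passphrase can open the volume.
    slots=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    [ "$slots" -ge 1 ] || { echo "FAIL no enabled key slot"; rc=1; }
    return "$rc"
}

# Real use (as root): cryptsetup luksDump /dev/sda3 | check_luks_header
sample_dump | check_luks_header
```
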

Format partitions using ext4 file type
# mkfs.ext4 /dev/sda2
# mkswap /dev/mapper/gentoo-lvolswap
# mkfs.ext4 /dev/mapper/gentoo-lvolroot
# mkfs.ext4 /dev/mapper/gentoo-lvolhome

Activate swap
# swapon /dev/mapper/gentoo-lvolswap

Let’s mount partitions and start chrooting
# mount /dev/mapper/gentoo-lvolroot /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount /dev/sda2 /mnt/gentoo/boot
# mkdir /mnt/gentoo/home
# mount /dev/mapper/gentoo-lvolhome /mnt/gentoo/home
# lsblk /dev/sda

Check if date is correct
# date

Navigate to directory below:
# cd /mnt/gentoo

Let’s run our text browser and download stage3 tarball

# links http://www.gentoo.org/main/en/mirrors.xml
download stage3 hardened
# ls

Unpack stage3
# tar xvjpf stage (press Tab to complete the file name)

Configure make.conf file
# nano -w /mnt/gentoo/etc/portage/make.conf

Add this line with total CPU threads on your machine
MAKEOPTS="-j12"

also this:
INPUT_DEVICES="evdev keyboard mouse"

Add the remaining settings; your file should look like the one below:
-------------------------------------
ACCEPT_KEYWORDS="amd64"
MAKEOPTS="-j12"
CFLAGS="-march=native -O2 -fforce-addr -pipe"
INPUT_DEVICES="evdev keyboard mouse"
USE="bindist mmx sse sse2 -jit -gnome kde dbus X consolekit hardened branding pic pax_kernel
chroot secure_delete webrsync-gpg qt4 -suid opengl wayland gles static static-libs symlink cryptsetup crypt ssl gnutls ldap ncurses tcpd pam xml perl python snmp unicode jpeg png readline"
FEATURES="sandbox sfperms strict buildpkg userfetch parallel-fetch"
-------------------------------------

Copy network settings
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf

Mount ‘proc’, ‘sys’ and ‘dev’
# mount -t proc none /mnt/gentoo/proc
# mount --rbind /sys /mnt/gentoo/sys
# mount --rbind /dev /mnt/gentoo/dev

Get in:
# chroot /mnt/gentoo /bin/bash

# source /etc/profile
# export PS1="(chroot) $PS1"

Install the Portage tree
# time emerge-webrsync
# emerge --sync

Change time zone and locale
# echo "Europe/London" > /etc/timezone
# emerge --config sys-libs/timezone-data
# nano -w /etc/locale.gen
and add:
en_GB ISO-8859-1
en_GB.UTF-8 UTF-8
# locale-gen

# eselect locale list
Set only en_GB (3)
# eselect locale set 3
# env-update && source /etc/profile

Let’s emerge linux kernel
# emerge -av hardened-sources
# ls -l /usr/src/linux

Download genkernel tool
# emerge -av genkernel

Compile the kernel
# time genkernel all (build kernel with all default settings)

Copy kernel to boot partition:
# cp arch/x86_64/boot/bzImage /boot/kernel-3.4.9-gentoo (use uname -a to get version)

Edit fstab file
# nano -w /etc/fstab
and change ROOT, BOOT and SWAP to sdaX (boot=sda2, root=sda3)

Change hostname in file:
# nano -w /etc/conf.d/hostname

Activate network at boot:
# nano -w /etc/conf.d/net
add line: config_eth0="dhcp"

# cd /etc/init.d
# ln -s net.lo net.eth0
# rc-update add net.eth0 default

Add some great tools
# emerge --noreplace netifrc
# emerge lvm2
# emerge flaggie
# emerge fail2ban gentoolkit

Change the password (important); otherwise you won’t be able to log in and will have to chroot again.
# passwd

Change keyboard layout
# nano -w /etc/conf.d/keymaps
and change the keymap to uk

Add some necessary tools:
# emerge syslog-ng
# rc-update add syslog-ng default
# emerge cronie
# rc-update add cronie default
# emerge dhcpcd
# rc-update add dhcpcd default
# rc-update add sshd default

Download bootloader
# emerge sys-boot/grub
# grub2-install /dev/sda
# grub2-mkconfig -o /boot/grub/grub.cfg

# exit

Unmount partitions and reboot to your Gentoo installation.
# cd
# umount -l /mnt/gentoo/dev{/shm,/pts,}
# umount -l /mnt/gentoo{/boot,/proc,}
# reboot

We will add KDE installation guide soon.


PCMarc Team