Hello everyone, I am working on my Gentoo installation and am currently setting up my partition scheme. My goal for this installation is to focus on security, privacy, minimalism and overall efficiency. I have been reading a lot of different material on partitioning, Gentoo Handbook, Archwiki and many different guides. I also watched a few different videos to see the different schemes people use and how they actually set them up. After watching Irish Luck's tutorial I went through and using his example wrote out a base for my partition scheme. A lot of it clicked really quick from back when I did my Void Linux, Arch Linux and other system installs. I, however, want to ask for some help doing a few things. The questions I have are as follows.
Is my current scheme correct? If not, what is incorrect and why?
How can I secure this more? What are more secure encryption options as well as partitioning schemes? (I have looked at the Gentoo Handbook page on dm-crypt, but am just curious as to what you all recommend.)
I really want to break this up more. For example, I want to move all root directories such as /etc/, /usr/ etc. to their own logical partition (using LVM). How would I do this? I have done this with /var/, /home/ and /swap/, but am not sure how to do it with all of these. I know /usr/ and /etc/ for example require more work than simply making them with LVM.
I am wanting to make a nice and secure system, and I would love nothing more than to have a setup where I do something like below.
Move the keys needed to boot to a boot partition stored on a USB, do the same LVM setup (with all directories setup as logical volumes) and still require a passphrase in order to finally decrypt the system.
The reason I cannot do that is that I A) don't have a proper USB to dedicate to that and B) would like a more compact laptop before I do that (also one without any closed source firmware such as IME, which sadly can't be removed from my T420 completely). Speaking of laptops, I should outline my setup a bit for better understanding. My main laptop is a Thinkpad T420 which currently runs OpenBSD, and I have a spare laptop which is an OLD Toshiba. I am installing Gentoo to my old Toshiba right now as I need my T420 for work and school, and am waiting to install Gentoo to my T420 until I am more confident on it. With all this said, here is my current partitioning scheme.
Code:
# start partitioning on /dev/sda:
parted -a optimal /dev/sda
# use GPT for the partition table:
mklabel gpt
# use mebibytes for unit size:
unit mib
# create a new partition (primary):
mkpart primary 1 3
# name partition 1 "bios_grub":
name 1 bios_grub
# set the bios_grub flag on partition 1:
set 1 bios_grub on
# create a new partition (primary):
mkpart primary 3 515
# name partition 2 "boot":
name 2 boot
# set the boot flag on partition 2:
set 2 boot on
# create a new partition (primary):
mkpart primary 515 -1
# name partition 3 "lvm":
name 3 lvm
# set the lvm flag on partition 3:
set 3 lvm on
# print the partition table (check that the boot and esp flags are there):
print
# leave parted:
quit
# format partition one in FAT32 (partition 1 is the bios_grub partition; grub-install writes its core image there raw, so this step is not needed on a BIOS-only machine):
mkfs.vfat /dev/sda1
# format partition two in ext2:
mkfs.ext2 /dev/sda2
# encrypt partition three with LUKS:
cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sda3
# confirm overwriting the partition by typing YES in capitals:
YES
# enter the decryption passphrase (twice, because of -y):
type in passphrase
# display the LUKS header of /dev/sda3:
cryptsetup luksDump /dev/sda3
# open the LUKS container as /dev/mapper/gentoolv (asks for the passphrase):
cryptsetup luksOpen /dev/sda3 gentoolv
# initialize the opened container as an LVM physical volume:
pvcreate /dev/mapper/gentoolv
# display attributes of the physical volume:
pvdisplay
# create a volume group named "gentoovg":
vgcreate gentoovg /dev/mapper/gentoolv
# display attributes of volume group "gentoovg":
vgdisplay
## create logical volumes in existing group "gentoovg":
# create logical volume swap:
lvcreate -C y -L 4G gentoovg -n swap
# create logical volume root:
lvcreate -C y -L 70G gentoovg -n root
# create logical volume var:
lvcreate -C y -L 20G gentoovg -n var
# create logical volume home from all remaining space (-l takes extents or percentages; -L does not accept +100%FREE):
lvcreate -C y -l +100%FREE gentoovg -n home
# display attributes of the logical volumes:
lvdisplay
# scan all disks for volume groups and rebuild caches:
vgscan
# change attributes of a volume group and make the volume group known to the kernel:
vgchange -ay
# set up a Linux swap area:
mkswap /dev/mapper/gentoovg-swap
# enable device for paging and swapping:
swapon /dev/mapper/gentoovg-swap
# display amount of free and used memory in the system in mebibytes:
free -m
# format gentoovg-root in ext4:
mkfs.ext4 /dev/mapper/gentoovg-root
# format gentoovg-var in ext4:
mkfs.ext4 /dev/mapper/gentoovg-var
# format gentoovg-home in ext4:
mkfs.ext4 /dev/mapper/gentoovg-home
# mount gentoovg-root on /mnt/gentoo (the handbook's mount point; the later mkdir/mount steps all expect it):
mount /dev/mapper/gentoovg-root /mnt/gentoo
# make boot directory on /mnt/gentoo:
mkdir /mnt/gentoo/boot
# make home directory on /mnt/gentoo:
mkdir /mnt/gentoo/home
# make var directory on /mnt/gentoo:
mkdir /mnt/gentoo/var
# mount /dev/sda2 on /mnt/gentoo/boot:
mount /dev/sda2 /mnt/gentoo/boot
# mount gentoovg-home on /mnt/gentoo/home:
mount /dev/mapper/gentoovg-home /mnt/gentoo/home
# mount gentoovg-var on /mnt/gentoo/var:
mount /dev/mapper/gentoovg-var /mnt/gentoo/var
# list block devices:
lsblk
Let me explain some parts of this a bit more. I am using GPT as I want to get used to using GPT for when I get a bigger drive. The Toshiba system I am using to test out Gentoo and learn Gentoo does not support UEFI and only supports classic BIOS booting. I am using (or going to use) Grub2 as my bootloader and runit as my init system (only Grub2, no Plymouth, and only runit, no OpenRC). I am only wanting to ask about partitioning in this part, however. Thank you all so much in advance, I am excited to get this partition scheme set up. I am also writing a little guide for myself as I work through the install. So far I only have setting up networking, and I am looking forward to adding this. Thank you for reading.
EDIT: This has been solved on the official Gentoo forum.
EDIT II: Scratch that, this doesn't work. I goofed. The above questions still apply, but another issue has been found. Once I do mount /dev/mapper/gentoovg-root /mnt this breaks. I no longer have any commands except cd and can't finish my partitioning at all. Please help. I am just trying to get a good encrypted partition scheme that works, I am very bad at partitioning.
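The same GPT + LUKS + LVM sequence from the post, written as an added example (not the poster's commands or the Gentoo Handbook's) as a single shell function with a dry-run mode, so the plan can be printed and checked before anything touches a disk. It assumes /dev/sdX partition naming (sda2, not nvme0n1p2), the poster's volume group and mapping names, and that /etc stays on the root LV (fstab lives there) while a separate /usr would additionally need an initramfs that mounts it before init.

```shell
#!/bin/sh
# Added example: dry-run-capable version of the GPT + LUKS + LVM layout.
# Assumes /dev/sdX-style partition names; DISK, VG and LUKS names are inputs.
set -eu

run() {            # print every command; execute only when DRY_RUN=0
    printf '%s\n' "$*"
    [ "${DRY_RUN:-1}" = 0 ] && "$@"
    return 0
}

build_layout() {   # $1 = disk, $2 = LVM volume group, $3 = LUKS mapping name
    disk=$1; vg=$2; crypt=$3
    run parted -s -a optimal "$disk" mklabel gpt unit mib \
        mkpart primary 1 3   name 1 bios_grub set 1 bios_grub on \
        mkpart primary 3 515 name 2 boot      set 2 boot on \
        mkpart primary 515 -1 name 3 lvm      set 3 lvm on
    # partition 1 (bios_grub) stays raw: grub-install writes core.img into it
    run mkfs.ext2 "${disk}2"
    run cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 \
        luksFormat "${disk}3"
    run cryptsetup luksOpen "${disk}3" "$crypt"
    run pvcreate "/dev/mapper/$crypt"
    run vgcreate "$vg" "/dev/mapper/$crypt"
    run lvcreate -C y -L 4G -n swap "$vg"
    run lvcreate -L 70G -n root "$vg"
    run lvcreate -L 20G -n var "$vg"
    # '-l' (extents) accepts percentages; '-L' (size) rejects +100%FREE
    run lvcreate -l +100%FREE -n home "$vg"
    run vgchange -ay "$vg"
    for lv in root var home; do run mkfs.ext4 "/dev/mapper/$vg-$lv"; done
    run mkswap "/dev/mapper/$vg-swap"
    # the handbook mount point is /mnt/gentoo; /etc stays on root,
    # a separate /usr would also need an initramfs to mount it before init
    run mkdir -p /mnt/gentoo
    run mount "/dev/mapper/$vg-root" /mnt/gentoo
    run mkdir -p /mnt/gentoo/boot /mnt/gentoo/home /mnt/gentoo/var
    run mount "${disk}2" /mnt/gentoo/boot
    run mount "/dev/mapper/$vg-home" /mnt/gentoo/home
    run mount "/dev/mapper/$vg-var" /mnt/gentoo/var
}

# usage: DRY_RUN=1 ./layout.sh /dev/sda gentoovg gentoolv   (prints the plan)
if [ $# -eq 3 ]; then build_layout "$@"; fi
```

Run it once with DRY_RUN unset to read the plan, then with DRY_RUN=0 from the live medium to execute it.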