Encrypted Gentoo Setup With LUKS and Btrfs

I was recently struggling to install Gentoo on an encrypted root filesystem. There are many guides, but somehow I always missed a step, so this is my take on compiling the necessary steps.

Sources:

The goal here is to have a single disk partitioned into an EFI partition and a LUKS encrypted root partition. No swap here.

/dev/nvme0n1
 ├── /dev/nvme0n1p1 [EFI]       /boot      1 GB         fat32       Bootloader, bootloader support files, kernel and initramfs
 └── /dev/nvme0n1p2 [LUKS]      (crypt)    ->END        luks        encrypted partition
      └──  rootfs               /          ->END        btrfs       root partition

Please follow the official handbook and apply common sense. At the point where you set up your disks, take a break in the guide and do the following:

root # fdisk /dev/nvme0n1

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x81391dbc.

Command (m for help): g
Created a new GPT disklabel (GUID: 8D91A3C1-8661-2940-9076-65B815B36906).

Command (m for help): n

Partition number (1-128, default 1): 
First sector (2048-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-1953525134, default 1953523711): +1G

Created a new partition 1 of type 'Linux filesystem' and of size 1 GiB.

Command (m for help): t

Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Command (m for help): n

Partition number (1-128, default 2): 
First sector (1050624-1953525134, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-1953525134, default 1953523711):

Created a new partition 2 of type 'Linux filesystem' and of size 931 GiB.

Command (m for help): w

The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Next, encrypt the root partition:

root # cryptsetup luksFormat --key-size 512 /dev/nvme0n1p2

WARNING!
========
This will overwrite data on /dev/nvme0n1p2 irrevocably.

Are you sure? (Type 'yes' in capital letters): YES
Enter passphrase for /dev/nvme0n1p2:

Back up your header and put it somewhere safe. Treat the backup like the passphrase itself: it contains the key slots, so together with any passphrase that was valid when it was taken it unlocks the volume, even after you later change or remove that passphrase.

root # cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file crypt_headers.img

Open the encrypted volume and format the partitions (FAT32 for the EFI partition, btrfs for root):

root # cryptsetup luksOpen /dev/nvme0n1p2 crypt
root # mkfs.vfat -F32 /dev/nvme0n1p1
root # mkfs.btrfs -L rootfs /dev/mapper/crypt
root # mount LABEL=rootfs /mnt/gentoo

Now continue with the chroot and follow the handbook until you reach the kernel and bootloader setup. Fill the fstab:

# <fs>                                          <mountpoint>    <type>          <opts>          <dump/pass>
/dev/nvme0n1p1                                  /boot           vfat            noatime         1 2
LABEL=rootfs                                    /               btrfs           defaults        0 1

Compile the kernel (genkernel here) with btrfs support built in, and let genkernel build an initramfs that can unlock the LUKS partition:

root # genkernel --luks --mountboot --menuconfig --install all

Put the following in your /etc/default/grub, using the UUID of the encrypted LUKS partition itself (/dev/nvme0n1p2, shown as crypto_LUKS by lsblk -o name,uuid,fstype), not the UUID of the btrfs filesystem inside it. The initramfs opens the partition as /dev/mapper/root regardless of the name you used with luksOpen during the install. root_trim=yes passes TRIM/discard through the encrypted device, which is good for the SSD but reveals which blocks are unused; leave it out if that matters to you.

GRUB_CMDLINE_LINUX="crypt_root=UUID=<LUKS-PARTITION-UUID-HERE> root=/dev/mapper/root root_trim=yes"
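Getting the wrong UUID into crypt_root= is the step that most often leaves you at an initramfs prompt, so here is an added check (my own example, not from the original post or genkernel) that compares the UUID in a /etc/default/grub file against the crypto_LUKS entry in saved lsblk -o name,uuid,fstype output. The UUIDs and file contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that crypt_root=UUID=
# in /etc/default/grub names the LUKS partition (fstype crypto_LUKS), not the
# btrfs filesystem inside the opened mapper device. Inputs are plain text
# files; on a live system save `lsblk -o name,uuid,fstype` to a file first.

# Print the UUID following crypt_root=UUID= on the GRUB_CMDLINE_LINUX line.
grub_crypt_uuid() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*crypt_root=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}

# Print the UUID of the first device whose FSTYPE column is crypto_LUKS.
# lsblk's tree prefix stays attached to the name, so UUID is always field 2.
luks_part_uuid() {
    awk '$3 == "crypto_LUKS" { print $2; exit }' "$1"
}

# Succeed (exit 0) only if both UUIDs were found and are identical.
check_crypt_root() {
    g=$(grub_crypt_uuid "$1")
    l=$(luks_part_uuid "$2")
    [ -n "$g" ] && [ -n "$l" ] && [ "$g" = "$l" ]
}

# Constructed sample data (UUIDs are made up for this demo).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/lsblk.txt" <<'EOF'
NAME         UUID                                 FSTYPE
nvme0n1
├─nvme0n1p1  1234-ABCD                            vfat
└─nvme0n1p2  11111111-2222-3333-4444-555555555555 crypto_LUKS
  └─root     66666666-7777-8888-9999-000000000000 btrfs
EOF
cat > "$SAMPLE_DIR/grub.ok" <<'EOF'
GRUB_CMDLINE_LINUX="crypt_root=UUID=11111111-2222-3333-4444-555555555555 root=/dev/mapper/root root_trim=yes"
EOF
# The classic mistake: pasting the btrfs UUID of /dev/mapper/root instead.
cat > "$SAMPLE_DIR/grub.bad" <<'EOF'
GRUB_CMDLINE_LINUX="crypt_root=UUID=66666666-7777-8888-9999-000000000000 root=/dev/mapper/root root_trim=yes"
EOF

if check_crypt_root "$SAMPLE_DIR/grub.ok" "$SAMPLE_DIR/lsblk.txt"; then
    echo "grub.ok: crypt_root matches the LUKS partition"
fi
if ! check_crypt_root "$SAMPLE_DIR/grub.bad" "$SAMPLE_DIR/lsblk.txt"; then
    echo "grub.bad: crypt_root does NOT match the LUKS partition"
fi
```

On a real install, run it as check_crypt_root /etc/default/grub saved-lsblk.txt and only continue to grub-mkconfig when it succeeds.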

Install GRUB and generate its configuration:

root # grub-install --target=x86_64-efi --efi-directory=/boot --removable
root # grub-mkconfig -o /boot/grub/grub.cfg

Continue setting up your system and reboot. This should bring up GRUB, followed by the LUKS passphrase prompt.