Okay, so far I have set up this:

/dev/sda1 - /boot (unencrypted)
/dev/sda2 - swap (not yet set up, will be encrypted)
/dev/sda3 - / (encrypted)

/dev/sda3 is the underlying drive, where I used gpg:

# gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
# gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
# dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
# mkfs.ext4 -L root /dev/mapper/encVol

Now I continued as usual with the Gentoo handbook (mount all, copy things on 
it, etc.)

After I compiled the kernel and emerged cryptsetup on the new system, I edited 
/boot/grub/grub.conf:
-----------------------------------------------
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title Gentoo Linux
root (hd0,0)
kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
-----------------------------------------------
(I read not to use real_root, but crypt_root instead?)

Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab ) and did:
# grub-install --no-floppy /dev/sda

Still as usual. Now it is downloading plymouth (to have some cool things) + 
dracut (easiest way, as I read in the wiki).

I also had to expand /etc/make.conf (not /etc/portage/make.conf ??? Is this a 
mistake in the handbook?):

-----------------------------------------------
DRACUT_MODULES="crypt_gpg plymouth"
-----------------------------------------------

Now I really hope that, after I have installed dracut on it, I can boot it and 
the initrd will be updated. It needs at least some kernel modules (e.g. 
dm_crypt, ext4, sha512_generic, aes_generic) plus the gpg and cryptsetup tools 
to actually decrypt the hard drive.

Regards,
  Roland
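
Added example (not part of Roland's message): a shell check for the requirements listed in the last paragraph, run over an initramfs file listing such as the output of dracut's lsinitrd or of cpio -t. The function name, the path patterns and the sample listing are assumptions constructed for illustration; a component compiled into the kernel instead of built as a module is reported as missing even though it is available at boot.

```shell
#!/bin/sh
# Added example: report which components needed to unlock a GPG-protected
# LUKS root are absent from an initramfs file listing read on stdin.
# Prints the missing names space-separated; returns 0 only if none are missing.
missing_from_initramfs() {
    listing=$(cat)
    missing=""
    # Kernel modules named in the post; '-' and '_' are interchangeable
    # in module file names, so match either.
    for mod in dm_crypt ext4 sha512_generic aes_generic; do
        pat=$(printf '%s' "$mod" | sed 's/_/[-_]/g')
        printf '%s\n' "$listing" | grep -Eq "/${pat}\.ko(\.(gz|xz|bz2))?\$" \
            || missing="$missing $mod"
    done
    # Userspace tools: any path whose final component is the binary name.
    for bin in gpg cryptsetup; do
        printf '%s\n' "$listing" | grep -Eq "(^|/)${bin}\$" \
            || missing="$missing $bin"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample listing (one path per line, as `cpio -t` would print).
SAMPLE_LISTING='lib/modules/3.3.8-gentoo/kernel/drivers/md/dm-crypt.ko
lib/modules/3.3.8-gentoo/kernel/fs/ext4/ext4.ko
lib/modules/3.3.8-gentoo/kernel/crypto/sha512_generic.ko
sbin/cryptsetup
bin/busybox'

# Run the check on the sample; aes_generic and gpg are absent from it.
printf '%s\n' "$SAMPLE_LISTING" | missing_from_initramfs || true
```

Running the check before the first reboot shows whether the initramfs can unlock the root volume, while the install environment is still available to rebuild it.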
