To add my 2¢: I have 3 working setups almost done by this guide: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS which results in either unencrypted /boot on drive or booting from stick. The resulting layout is the following:

/dev/sda1  /boot
/dev/sda2  dm-crypt container with LVM vg atop of it

In the vg is:

vg-root
vg-swap
vg-home

All you need is to build an initram and pass it as an argument to a pre-configured kernel (with the needed encryption and hash algorithms built in). Initram scripts are on github here: https://github.com/tokiclover/mkinitramfs-ll

Hope it helps; if not, contact me (the first time I needed to reinstall the system three times before a successful boot, but at that time I was a complete noob in gentoo).

S

Neil Bothwick <n...@digimed.co.uk> wrote:

>On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:
>
>> >> I just have to make sure to leave nothing private on root, /usr
>> >> or /etc.
>> >
>> > Like your passwd and shadow files?
>
>> *g*, good point. However, I'm willing to take the risk on just these
>> two: passwd doesn't contain anything of considerable interest. shadow
>> contains exactly two passwords, both as sha256-sums (or similar, did not
>> really check). The passwords themselves are in excess of 90 bit entropy,
>> depending on how you estimate it.
>>
>> Most of the rest which might be of interest and is usually in /etc can
>> be symlinked there from a safe location in /var.
>
>I used to do that, but as the number of sensitive directories grew -
>samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
>and forget about it.
>
>
>--
>Neil Bothwick
>
>When you go to court you are putting yourself in the hands of 12 people
>that were not smart enough to get out of jury duty.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
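The post above relies on the kernel having the encryption and hash algorithms built in, because with an encrypted root any module (=m) would live on the very filesystem that is still locked at boot. As an added example (not from the post, the wiki guide or mkinitramfs-ll), a POSIX shell check that a kernel .config has the dm-crypt pieces as =y; the option names are real kernel symbols, and the aes-xts / sha256 set is my assumption of the usual LUKS defaults.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that the listed kernel
# options are built in (=y). A value of =m is flagged because a module stored
# on an encrypted root cannot be loaded before that root is unlocked (unless
# the initramfs carries it). Cipher/hash set below is an assumed LUKS default.
REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256"

# check_kernel_config <path-to-.config>
# Prints one line per problem; returns 0 only if every required option is =y.
check_kernel_config() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        # Match the exact symbol at line start, e.g. "CONFIG_DM_CRYPT=y".
        line=$(grep -E "^${opt}=" "$cfg" 2>/dev/null | head -n 1)
        case "$line" in
            "${opt}=y") ;;
            "${opt}=m") echo "WARN: $opt is a module (=m); build it in (=y)"; rc=1 ;;
            *)          echo "MISSING: $opt is not set"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample .config fragments for demonstration (not real kernel output):
# $1 gets a good config, $2 a config with one module and one unset option.
write_sample_configs() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA256=y
EOF
    cat > "$2" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA256=y
EOF
}
```

Run it against a real tree with `check_kernel_config /usr/src/linux/.config` before building the kernel the initramfs is passed to.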