# Linux(Gentoo) Encrypted setup Install Commands (part1)
## Intro
These commands are written with Gentoo in mind. Most of them translate to any other Linux install with little or no effort: Gentoo uses the plain, generally available infrastructure and tools by default, so even if they are not the default on your distro of choice, the tooling your distro provides most likely runs these same commands under the hood.
## Preparation
### Starting
```bash
su -c 'nohup konsole &'
byobu # or tmux
```
### Consts:
-> change these to suit your setup
```bash
# sectors per GiB at 512-byte sectors, used for the sgdisk size arithmetic below
export SIZE_GBSECTORS=$((1024*1024*1024/512))
export ROOT_NEW="/mnt/gentoo"
export ROOT_OLD="/"
# ESP size in GiB
export SIZE_ESP=4
# the USB boot drive (whole device, not a partition)
export ESPDEV="/dev/sdi"
export LUKSVOLLABEL="GENTOOCRYPT"
export VOLUMELABEL="GENTOO"
export MAPPERLABEL="GENTOO"
export ROOTVOLLABEL="GENTOO"
export INSTALLROOTDIR="gentoo"
# logical volume sizes in GiB
export ROOTSIZEGB="512"
export SWAPSIZEGB="64"
```
### Variables (Gentoo only):
```bash
export MIRROR="http://mirror.yandex.ru/gentoo-distfiles/releases/amd64/autobuilds/"
# export LATEST="latest-stage3-amd64-desktop-systemd-mergedusr.txt"
export LATEST="latest-stage3-amd64-desktop-systemd.txt"
# The index file is a few '#' comment lines followed by "<path> <size>" lines; take the path field of the stage3 line
export STAGE3_URL="${MIRROR}$(curl --silent "${MIRROR}${LATEST}" | grep -v '^#' | grep systemd | awk '{print $1}')"
```
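The `curl | grep | awk` line above depends on the layout of Gentoo's `latest-stage3-*.txt` index. The following is an added example (not part of the original notes) showing a small POSIX sh parser for that layout that fails loudly when no matching tarball line is present, and that also derives the URLs of the detached `.asc` signature and `.DIGESTS` file published beside each tarball, so the download can be verified before it is unpacked. The index text is constructed sample data, and the mirror URL in the usage is a placeholder.

```shell
#!/bin/sh
# Constructed sample of a Gentoo "latest-stage3-*.txt" index: '#' comment
# lines, then "<path> <size-in-bytes>" lines. Example data, not a real release.
SAMPLE_LATEST='# Latest as of Mon, 01 Jan 2024 00:00:00 +0000
# ts=1704067200
20240101T000000Z/stage3-amd64-desktop-systemd-20240101T000000Z.tar.xz 300000000
'

# Print the tarball path (first field) of the first non-comment, non-empty
# line whose path contains the wanted profile substring and ends in .tar.xz.
# Returns 1 (and prints nothing) when no line matches.
stage3_path() {
    index="$1"; profile="$2"
    path=$(printf '%s\n' "$index" | awk -v want="$profile" '
        /^#/ || NF == 0 { next }
        index($1, want) && $1 ~ /\.tar\.xz$/ { print $1; exit }')
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Print three URLs: the tarball, its detached signature (.asc) and its
# digest file (.DIGESTS), all relative to the given mirror prefix.
stage3_urls() {
    mirror="$1"; path="$2"
    printf '%s%s\n' "$mirror" "$path"
    printf '%s%s.asc\n' "$mirror" "$path"
    printf '%s%s.DIGESTS\n' "$mirror" "$path"
}

# Usage with the constructed sample (mirror is a placeholder):
if p=$(stage3_path "$SAMPLE_LATEST" systemd); then
    stage3_urls "http://mirror.example.invalid/releases/amd64/autobuilds/" "$p"
else
    echo "no systemd stage3 in index" >&2
fi
```

In the real procedure the index text comes from `curl --silent "${MIRROR}${LATEST}"`; the `.asc` URL is what you hand to `gpg --verify` after importing Gentoo's release key.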
### Folders:
```bash
install -m 777 -d "$ROOT_OLD"/mnt/{"${INSTALLROOTDIR}"/,install/}
```
## Creating BootDrive:
For booting a kernel that does not live on the system itself (a portable USB stick, SD card, smartphone, etc.).
This drive will hold:
- Signed Linux Kernel
- LUKS keys
- LUKS headers (backup)
- EFI keys (backup)
### Gdisk:
run `gdisk` on the USB boot drive
note: you can use any partitioning program, but I suggest you at the very least use one that lets you create plain partitions (without a filesystem) and one that lets you set partition GUIDs.
Aside from `gdisk`, this includes GNU `parted` and `fdisk` (and `sfdisk`, `cfdisk`). The instructions below use `sgdisk`, the scriptable form of `gdisk` (also known as GPT fdisk).
```bash
# Partition 1: an ESP of SIZE_ESP GiB, type code EF00 (EFI System), partition name ESP
sgdisk --new=1:34:$(( 34 + SIZE_ESP*SIZE_GBSECTORS )) --typecode=1:EF00 --change-name=1:ESP "${ESPDEV}"
# The filesystem label is ESV; the partition label (PARTLABEL) set above is ESP
mkfs.vfat -F32 -n ESV /dev/disk/by-partlabel/ESP
```
### Mounting
```bash
mkdir -v /tmp/efiboot
mount -v -t vfat /dev/disk/by-label/ESV /tmp/efiboot
```
## Encrypted storage
Run gdisk on the target drive and create one partition for everything, of type Linux LUKS (gdisk type code 8309), with PARTLABEL `GENTOOCRYPT` (the value of `LUKSVOLLABEL` below).
pause
### Variables
```bash
export LUKSVOLLABEL="GENTOOCRYPT"
export VOLUMELABEL="GENTOO"
export MAPPERLABEL="GENTOO"
export ROOTVOLLABEL="GENTOO"
export GPGKEYCYPHER="AES256"
export CRYPTCYPHER="aes-xts-plain64"
export CRYPTHASH="whirlpool"
```
```bash
export GPG_TTY=$(tty)
# 8 MiB minus one byte of random key material (cryptsetup caps key files at 8 MiB), wrapped with a passphrase
dd if=/dev/urandom bs=8388607 count=1 | gpg --symmetric --cipher-algo "${GPGKEYCYPHER}" --output /tmp/efiboot/luks-key.gpg
# Format the container with the decrypted key on stdin; no filesystem label exists yet, so address the partition by PARTLABEL
gpg --decrypt /tmp/efiboot/luks-key.gpg | cryptsetup --cipher "${CRYPTCYPHER}" --key-size 512 --hash "${CRYPTHASH}" --key-file - luksFormat /dev/disk/by-partlabel/"${LUKSVOLLABEL}"
cryptsetup luksDump /dev/disk/by-partlabel/"${LUKSVOLLABEL}"
# Back up the LUKS header of the encrypted partition (not the boot drive) onto the boot drive
cryptsetup luksHeaderBackup /dev/disk/by-partlabel/"${LUKSVOLLABEL}" --header-backup-file /tmp/efiboot/luks-header.img
mkfifo /tmp/gpgpipe
echo RELOADAGENT | gpg-connect-agent   # drop the cached passphrase so gpg prompts again
echo "open a new tab and run the next block after pressing enter here:"
```
```bash
# Existing key comes from the fifo; the new passphrase (second keyslot) is prompted for
cryptsetup --key-file /tmp/gpgpipe luksAddKey /dev/disk/by-partlabel/"${LUKSVOLLABEL}"
```
```bash
gpg --decrypt /tmp/efiboot/luks-key.gpg | cat - >/tmp/gpgpipe
pause
cryptsetup luksDump /dev/disk/by-partlabel/"${LUKSVOLLABEL}"
rm -vf /tmp/gpgpipe
# Open the container with the gpg-wrapped key file written to the boot drive above
gpg --decrypt /tmp/efiboot/luks-key.gpg | cryptsetup --key-file - luksOpen /dev/disk/by-partlabel/"${LUKSVOLLABEL}" "${VOLUMELABEL}"
ls /dev/mapper
# LVM on top of the opened container: one PV, one VG, three LVs
pvcreate /dev/mapper/"${MAPPERLABEL}"
vgcreate vg1 /dev/mapper/"${MAPPERLABEL}"
lvcreate --size "${ROOTSIZEGB}"G --name root vg1
lvcreate --size "${SWAPSIZEGB}"G --name swap vg1
lvcreate --extents 95%FREE --name home vg1
pvdisplay
vgdisplay
lvdisplay
vgchange --available y
ls /dev/mapper
# The swap LV needs a swap signature before it can be activated
mkswap -L SWAP /dev/mapper/vg1-swap
swapon -v /dev/mapper/vg1-swap
```
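After `luksAddKey` the notes run `cryptsetup luksDump` again and leave the reader to eyeball the result. The following added example (not part of the original notes) parses a LUKS2 `luksDump` report in POSIX sh and turns that eyeballing into a check: at least two keyslots must be active (the gpg-wrapped key file on the removable drive plus the passphrase fallback, so losing the USB stick does not lock you out) and the data segment cipher must match the intended `CRYPTCYPHER`. The dump text is a constructed, abridged sample; in practice you would feed it `cryptsetup luksDump /dev/disk/by-partlabel/"${LUKSVOLLABEL}"`.

```shell
#!/bin/sh
# Constructed, abridged sample of `cryptsetup luksDump` output for a LUKS2
# header with two keyslots. Not taken from a real device.
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           11111111-2222-3333-4444-555555555555
Label:          (no label)

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        length: (whole device)
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        AF hash:    whirlpool
  1: luks2
        Key:        512 bits
        Priority:   normal
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        AF hash:    whirlpool
Tokens:
Digests:
  0: pbkdf2
        Hash:       whirlpool
'

# Derived sample with only keyslot 0 (everything from "  1: luks2" up to
# "Tokens:" dropped), i.e. the state right after luksFormat.
SAMPLE_ONE_SLOT=$(printf '%s\n' "$SAMPLE_DUMP" | awk '/^  1: luks2/ { skip = 1 } /^Tokens:/ { skip = 0 } !skip')

# Count active keyslots: "  N: luks2" entries inside the Keyslots: section.
# Any unindented line ends the section.
count_keyslots() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }
        in_slots && /^  [0-9]+: / { n++ }
        END { print n + 0 }'
}

# Print the cipher of the first data segment from the Data segments: section.
segment_cipher() {
    printf '%s\n' "$1" | awk '
        /^Data segments:/ { in_seg = 1; next }
        /^[A-Za-z]/       { in_seg = 0 }
        in_seg && $1 == "cipher:" { print $2; exit }'
}

# Return 0 when the header has at least two keyslots and the expected cipher;
# otherwise explain on stderr and return 1.
check_luks_dump() {
    dump="$1"; want_cipher="$2"
    slots=$(count_keyslots "$dump")
    cipher=$(segment_cipher "$dump")
    [ "$slots" -ge 2 ] || { echo "only $slots keyslot(s) active: no fallback passphrase" >&2; return 1; }
    [ "$cipher" = "$want_cipher" ] || { echo "segment cipher '$cipher' is not '$want_cipher'" >&2; return 1; }
    return 0
}

# Usage with the constructed samples:
check_luks_dump "$SAMPLE_DUMP" aes-xts-plain64 && echo "two-slot header OK"
check_luks_dump "$SAMPLE_ONE_SLOT" aes-xts-plain64 || echo "single-slot header rejected"
```

Run the same function on a dump of the header backup (`cryptsetup luksDump --header /tmp/efiboot/luks-header.img` against any block device) to confirm the backup taken earlier in the procedure is a usable copy and not a stale one-slot header.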
#### Creating filesystems
I will be using F2FS, which is good for speed on NVMe drives; read the manpages for the filesystem of your choice. I would avoid BTRFS for the root, as well as ZFS and EXT2, and pick what suits your needs best out of F2FS, XFS, NILFS2 and JFS.
```bash
mkfs.f2fs -f -l "${ROOTVOLLABEL}" -O extra_attr,inode_checksum,sb_checksum,flexible_inline_xattr -w 4096 /dev/mapper/vg1-root
mkfs.f2fs -f -l HOME -O extra_attr,inode_checksum,sb_checksum,flexible_inline_xattr -w 4096 /dev/mapper/vg1-home
# Mount the root LV (named "root" in vg1 above) at the new root directory
mount -t f2fs -o rw,relatime,lazytime,background_gc=on,discard,no_heap,inline_xattr,inline_data,inline_dentry,flush_merge,extent_cache,mode=adaptive,active_logs=6,alloc_mode=default,checkpoint_merge,fsync_mode=posix,discard_unit=block /dev/mapper/vg1-root "${ROOT_NEW}"
```