Conversation

Maddy 🏳️‍⚧️ - ADHD-powered neofox_googly_woozy

I got bored and looked into full disk encryption on Gentoo’s wiki, and now I have a system that doesn’t boot because (IMO) the section isn’t fleshed out well enough.

I was under the impression I could get a LUKS container to unlock with GRUB, but that appears not to be the case, or they don’t clearly note the caveats in the GRUB or LUKS articles I’m reading.

At this point, I’m creating a 1G boot partition for initramfs, and that can take care of the decryption with the way I’ve configured Dracut.

2
0
0

Maddy 🏳️‍⚧️ - ADHD-powered neofox_googly_woozy

Edited 15 days ago

A lot of the Gentoo and Arch wikis feel like they’re super fleshed out in some areas because someone had a special interest in those topics, and others feel neglected due to lack of interest or I don’t know what.

1
0
0

Separate unencrypted /boot worked, and it asked me for my passphrase while loading initramfs!
Hell yeah, I managed full disk encryption while retaining the same install!

1
0
0

Not as easy as how Bitlocker can encrypt a live system, but I made it work.

Shrunk my known-good partition, booted a live Linux distro, created a LUKS container, formatted the partition within, mounted both the existing install and the encrypted partition, ran rsync retaining hard links, and using numeric IDs for permissions, excluding stuff like /dev /sys, etc.

Then I chrooted into the encrypted partition and did what I needed to get it booting, then I deleted the old unencrypted partition and expanded the new encrypted one. neofox_laptop_owo

2
0
0

@maddy GRUB does support LUKS, but currently no released version supports Argon2 for key derivation so you have to use PBKDF2 instead. The latest commit on the master branch supports Argon2 (and there were patches sitting on the mailing list for years adding it (which libreboot has used since 2023) which were finally merged a few months ago).

It's also really slow at unlocking disks compared to Linux (maybe it's improved now though, I'm not using the latest commit), so you might not actually want GRUB to unlock your disks if you care about that.

1
0
1
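The migration Maddy describes two posts up (shrink, live boot, new LUKS container, rsync with hard links and numeric IDs, chroot to fix booting) and the PBKDF caveat from noisytoot's reply, written out as one script. This is an added example, not code from anyone in the thread. It assumes a Gentoo-style system that uses dracut for the initramfs and GRUB for the bootloader with a separate unencrypted /boot, an ext4 root, and placeholder device names; run it as root from a live environment, or with DRY_RUN=1 to only print the privileged commands.

```shell
#!/bin/sh
# Added example (not from the thread): move an existing unencrypted root into
# a fresh LUKS2 container, then make the copy bootable on a dracut + GRUB
# system with a separate unencrypted /boot. Device names are placeholders.
# DRY_RUN=1 prints every privileged command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-0}"
# Key derivation for the LUKS2 keyslot. argon2id is cryptsetup's default;
# released GRUB versions can only unlock PBKDF2 keyslots, so set PBKDF=pbkdf2
# only if GRUB itself (not the initramfs) must open the container.
PBKDF="${PBKDF:-argon2id}"

run() {
    # Execute a command, or print it with a '+ ' prefix when DRY_RUN=1.
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

luks_uuid() {
    # UUID of the LUKS header; a constructed placeholder in dry-run mode.
    if [ "$DRY_RUN" = 1 ]; then
        echo "00000000-0000-0000-0000-000000000000"
    else
        blkid -s UUID -o value "$1"
    fi
}

rsync_root() {
    # -a archive, -H keep hard links, -A ACLs, -X xattrs, -x one filesystem,
    # --numeric-ids copies uid/gid verbatim instead of resolving names through
    # the live system's passwd. Pseudo-filesystems are excluded; the patterns
    # end in /* so the (empty) mount point directories still come across.
    run rsync -aHAXx --numeric-ids --info=progress2 \
        --exclude='/dev/*' --exclude='/proc/*' --exclude='/sys/*' \
        --exclude='/run/*' --exclude='/tmp/*' --exclude='/mnt/*' \
        --exclude='/media/*' --exclude='/lost+found' \
        "$1/" "$2/"
}

migrate() {
    old="$1"                # current unencrypted root partition, e.g. /dev/vda2
    new="$2"                # empty partition created from the freed space
    name="${3:-cryptroot}"  # device-mapper name for the opened container
    boot="${4:-}"           # optional: the separate /boot partition

    # 1. Container, mapping and filesystem.
    run cryptsetup luksFormat --type luks2 --pbkdf "$PBKDF" "$new"
    run cryptsetup open "$new" "$name"
    run mkfs.ext4 -L root "/dev/mapper/$name"

    # 2. Copy the installed system across (old root mounted read-only).
    run mkdir -p /mnt/old /mnt/new
    run mount -o ro "$old" /mnt/old
    run mount "/dev/mapper/$name" /mnt/new
    rsync_root /mnt/old /mnt/new

    # 3. Root now lives behind the mapper device, and dracut needs the
    #    container UUID on the kernel command line to ask for the passphrase.
    #    These lines are appended: remove the old root entry from fstab and
    #    merge GRUB_CMDLINE_LINUX with any existing one by hand.
    uuid=$(luks_uuid "$new")
    run sh -c "printf '%s\n' '/dev/mapper/$name / ext4 defaults 0 1' >> /mnt/new/etc/fstab"
    run sh -c "printf '%s\n' '$name UUID=$uuid none luks' >> /mnt/new/etc/crypttab"
    run sh -c "printf '%s\n' 'GRUB_CMDLINE_LINUX=\"rd.luks.uuid=$uuid root=/dev/mapper/$name\"' >> /mnt/new/etc/default/grub"

    # 4. Regenerate the initramfs and grub.cfg from inside the copy.
    for d in dev proc sys run; do run mount --rbind "/$d" "/mnt/new/$d"; done
    [ -z "$boot" ] || run mount "$boot" /mnt/new/boot
    run chroot /mnt/new /bin/sh -c 'dracut --force && grub-mkconfig -o /boot/grub/grub.cfg'
    run umount -R /mnt/new
    run umount /mnt/old
    run cryptsetup close "$name"
    echo "Migration finished; verify a boot before deleting $old."
}

# Only act when invoked with device arguments,
# e.g.  DRY_RUN=1 ./migrate.sh /dev/vda2 /dev/vda3 cryptroot /dev/vda1
[ $# -eq 0 ] || migrate "$@"
```

The old partition is only removed and the new one grown after a successful boot, which is the order the post used; `cryptsetup luksDump` on the new device shows which PBKDF the keyslot uses if there is any doubt about GRUB compatibility.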

Ooh, new kernel! Fingers crossed I can just update and reboot without any additional intervention. Dracut should be set up to automatically add the proper kernel_cmdline parameters and such.

1
0
0

Yup, rebooted, entered passphrase, booted just fine!

0
0
0

@noisytoot Ah, yeah, I just let Linux take care of it.

0
0
1

@maddy

Shrunk my known-good partition, booted a live Linux distro, created a LUKS container, formatted the partition within, mounted both the existing install and the encrypted partition, ran rsync retaining hard links, and using numeric IDs for permissions, excluding stuff like /dev /sys, etc.

what if I told you about cryptsetup reencrypt --encrypt, which, while it might require downtime for the LUKS formatting setup (and booting-related changes), works even when using the system while re-encrypting? :p

1
0
0
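The in-place route from the reply above, as an added example that is not code from anyone in the thread. It follows the cryptsetup-reencrypt(8) online-encryption flow as I understand it: shrink the ext4 filesystem offline by 32 MiB to make room for the LUKS2 header, initialise the header with --init-only (which needs the filesystem unmounted), then let the bulk re-encryption run with --resume-only while the system is mounted and in use. Device names and the dry-run device size are placeholders; the boot configuration changes (root on /dev/mapper, rd.luks.uuid for dracut) are the same as for any LUKS root and are not repeated here. Take a backup first: re-encryption rewrites every sector.

```shell
#!/bin/sh
# Added example (not from the thread): encrypt an existing ext4 root in place
# with cryptsetup reencrypt --encrypt. Header setup is offline (live system);
# the bulk re-encryption can continue while the filesystem is in use.
# Device names are placeholders; DRY_RUN=1 prints commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"
HEADER_MIB=32   # space reserved for the LUKS2 header, as in cryptsetup(8) examples

run() {
    # Execute a command, or print it with a '+ ' prefix when DRY_RUN=1.
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

device_mib() {
    # Size of the block device in MiB; a constructed 40 GiB in dry-run mode.
    if [ "$DRY_RUN" = 1 ]; then
        echo 40960
    else
        echo $(( $(blockdev --getsize64 "$1") / 1048576 ))
    fi
}

shrunk_size_mib() {
    # Target filesystem size: the device minus the header reservation.
    echo $(( $1 - HEADER_MIB ))
}

shrink_fs() {
    # Shrinking ext4 must be done unmounted, and resize2fs refuses to run
    # without a forced fsck first.
    dev="$1"
    target=$(shrunk_size_mib "$(device_mib "$dev")")
    run e2fsck -f "$dev"
    run resize2fs "$dev" "${target}M"
}

encrypt_in_place() {
    dev="$1"; name="${2:-cryptroot}"
    shrink_fs "$dev"
    # Write the LUKS2 header into the freed space and activate the device as
    # /dev/mapper/$name without re-encrypting any data yet (--init-only).
    # The filesystem is usable through the mapper device from this point.
    run cryptsetup reencrypt --encrypt --init-only \
        --reduce-device-size "${HEADER_MIB}M" "$dev" "$name"
    echo "Header written; mount /dev/mapper/$name, fix fstab/crypttab/initramfs,"
    echo "then run resume_encryption $dev (may be interrupted and re-run)."
}

resume_encryption() {
    # Start or continue the bulk re-encryption. Progress is checkpointed in the
    # LUKS2 header, so a reboot or interruption only pauses it.
    run cryptsetup reencrypt --resume-only "$1"
}

# e.g.  DRY_RUN=1 ./inplace.sh /dev/vda2        (initialise)
#       DRY_RUN=1 ./inplace.sh --resume /dev/vda2  (continue online)
if [ $# -ge 1 ]; then
    if [ "$1" = "--resume" ]; then resume_encryption "$2"; else encrypt_in_place "$@"; fi
fi
```

Until `cryptsetup reencrypt --resume-only` has finished, the tail of the device is still plaintext, so the system is not fully encrypted at rest the moment it boots from the mapper device; `cryptsetup luksDump` shows whether a reencryption is still in progress.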

@jacksonchen666 That’s what I learned about a little earlier on the Arch Wiki, and I’m currently attempting on a different machine! ^.^

1
0
0