This is my personal reference and installation sequence. The following steps outline my approach to setting up a secure, encrypted Gentoo system.
For the official documentation and comprehensive guides, refer to the Gentoo Handbook and Full Disk Encryption From Scratch.
First, partition the disk using cfdisk:
cfdisk /dev/nvme0n1
Create the EFI boot partition:
mkfs.vfat -F32 /dev/nvme0n1p1
Create the boot partition:
mkfs.ext4 /dev/nvme0n1p2
Set up LUKS2 encryption with Argon2id for the root partition, open it, and create the filesystem inside the container:
cryptsetup luksFormat --type luks2 --pbkdf argon2id /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 root
mkfs.ext4 /dev/mapper/root
Mount the encrypted root partition:
mount /dev/mapper/root /mnt/gentoo
Create and mount boot directory:
mkdir -p /mnt/gentoo/boot
mount /dev/nvme0n1p2 /mnt/gentoo/boot
Create and mount EFI directory:
mkdir -p /mnt/gentoo/boot/efi
mount /dev/nvme0n1p1 /mnt/gentoo/boot/efi
Download and extract the stage3 tarball (wget does not expand the wildcard, so substitute the actual file name from the autobuilds directory):
cd /mnt/gentoo
wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64/stage3-amd64-*.tar.xz
tar xpf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
Next, proceed with the standard Gentoo installation steps from the official handbook: mounting the remaining filesystems, configuring Portage, chrooting, setting the timezone, configuring the locale, and installing a kernel (I use gentoo-kernel-bin).
Install and configure Dracut for LUKS2 boot:
emerge sys-kernel/dracut
Then list the UUIDs needed in the next steps: the LUKS container on nvme0n1p3 and the ext4 filesystem inside /dev/mapper/root are two different UUIDs.
lsblk -o name,uuid
Configure Dracut for encrypted root:
echo 'add_dracutmodules+=" crypt dm rootfs-block "' >> /etc/dracut.conf
Configure kernel command line parameters:
echo 'kernel_cmdline+=" root=UUID=<root_filesystem_uuid> rd.luks.uuid=<luks_device_uuid> "' >> /etc/dracut.conf
Generate initramfs:
dracut --kver=$(ls /lib/modules/)
Configure /etc/fstab with proper UUIDs:
# /etc/fstab: static file system information.
#
# <fs>                        <mountpoint>  <type>  <opts>    <dump/pass>
# Root filesystem (encrypted)
UUID=<root_filesystem_uuid>   /             ext4    defaults  0 1
# Boot partition (unencrypted)
UUID=<boot_filesystem_uuid>   /boot         ext4    defaults  0 2
# EFI System Partition
UUID=<efi_partition_uuid>     /boot/efi     vfat    defaults  0 2
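As an added helper that is not part of these notes, the script below reads `lsblk -o name,uuid` output, looks up the UUIDs for the layout above and emits the dracut kernel_cmdline line and the three fstab entries, refusing to continue when the root filesystem UUID and the LUKS container UUID are missing or identical (the usual sign that the wrong device was picked). The lsblk output and all UUIDs are constructed placeholders; on a real system pipe live lsblk output into uuid_of instead.

```shell
#!/bin/sh
# Constructed sample of `lsblk -o name,uuid` for the partition layout in these notes.
# UUIDs are placeholders, not values from a real system.
LSBLK_SAMPLE='NAME        UUID
nvme0n1
├─nvme0n1p1 1A2B-3C4D
├─nvme0n1p2 6f1d2e3c-0000-4000-8000-00000000b007
└─nvme0n1p3 7e8f9a0b-0000-4000-8000-00000000c0de
  └─root    2c3d4e5f-0000-4000-8000-0000000000f5'

# Print the UUID of one device name from lsblk output on stdin,
# stripping the tree-drawing characters lsblk prefixes to child devices.
uuid_of() {
    awk -v name="$1" '
        NR > 1 { sub(/^[^A-Za-z0-9_-]*/, "", $1); if ($1 == name) { print $2; exit } }'
}

# Build the dracut.conf kernel_cmdline line. root= must be the ext4 filesystem
# UUID inside /dev/mapper/root; rd.luks.uuid= must be the LUKS container UUID.
dracut_cmdline() {
    fs_uuid=$1; luks_uuid=$2
    if [ -z "$fs_uuid" ] || [ -z "$luks_uuid" ] || [ "$fs_uuid" = "$luks_uuid" ]; then
        echo "uuid lookup failed or root/LUKS UUIDs are identical" >&2
        return 1
    fi
    printf 'kernel_cmdline+=" root=UUID=%s rd.luks.uuid=%s "\n' "$fs_uuid" "$luks_uuid"
}

# Emit the fstab lines for /, /boot and /boot/efi in the order used in these notes.
fstab_entries() {
    printf 'UUID=%s / ext4 defaults 0 1\n' "$1"
    printf 'UUID=%s /boot ext4 defaults 0 2\n' "$2"
    printf 'UUID=%s /boot/efi vfat defaults 0 2\n' "$3"
}

# On a live system: lsblk -o name,uuid | uuid_of root
ROOT_FS=$(printf '%s\n' "$LSBLK_SAMPLE" | uuid_of root)
LUKS=$(printf '%s\n' "$LSBLK_SAMPLE" | uuid_of nvme0n1p3)
BOOT=$(printf '%s\n' "$LSBLK_SAMPLE" | uuid_of nvme0n1p2)
EFI=$(printf '%s\n' "$LSBLK_SAMPLE" | uuid_of nvme0n1p1)
dracut_cmdline "$ROOT_FS" "$LUKS"
fstab_entries "$ROOT_FS" "$BOOT" "$EFI"
```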
For the remaining steps including bootloader installation (GRUB), user management, and system finalization, follow the official Gentoo Handbook.
Btw you don't need to set GRUB_ENABLE_CRYPTODISK=y in GRUB configuration since GRUB will not prompt for decryption. The /boot partition remains unencrypted, so GRUB can directly access the kernel and initramfs. The LUKS decryption is handled by Dracut during the initramfs stage after GRUB has already loaded the kernel.