Booting Gentoo with LUKS+LVM2+systemd

I’ve spent quite some time recently trying to get a laptop running Gentoo boot from an encrypted partition with LVM.
I thought that this might be useful for someone else, so here you are:

First things first: I’m assuming you’ve followed Gentoo handbook and are operating from within livecd’s shell.
You’ve done the regular luksFormat + lvm stuff and you’ve come up with a layout similar to this one:

dagrey ~ # lsblk
NAME                          SIZE TYPE  MOUNTPOINT
sda                           55.9G disk
└─sda1                        55.9G part
  └─crypthome (dm-3)          55.9G crypt /home
sdb                           29.8G disk
├─sdb1                       485.4M part  /boot
└─sdb2                        29.4G part
  └─root_sdb2-vg-root (dm-0)  29.3G crypt
    ├─vg-swap (dm-1)             8G lvm   [SWAP]
    └─vg-root (dm-2)          21.3G lvm   /

You need a kernel to boot this, a kernel that understands crypto stuff as well as lvm.

genkernel --symlink --save-config --no-mrproper --luks --lvm --udev --menuconfig all

If you’re using gentoo-sources you’d notice the fancy gentoo-specific menu on top.
Go there and check systemd. Apart from the usual stuff, please make sure to check stuff on this list, and also this one:

Device Drivers
 Multi-device support (RAID and LVM)
 [*] Multiple devices driver support (RAID and LVM)
 <*>  Device mapper support
 <*>  Crypt target support

Cryptographic API 
 <*>  SHA256 digest algorithm
 <*>  AES cipher algorithms

Your setup is so new that you need grub2.
Grub2 is very picky about its configuration. Take this one and avoid hours of reading:

dagrey ~ # cat /etc/default/grub




# Append parameters to the linux kernel command line
GRUB_CMDLINE_LINUX="real_init=/usr/bin/systemd quiet real_root=/dev/mapper/vg-root crypt_root=/dev/sdb2 dolvm acpi_backlight=vendor"

You’re using initrd to set everything up for the kernel, so you need real_root and real_init instead of regular ones. cryptdevice no longer works, use crypt_root
And dolvm is essential, without it only the first part will work, leaving you with open crypt container and kernel panic just afterwards.

Make sure the first partition on the disk you’re installing grub onto is starting at 2048.
If it’s any earlier grub just won’t be able to fit its magic in there.
Finally, install grub

grub2-install --modules="configfile linux crypto search_fs_uuid luks lvm" --recheck /dev/sda
grub2-mkconfig -o /boot/grub/grub.cfg

That should be sufficient to boot the system and initialize root.
What about those other encrypted partitions like /home though ?

Well, init subsystem needs to initialize them,
OpenRC did such by reading /etc/fstab and then /etc/dmcrypt/dmcrypt.conf accordingly.
Systemd is a bit different here. You still need your /etc/fstab entries for it to know which partitions need to be initialized.
The place where you say how to map and decrypt crypto containers, however, is in /etc/crypttab.

dagrey ~ # cat /etc/fstab

/dev/sdb1              /boot     ext2    defaults    1 2
/dev/mapper/vg-root    /         ext4    defaults    0 1
/dev/mapper/vg-swap    none      swap    sw          0 0
/dev/mapper/crypthome  /home     ext4    defaults    0 2

dagrey ~ # cat /etc/crypttab
#crypthome /dev/sda1
crypthome /dev/sda1 /etc/conf.d/dmcrypt.key

The keyfile is available from then already decrypted root partition.
You can also skip the key and the you’ll get a password prompt, sometimes hidden somewhere in systemd messages. Hit enter to reveal it once more

CC BY-SA 4.0
Booting Gentoo with LUKS+LVM2+systemd by Adventurous Computing is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Flattr this!

New dotfiles repository
30C3 day 1
  • ben_bailess

    Dude. This is awesome. I’ve been trying to get this working for… awhile now. I always messed up at the grub / boot stuff. Much appreciated!

    • cyplo

      No problem, I’ve spent couple of hours trying 😉
      Let me know how it went and feel free to leave any questions here or shoot me an email at

  • Malcom York

    Great post cyplo!
    I’ve been trying to do this for awhile, and I still can’t. Could you give me a hand on this?
    My basic scheme would be like this:

    /dev/sda1 — /boot (ext4, unencrypted)
    /dev/sda5 — LUKS encrypted
    /dev/mapper/vg-root — lvm2 root fs

    I was able to do all the configuration as you explained, but there it’s not really working. As soon as I boot, all I get is a “Loading initial ramdisk …” message, no password promt, no kernel panic, nothing.

    • cyplo

      Hi ! thanks for the question :)
      I can try to replicate the result using this post again, using the newest gentoo live cd, I might have some time over the weekend to do so.
      If I find any blockers I will definitely post an update here, if not we can try to setup some remote help session of some sort.
      In the meantime, you can always try hitting the gentoo folks on IRC using one computer and having live session open on the other. The guys and gals there are very helpful. []