gentoo lvm on luks install (full-disk encrypt, inc. /boot)

# gentoo lvm on luks install (full-disk encrypt, inc. /boot)
# thanks to https://wycd.net/posts/2015-01-04-gentoo-full-disk-encryption-lvm-on-luks.html
# note: you can't automate this entire script. it's merely a list of commands that you go through 1 by 1
# note: systemd not supported

# download gentoo minimal installation iso from https://www.gentoo.org/downloads, write to USB stick
dd if=install-amd64-minimal-20181213T214502Z.iso of=/dev/sdd bs=1M status=progress

# boot from USB, upon shell prompt, continue with commands.
# note: make sure you have an internet connection

# find which HDD you want to install gentoo to. we're going to assume /dev/sda
lsblk

# create new partition table
dd if=/dev/zero of=/dev/sda bs=512 count=1 conv=notrunc
echo -ne "n\np\n1\n\n\nt 1\n83\nw\n" | fdisk /dev/sda

# create a luks partition
# to state the obvious: DON'T forget the password
modprobe dm-crypt aes sha256
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 main

# create lvm disks, volumes and partitions on top of the luks partition
# feel free to change how you partition your disk. make sure swap partition is
# at least 2 times the size of your memory.
# in this example, we're giving 1gb to /boot, 8gb of swap, and the root takes the rest
pvcreate /dev/mapper/main
vgcreate vg1 /dev/mapper/main
lvcreate -L 1G       -n boot vg1
lvcreate -L 8G       -n swap vg1
lvcreate -l 100%FREE -n root vg1

# initialize filesystems on logical partitions
mkfs.ext2 -L /boot /dev/vg1/boot
mkswap    -L /swap /dev/vg1/swap
mkfs.ext4 -L /     /dev/vg1/root

# mount our HDD partitions so we can write files to disk
mount /dev/vg1/root /mnt/gentoo
mkdir -p /mnt/gentoo/boot
mount /dev/vg1/boot /mnt/gentoo/boot
swapon /dev/vg1/swap

# download stage 3 tarball of your choice from from https://www.gentoo.org/downloads
cd /mnt/gentoo
wget http://distfiles.gentoo.org/releases/amd64/autobuilds/20181213T214502Z/stage3-amd64-20181213T214502Z.tar.xz
tar xf stage3-amd64-20181213T214502Z.tar.xz
rm -rf stage3-amd64-20181213T214502Z.tar.xz
cp -L /etc/resolv.conf /mnt/gentoo/etc/
mount -o bind /proc /mnt/gentoo/proc
mount -o bind /sys /mnt/gentoo/sys
mount -o bind /dev /mnt/gentoo/dev

# down the rabbit hole
chroot /mnt/gentoo /bin/bash
source /etc/profile && export PS1="(chroot) $PS1"

# sync portage
emerge-webrsync

# set profile
eselect profile list
eselect profile set ###

# install vim if you're not a bitch
emerge -av app-editors/vim app-misc/tmux

# set time
ls /usr/share/zoneinfo
echo "America/New_York" > /etc/timezone
emerge --config sys-libs/timezone-data

# set locale
vim /etc/locale.gen
locale-gen
eselect locale list
eselect locale set ###

# add your HDD partitions to fstab:
#     /dev/vg1/root /     ext4 defaults,noatime  0 1
#     /dev/vg1/swap none  swap sw                0 0
#     /dev/vg1/boot /boot ext2 noatime           0 1
vim /etc/fstab

#change root password
passwd

# system tools https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Tools
# dhcpcd       https://wiki.gentoo.org/wiki/Network_management_using_DHCPCD
# note: additional config is required if you use wireless, read dhcpcd article
emerge -av app-admin/syslog-ng sys-process/cronie net-misc/dhcpcd
rc-update add syslog-ng default
rc-update add cronie default
rc-update add sshd default
rc-update add dhcpcd default

# install genkernel with cryptsetup USE flag for luks support
echo "sys-kernel/genkernel cryptsetup" >> /etc/portage/package.use/genkernel
emerge -av sys-fs/cryptsetup sys-kernel/gentoo-sources sys-kernel/genkernel

# in genkernel, make sure the following is set
#     # Don't overwrite /usr/src/linux/.config
#     MRPROPER="no"
#     # Number of logical CPUs
#     MAKEOPTS="-j2"
#     # Ability to open LVM partitions
#     LVM="yes"
#     # Ability to decrypt
#     LUKS="yes"
#     # Default real_root variable (redundant, because it's specified via GRUB2)
#     REAL_ROOT="/dev/vg1/root"
#     # This overlays arbitrary files into the initramfs
#     INITRAMFS_OVERLAY="/boot/overlay"
vim /etc/genkernel.conf

cd /usr/src/linux
# 1. configure the kernel
# https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
# 2. enable dm-crypt in the kernel config
# https://wiki.gentoo.org/wiki/Dm-crypt#Kernel_Configuration

# as an example, here's my own 4.14.52 config, customize however you like, update it if using a newer kernel.
# note: best to keep a backup of your configs for each kernel version
wget -O .config_4.14.52 https://pastebin.com/raw/6WAuteW1

# to configure the kernel
make menuconfig
# you can load config files, make your modifications, and save them
# loading: https://i.imgur.com/b3fwmnt.png
# saving: https://i.imgur.com/hfKLGKd.png
# assuming you save the new config as .config_4.14.52_modified

# this will take a while
genkernel --lvm --luks --kernel-config=/usr/src/linux/.config_4.14.52_modified all

# grub
echo "sys-boot/grub device-mapper" >> /etc/portage/package.use/grub
emerge -av grub:2
echo 'GRUB_ENABLE_CRYPTODISK=y' >> /etc/default/grub
echo 'GRUB_CMDLINE_LINUX="udev dolvm crypt_root=/dev/sda1 root_key=disk.key real_root=/dev/vg1/root cryptdevice=/dev/sda1:vg1-boot"' >> /etc/default/grub

# install grub bootloader onto disk
mkdir /boot/grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda

# add key so we don't have to enter luks password twice on boot
# note: At rest, the key will always be safely residing on your encrypted disk.
mkdir -p /boot/overlay/mnt/key
dd bs=1024 count=4 if=/dev/urandom of=/boot/overlay/mnt/key/disk.key
cryptsetup luksAddKey /dev/sda1 /boot/overlay/mnt/key/disk.key

# log out of chroot, remove usb/iso, reboot, login as root, then add a user
useradd -m -G users,wheel,audio,video,usb -s /bin/bash joe
passwd joe

SOME REMAINING RISKS
Someone could still hack your BIOS
Someone could still hack GRUB2
Someone could still hack your hardware
Someone could hold your kneecaps hostage with a $5 wrench