
3. Disk Setup

3.1. Wiping Disks

The script expects the disks on which you want to install Gentoo Linux to be completely empty. If that's not the case, continue reading. Otherwise, continue with 3.2. Partitioning And Formatting.

If you use SSD(s), I recommend a Secure Erase. Alternatively, you can do a fast wipe the following way, given that no LUKS, MDADM, SWAP etc. device is open on the disk (copy&paste one command after the other):

# Change disk name to the one you want to wipe
disk="/dev/sdX"   # placeholder; use the device shown by "fdisk -l" or "lsblk"

# Partitions come first (sort -r), the disk itself last, so that partition
# signatures are gone before the partition table is erased.
for i in $(lsblk -npo kname "${disk}" | grep "^${disk}" | sort -r); do
    read -r -p "Do you want to wipe \"$i\"? Type uppercase \"yes\" to confirm. " wipe

    if [[ ${wipe} == YES ]]; then
        wipefs -a "$i"
    fi
done
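The precondition above (no LUKS, MDADM, swap or mounted device open on the disk) is easy to check before running wipefs. The helper below is an added example, not part of the original guide: check_lsblk_tree parses the output of lsblk -rno KNAME,TYPE,MOUNTPOINT so it can also be fed recorded output, and disk_is_quiescent runs it against a real disk. The function names are my own.

```bash
#!/bin/bash
# Reads lines of "KNAME TYPE MOUNTPOINT" on stdin, i.e. the format printed by
# "lsblk -rno KNAME,TYPE,MOUNTPOINT <disk>". MOUNTPOINT is empty for an
# unmounted device and "[SWAP]" for active swap.
# Returns 0 when only plain, unmounted disk/partition entries are present,
# 1 when a stacked device (crypt, raid*, lvm, ...) sits on top of the disk or
# anything is mounted; every offender is listed on stderr.
check_lsblk_tree() {
    local kname type mnt busy=0
    while read -r kname type mnt; do
        case "$type" in
            disk|part) ;;
            *) echo "open $type device on top of disk: $kname" >&2
               busy=1; continue ;;
        esac
        if [ -n "$mnt" ]; then
            echo "$kname is in use: $mnt" >&2; busy=1
        fi
    done
    return "$busy"
}

# Run the check against a real block device, e.g. disk_is_quiescent /dev/sdX
disk_is_quiescent() {
    lsblk -rno KNAME,TYPE,MOUNTPOINT "$1" | check_lsblk_tree
}
```

Only wipe when disk_is_quiescent returns 0; otherwise close or unmount the listed devices first.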


If you have confidential data stored unencrypted on HDD(s) and don't want to risk it landing in foreign hands, I recommend overwriting the whole disk with something like dd.

3.2. Partitioning And Formatting


You may want to run the following code block outside of screen and run clear right afterwards, so that confidential data does not show up when scrolling back.

Prepare the disks (copy&paste one command after the other):

# list devices
fdisk -l

# lookup all options
bash /tmp/ -h

# disable bash history
set +o history

# adjust to your liking
bash /tmp/ -f fallbackfallback -r rescuerescue -d "/dev/sda /dev/sdb etc." -s 12

# enable bash history
set -o history

Info: The script creates the user "meh", which will be used later on to act as non-root.

3.3. /mnt/gentoo Content

After executing "", the btrfs subvolume "@root" mounted by "" at "/mnt/gentoo/" should contain the expected directory layout for your setup (single disk, two, three or four disks).

3.4. Tarball Extraction


A recent stage3-amd64-hardened-systemd-<timestamp>.tar.xz file was downloaded and verified by the script. If you work on another architecture, download and verify the correct stage3 tarball manually (recommended: stage3-<architecture>-hardened-systemd-<timestamp>.tar.xz and stage3-<architecture>-hardened-systemd-<timestamp>.tar.xz.asc) and adjust the commands below accordingly.

After download of the stage3 tarball, my script verifies the files by default. You can also verify the OpenPGP signature on your own as shown in the following code block. Make sure to compare the long key IDs printed by the following "gpg --list-keys" command with those posted on the release media signatures page. Copy&paste one command after the other:

[root@sysrescue ~]# su -l meh -c "gpg --homedir=/tmp/gpg_home_dir_gentoo --list-keys"
pub   dsa1024 2004-07-20 [SC] [expires: 2025-07-01]
uid           [ unknown] Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <>
sub   elg2048 2004-07-20 [E] [expires: 2025-07-01]

pub   rsa4096 2009-08-25 [SC] [expires: 2024-07-01]
uid           [ultimate] Gentoo Linux Release Engineering (Automated Weekly Release Key) <>
sub   rsa2048 2019-02-23 [S] [expires: 2024-07-01]

[root@sysrescue ~]# su -l meh -c "gpg --homedir=/tmp/gpg_home_dir_gentoo --verify /mnt/gentoo/stage3-amd64-hardened-systemd-*.tar.xz.asc /mnt/gentoo/stage3-amd64-hardened-systemd-*.tar.xz"
gpg: Signature made Mon 25 Mar 2024 05:01:19 AM UTC
gpg:                using RSA key 534E4209AB49EEE1C19D96162C44695DB9F6043D
gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <>" [ultimate]

[root@sysrescue ~]# su -l meh -c "gpgconf --homedir=/tmp/gpg_home_dir_gentoo --kill all"
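The key ID comparison above is done by eye. As an added example (not part of the original guide), the helper below makes it a check: it reads gpg's machine-readable status output and only accepts a signature made by a fingerprint you previously copied from the release media signatures page. The allow-list entry is the subkey fingerprint from the gpg output above and the homedir matches the page; the function names are my own.

```bash
#!/bin/bash
# Allow-list of signing key fingerprints (40 hex chars, no spaces), separated
# by spaces. The entry below is the subkey fingerprint shown by the gpg output
# above; take yours from the release media signatures page, not from gpg.
ALLOWED_FPRS="534E4209AB49EEE1C19D96162C44695DB9F6043D"

# Reads "gpg --status-fd 1" output on stdin. Return codes:
#   0  signature valid and made by an allow-listed key
#   1  no cryptographically valid signature (BADSIG, ERRSIG, NO_PUBKEY, ...)
#   2  valid signature, but the key is not on the allow-list
#   3  valid signature, but key or signature expired/revoked (gpg still emits
#      VALIDSIG in that case, so this has to be checked before accepting)
check_sig_status() {
    local line fpr="" valid=0 stale=0 allowed
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line; fpr="$3"; valid=1 ;;   # field 3 = signing key fpr
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] EXPSIG "*|"[GNUPG:] REVKEYSIG "*)
                stale=1 ;;
        esac
    done
    if [ "$valid" -ne 1 ]; then
        echo "FAIL: no valid signature" >&2; return 1
    fi
    if [ "$stale" -eq 1 ]; then
        echo "FAIL: signature by $fpr, but key or signature expired/revoked" >&2; return 3
    fi
    for allowed in $ALLOWED_FPRS; do
        if [ "$fpr" = "$allowed" ]; then
            echo "OK: good signature by allow-listed key $fpr"; return 0
        fi
    done
    echo "FAIL: good signature, but $fpr is not on the allow-list" >&2; return 2
}

# Same verify step as on the page (same homedir, detached .asc beside the
# tarball), judged by the allow-list. Usage: verify_stage3 /path/to/stage3.tar.xz
verify_stage3() {
    gpg --batch --homedir /tmp/gpg_home_dir_gentoo --status-fd 1 \
        --verify "$1.asc" "$1" 2>/dev/null | check_sig_status
}
```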

Extract the stage3 tarball and copy custom files:

tar -C /mnt/gentoo/ -xpvf /mnt/gentoo/stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner && \
rsync -a --numeric-ids --chown=0:0 --chmod=u=rwx,go=r /tmp/firewall.nft /mnt/gentoo/usr/local/sbin/ && \
rsync -a /tmp/portage_hook_kernel /mnt/gentoo/root/ && \
mkdir -p /mnt/gentoo/etc/gentoo-installation && \
echo -e "\e[1;32mSUCCESS\e[0m"

(Optional) If you want to use Clevis, copy my overlay:

rsync -av --numeric-ids --chown=250:250 /tmp/overlay/duxsco /mnt/gentoo/var/db/repos/ && \
mkdir /mnt/gentoo/etc/portage/repos.conf && \
echo '[duxsco]
location = /var/db/repos/duxsco
auto-sync = false' > /mnt/gentoo/etc/portage/repos.conf/duxsco.conf && \
echo -e "\e[1;32mSUCCESS\e[0m"

3.5. Mounting

Mount filesystems for the later chroot to work:

mkdir /mnt/gentoo/var/db/repos/gentoo && \
touch /mnt/gentoo/var/db/repos/gentoo/.keep && \
mount -o noatime,subvol=@ebuilds /mnt/gentoo/mapperSystem /mnt/gentoo/var/db/repos/gentoo && \
chown 250:250 /mnt/gentoo/var/db/repos/gentoo && \

mount -t tmpfs -o noatime,nodev,nosuid,mode=1777,uid=root,gid=root tmpfs /mnt/gentoo/tmp && \

mount --types proc /proc /mnt/gentoo/proc && \
mount --rbind /sys /mnt/gentoo/sys && \
mount --make-rslave /mnt/gentoo/sys && \
mount --rbind /dev /mnt/gentoo/dev && \
mount --make-rslave /mnt/gentoo/dev && \
mount --bind /run /mnt/gentoo/run && \
mount --make-slave /mnt/gentoo/run && \

# I put /home, /var/cache/binpkgs, /var/cache/distfiles and /var/tmp
# on separate btrfs subvolumes to keep backups separate.

mount -o noatime,subvol=@home /mnt/gentoo/mapperSystem /mnt/gentoo/home && \

touch /mnt/gentoo/var/cache/binpkgs/.keep && \
mount -o noatime,subvol=@binpkgs /mnt/gentoo/mapperSystem /mnt/gentoo/var/cache/binpkgs && \

touch /mnt/gentoo/var/cache/distfiles/.keep && \
mount -o noatime,subvol=@distfiles /mnt/gentoo/mapperSystem /mnt/gentoo/var/cache/distfiles && \

touch /mnt/gentoo/var/tmp/.keep && \
mount -o noatime,subvol=@var_tmp /mnt/gentoo/mapperSystem /mnt/gentoo/var/tmp && \
chmod 1777 /mnt/gentoo/var/tmp && \

echo -e "\e[1;32mSUCCESS\e[0m"