Efficient Encrypted Arch Linux Guest Installation in VirtualBox with a Full Plasma/KDE Environment. Perfect for Arch Linux Evaluation and Experimentation!
# OBJECTIVES: Install Arch Linux as a VirtualBox Guest with a complete Plasma5/KDE environment.
# Provide encrypted root and swap filesystems and UEFI boot our Arch Guest from within VirtualBox.
# Note: This install method is specific to VirtualBox (VBox) to allow non-Arch users and Arch testers to evaluate a properly
# configured and secure Arch OS while running a fully enabled Plasma/KDE system, while also taking advantage
# of the multiple isolation safeguards inherently provided by the VBox environment.
# For those who want to install Arch on bare metal in a way that supports both dedicated Arch installations and Arch
# installation on an SSD/HDD multi-OS-UEFI-booting system, please refer to my Arch System Installation Guide, here:
https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# VirtualBox Installers Note: You **must** have UEFI-booting enabled in VBox's Guest System Settings prior to
# Arch installation. I also recommend you fully update your Host OS, VBox, and VBox's Extension Pack prior to proceeding.
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# If you want to minimize installation, security, and package synchronization issues, **always** download the most recent
# archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature. Feel free to ignore this advice at
# your own peril! Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. In the
# example below, gpg is given only -v (verbose) and no command, so it guesses that verification is intended:
$ gpg -v archlinux-2019.11.01-x86_64.iso.sig
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'archlinux-2019.11.01-x86_64.iso'
gpg: Signature made Fri Nov 1 16:34:35 2019 UTC
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: using pgp trust model
gpg: Good signature from "Pierre Schmitz <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048
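# Added example, not part of the original guide: "Good signature" only means that some key in your keyring signed the
# file, so this script also compares the primary key fingerprint gpg reports with the one printed above.
# It assumes the signing key is already imported; the function names and SAMPLE_STATUS are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide): pin the signer's fingerprint.
# The value is the "Primary key fingerprint" printed in the gpg output above.
EXPECTED_FPR="4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC"

# Constructed sample of `gpg --status-fd 1 --verify` output, for offline testing only.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7F2D434B9741E8AC Constructed Signer
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2019-11-01 1572626075 0 4 0 1 8 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC'

# Read gpg status lines on stdin. Succeed only if a VALIDSIG line carries the
# expected primary key fingerprint, which is the last field of that line
# (the first field may be a signing subkey). Spaces and case are ignored.
validsig_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    rc=1
    while read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] && [ "$kw" = "VALIDSIG" ] || continue
        primary=$(printf '%s' "${rest##* }" | tr 'a-f' 'A-F')
        [ "$primary" = "$expected" ] && rc=0
    done
    return "$rc"
}

# verify_iso ISO SIG: fail on a bad signature, or on a good signature from any other key.
verify_iso() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | validsig_matches "$EXPECTED_FPR"
}

# Stand-alone use: sh verify-iso.sh archlinux-*.iso archlinux-*.iso.sig
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2" && echo "signature OK and signed by $EXPECTED_FPR"
fi
```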
# Since we are installing Arch in VBox, there is no need to burn the archlinux-*.iso to a USB stick. You only need to
# attach the verified archlinux-*.iso to your Arch VBox Guest's CD-ROM.
# Make sure you have one NAT adapter enabled in your Guest, with the Cable Connected option checked, even if your Host
# is connected via WiFi.
# UEFI-Boot from your Guest's CD-ROM. It takes several minutes to load the *.iso.
# Create and size partitions appropriate to your goals using gdisk.
gdisk /dev/sdX
# Create the partitions you need:
Partition X = 100 MiB EFI partition # Hex code EF00
Partition Y = 250 MiB Boot partition # Hex code 8300
Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the
last sector of your virtual drive. # Hex code 8300.
# Review your partitions with 'p'.
# Write your gdisk changes with 'w'.
# Reboot, if necessary, so the kernel reads your new partition structure.
# Create filesystems for /boot/efi and /boot
mkfs.vfat -F 32 /dev/sdXX
mkfs.ext2 /dev/sdXY # ext3/4 are also fine here. This small /boot partition only holds our unencrypted kernel(s) and initramfs.
# Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ
cryptsetup luksOpen /dev/sdXZ SecureGoodness # (or use any word or phrase you're fond of)
# Create and allocate space for your encrypted LVM partitions
# These steps create a required root partition and an optional partition for swap.
# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.
# The VG and LV labels 'Arch', 'root' and 'swap' can be changed to anything memorable to you. Use your labels consistently, below!
pvcreate /dev/mapper/SecureGoodness
vgcreate Arch /dev/mapper/SecureGoodness
lvcreate -L +512M Arch -n swap
lvcreate -l +100%FREE Arch -n root
# Create filesystems on your encrypted Logical Volumes
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
# Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.
# If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:
mkfs.btrfs /dev/mapper/Arch-root
# If you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command
# we use immediately after correctly mounting our partitions below. This is not critical, as btrfs-progs is already included
# in the archlinux-*.iso. However, unlike ext4, new filesystem management features are added to btrfs frequently, so it's
# always a good idea to run the latest version of btrfs-progs from the official repos.
# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sdXY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdXX /mnt/boot/efi
# Install your Arch system
# If you have read the contents of https://www.archlinux.org/ you will know the Arch developers made significant
# changes to the 'base' package in October 2019.
# The new base metapackage contains neither a kernel nor an editor, and it also lacks several other important packages.
# We will be addressing those issues in our pacstrap command below.
# This installation command provides a decent set of basic system programs which will also support WiFi through
# netctl's `wifi-menu` after initially booting into your Arch system. Having WiFi following installation is particularly
# critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
# optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
# be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers dkms nano \
    dhcpcd netctl lvm2 linux-firmware man-pages
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
nano /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.
# Enter the new system
arch-chroot /mnt /bin/bash
# Set the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This command is unnecessary if you've already set your VBox Guest to UTC.
hwclock --systohc --utc
# Assign your hostname
echo MyHostName > /etc/hostname
# Set or update your locale
# If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
# Now run:
locale-gen
# Set your root password
passwd
# Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.
useradd -m -G wheel -s /bin/bash MyUserName
passwd MyUserName
# Configure mkinitcpio with the correct HOOKS required for your initrd image
nano /etc/mkinitcpio.conf
# Use this HOOKS statement:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
# Generate your initrd image
mkinitcpio -p linux
# Install and configure Grub-EFI
# The correct way to install grub on a UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
# Edit /etc/default/grub so it includes a statement like this:
# GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"
# Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:SecureGoodness resume=/dev/mapper/Arch-swap"
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
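# Added example, not part of the original guide: a mismatch between the labels chosen earlier and the boot configuration
# only shows up as an unbootable Guest, so this script checks GRUB_CMDLINE_LINUX and HOOKS against the mapper, VG and LV
# names before you reboot. The function names are illustrative, and VG/LV names are assumed to contain no hyphens.

```shell
#!/bin/sh
# Added example (not from the original guide). File paths and names are arguments.

# Print the value of the last uncommented KEY="..." or KEY=(...) line in FILE.
conf_value() {
    sed -n 's/^[[:space:]]*'"$1"'=["(]\{0,1\}\([^")]*\)[")]\{0,1\}[[:space:]]*$/\1/p' "$2" | tail -n 1
}

# Print the 1-based position of WORD in the space-separated LIST, or 0 if absent.
word_pos() {
    i=0
    for w in $2; do
        i=$((i + 1))
        [ "$w" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_boot_config GRUB_DEFAULTS MKINITCPIO_CONF MAPPER_NAME VG_NAME SWAP_LV
# Returns 0 only when the kernel command line and HOOKS agree with the names given.
check_boot_config() {
    cmdline=$(conf_value GRUB_CMDLINE_LINUX "$1")
    hooks=$(conf_value HOOKS "$2")
    crypt_ok=0 resume_ok=0 err=0
    for w in $cmdline; do
        case "$w" in
            cryptdevice=*:"$3" | cryptdevice=*:"$3":*) crypt_ok=1 ;;
            resume=/dev/mapper/"$4-$5") resume_ok=1 ;;
        esac
    done
    [ "$crypt_ok" -eq 1 ] || { echo "cryptdevice= does not open mapper name $3" >&2; err=1; }
    [ "$resume_ok" -eq 1 ] || { echo "resume= is not /dev/mapper/$4-$5" >&2; err=1; }
    e=$(word_pos encrypt "$hooks"); l=$(word_pos lvm2 "$hooks")
    r=$(word_pos resume "$hooks"); f=$(word_pos filesystems "$hooks")
    # LVM sits inside LUKS and swap is an LV, so the order must be
    # encrypt < lvm2 < resume < filesystems, and all four must be present.
    if [ "$e" -eq 0 ] || [ "$e" -ge "$l" ] || [ "$l" -ge "$r" ] || [ "$r" -ge "$f" ]; then
        echo "HOOKS order must be: encrypt lvm2 resume filesystems" >&2; err=1
    fi
    return "$err"
}

# Stand-alone use, e.g.:
#   sh check.sh /etc/default/grub /etc/mkinitcpio.conf SecureGoodness Arch swap
if [ "$#" -eq 5 ]; then
    check_boot_config "$@" && echo "boot configuration is consistent"
fi
```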
# Exit Your New Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot so we can transform our base encrypted Arch Linux Guest into a powerful production system!
poweroff
Then remove the *.iso from your Arch VBox Guest's CD-ROM.
Fire up Arch!
__________________________
When UEFI booting an Arch Guest in VBox, you will get dropped to the EFI Shell prompt when powering up Arch Linux.
Do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0:
fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nsh
In your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi
Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up
your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,
except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical
Arch Linux boot screen.
__________________________
# Now, it's time to get your Plasma5-KDE system installed correctly. When complete, your Arch Guest should initially occupy
# about 8-10 GiB of space on your Host's SSD/HDD. When you are presented with a choice of repos in the steps below, **always**
# choose the default repository(ies) offered. Defaults become defaults for damn good reasons!
# Perform the installation steps below in this order, and not another way!
# Log in as root, and not as a user
# To fully update your Arch Guest, do:
pacman -Syu
# If you don't have network connectivity in your Arch Guest, do this:
systemctl start dhcpcd
systemctl enable dhcpcd
# Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S virtualbox-guest-utils
pacman -S xorg
pacman -S xorg-apps
pacman -S xorg-server # If pacman asks to reinstall the X Server, there is no need to do this, but X is mandatory!
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
systemctl enable NetworkManager
pacman -S kde-applications-meta
pacman -S xdg-user-dirs
# If you want full (US English) spelling support for your applications, do:
pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-en
# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great:
pacman -S ttf-dejavu ttf-liberation
reboot
__________________________
# Log in to sddm's GUI as your user
# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!
__________________________