Skip to content

Instantly share code, notes, and snippets.

@Thrilleratplay

Thrilleratplay/ arch-linux-install.md

Last active November 8, 2024 00:06
Show Gist options
  • Save Thrilleratplay/d83440e9496d5674728ddebbf587c5e1 to your computer and use it in GitHub Desktop.
Save Thrilleratplay/d83440e9496d5674728ddebbf587c5e1 to your computer and use it in GitHub Desktop.
Download ZIP
Installing Arch Linux on a fully encrypted LUKS partition using GRUB
Raw
arch-linux-install.md

Installing Arch Linux on a fully encrypted LUKS partition using GRUB

This is a modified version of Installing Arch Linux on an LUKS Encrypted root and booting from UEFI.

Sources

Before you begin

  • If you have UEFI, you will either need to make modifications or follow the original guide.
  • This is only for a single booted system and am I not sure if dual booting Windows or OSX will work with this configuration
Variables to replace
/dev/sdX    # replace with your drive
MYHOSTNAME  # replace this with your hostname
MYUSERNAME  # single user name
8G          # Swap partition size
  1. If ethernet is plugged in on boot, dhcpcd is run automatically.
  1. Begin by booting into the Arch Linux ISO installation
  2. OPTIONAL BUT RECOMMENDED: Overwrite the whole drive with random data to strengthen encryption. At the same time perform a bad blocks scan to make sure the hard drive is not going to die too soon:
    NOTE: This is intended to ABLITERATE ALL DATA ON THE DRIVE!!!!!
$>  badblocks -c 10240 -s -w -t random -v /dev/sdX
  1. Create partitions
    A MBR parition table is required becasue GPT does not leave enough space for GRUB to install. If you require a GPT partition table, there may be a way around this.
  • Start fdisk:
$>  fdisk /dev/sdX
Partition # FS Hex FS Type Formatted
1 8300 Linux filesystem crypt_luks with ext4 lvm
* Feel free to add additional partitions for unencrypted data or another operating system. However, the scope of this guide is only the one fully encrypted partition to boot Arch Linux.
  1. Setup the encryption of the system on /dev/sdX1
    Information about encryption options here
  • aes - Encryption block cipher
  • xts - Block cipher encryption mode
  • plain64 - the initial vector is the 64-bit little-endian version of the sector number, padded with zeros if necessary.
$>  cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX1
# Then open newly created luks partition
$>  cryptsetup luksOpen /dev/sdX1 luks
  1. Create encrypted physical volume, volume group and logical volumes for swap and root partitions
$>  pvcreate /dev/mapper/luks
$>  vgcreate vgcrypt /dev/mapper/luks
# Creates one logic for swap
$>  lvcreate --size 8G vgcrypt --name swap
# All of the remaining space is made into create root
$>  lvcreate -l +100%FREE vgcrypt --name root
  1. Create filesystems on encrypted logical volumes
$>  mkfs.ext4 /dev/mapper/vgcrypt-root
$>  mkswap /dev/mapper/vgcrypt-swap
  1. Mount the new system
# /mnt is the installed system
$>  mount /dev/mapper/vgcrypt-root /mnt
$>  swapon /dev/mapper/vgcrypt-swap # used in fstab generation

# Mount any other partitions created and want to add to fstab
  1. Install the core system and GRUB (zsh is optional)
$>  pacstrap /mnt base base-devel ntp grub zsh linux
  1. Generate fstab
$>  genfstab -pU /mnt > /mnt/etc/fstab
  • To make /tmp a tmpfs ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
  1. Enter the new system
$>  arch-chroot /mnt /bin/bash
YOU ARE NOW IN THE CHROOT JAIL
  1. Setup system clock
$>  ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
$>  ntpdate pool.ntp.org
$>  hwclock --systohc --utc
  1. Set the hostname
$>  echo MYHOSTNAME > /etc/hostname
  1. Set password for root
$>  passwd
  1. OPTIONAL: Add user NOTE: if you are not using zsh, change to appropriate shell like bash
$>  useradd -m -g users -G wheel,storage,power -s /bin/zsh MYUSERNAME  
$>  passwd MYUSERNAME
  1. Create a key file to prevent GRUB from needing to login twice on boot
$> dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
$> cryptsetup luksAddKey /dev/sdX1 /crypto_keyfile.bin
$> chmod 000 /crypto_keyfile.bin  # Even root doesn't need to access this
  1. Configure mkinitcpio with modules needed for the initrd image
$>  nano /etc/mkinitcpio.conf
  • Add keymap encrypt lvm2 to HOOKS BEFORE filesystems and shutdown to the end, like the following line:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck shutdown"
  • Add the reference to the crypto key file to FILES
FILES="/crypto_keyfile.bin"
  • Then regenerate initrd image. NOTE: If using a kernel other than the standard Linux kernel, such as linux-libre that comes with Parabola Linux, the preset will be different.
$>  mkinitcpio -p linux
  1. Setup GRUB
  • Modify the GRUB generation config
$>  nano /etc/default/grub
  • Set cryptdevice reference
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX1:luks-vgroot"

and add the line:

GRUB_ENABLE_CRYPTODISK=y
  • Save and install GRUB
$> grub-mkconfig -o /boot/grub/grub.cfg
$> grub-install /dev/sdX
  1. Exit new system and go into the cd shell
$>  exit

You should now be presented with a prompt for your passphrase when booting into GRUB

YOU ARE NOW LEAVING THE CHROOT JAIL

Unmount all partitions and reboot (don't forget to remove the cd/usb)

umount -R /mnt
reboot

HELP!!! I SCREWED UP

If you have already set up you partitions and need to reenter the chroot jail after rebooting because something is not working:

$> cryptsetup luksOpen /dev/sdX1 luks
$> mount /dev/mapper/vgcrypt-root /mnt
$> arch-chroot /mnt /bin/bash
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment