Secure Arch Linux Installation

Encrypted Installation.md

Secure Arch Linux Install

Following this guide from YouTube: https://www.youtube.com/watch?v=gB1N00wj3bw

This installation procedure follows installing a secure encrypted lvm version of Arch Linux on my MacBook Pro in Parallels.

Harddisk Setup

Let us start by looking at the naming of harddrives:

fdisk -l

In this particular case, we want to use the /dev/sda harddrive:

fdisk /dev/sda

o # makes a DOS disklabel
n # new partition - Boot
w  <enter> # for default of p
   <enter> # for default of 1
   <enter> # for default of 2048
   +400M # Boot drive, unencrypted
   a # makes partition bootable
n # new partition
   <enter> # for default of p
   <enter> # for default of 2
   <enter> # for default of 821248
   <enter> # for default of 134217727
t # Change type of a partition
   <enter> # for default of 2 (partition 2)
   8E # for LVM
w # for write

Encrypting Partition

We have setup a boot partition as well as a main partition, however it is yet to be encrypted.

cryptsetup luksFormat /dev/sda2
   YES
   <password> # typical pwd for linux servers
   <retype password>

Now we need to install arch linux on that partition. To do that, we need to unencrypt (or "open") that partition:

cryptsetup open --type luks /dev/sda2 lvm # "lvm" is a name, optional what it is, but "lvm" is quite typical in the linux world

Setup LVM

We need to create a physical volume.

IMPORTANT: In the command below, the --dataalignment 1m is optional, however if a system is on an SSD, you really should use it. Will old spinning harddrives, you probably shouldn't use it.

pvcreate --dataalignment 1m /dev/mapper/lvm

Setup volume group:

vgcreate volgroup0 /dev/mapper/lvm # "volgroup0" is an optional name, but that name is quite typical in the linux world

Now we need to create 3 volume groups that will contain the operating system and our failes

lvcreate -L 30GB volgroup0 -n lv_root # root volume
lvcreate -L 4GB volgroup0 -n lv_swap  # swap volume
lvcreate -l 100%FREE volgroup0 -n lv_home # home volume
vgchange -ay # activate volume groups

Format partitions

Start by formatting our boot partition. ext2 is just fine for the boot partition:

mkfs.ext2 /dev/sda1

Format the volume groups:

mkfs.ext4 /dev/volgroup0/lv_root # root volumegroup
mkfs.ext4 /dev/volgroup0/lv_home # home volumegroup

Mount the volume groups

mount /dev/volgroup0/lv_root /mnt # Mount root partition
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
mkdir /mnt/home
mount /dev/volgroup0/lv_home /mnt/home

Install Arch packages

Let's make sure we have internet

ip a # See ip
# If no ip:
dhcpcd # Get a new ip
ping 4.2.2.1
ping google.com

If wireless access is needed (if the computer is not connected by wire, and it isn't a vm):

cp /etc/netctl/examples/wireless-wpa /etc/netctl/<wireless-name> # "wireless name" can be anything, fx SSID, but doesn't need to be that

Find the name of the wireless card. It could be wlan0 fx. Then "vi" or "nano" /etc/netctl/<wireless-name>.

Let's install arch packages:

pacstrap -i /mnt base
<enter> # all
<enter> # yes

Configuration

Generate fstab

genfstab -U -p /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab # verify

chroot into our installation

arch-chroot /mnt

We need a few packages:

pacman -S openssh vim tmux grub-bios linux-headers linux-lts linux-lts-headers

Software is used for:

• openssh: For SSH access
• grub-bios: Required
• linux-headers: Optional, but common for compiling stuff
• linux-lts: Long Term Service release for the linux kernel. It's a bit older, but recommended. The kernel can always be switched out
• linux-lts-headers:
• wpa_supplicant & wireless_tools: Optional: For wireless access

After all packages are installed, we need to modify the following file. If we don't, the system won't boot, and we can just start all over:

vim /etc/mkinitcpio.conf

Find a line that says something with HOOKS=(base udev[...]). Place the cursor between block and filesystems and add:

encrypt lvm2

The whole line should be something like:

HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)

Setup the hooks we just created to make sure that the installation supports lvm as well as booting into an encrypted volume

mkinitcpio -p linux

Required if lts-kernel is installted

This step is optional, unless lts-kernel is installed. Then it is required.

mkinitcpio -p linux-lts

Locale and time

Remove the pound (#) form the language that you want to use. Fx en_US.UTF-8:

vim /etc/locale.gen

Then generate the locale:

locale-gen

Then time:

rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
hwclock --systohc --utc # Sync clock

Enable ssh

systemctl enable sshd.service

Password

passwd

Configure grub for the encrypted partition

vim /etc/default/grub

Find the line that says GRUB_CMDLINE_LINUX_DEFAULT="quiet". In the quotes (where it says quiet), enter:

[...] ="cryptdevice=/dev/sda2:volgroup0 quiet"

MAKE sure it is EXCACTLY right. Otherwise it won't boot.

Then install grub:

grub-install --target=i386-pc --recheck /dev/sda

cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

grub-mkconfig -o /boot/grub/grub.cfg

There will be a lot of warnings; don't worry about it.

Unmount

Now just exit and unmount everything.

exit
umount /mnt/boot
umount /mnt/home
umount /mnt

Now it's the moment of truth whether or not the installation was successful:

reboot

Post Installation.md

Post installation procedure of arch linux

I'm following this tutorial: https://www.youtube.com/watch?v=GCUmGtCYPWM

Note: It is a good idea to do this part in an ssh session.

Simple fix for a stupid issue. We did set the locale in the installation process, however for some applications, that is just not enough. The symptoms can be that you click something and nothing happens. The command below should fix that.

localctl set-locale LANG="en_US.UTF-8"

We did make a swap partition, but it is not active. This can be seen with the command free -m.

With the command fdisk -l, we can see which partition is the swap. In this particular case it is /dev/mapper/volgroup0-lv_swap

Turn it on:

mkswap /dev/mapper/volgroup0-lv_swap

We get a UUID back which is needed for the next step, so note it down (hence why it was a good idea to set this up using ssh - copy/paste)

In this example, my UUID for my swap is 36304981-57eb-41bd-846b-39eadc2bb68f

This is needed in the fstab:

vim /etc/fstab

Add the following lines:

# /dev/mapper/volgroup0-lv_swap
UUID=36304981-57eb-41bd-846b-39eadc2bb68f   none    swap    defaults    0 0

If you lost the UUID, enter blkid to get all UUID's for all partitions.

Back in the fstab, if you have an SSD (NOT spinning drive), then after the rw value for the root partition and home partition, add discard

fx:

UUID=xxx    /       ext4    rw,discard,relatime[...]
[...]
UUID=yyy    /home   ext4    rw,discard,relatime[...]

Reboot!

After reboot

Make sure to have internet

ip a # check if ip is present
dhcpcd # get new ip if you don't have any

Let's install network manager so we don't have to think about connecting to the internet

pacman -Sy networkmanager network-manager-applet dialog

If you have wireless, include the following packages:

- wireless_tools
- wpa_supplicant
- wpa_actiond

Prepare for graphical user interface

pacman -S xf86-input-libinput xorg-server xorg-xinit xorg-server-utils mesa

xf86-input-libinput is required for trackpads

xorg-server-utils: I couldn't find the package, so I skipped it.

Then we need to install drivers for the video card. If you don't know the video card, run lspci.

Follow the youtube tutorial; there's no need covering this since I'm currently installing on a virtual machine.

I'm using parallels, so I want to follow this guide for installing Parallels Tools: https://wiki.archlinux.org/index.php/parallels.

Install sudo

pacman -S sudo
visudo

Towards the bottom, find the line that says

%wheel ALL=(ALL) ALL

Remove hte comment in front of that

Then create a new account

useradd -m -G wheel -s /bin/bash <username>
passwd <username>

Set hostname

hostnamectl set-hostname <soem name>

Then, remember to enable network automatically:

sudo systemctl enable NetworkManager.service

Parallels Tools

Install parallels tools: https://kb.parallels.com/en/124124

Simple Installation.md

Simple installation guide

Arch Linux Machine

Installation

Make sure it has internet.

cfdisk

Select dos.

New -> 10gb (or so) -> primary -> Bootable -> Write -> yes

Select Free space -> New -> Enter how many gb for swap (i.e. 6192M) -> primary -> Write -> yes

Select Free space -> New -> Enter how many gb for hdd (i.e. all that's left) -> extended

DON'T WRITE YET! We need to make a partition for home

Select Free space -> New -> Enter how many gb for home -> Write -> yes

You should now have:

• /dev/sda1
• /dev/sda2
• /dev/sda3
• [-- /dev/sda5

If you have /dev/sda4 (and it's not indended), you probably wrote when I told you not too....

Quit

Time for formatting the newly created partitions:

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/sda5

mkswap /dev/sda2
swapon /dev/sda2

Time for installing the OS

mount /dev/sda1 /mnt
mkdir /mnt/home
mount/dev/sda5 /mnt/home
pacstrap /mnt base base-devel

Done! Time for configuration!

Configuration

genfstab /mnt >> /mnt/etc/fstab

Verify fstab:

cat /mnt/etc/fstab

Launch arch base system:

arch-chroot /mnt /bin/bash

Locale:

vi /etc/locale.gen
# Remove comment from locale and save
locale-gen
vi /etc/locale.conf
# Type 'LANG=en_US.UTF-8' (if that is the chosen locale) and save
ls /usr/share/zoneinfo
ln -s /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
hwclock --systohc --utc
passwd
vi /etc/hostname
systemctl enable dhcpcd

Installing Grub

pacman -S grub os-prober
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
exit
unmount /mnt
unmount /mnt/home
reboot