@calebreister
Last active January 9, 2017 04:47
This file contains my notes from installing Arch Linux on my new(er) computer. It uses dm-crypt and LUKS to encrypt the entire hard drive (including /boot). So far, it has performed well. NOTE: some of this is specific to my machine, but the encryption and filesystem setup is not.

Arch Linux w/ Encryption Installation Notes

These are my notes for installing Arch Linux with full-disk encryption on a HDD. The installation process changes significantly for an SSD.

Install system

$ lsblk #list devices
$ timedatectl set-ntp true

I will create the following partition layout...

+----------------------------------------+
| /dev/sda3 LVM, LUKS encrypted          |
+---------+------------+-----------------+
| swap    | ext4       | btrfs           |
| 16GB    | 64GB       | Remaining space |
| vg-swap | vg-winvm   | vg-root         |
+---------+------------+-----------------+

NOTE: vg-winvm is for a Windows virtual machine.

Create & Configure Partition Types

$ parted /dev/sda
    (parted) mklabel msdos
    (parted) mkpart primary 0% 100%
    (parted) set 1 lvm on

Configure Partitions

Encrypt...

$ cryptsetup luksFormat /dev/sda1
$ cryptsetup open --type luks /dev/sda1 lvm

Create physical volume & volume group...

$ pvcreate /dev/mapper/lvm
$ vgcreate vg /dev/mapper/lvm

Create logical volumes in /dev/sda3...

$ lvcreate -L 16G vg -n swap
$ lvcreate -L 64G vg -n winvm
$ lvcreate -l 100%FREE vg -n root

Format logical volumes...

$ mkswap /dev/mapper/vg-swap
$ mkfs.ext4 /dev/mapper/vg-winvm
$ mkfs.btrfs /dev/mapper/vg-root

Mount partitions & volumes for installation

Configure root volume...

$ mount /dev/mapper/vg-root /mnt
$ btrfs sub create /mnt/@
$ mkdir -p /mnt/@/home /mnt/@/var/cache/pacman/pkg /mnt/@/var/abs /mnt/@/var/tmp /mnt/@/srv
$ btrfs sub create /mnt/@home
$ btrfs sub create /mnt/@var-cache-pacman-pkg
$ btrfs sub create /mnt/@var-abs
$ btrfs sub create /mnt/@var-tmp
$ btrfs sub create /mnt/@srv
$ umount /mnt

Mount for installation...

$ swapon /dev/mapper/vg-swap
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@ /mnt
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@home /mnt/home
# With subvol=@ mounted at /mnt, the directories created earlier under /mnt/@/ now sit directly under /mnt.
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@var-cache-pacman-pkg /mnt/var/cache/pacman/pkg
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@var-abs /mnt/var/abs
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@var-tmp /mnt/var/tmp
$ mount /dev/mapper/vg-root -t btrfs -o subvol=@srv /mnt/srv

NOTE: while this process is very tedious during installation, it makes recovering from a backup significantly easier. Creating subvolumes for temporary system files and pacman caches significantly reduces the backup size.

Install

$ echo "Server = http://mirrors.cat.pdx.edu/archlinux/\$repo/os/\$arch" > /etc/pacman.d/mirrorlist
$ pacstrap -i /mnt base base-devel
$ genfstab -L /mnt > /mnt/etc/fstab #Generate fstab, use -U for UUID
$ cat /mnt/etc/fstab

Do NOT reboot.

Configure New System

chroot into new system and install necessary packages...

$ arch-chroot /mnt /bin/bash
$ pacman -S grub intel-ucode btrfs-progs

Set locale & time zone...

$ nano /etc/locale.gen
    en_US.UTF-8 UTF-8
    en_DK.UTF-8 UTF-8
$ locale-gen
$ nano /etc/locale.conf
    LANG=en_US.UTF-8
    LC_TIME=en_DK.UTF-8
    LC_MEASUREMENT=en_DK.UTF-8
    LC_NUMERIC=en_US.UTF-8
    LC_COLLATE=C
$ ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
$ hwclock --systohc --utc

Configure initramfs...

# NOTE: It appears that the name `crypto_keyfile.bin` matters.
# I couldn't get `keyfile.bin` to work.
$ dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
$ nano /etc/mkinitcpio.conf
    BINARIES="/usr/bin/btrfsck"
    FILES="/crypto_keyfile.bin"
    HOOKS="... keyboard block encrypt lvm2 resume filesystems btrfs ..." # ORDER MATTERS!
$ mkinitcpio -p linux
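
Added example, not part of the original notes: a shell check for the two things this step depends on, the hook order in mkinitcpio.conf and the permissions of the keyfile and of the initramfs image that now embeds it (an image readable by other users lets them extract the key). The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the original notes; names and sample files are constructed.
# hooks_in_order CONF HOOK...: succeed only if every HOOK is present in
# CONF's HOOKS= line and the HOOKs appear in the order given.
hooks_in_order() {
    conf=$1; shift
    hooks=$(sed -n 's/^HOOKS=//p' "$conf" | tail -n 1 | sed 's/#.*//' | tr -d '"()')
    last=0
    for want in "$@"; do
        pos=0; found=0
        for h in $hooks; do
            pos=$((pos + 1))
            if [ "$h" = "$want" ]; then found=$pos; break; fi
        done
        [ "$found" -gt "$last" ] || return 1
        last=$found
    done
}

# owner_only FILE: succeed only if characters 5-10 of the `ls -l` mode are all "-".
owner_only() {
    case $(ls -ld "$1" 2>/dev/null) in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit CONF FILE...: print one line per check; non-zero if any check fails.
audit() {
    conf=$1; shift; rc=0
    if hooks_in_order "$conf" keyboard block encrypt lvm2 filesystems; then
        echo "ok    HOOKS order"
    else
        echo "FAIL  HOOKS order in $conf"; rc=1
    fi
    for f in "$@"; do
        if owner_only "$f"; then echo "ok    $f"
        else echo "FAIL  $f is accessible beyond its owner"; rc=1; fi
    done
    return $rc
}

# Constructed sample run: hook order as in the notes, keyfile at mode 000,
# and a stand-in initramfs image left world-readable (mode 644).
tmp=$(mktemp -d)
echo 'HOOKS="base udev keyboard block encrypt lvm2 resume filesystems btrfs"' > "$tmp/mkinitcpio.conf"
: > "$tmp/crypto_keyfile.bin";  chmod 000 "$tmp/crypto_keyfile.bin"
: > "$tmp/initramfs-linux.img"; chmod 644 "$tmp/initramfs-linux.img"
audit "$tmp/mkinitcpio.conf" "$tmp/crypto_keyfile.bin" "$tmp/initramfs-linux.img" || true
rm -rf "$tmp"
```

On the installed system the call would be `audit /etc/mkinitcpio.conf /crypto_keyfile.bin /boot/initramfs-linux.img` (image name assumes the stock `linux` preset); a failing image is fixed with `chmod 600` and is worth rechecking after kernel updates.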

Install & Configure GRUB...

$ nano /etc/default/grub
    GRUB_TIMEOUT=0
    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm"
    GRUB_ENABLE_CRYPTODISK=y
    GRUB_PRELOAD_MODULES="... cryptodisk luks"
$ grub-mkconfig -o /boot/grub/grub.cfg
# Ignore WARNING: Failed to connect to lvmetad.
$ grub-install /dev/sda --recheck

Set hostname...

$ echo MYHOSTNAME > /etc/hostname # set hostname

Configure networking...

# (CHOOSE ONE)
$ pacman -S networkmanager network-manager-applet #the applet is optional
$ systemctl enable NetworkManager.service
###OR###
$ systemctl enable [email protected] # INTERFACE is a device from `ip link`
###OR###
$ pacman -S connman
$ systemctl enable connman.service

Set password and exit...

$ passwd
$ exit

Unmount & Reboot...

$ umount -R /mnt
$ reboot

To make sure intel-ucode is working, use dmesg | grep microcode after reboot.
