Created September 6, 2019 08:46
Arch linux installation with FDE (=Full disk encryption) via dm-crypt + LUKS
# This installation guide will create a basic working Arch Linux installation with encryption.
# Encryption is implemented with dm-crypt + LUKS on a single disk.
# +-----------------------+------------------------+-----------------------+
# | Boot/EFI partition    | LUKS encrypted root    | Rest of the space     |
# | (unencrypted)         | partition              | allocated to home     |
# |                       |                        | partition             |
# | /boot                 | /                      | /home                 |
# |                       |                        |                       |
# |                       | /dev/mapper/cryptroot  | /dev/mapper/crypthome |
# |                       |------------------------|-----------------------|
# | /dev/nvme0n1p1        | /dev/nvme0n1p2         | /dev/nvme0n1p3        |
# +-----------------------+------------------------+-----------------------+
# -------------- Preparing USB installer ------------------------
# Get the Arch Linux image from https://www.archlinux.org/download/
# Make a bootable USB (replace /dev/sdx with the USB device, not a partition)
dd bs=4M if=path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync
# -------------- Once arch installer is booted ------------------
# Load the Finnish keymap
loadkeys fi-latin1
# Access wifi
wifi-menu
# Securely wipe the entire disk with shred (https://wiki.archlinux.org/index.php/Securely_wipe_disk)
shred -v /dev/nvme0n1
# Check what partitions exist and what type they are
fdisk -l /dev/nvme0n1
# Create partitions on the device in interactive mode, one partition at a time. Changes won't be written until saved in interactive mode.
# 250MB Boot partition # Hex code 8300
# 100% size partition # (to be encrypted) Hex code 8300
# For /boot partition
#   type: EFI System
#   size: +512MB
# For / partition
#   type: Linux x86-64 root (/)
#   size: +50G
# For /home partition use partition type:
#   type: Linux /home
#   size: (press enter for default and use rest of size)
fdisk /dev/nvme0n1
# Format /boot partition for EFI
mkfs.fat -F32 /dev/nvme0n1p1
# Create the encrypted root container, open it, and put a filesystem on the decrypted mapper device
cryptsetup -y -v luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
# Check the mapping works as intended (close, reopen, mount again):
umount /mnt
cryptsetup close cryptroot
cryptsetup open /dev/nvme0n1p2 cryptroot
mount /dev/mapper/cryptroot /mnt
# Create mount point for /boot inside the new root. This partition is read directly by the UEFI firmware when booting the EFISTUB kernel
mkdir /mnt/boot
# Mount that shit
mount /dev/nvme0n1p1 /mnt/boot
# Same procedure for the encrypted /home partition
cryptsetup -y -v luksFormat /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 crypthome
mkfs.ext4 /dev/mapper/crypthome
mkdir /mnt/home
mount /dev/mapper/crypthome /mnt/home
# Check the mapping works as intended:
umount /mnt/home
cryptsetup close crypthome
cryptsetup open /dev/nvme0n1p3 crypthome
mount /dev/mapper/crypthome /mnt/home
# Update mkinitcpio HOOKS with keyboard, keymap and encrypt (keyboard/keymap before encrypt, encrypt before filesystems), e.g.:
# HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
# (this file exists under /mnt only after the base system has been installed there)
vim /mnt/etc/mkinitcpio.conf
# Check device UUIDs/names
blkid
# Add kernel parameters for efibootmgr
# The root= parameter specifies the device of the actual (decrypted) root file system.
# Since the file system is formatted directly on the decrypted device file this will be /dev/mapper/cryptroot
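The two steps above (the HOOKS line and the kernel parameters) are where encrypted-root installs most often fail to boot, so here is an added example, not part of the gist, that checks both before the EFI entry is written. `check_hooks` verifies the hook order the encrypt hook needs, and `build_cmdline` assembles the parameters for the EFISTUB entry from the LUKS partition's UUID (read with `blkid -s UUID -o value` as shown in the gist). The `cryptdevice=UUID=...:cryptroot` parameter is the encrypt hook's way of naming the container and the mapper name to open it as; the mapper name `cryptroot`, the initramfs file name and the `efibootmgr` invocation printed at the end are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check mkinitcpio HOOKS and
# assemble the kernel command line for an encrypted root.

# Position (1-based) of hook $1 in the space-separated list $hooks; fails if absent.
hook_pos() {
    i=0
    for h in $hooks; do
        i=$((i + 1))
        [ "$h" = "$1" ] && { echo "$i"; return 0; }
    done
    return 1
}

# check_hooks "HOOKS=(...)"
# Succeeds only when keyboard and keymap come before encrypt and encrypt
# comes before filesystems, which is what the encrypt hook requires to be
# able to read the passphrase and unlock the container before mounting root.
check_hooks() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    kb=$(hook_pos keyboard) || return 1
    km=$(hook_pos keymap) || return 1
    en=$(hook_pos encrypt) || return 1
    fs=$(hook_pos filesystems) || return 1
    [ "$kb" -lt "$en" ] && [ "$km" -lt "$en" ] && [ "$en" -lt "$fs" ]
}

# build_cmdline LUKS_PARTITION_UUID
# Prints the kernel parameters: cryptdevice= names the LUKS container and the
# mapper name to open it as, root= is the decrypted device, initrd= the
# initramfs on the ESP (assumed file name; backslash because the firmware
# path separator is used).
build_cmdline() {
    uuid=$1
    case $uuid in
        ????????-????-????-????-????????????) ;;
        *) echo "invalid UUID: $uuid" >&2; return 1 ;;
    esac
    printf 'cryptdevice=UUID=%s:cryptroot root=/dev/mapper/cryptroot rw initrd=\\initramfs-linux.img\n' "$uuid"
}

# When run with a device argument on the target machine (as root), resolve the
# UUID with blkid and print the efibootmgr command to review before running it.
if [ "$#" -eq 1 ]; then
    check_hooks "$(grep '^HOOKS=' /mnt/etc/mkinitcpio.conf)" \
        || { echo "HOOKS order in /mnt/etc/mkinitcpio.conf is not usable for an encrypted root" >&2; exit 1; }
    uuid=$(blkid -s UUID -o value "$1") || exit 1
    cmdline=$(build_cmdline "$uuid") || exit 1
    echo "efibootmgr --disk /dev/nvme0n1 --part 1 --create --label 'Arch Linux' --loader /vmlinuz-linux --unicode '$cmdline'"
fi
```

Run as `sh check-encrypt.sh /dev/nvme0n1p2` after the HOOKS line has been edited; it prints the `efibootmgr` command rather than executing it, so the UUID and mapper name can be compared against `blkid` and `cryptsetup status cryptroot` first.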