Arch linux installation with full disk encryption via dm-crypt + LUKS

arch-uefi-luks-installation.txt

# This installation guide will create basic working arch linux installation with encryption.
# Encryption is implemented with dm-crypt + LUKS on a single disk.

# Following articles/posts/gists were used as reference
# https://www.happyassassin.net/2014/01/25/uefi-boot-how-does-that-actually-work-then/
# https://wiki.archlinux.org/index.php/Installation_guide
# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
# https://blog.tinned-software.net/automount-a-luks-encrypted-volume-on-system-start/
# https://gist.github.com/mattiaslundberg/8620837
# https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# https://bbs.archlinux.org/viewtopic.php?id=198754


# +-----------------------+------------------------+-----------------------+
# | Boot/EFI partition    | LUKS encrypted root    | Rest of the space     |
# | (unencrypted)         | partition              |                       |
# |                       |                        |                       |
# | /boot                 | /                      | /home                 |
# |                       |                        |                       |
# |                       | /dev/mapper/cryptroot  | /dev/mapper/crypthome |
# |-----------------------|------------------------|-----------------------|
# | /dev/nvme0n1p1        | /dev/nvme0n1p2         | /dev/nvme0n1p3        |
# +-----------------------+------------------------+-----------------------+


# | ------------------------- Preparing USB installer ------------------------- |

# Get arch linux image from https://www.archlinux.org/download/

# Make bootable USB
dd bs=4M if=path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync

# | ------------------------- System configuration (once arch installer is booted) ------------------------- |

# Load finnish keymap
loadkeys fi

# Connec to to wifi
iwctl
device list
station wlan0 scan
station wlan0 list
station wlan0 get-networks
station wlan0 connect MyNetwork

# Double check disks
lsblk

# Securely wipe entire disk with shred (https://wiki.archlinux.org/index.php/Securely_wipe_disk)
shred -v /dev/nvme1n1

# Check current partitions on device
fdisk -l /dev/nvme1n1

# Create partitions to device in interactive mode for each partition individually. Changes wont be made until saved in interactive mode.

# First create GPT partition table on the disk by pressing "g" in interactive mode
fdisk /dev/nvme1n1

# For /boot partition
#     type:   EFI System (1)
#     size:   +512MB       
# For / partition
#     type:   Linux x86-64 root (24) 
#     size :  +50G
# For /home partition use partition type:     
#     type:   Linux /home (28)
#     size:   (press enter for default and use rest of size)


# | ------------------------- Create /boot partition ------------------------- |
# TODO: add separate EFI and boot partition

# Format EFI partition 

mkfs.fat -F32 /dev/nvme1n1p1

mkfs.ext4 /dev/nvme1n1p2

# Create mount points
mkdir -p /mnt/boot/efi
mkdir /mnt/home

# Mount that shit (should be after encryption
mount /dev/nvme0n1p1 /mnt/boot/efi
mount /dev/nvme0n1p2 /mnt/boot

# | ------------------------- Encryption ------------------------- |

cryptsetup -y -v luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme1n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

# Check the mapping works as intended:
umount /mnt
cryptsetup close cryptroot
cryptsetup open /dev/nvme1n1p2 cryptroot
mount /dev/mapper/cryptroot /mnt

cryptsetup -y -v luksFormat /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 crypthome
mkfs.ext4 /dev/mapper/crypthome
mount /dev/mapper/crypthome /mnt/home

# Check the mapping works as intended:
umount /mnt/home
cryptsetup close crypthome
cryptsetup open /dev/nvme0n1p3 crypthome
mount /dev/mapper/crypthome /mnt/home

cryptsetup close crypthome

# create luks-keys dir for holding keys and add LUKS keyfile for /home partition that is placed inside root partition. This allows /home partition mountpoint to be booted once root partition is mounted and booted.
mkdir -p /mnt/etc/luks-keys & dd bs=512 count=4 if=/dev/random of=/mnt/etc/luks-keys/homefile iflag=fullblock

# deny any access for other users than root
chmod 600 /mnt/etc/luks-keys/homefile

# Map keyfile to /home partition (Previously entered passphrase will be asked)
cryptsetup -v luksAddKey /dev/nvme0n1p3 /mnt/etc/luks-keys/homefile

# Device already exists or busy error !! <----------------->

# Check that newly created keyfile works
cryptsetup -v open /dev/nvme0n1p3 crypthome --key-file /mnt/etc/luks-keys/homefile

# Get the UUID of the encrypted LUKS volume for both devices
cryptsetup luksDump /dev/nvme0n1p2
cryptsetup luksDump /dev/nvme0n1p3

# Create crypttab entry which is loaded before fstab. And add following lines formatted accordingly with your device UUIDs
# https://www.freedesktop.org/software/systemd/man/crypttab.html
echo "/dev/mapper/crypthome UUID=0a5f4c0e-7659-4278-a1a5-d27fc24296d5 /etc/luks-keys/homefile" >> /mnt/etc/crypttab

# | ------------------------- Kernel & package installation ------------------------- |

# Install linux kernel and basic arch system and other software to root mountpoint
pacstrap /mnt base base-devel vim git efibootmgr dialog wpa_supplicant

# Update mkinitcpio hooks with (keyboard, keymap and encrypt) following line
# HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)
vim /mnt/etc/mkinitcpio.conf

genfstab -U /mnt >> /mnt/etc/fstab

# Generate an fstab file with UUIDs
genfstab -U /mnt >> /mnt/etc/fstab

# chroot to new system
arch-chroot /mnt

# Change root passwordder on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, en
passwd

# | ------------------------- Time ------------------------- |
# Time zone
 ln -sf /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
 # Set hardware clock to UTC
 hwclock --systohc
 
# | ------------------------- Localization ------------------------- |
 # Uncomment required localizations.
 # en_US.UTF-8 UTF-8
 # fi_FI.UTF-8 UTF-8
 vim /etc/locale.gen
  
# Change system lang to LANG=en_US.UTF-8
echo "LANG=en_US.UTF-8" >> /etc/locale.conf

# Make keyboard layout persistent
echo "KEYMAP=fi" > /etc/vconsole.conf

 # Regenerate locales
locale-gen

# | ------------------------- Network configuration ------------------------- |
# Update hostname
# Add myhostname
echo "myhostname" > /etc/hostname
#Add maching entries to /etc/hosts
# 127.0.0.1	localhost
# ::1		localhost
# 127.0.1.1	myhostname.localdomain	myhostname
vim /etc/hosts

# Generate your initrd image

mkinitcpio -p linux

# | ------------------------- Kernel parameters ------------------------- |
# Add kernel parameters for efibootmgr 
# The root= parameter specifies the device of the actual (decrypted) root file system. 
# Since the file system is formatted directly on the decrypted device file this will be /dev/mapper/cryptroot
# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr

# Kernel headers for encryption
# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux" --loader /boot/vmlinuz-linux --unicode 'cryptdevice=UUID=7b8b37df-d0df-42ca-9e8e-79dd2b462e07:cryptroot root=UUID=ac2e8489-3768-4a87-bd0a-8876325921ba rw initrd=/boot/initramfs-linux.img' --verb