Skip to content

Instantly share code, notes, and snippets.

@physics-sec

physics-sec/arch-install_2-disks_LUKS-on-LVM_UEFI.sh

Created May 20, 2020 03:30
Show Gist options
  • Save physics-sec/0b76f2e0601fd042ced257781363125b to your computer and use it in GitHub Desktop.
Save physics-sec/0b76f2e0601fd042ced257781363125b to your computer and use it in GitHub Desktop.
Download ZIP
Install Arch Linux on an SSD, add a HDD as an extra directory, encrypt everything.
Raw
arch-install_2-disks_LUKS-on-LVM_UEFI.sh
# The idea is install arch in a SSD and add a HDD disk as an 'extra' folder.
# Encript everything with LUKS on LVM
# Use UEFI
# Use a very simple layout, almost no disk partitioning
# select the correct keyboard layout
loadkeys la-latin1 # la-latin1 is just an example
# get an internet connection
wifi-menu
# set ntp
timedatectl set-ntp true
# get the disk layout
fdisk -l
# format the fisrt disk (small SSD)
fdisk /dev/sda
# show current partitions
p
# create EFI partition
g # to create an empty GPT partition table
n
enter
enter
+300M
t
1 # for EFI
# create boot partition
n
enter
enter
+400M
# create LVM partition
n
enter
enter
enter
t
enter
30
# show current partitions again
p
# finalize partition changes
w
# format the second disk (big SSD)
fdisk /dev/sdb
# show current partitions
p
# create LVM partition
g # to create an empty GPT partition table
n
enter
enter
enter
t
30
# show current partitions again
p
# finalize partition changes
w
# format the EFI partition
mkfs.fat -F32 /dev/sda1
# format the boot partition
mkfs.ext4 /dev/sda2
# preparing the logical volumes
pvcreate /dev/sda3
vgcreate volgroup1 /dev/sda3
lvcreate -l 100%FREE -n lv_root volgroup1 # I don't separate in root, home, etc.
# set up encryption
cryptsetup -y luksFormat /dev/volgroup1/lv_root
cryptsetup open /dev/volgroup1/lv_root root
# format the root partition
mkfs.ext4 /dev/mapper/root
# mount the root partition
mount /dev/mapper/root /mnt
# create the boot partition mount directory
mkdir /mnt/boot
# mount the boot partition
mount /dev/sda2 /mnt/boot
# choose the best mirror
pacman -Sy reflector
reflector --verbose --latest 100 --sort rate --save /etc/pacman.d/mirrorlist
# install the main system
pacstrap /mnt base base-devel linux linux-firmware
# generate the fstab file
genfstab -U /mnt >> /mnt/etc/fstab
# chroot into the syetem
arch-chroot /mnt
# set up the timezone
ln -sf /usr/share/zoneinfo/<?>/<?> /etc/localtime
# set up the hardware clock
hwclock --systohc
# install vim
pacman -S vim
# set up the locale
vim /etc/locale.gen # uncomment your locale
locale-gen
# set up the hostname
echo your_hostname > /etc/hostname
vim /etc/hosts
## write:
# 127.0.0.1 localhost
# ::1 localhost
# 127.0.1.1 your_hostname.localdomain your_hostname
# install and enable the network manager
pacman -S networkmanager
systemctl enable NetworkManager
# install the lvm2 package
pacman -S lvm2
# set up the kernel hooks
vim /etc/mkinitcpio.conf
## replace:
# MODULES=()
## for
# MODULES=(dm-mod)
## replace:
# HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
## for
# HOOKS=(base udev autodetect keyboard keymap modconf block lvm2 encrypt filesystems fsck)
# run mkinitcpio
mkinitcpio -p linux
# set the password of the root user
passwd
# create a normal user and set the password
useradd -m -G wheel,storage,power -s /bin/bash user
passwd user
# allow the wheel group to run sudo
EDITOR=vim visudo
## replace
# #%wheel ALL=(ALL) ALL
## for
# %wheel ALL=(ALL) ALL
# install GRUB on UEFI
pacman -S grub efibootmgr
mkdir /boot/efi
mount /dev/sda1 /boot/efi
grub-install --target=x86_64-efi --bootloader-id=GRUB --efi-directory=/boot/efi
# configure the boot loader
vim /etc/default/grub
## replace
# #GRUB_ENABLE_CRYPTODISK=y
## for
# GRUB_ENABLE_CRYPTODISK=y
## Add to the GRUB_CMDLINE_LINUX_DEFAULT line:
# cryptdevice=/dev/volgroup1/lv_root:root root=/dev/mapper/root
# create the GRUB config file
grub-mkconfig -o /boot/grub/grub.cfg
# create the swap file
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab # don't forget the '-a'
# install gnome (you might want something different)
pacman -S gdm
systemctl enable gdm
pacman -S gnome gnome-extra gnome-terminal nautilus gnome-tweaks gnome-control-center gnome-backgrounds arc-gtk-theme
# install firefox (why not?)
pacman -S firefox
# install microcode
pacman -S amd-ucode # ONLY for AMD
pacman -S intel-ucode # ONLY for INTEL
grub-mkconfig -o /boot/grub/grub.cfg # for both
# exit the instalation
exit
# unmount everything
umount -R /mtn # if you see errors that's ok
# reboot
reboot
# after the first boot...
# create the key directory
mkdir -m 700 /etc/luks-keys
# create the key
dd if=/dev/random of=/etc/luks-keys/extra bs=1 count=256
# set up LVM on the second disk
pvcreate /dev/sdb1
vgcreate volgroup2 /dev/sdb1
lvcreate -l 100%FREE -n lv_extra volgroup2
# set up LUKS on the second disk
cryptsetup luksFormat -v -s 512 /dev/volgroup2/lv_extra /etc/luks-keys/extra
cryptsetup -d /etc/luks-keys/extra open --type luks /dev/volgroup2/lv_extra extra
# format the second disk
mkfs.ext4 /dev/mapper/extra
# mount the second disk in the /extra directory
mkdir /extra
mount /dev/mapper/extra /extra
# set up crypttab so that arch knows how to decrypt it
vim /etc/crypttab
## add this line at the end
# extra /dev/volgroup2/lv_extra /etc/luks-keys/extra
# set up fstab so that arch knows how to mount it
vim /etc/fstab
## add this line at the end
# /dev/mapper/extra /extra ext4 defaults 0 2
# reboot and enjoy
reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment