
@yavorski
Created November 23, 2024 12:46
Arch Linux Full Disk Encryption

Arch Linux

SSH Remote Installation


Enable ssh service from the live iso installation media

passwd
ip addr
systemctl status sshd
systemctl start sshd

Create screen session

screen -S share-screen

SSH to remote host and screen session

ssh root@<ip>   # the address shown by `ip addr` on the live iso
screen -x share-screen

Arch Linux Install

Arch Linux - full disk encryption install

Remap CAPS-LOCK to CTRL

loadkeys <<EOF
keymaps 0-127
keycode 58 = Control
EOF

Disable beep

sudo rmmod pcspkr

Network

Ensure your network interface is listed and enabled, for example with ip-link(8):

ip link

Connect to wi-fi

wifi-menu -o
iwctl device list
iwctl station <wlan0> scan
iwctl station <wlan0> get-networks
iwctl station <wlan0> connect <SSID>

Connect to ethernet

dhcpcd

Check network

ping 1.1.1.1 -c 4

Configure mirrorlist

curl -L 'https://archlinux.org/mirrorlist/?country=all&protocol=https&ip_version=4' >> /etc/pacman.d/mirrorlist
vim /etc/pacman.d/mirrorlist

Refresh pacman db and install reflector

pacman -Syyy
pacman -S reflector
reflector --protocol https --latest 32 --age 24 --sort rate --sort score --sort country --save /etc/pacman.d/mirrorlist

Install terminus-font

pacman -Sy terminus-font
setfont ter-v18b

Verify the uefi/boot mode

List the efivars directory:

efivar --list
ls /sys/firmware/efi/efivars

Clock

Update the system clock

timedatectl set-ntp true
timedatectl status

Partition the disks

fdisk -l

The following partitions are required for full disk encryption with an encrypted boot partition:

| Mount point | Partition      | Partition type   | Encryption | Size  |
|-------------|----------------|------------------|------------|-------|
| /mnt/efi    | /dev/nvme0n1p1 | EFI System       | -          | 2GB   |
| /mnt/boot   | /dev/nvme0n1p2 | Linux filesystem | luks1      | 2GB   |
| /mnt        | /dev/nvme0n1p3 | Linux LVM        | luks2      | 256GB |

Start fdisk

fdisk /dev/nvme0n1
  1. Create new partition table
  • g - create new GPT partition table
  2. Create EFI partition
  • n - Add new partition
  • 1 - Partition number
  • Enter - For first sector
  • +2G - For last sector
  • t - Change partition type
  • 1 - Partition type - (1) EFI System
  3. Create boot partition
  • n - Add new partition
  • 2 - Partition number
  • Enter - For first sector
  • +2G - For last sector
  • t - Change partition type
  • 2 - Number of partition
  • 20 - Partition type - (20) Linux filesystem
  4. Create LVM partition
  • n - Add new partition
  • 3 - Partition number
  • Enter - For first sector
  • +256G | Enter - For last sector
  • t - Change partition type
  • 3 - Number of partition
  • 44 - Partition type - (44) Linux LVM
  5. Save changes
  • p - print partition table
  • w - write table to disk and exit

Setup lvm & encryption

cryptsetup -y -v luksFormat --type luks1 /dev/nvme0n1p2
cryptsetup open --type luks1 /dev/nvme0n1p2 kboot

cryptsetup -y -v luksFormat /dev/nvme0n1p3
cryptsetup open --type luks /dev/nvme0n1p3 lvm

pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm

lvcreate -L 16GB vg -n lv-swap
lvcreate -L 128GB vg -n lv-root
lvcreate -l 100%FREE -n lv-home vg

# load device mapper kernel module
lsmod | grep dm_mod
modprobe dm_mod

vgscan
vgchange -ay
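The two luksFormat steps above use cryptsetup's defaults. The script below is an added example (not part of the gist) that performs the same formats with an explicit unlock cost, checks each header before the install continues, and stores a header backup; the device paths are the guide's, while BACKUP_DIR, the iteration time and the argon2id choice are assumptions. The luksDump parsing functions are pure and can be run on captured output without touching a disk.

```shell
#!/bin/sh
# Added example, not part of the gist: the same two luksFormat steps with an explicit
# unlock cost, a header check before continuing, and a header backup. Device paths
# are the guide's; BACKUP_DIR is an assumption and must be somewhere other than the
# disk being encrypted (a damaged LUKS header makes the volume unrecoverable).

BACKUP_DIR=${BACKUP_DIR:-/run/luks-headers}

# luks_version DUMP: header version ("1" or "2") from `cryptsetup luksDump` output.
luks_version() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*\([0-9]\).*/\1/p' | head -n 1
}

# luks_enabled_slots DUMP: number of enabled key slots. LUKS1 prints
# "Key Slot N: ENABLED", LUKS2 lists "  N: luks2" under "Keyslots:".
luks_enabled_slots() {
    printf '%s\n' "$1" | grep -cE '^Key Slot [0-7]: ENABLED|^[[:space:]]+[0-9]+: luks2$' || true
}

# luks_format_boot DEV: LUKS1 (the format GRUB unlocks); PBKDF2 only, so raise the
# iteration time above the 2 s default to slow offline guessing of the passphrase.
luks_format_boot() {
    cryptsetup -y -v luksFormat --type luks1 --iter-time 4000 "$1"
}

# luks_format_root DEV: LUKS2 with argon2id, unlocked by the initramfs encrypt hook.
luks_format_root() {
    cryptsetup -y -v luksFormat --type luks2 --pbkdf argon2id "$1"
}

# luks_verify DEV VERSION: refuse to continue unless the header is the expected
# version and has at least one enabled key slot.
luks_verify() {
    dump=$(cryptsetup luksDump "$1")
    v=$(luks_version "$dump")
    n=$(luks_enabled_slots "$dump")
    if [ "$v" = "$2" ] && [ "$n" -ge 1 ]; then
        return 0
    fi
    echo "$1: LUKS version '$v' with $n enabled slot(s); expected version $2" >&2
    return 1
}

# luks_backup_header DEV: copy the header (including key slots) to BACKUP_DIR, root-only.
luks_backup_header() {
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/$(basename "$1").luksHeader"
    cryptsetup luksHeaderBackup "$1" --header-backup-file "$out"
    chmod 600 "$out"
}

# Destructive; only runs when explicitly requested with LUKS_FORMAT=1.
if [ "${LUKS_FORMAT:-0}" = 1 ]; then
    luks_format_boot /dev/nvme0n1p2 && luks_verify /dev/nvme0n1p2 1 && luks_backup_header /dev/nvme0n1p2
    luks_format_root /dev/nvme0n1p3 && luks_verify /dev/nvme0n1p3 2 && luks_backup_header /dev/nvme0n1p3
fi
```

Run as `LUKS_FORMAT=1 sh luks-setup.sh` from the live iso after partitioning; the header backups contain the key slots, so they should be moved to removable media and deleted from the live environment before rebooting.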

Make fs

mkswap /dev/vg/lv-swap
swapon /dev/vg/lv-swap

mkfs.ext4 /dev/vg/lv-root
mount /dev/vg/lv-root /mnt

mkdir /mnt/boot
mkfs.ext4 /dev/mapper/kboot
mount /dev/mapper/kboot /mnt/boot

mkdir /mnt/home
mkfs.ext4 /dev/vg/lv-home
mount /dev/vg/lv-home /mnt/home

# EFI partition: format now, mount later from inside the chroot
mkfs.vfat -F32 /dev/nvme0n1p1

Install Arch Linux

pacstrap -i /mnt base base-devel vi vim
genfstab -U /mnt >> /mnt/etc/fstab

Add the LUKS UUID of /dev/nvme0n1p2 (the kboot container) to the new system's crypttab so /boot is unlocked and mounted at boot. This runs before arch-chroot, so the file is /mnt/etc/crypttab; the options field takes `luks` (the header itself records that the container is LUKS1)

echo "kboot UUID=$(blkid --match-tag UUID --output value /dev/nvme0n1p2) none luks" | tee -a /mnt/etc/crypttab

Enter arch-chroot


Install base system

arch-chroot /mnt

pacman-key --init
pacman-key --populate archlinux

pacman -S grub efibootmgr os-prober linux linux-headers linux-firmware mkinitcpio lvm2 terminus-font ttf-dejavu

echo KEYMAP=us > /etc/vconsole.conf
echo FONT=ter-v18b >> /etc/vconsole.conf

Configure mkinitcpio

vim /etc/mkinitcpio.conf
  • Add to BINARIES -> setfont
  • Add to HOOKS -> consolefont before block
  • Add to HOOKS -> encrypt lvm2 between block and filesystems

File /etc/mkinitcpio.conf should look like this:

# /etc/mkinitcpio.conf
BINARIES=(setfont)
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

Generate initial ramdisk environment for booting the Linux kernel based on the specified preset:

mkinitcpio -p linux

Edit/Configure grub config

vim /etc/default/grub
  • Uncomment GRUB_ENABLE_CRYPTODISK=y
  • Add cryptdevice=/dev/nvme0n1p3:vg to GRUB_CMDLINE_LINUX
  • Add GRUB_EARLY_INITRD_LINUX_STOCK="" so GRUB does not load microcode itself; the initramfs microcode hook handles it

# /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
GRUB_EARLY_INITRD_LINUX_STOCK=""
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:vg"
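Both files edited above (the HOOKS line in /etc/mkinitcpio.conf and /etc/default/grub) fail silently when an entry is missing or in the wrong order: the result is a kernel that cannot find its root device or a GRUB that cannot read /boot, discovered only after reboot. The following is an added example (not part of the gist) of a pre-reboot check run inside the chroot; the file paths are the real ones, and the functions also accept any file or string so the checks can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not part of the gist: a pre-reboot sanity check for the two config
# files this guide edits inside the chroot. It verifies the HOOKS order that an
# encrypted LVM root with a passphrase prompt needs, and the GRUB settings that let
# GRUB unlock the LUKS1 /boot. File paths are the real ones; the functions also take
# any file/string so they can be exercised on constructed input.

# hook_before LIST FIRST SECOND: succeed if FIRST occurs before SECOND in LIST.
hook_before() {
    i=0; pos_first=""; pos_second=""
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && [ -z "$pos_first" ] && pos_first=$i
        [ "$h" = "$3" ] && [ -z "$pos_second" ] && pos_second=$i
    done
    [ -n "$pos_first" ] && [ -n "$pos_second" ] && [ "$pos_first" -lt "$pos_second" ]
}

# hooks_from_conf FILE: print the space-separated contents of HOOKS=(...).
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1"
}

# check_hooks "LIST": keyboard before encrypt (typing the passphrase), consolefont
# before block (readable prompt), block -> encrypt -> lvm2 -> filesystems (each
# layer needs the previous one to expose its device). Prints every violation.
check_hooks() {
    rc=0
    for pair in keyboard:encrypt consolefont:block block:encrypt encrypt:lvm2 lvm2:filesystems; do
        a=${pair%%:*}; b=${pair#*:}
        hook_before "$1" "$a" "$b" || { echo "HOOKS: '$a' must come before '$b'"; rc=1; }
    done
    return $rc
}

# check_grub FILE: GRUB must be told to open LUKS devices and to pass cryptdevice= to the kernel.
check_grub() {
    rc=0
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" \
        || { echo "grub: GRUB_ENABLE_CRYPTODISK=y is missing or commented out"; rc=1; }
    grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$1" \
        || { echo "grub: GRUB_CMDLINE_LINUX lacks cryptdevice=..."; rc=1; }
    return $rc
}

# precheck: run both checks against the real files; exit status is usable in scripts.
precheck() {
    check_hooks "$(hooks_from_conf /etc/mkinitcpio.conf)" && check_grub /etc/default/grub
}

# Only report when both files exist (i.e. inside the installed system or chroot).
if [ -f /etc/mkinitcpio.conf ] && [ -f /etc/default/grub ]; then
    precheck && echo "precheck: OK" || echo "precheck: FAILED (fix before mkinitcpio -p linux / grub-mkconfig)"
fi
```

Run it in the chroot before `mkinitcpio -p linux` and `grub-mkconfig`; every violation is printed, so a failed run says exactly which hook or GRUB variable to fix.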

Mount EFI

mkdir /boot/EFI
mount /dev/nvme0n1p1 /boot/EFI
# genfstab ran before this mount, so add a /boot/EFI entry to /etc/fstab if the EFI partition should be mounted at boot

Install GRUB

grub-install --target=x86_64-efi --bootloader-id=grub_uefi --recheck

mkdir /boot/grub/locale
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

grub-mkconfig -o /boot/grub/grub.cfg

Setup GRUB Font

pacman -S freetype2
grub-mkfont --output /boot/grub/fonts/ter.pf2 --size 20 /usr/share/fonts/misc/ter-x20b.pcf.gz
echo "GRUB_FONT=/boot/grub/fonts/ter.pf2" >> /etc/default/grub
grub-mkconfig --output /boot/grub/grub.cfg

Configure password

passwd

Configure locale

ln -sf /usr/share/zoneinfo/Europe/Sofia /etc/localtime

hwclock --systohc
hwclock --systohc --utc

vim /etc/locale.gen

# uncomment in /etc/locale.gen:
# en_US.UTF-8 UTF-8
# en_GB.UTF-8 UTF-8
# bg_BG.UTF-8 UTF-8

locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
echo LC_TIME=en_GB.UTF-8 >> /etc/locale.conf

Configure network

Configure network with iwd or networkmanager

pacman -S iwd
echo arch > /etc/hostname

vim /etc/hosts
# /etc/hosts
::1 localhost
127.0.0.1 localhost
127.0.1.1 arch.local arch

vim /etc/resolv.conf
# /etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.8.4

vim /etc/iwd/main.conf
# /etc/iwd/main.conf
[General]
EnableNetworkConfiguration=true

[Network]
NameResolvingService=systemd

Enable Network Services

systemctl enable iwd
systemctl enable systemd-networkd
systemctl enable systemd-resolved

Exit arch-chroot

exit

Reboot

umount -R /mnt
reboot

Arch Linux Post Install


pacman -Syu

Microcode

  • For AMD processors, install the amd-ucode package.
  • For Intel processors, install the intel-ucode package.
  • Add microcode hook in /etc/mkinitcpio.conf
  • Delete ALL_microcode=(/boot/*-ucode.img) from /etc/mkinitcpio.d/linux.preset
  • Arch wiki -> https://wiki.archlinux.org/index.php/Microcode
pacman -S amd-ucode   # or intel-ucode, matching the CPU
grub-mkconfig -o /boot/grub/grub.cfg

Install GPU drivers

PipeWire

pacman -S pipewire
pacman -S pipewire-alsa
pacman -S pipewire-audio
pacman -S pipewire-jack
pacman -S pipewire-pulse
pacman -S wireplumber

Improve SSD perf and lifespan

sudo systemctl enable --now fstrim.timer

Basic Firewall

pacman -S ufw
ufw enable
ufw status verbose
systemctl enable ufw

DNS with DNSSEC validation

pacman -S unbound expat
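Installing unbound alone does not validate anything; the resolver has to be configured with a trust anchor and pointed at by the system. The script below is an added example (not part of the gist) of a minimal hardened unbound configuration with DNSSEC validation, plus a check that answers really come back validated. Assumptions: unbound runs as the `unbound` user (the Arch package default), the root trust anchor is kept at /etc/unbound/root.key (a path chosen here and maintained by unbound-anchor), and /etc/resolv.conf is changed to `nameserver 127.0.0.1` in place of the public resolvers listed earlier.

```shell
#!/bin/sh
# Added example, not part of the gist: a validating local resolver with unbound.
# Assumptions: unbound runs as the "unbound" user (Arch package default), the trust
# anchor lives at /etc/unbound/root.key (path chosen here, created by unbound-anchor),
# and /etc/resolv.conf will point at 127.0.0.1.

ANCHOR=/etc/unbound/root.key
CONF=/etc/unbound/unbound.conf

# unbound_conf: print a minimal hardened config. Listens on loopback only, refuses
# other clients, validates DNSSEC from the RFC 5011-maintained root anchor, and
# fails closed (SERVFAIL) on answers whose signatures were stripped in transit.
unbound_conf() {
    cat <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    auto-trust-anchor-file: "$ANCHOR"
EOF
}

# dnssec_status TEXT: classify `unbound-host -v` output. Prints secure/insecure/bogus
# and returns 0 only when every answer line is marked (secure).
dnssec_status() {
    if printf '%s\n' "$1" | grep -q '(BOGUS'; then
        echo bogus; return 1
    fi
    answers=$(printf '%s\n' "$1" | grep -cE '\((secure|insecure)\)$' || true)
    secure=$(printf '%s\n' "$1" | grep -c '(secure)$' || true)
    if [ "$answers" -gt 0 ] && [ "$answers" -eq "$secure" ]; then
        echo secure; return 0
    fi
    echo insecure; return 1
}

# unbound_apply: write the config, fetch/refresh the root trust anchor, validate the
# file and start the service. unbound-anchor exits 1 when it (re)wrote the anchor,
# which is not an error here.
unbound_apply() {
    unbound_conf > "$CONF"
    unbound-anchor -a "$ANCHOR" || true
    chown unbound:unbound "$ANCHOR"   # unbound rewrites the anchor on a key rollover
    unbound-checkconf "$CONF"
    systemctl enable --now unbound
}

# unbound_verify [NAME]: resolve through the local config and require a validated answer.
unbound_verify() {
    dnssec_status "$(unbound-host -C "$CONF" -v "${1:-archlinux.org}")"
}

# Only touches the system when explicitly requested with UNBOUND_APPLY=1.
if [ "${UNBOUND_APPLY:-0}" = 1 ]; then
    unbound_apply && unbound_verify
fi
```

After `UNBOUND_APPLY=1 sh unbound-setup.sh` prints `secure`, switch /etc/resolv.conf to `nameserver 127.0.0.1` (or, when systemd-resolved stays in use as in the network section above, set `DNS=127.0.0.1` in /etc/systemd/resolved.conf); a zone whose signatures fail validation then answers with SERVFAIL instead of a forged record.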

Check for errors

systemctl --failed
journalctl -p 3 -xb

Add user

useradd -m -g users -G wheel <user>
passwd <user>
EDITOR=vim visudo
# uncomment the %wheel ALL=(ALL:ALL) ALL line
pacman -S sudo

Additions


Install crontab & powertop

Powertop

pacman -S powertop
powertop --auto-tune

Cronie

pacman -S cronie
crontab -e
crontab -l

Cron list

@reboot sleep 60 && powertop --auto-tune
@reboot sleep 10 && brightnessctl --device platform::micmute set 0

Dev Tools

pacman -S git git-delta
pacman -S curl wget rsync
pacman -S procs htop bottom
pacman -S bat man tldr
pacman -S tree eza lsd zoxide
pacman -S duf dust
pacman -S fx tokei
pacman -S fd fzf skim ripgrep the_silver_searcher
pacman -S helix neovim neovide
pacman -S starship
pacman -S alacritty kitty
pacman -S llvm gcc clang cmake python rust nodejs npm typescript

pacman -S xorg-xdpyinfo xorg-xprop xorg-xrandr xorg-xwininfo
pacman -S fastfetch neofetch catimg chafa feh imagemagick jp2a libcaca nitrogen

Fonts

pacman -S terminus-font gnu-free-fonts cantarell-fonts powerline-fonts \
  otf-font-awesome noto-fonts-emoji adobe-source-code-pro-fonts

pacman -S ttf-ibm-plex ttf-jetbrains-mono ttf-ubuntu-font-family
# from the AUR: ttf-intel-one-mono

pacman -S ttf-font-nerd ttf-ubuntu-mono-nerd ttf-ibmplex-mono-nerd \
  ttf-jetbrains-mono-nerd ttf-nerd-fonts-symbols-mono ttf-nerd-fonts-symbols-common   # alacritty fallbacks

Sway Window Manager

pacman -S sway swaybg swayimg swayidle swaylock swaync waybar nwg-bar

Hyprland Window Manager

pacman -S hyprland hypridle hyprlock hyprcursor hyprutils hyprpaper hyprwayland-scanner
pacman -S wofi fuzzel cosmic-files
pacman -S waybar nwg-bar nwg-look swaync
pacman -S xdg-desktop-portal-gtk xdg-desktop-portal-hyprland
pacman -S brightnessctl power-profiles-daemon
# from the AUR (via an AUR helper): hyprsysteminfo hyprlauncher

Login / Display Manager

Ly

pacman -S ly
systemctl enable ly.service
systemctl disable getty@tty2.service

Lemurs

pacman -S lemurs
systemctl disable display-manager.service
systemctl enable lemurs.service

Info pacman

  • pacman -Ss <keyword> - search package
  • pacman -R <package-name> - remove pkg
  • pacman -Rs <package-name> - remove pkg with dependencies
  • pacman -Q - list all install packages
  • pacman -Qi <package-name> - info and reason for installation
  • pacman -Qm <package-name> - look for foreign dependencies
  • pacman -Qdt - list all packages no longer required as dependencies
  • pacman -Qet - list all packages explicitly installed and not required as dependencies
  • pacman -R $(pacman -Qdtq) - remove all of these unnecessary packages
  • pactree <package-name> - view the dependency tree of a package

Options:

  • pacman has a color option. -> Uncomment the Color line in /etc/pacman.conf
  • pacman has a ParallelDownloads option. -> Set the ParallelDownloads line in /etc/pacman.conf

Info paccache

A pacman cache cleaning utility

  • paccache -d - Perform a dry-run and show the number of candidate packages for deletion
  • paccache -r - Remove all but the 3 most recent package versions from the pacman cache
  • paccache -rk 3 - Set the number of package versions to keep

Misc

Auto update mirror list

Make bootable usb with dd

dd if=<file> of=<device> bs=4M; sync
dd if=arch-linux.iso of=/dev/sda bs=4M status=progress; sync   # whole device, not a partition

Update uefi-bios

geteltorito.pl -o <image>.img <image>.iso
geteltorito.pl -o uefi_bios.img r10ur26w.iso
sudo dd if=uefi_bios.img of=/dev/sda bs=512K