Introduction
In this guide we will show you how to install Arch Linux with full disk encryption using the Logical Volume Manager (LVM) on an EFI system. We will use LUKS for the disk encryption. Basically, we need to set up our hard drive first, and then we can follow pretty much the standard installation method.
Step 1 – HDD Partition
Run the lsblk command to see the partition structure of the hard drive on which you want to install Arch. In my case it’s sda.
To start partitioning, run this command:
    cgdisk /dev/sda

Create boot
Remember we are setting up a system with EFI. Use the keyboard to select the free space:
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition. In my case I will give boot 1GB
- Size in Sector -> 1GiB -> Enter
- Hex Code or GUID (L to show codes, Enter = 8300) -> EF00 -> Enter
- Enter partition name -> boot -> Enter
You will notice a 1007.0 KiB BIOS boot partition has also been created. This is normal and needed!

Create LVM Partition
To use encryption on top of LVM, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
Here we are going to create only one partition, the LVM partition.
Use the keyboard to select the free space:
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition
- Size in Sector -> xGB -> Enter
- Hex Code or GUID (L to show codes, Enter = 8300) -> Enter
- Enter partition name -> Enter

Now if you run lsblk you will see the structure:

Step 2 – Preparing the logical volumes
We will first encrypt root and then home and swap partitions!
Now create the LVM partitions root, swap and home. Here sda2 is the second partition we created, the LVM partition.
    pvcreate /dev/sda2
    vgcreate Vol /dev/sda2
    lvcreate -L 10G -n root Vol
    lvcreate -L 500M -n swap Vol
    lvcreate -l 100%FREE -n home Vol
Now encrypt the partition, format it and mount it:
    cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/mapper/Vol-root
    cryptsetup open /dev/mapper/Vol-root root
    mkfs.ext4 /dev/mapper/root
Important!! We need to format the boot partition as well! It has to be FAT32 (EFI requirement):
    mkfs.vfat -F32 /dev/sda1
Finally mount all partitions:
    mount /dev/mapper/root /mnt
    mkdir /mnt/boot
    mount /dev/sda1 /mnt/boot
Note here that we are not mounting home and swap yet!
Step 3 – Install Arch Linux
Well, here you need to follow the standard arch-linux installation guide! You can find one here:
Step 4 – Post Installation config
Configuring mkinitcpio
Add the keyboard, keymap, lvm2 and encrypt hooks to mkinitcpio.conf:
    HOOKS="... keyboard keymap modconf block lvm2 encrypt ... filesystems fsck"
Generate the initial ramdisk:
    mkinitcpio -p linux
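With LUKS on top of LVM, the encrypt hook can only find the root container after lvm2 has activated the volume group, and it can only prompt for the passphrase if keyboard and keymap ran before it. As an added example (not part of the original guide; the function names hook_pos and check_hooks and the sample file are made up here), this shell check verifies that ordering in a mkinitcpio.conf before the ramdisk is generated:

```shell
# Hypothetical helper: print the 1-based position of hook $1 in the list $2 (0 if absent).
hook_pos() {
    want=$1; pos=0; i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then pos=$i; break; fi
    done
    echo "$pos"
}

# check_hooks FILE: returns 0 if the active HOOKS line suits LUKS on LVM, 1 otherwise.
check_hooks() {
    # Last uncommented HOOKS= line, with the surrounding quotes or parentheses removed.
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=[("]\([^)"]*\)[)"].*$/\1/p' "$1" | tail -n 1)
    if [ -z "$hooks" ]; then echo "no HOOKS line in $1"; return 1; fi
    rc=0
    # Each pair a:b means both hooks must be present and a must run before b.
    for pair in keyboard:encrypt keymap:encrypt block:lvm2 lvm2:encrypt encrypt:filesystems; do
        a=${pair%%:*}; b=${pair##*:}
        pa=$(hook_pos "$a" "$hooks"); pb=$(hook_pos "$b" "$hooks")
        if [ "$pa" -eq 0 ] || [ "$pb" -eq 0 ]; then
            echo "missing hook: need both $a and $b"; rc=1
        elif [ "$pa" -ge "$pb" ]; then
            echo "wrong order: $a must run before $b"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not a real system's file): encrypt is listed before lvm2.
sample=$(mktemp)
printf 'HOOKS="base udev keyboard keymap modconf block encrypt lvm2 filesystems fsck"\n' > "$sample"
check_hooks "$sample" || echo "fix HOOKS before running mkinitcpio -p linux"
rm -f "$sample"
```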
Configure Boot-loader
Edit /etc/default/grub:
    ...
    GRUB_CMDLINE_LINUX="... cryptdevice=/dev/Vol/root:root:allow-discards root=/dev/mapper/root ..."
    GRUB_ENABLE_CRYPTODISK=y
    ...
Setup GRUB2 with the following two commands:
    grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --recheck
    grub-mkconfig -o /boot/grub/grub.cfg
Here is an example configuration file for an encrypted root partition (DM-Crypt / LUKS) using the encrypt mkinitcpio hook:
    # /boot/loader/entries/arch-encrypted.conf
    title Arch Linux Encrypted
    linux /vmlinuz-linux
    initrd /initramfs-linux.img
    options cryptdevice=UUID=<UUID>:<mapped-name> root=/dev/mapper/<mapped-name> quiet rw
To find the UUID of the drive use:
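    # cryptdevice= needs the UUID of the LUKS container (the logical volume), not of the opened /dev/mapper/root
    blkid -s UUID -o value /dev/mapper/Vol-root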
So assuming the above partitions, it can look like this:
    # /boot/loader/entries/arch-encrypted-lvm.conf
    # The mapped name is root, as in the cryptsetup open command and the GRUB setting above
    title Arch Linux Encrypted LVM
    linux /vmlinuz-linux
    initrd /initramfs-linux.img
    options cryptdevice=UUID=<UUID>:root root=/dev/mapper/root quiet rw
Encrypting logical volume home
Since this scenario uses LVM as the primary and dm-crypt as secondary mapper, each encrypted logical volume requires its own encryption. We are going to encrypt home with both a password and a keyfile.
Let’s generate the keyfile first:
    mkdir -m 700 /etc/luks-keys
    dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress
Encrypt home first using a password and then add the generated keyfile:
    cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/mapper/Vol-home
    cryptsetup luksAddKey /dev/mapper/Vol-home /etc/luks-keys/home
Open, format and mount home:
    cryptsetup -d /etc/luks-keys/home open /dev/Vol/home home
    mkfs.ext4 /dev/mapper/home
    mount /dev/mapper/home /home
Configuring fstab and crypttab
Both crypttab and fstab entries are required: crypttab to unlock the devices and fstab to mount the filesystems. The temporary swap filesystem will be re-encrypted on each reboot.
crypttab
    # edit crypttab
    nano /etc/crypttab
    # and add (the devices are the swap and home logical volumes created in Vol above):
    swap /dev/Vol/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
    home /dev/Vol/home /etc/luks-keys/home
fstab
    # edit fstab
    nano /etc/fstab
    # and add:
    /dev/mapper/swap none swap defaults,pri=-2 0 0
    /dev/mapper/home /home ext4 defaults 0 2
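A crypttab line keyed from /dev/urandom with the swap option re-keys and reformats whatever device it names at every boot, so a wrong device path is destructive, and an fstab entry without a matching crypttab name never gets unlocked. As an added example (not part of the original guide; check_tabs and the sample files are made up here, and it assumes every /dev/mapper/ entry in fstab is a dm-crypt mapping), this shell check cross-references the two files before the reboot:

```shell
# check_tabs CRYPTTAB FSTAB VG ROOTMAP
# ROOTMAP is the mapping the initramfs opens via cryptdevice=...:ROOTMAP, so it
# legitimately has no crypttab line. Prints one line per problem; returns 1 if any.
check_tabs() {
    crypttab=$1; fstab=$2; vg=$3; names=" $4 "; rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        names="$names$name "
        # Every encrypted volume in this layout is a logical volume of $vg.
        case $dev in
            "/dev/$vg/"*|"/dev/mapper/$vg-"*) ;;
            *) echo "crypttab: $name -> $dev is not in volume group $vg"; rc=1 ;;
        esac
    done < "$crypttab"
    while read -r dev mnt fstype rest; do
        case $dev in
            /dev/mapper/*)
                map=${dev#/dev/mapper/}
                case $names in
                    *" $map "*) ;;
                    *) echo "fstab: $dev ($mnt) has no crypttab entry named $map"; rc=1 ;;
                esac ;;
        esac
    done < "$fstab"
    return $rc
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
swap  /dev/MyVolGroup/cryptswap  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
home  /dev/Vol/home              /etc/luks-keys/home
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/root  /      ext4  defaults         0 1
/dev/mapper/swap  none   swap  defaults,pri=-2  0 0
/dev/mapper/home  /home  ext4  defaults         0 2
EOF
check_tabs "$demo_dir/crypttab" "$demo_dir/fstab" Vol root || echo "fix the entries above before rebooting"
rm -rf "$demo_dir"
```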
Reboot! You are done! Now you can continue installing your favorite desktop environment!