Contents
Introduction
In this guide we will show you how you can install arch-linux with full disk encryption and using Logical Volume Manager (LVM) under EFI. We will use LUKS as a disk encryption. Basically we need to setup our hard drive and then we can follow pretty much the standard installation method.
Step 1 – HDD Partition
Run lsblk command to see the partition structure of the hard drive on which you want to install Arch. In my case it’s sda .
To start partitioning, run this command:
|
1 |
cgdisk /dev/sda |
Example output:
Create boot
Remember we are setting a system with EFI. Use keyboard to select the free space
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition. In my case I will give boot 1GB
- Size in Sector -> 1GiB –> Enter
- Hex Code of GUID (L to show pres, Enter = 8300) –> EF00 Enter
- Enter partition name – > boot –>Enter
You will notice a 1007.0 KiB BIOS boot partition has also been created. This is normal and needed!
Create LVM Partition
To use encryption on top of LVM, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
Now here we are going to create only one partition – the LVM partition.
Use keyboard to select the free space
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition
Size in Sector -> xGB -> Enter - Hex Code of GUID (L to show pres, Enter = 8300) -> Enter
- Enter partition name – > Enter
Now if you run lsblk you will see the structure:
Step 2 – Preparing the logical volumes
Now create the LVM partitions root, swap and home. Here
sda2 is the second partition we created, the LVM partition.
|
1 2 3 4 5 |
pvcreate /dev/sda2 vgcreate Vol /dev/sda2 lvcreate -L 10G -n root Vol lvcreate -L 500M -n swap Vol lvcreate -l 100%FREE -n home Vol |
Now encrypt the partition, format it and mount it:
|
1 2 3 |
cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/mapper/Vol-root cryptsetup open /dev/mapper/Vol-root root mkfs.ext4 /dev/mapper/root |
Important!! We need to format the
boot partition as well! It has to be FAT32 (EFI requirement):
|
1 |
mkfs.vfat -F32 /dev/sda1 |
Finally mount all partitions:
|
1 2 3 |
mount /dev/mapper/root /mnt mkdir /mnt/boot mount /dev/sda1 /mnt/boot |
Step 3 – Install Arch Linux
Well, here you need to follow the standard arch-linux installation guide! You can find one here:
Step 4 – Post Installation config
Configuring mkinitcpio
Add the
keyboard ,
lvm2 and
encrypt hooks to mkinitcpio.conf:
|
1 |
HOOKS="... keyboard block lvm2 encrypt ... filesystems ..." |
Configure Boot-loader
Edit
/etc/default/grub :
|
1 2 3 4 |
... GRUB_CMDLINE_LINUX="... cryptdevice=UUID=<device-UUID>:lvm ..." GRUB_ENABLE_CRYPTODISK=y ... |
Setup GRUB2 with the following two commands:
|
1 2 |
grub-mkconfig -o /boot/grub/grub.cfg grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck |
Here is an example configuration file for an encrypted root partition (DM-Crypt / LUKS) using the encrypt mkinitcpio hook:
|
1 2 3 4 5 |
# /boot/loader/entries/arch-encrypted.conf title Arch Linux Encrypted linux /vmlinuz-linux initrd /initramfs-linux.img options cryptdevice=UUID=<UUID>:<mapped-name> root=/dev/mapper/<mapped-name> quiet rw |
To find the UUID of the drive use:
|
1 |
blkid -s UUID -o value /dev/mapper/root |
So assuming the above partitions, it can look like this:
|
1 2 3 4 5 |
# /boot/loader/entries/arch-encrypted-lvm.conf title Arch Linux Encrypted LVM linux /vmlinuz-linux initrd /initramfs-linux.img options cryptdevice=UUID=<UUID>:Vol root=/dev/mapper/Vol-root quiet rw |
Reboot! You are done! Now you can continue installing your favorite desktop environment!
