Introduction
In this guide we show how to install Arch Linux with full disk encryption on top of the Logical Volume Manager (LVM) on an EFI system, using LUKS for the disk encryption. Essentially we need to set up the hard drive first; after that we can follow the standard installation method almost unchanged.
Step 1 – HDD Partition
Run the lsblk command to see the partition structure of the hard drive on which you want to install Arch. In my case it's sda.
To start partitioning, run this command:
cgdisk /dev/sda
Example output:
Create boot
Remember that we are setting up a system with EFI. Use the keyboard to select the free space:
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition. In my case I will give boot 1GB.
- Size in Sector -> 1GiB -> Enter
- Hex Code or GUID (L to show codes, Enter = 8300) -> EF00 -> Enter
- Enter partition name -> boot -> Enter
You will notice a 1007.0 KiB BIOS boot partition has also been created. This is normal and needed!
Create LVM Partition
To use encryption on top of LVM, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
Now here we are going to create only one partition – the LVM partition.
Use the keyboard to select the free space:
- Hit New -> Enter
- First Sector -> Enter
- Now it will ask you how much space you want to allocate to that partition
- Size in Sector -> xGB -> Enter
- Hex Code or GUID (L to show codes, Enter = 8300) -> Enter
- Enter partition name -> Enter
Now if you run lsblk you will see the structure:
Step 2 – Preparing the logical volumes
We will first encrypt the root partition, and then the home and swap partitions!
Now create the logical volumes root, swap and home inside a volume group. Here sda2 is the second partition we created, the LVM partition.
pvcreate /dev/sda2
vgcreate Vol /dev/sda2
lvcreate -L 10G -n root Vol
lvcreate -L 500M -n swap Vol
lvcreate -l 100%FREE -n home Vol
Now encrypt the root volume, open it and format it (we mount it in a moment):
cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/mapper/Vol-root
cryptsetup open /dev/mapper/Vol-root root
mkfs.ext4 /dev/mapper/root
Important!! We need to format the boot partition as well! It has to be FAT32 (EFI requirement):
mkfs.vfat -F32 /dev/sda1
Finally mount all partitions:
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Note that we are not mounting home and swap yet!
Step 3 – Install Arch Linux
Well, here you need to follow the standard Arch Linux installation guide! You can find one here:
Step 4 – Post Installation config
Configuring mkinitcpio
Add the keyboard, keymap, lvm2 and encrypt hooks to /etc/mkinitcpio.conf. The order matters: with LUKS on top of LVM the volume group has to be activated before the container can be unlocked, so lvm2 must come before encrypt:
HOOKS="... keyboard keymap modconf block lvm2 encrypt ... filesystems fsck"
Generate the initial ramdisk:
mkinitcpio -p linux
Configure Boot-loader
Edit /etc/default/grub:
...
GRUB_CMDLINE_LINUX="... cryptdevice=/dev/Vol/root:root:allow-discards root=/dev/mapper/root ..."
GRUB_ENABLE_CRYPTODISK=y
...
Set up GRUB2 with the following two commands:
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB --recheck
grub-mkconfig -o /boot/grub/grub.cfg
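The hook order and the kernel command line are the two places where a slip only shows up as a system that cannot find its root filesystem. The following script is an added example, not part of the original guide, that checks both before you run mkinitcpio and grub-mkconfig. Each function reads config text on stdin (so it works on /etc/mkinitcpio.conf and /etc/default/grub as well as on the constructed sample lines at the bottom) and enforces the rules stated above: block before lvm2, lvm2 before encrypt, keyboard and keymap before encrypt, and root= equal to /dev/mapper/<mapped name from cryptdevice=>. The function names and the sample lines are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the mkinitcpio
# HOOKS line and the GRUB kernel command line for a LUKS-on-LVM layout.
# Both functions read the config text on stdin and return 0 when it is
# consistent, 1 otherwise (with the reason printed on stdout).

# check_hooks: with LUKS on top of LVM the initramfs must activate the volume
# group before it can unlock the container, so "lvm2" must precede "encrypt";
# "block" must precede "lvm2" so the disk is visible at that point; "keyboard"
# and "keymap" must precede "encrypt" or the passphrase cannot be typed.
check_hooks() {
    awk '
    /^HOOKS=/ {
        line = $0
        sub(/^HOOKS=/, "", line)
        gsub(/[()"]/, "", line)          # accept HOOKS="..." and HOOKS=(...)
        n = split(line, h, /[ \t]+/)
        for (i = 1; i <= n; i++) if (h[i] != "") pos[h[i]] = i
        found = 1
    }
    END {
        if (!found) { print "HOOKS line missing"; exit 1 }
        split("block lvm2 encrypt keyboard keymap", need, " ")
        for (i in need) if (!(need[i] in pos)) { print need[i] " hook missing"; exit 1 }
        if (pos["block"] > pos["lvm2"])       { print "block must precede lvm2"; exit 1 }
        if (pos["lvm2"] > pos["encrypt"])     { print "lvm2 must precede encrypt (LUKS on LVM)"; exit 1 }
        if (pos["keyboard"] > pos["encrypt"]) { print "keyboard must precede encrypt"; exit 1 }
        if (pos["keymap"] > pos["encrypt"])   { print "keymap must precede encrypt"; exit 1 }
        print "HOOKS order ok"
    }'
}

# check_cmdline: cryptdevice=<dev>:<name>[:opts] tells the encrypt hook to
# create /dev/mapper/<name>, so root= must point at exactly that path, and the
# device part must be a UUID= or a /dev path the initramfs can resolve.
check_cmdline() {
    awk '
    /^GRUB_CMDLINE_LINUX=/ {
        line = $0
        sub(/^GRUB_CMDLINE_LINUX=/, "", line)
        gsub(/"/, "", line)
        n = split(line, p, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (p[i] ~ /^cryptdevice=/) cd = substr(p[i], 13)   # strip "cryptdevice="
            if (p[i] ~ /^root=/)        rt = substr(p[i], 6)    # strip "root="
        }
        found = 1
    }
    END {
        if (!found)   { print "GRUB_CMDLINE_LINUX missing"; exit 1 }
        if (cd == "") { print "cryptdevice= missing"; exit 1 }
        split(cd, f, ":")                # f[1]=device f[2]=mapped name f[3]=options
        if (f[2] == "") { print "cryptdevice has no mapped name"; exit 1 }
        if (f[1] !~ /^(UUID=|\/dev\/)/) { print "cryptdevice device must be UUID= or a /dev path"; exit 1 }
        if (rt != "/dev/mapper/" f[2]) { print "root= must be /dev/mapper/" f[2] ", got " rt; exit 1 }
        print "cmdline ok"
    }'
}

# Constructed sample lines (not copied from a real system) mirroring the guide.
printf 'HOOKS="base udev autodetect keyboard keymap modconf block lvm2 encrypt filesystems fsck"\n' | check_hooks
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/Vol/root:root:allow-discards root=/dev/mapper/root"\n' | check_cmdline
```

Run it as `check_hooks < /etc/mkinitcpio.conf; check_cmdline < /etc/default/grub` inside the chroot; a non-zero exit with the printed reason is what to fix before regenerating the initramfs.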
If you use systemd-boot instead of GRUB, here is an example loader entry for an encrypted root partition (dm-crypt / LUKS) using the encrypt mkinitcpio hook:
# /boot/loader/entries/arch-encrypted.conf
title Arch Linux Encrypted
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:<mapped-name> root=/dev/mapper/<mapped-name> quiet rw
To find the UUID to put into cryptdevice=, query the LUKS container itself (the logical volume that holds the LUKS header), not the filesystem inside it, which is only visible after the container has been opened:
blkid -s UUID -o value /dev/mapper/Vol-root
So with the volumes created above (LUKS container Vol-root, opened under the mapped name root), it can look like this:
# /boot/loader/entries/arch-encrypted-lvm.conf
title Arch Linux Encrypted LVM
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:root root=/dev/mapper/root quiet rw
Encrypting logical volume home
Since this scenario uses LVM as the primary and dm-crypt as the secondary mapper, each encrypted logical volume requires its own encryption. We are going to encrypt home with both a password and a keyfile.
Let’s generate the keyfile first:
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress
Encrypt home first using a password and then add the generated keyfile:
cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/mapper/Vol-home
cryptsetup luksAddKey /dev/mapper/Vol-home /etc/luks-keys/home
Open, format and mount home:
cryptsetup -d /etc/luks-keys/home open /dev/Vol/home home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
Configuring fstab and crypttab
A crypttab entry is required to unlock each device and an fstab entry to mount the filesystem on it. Since swap is keyed from /dev/urandom, it gets a fresh random key and is effectively re-encrypted on each reboot.
crypttab
# edit crypttab
nano /etc/crypttab
# and add:
# device paths refer to the volume group created above (Vol)
swap /dev/Vol/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
home /dev/Vol/home /etc/luks-keys/home
fstab
# edit fstab
nano /etc/fstab
# and add:
/dev/mapper/swap none swap defaults,pri=-2 0 0
/dev/mapper/home /home ext4 defaults 0 2
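Because crypttab and fstab are written by hand, the usual failure is a device path copied from another guide (a volume group that does not exist on this machine), a mapped name that fstab mounts but nothing unlocks, or a keyfile that is readable by more than root. The script below is an added example, not part of the original guide, that cross-checks the two files for the layout built above: every crypttab device must live under /dev/<VG>/ (or be a UUID=), a /dev/urandom entry must carry cipher= and size=, a keyfile must exist with mode 0600 or 0400 inside a 0700 or 0500 directory (stricter than the dd default, so a `chmod 600 /etc/luks-keys/home` is needed to satisfy it), and every /dev/mapper/<name> in fstab must be unlocked either by the initramfs (the root name) or by a crypttab entry of the same name. Function names and the constructed sample files are mine; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original guide): cross-check crypttab and fstab
# for the layout built above (volume group "Vol", mapped names "home" and
# "swap", root unlocked by the initramfs). Paths are parameters so the checks
# run on /etc/crypttab and /etc/fstab as well as on constructed copies.

# check_crypttab CRYPTTAB VG: returns 0 if every entry is usable at boot.
check_crypttab() {
    tab=$1 vg=$2 rc=0
    while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac          # skip blanks and comments
        case $dev in /dev/"$vg"/*|UUID=*) ;; *)
            echo "$name: device $dev is not under /dev/$vg/"; rc=1 ;; esac
        if [ "$key" = /dev/urandom ]; then
            # random-key swap: cryptsetup needs the cipher and key size spelled out
            case $opts in *cipher=*) ;; *) echo "$name: random key needs cipher="; rc=1 ;; esac
            case $opts in *size=*)   ;; *) echo "$name: random key needs size=";   rc=1 ;; esac
        elif [ -n "$key" ] && [ "$key" != none ] && [ "$key" != - ]; then
            if [ ! -f "$key" ]; then
                echo "$name: keyfile $key missing"; rc=1
            else
                # the keyfile unlocks the volume without a passphrase, so only
                # root may read it and the directory must not be traversable
                mode=$(stat -c %a "$key"); dmode=$(stat -c %a "$(dirname "$key")")
                case $mode  in 600|400) ;; *) echo "$name: keyfile mode $mode, want 600"; rc=1 ;; esac
                case $dmode in 700|500) ;; *) echo "$name: key directory mode $dmode, want 700"; rc=1 ;; esac
            fi
        fi
    done < "$tab"
    return "$rc"
}

# check_fstab CRYPTTAB FSTAB ROOTNAME: every /dev/mapper/<name> that fstab
# mounts must be unlocked by the initramfs (ROOTNAME, via cryptdevice=) or by
# a crypttab entry of the same name, otherwise boot stalls on that mount.
check_fstab() {
    ctab=$1 ftab=$2 rootname=$3 rc=0
    while read -r dev mnt rest; do
        case $dev in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        [ "$name" = "$rootname" ] && continue
        grep -q "^$name[[:space:]]" "$ctab" ||
            { echo "$dev ($mnt) has no crypttab entry named $name"; rc=1; }
    done < "$ftab"
    return "$rc"
}

# Demo on constructed files in a scratch directory; no real devices are touched.
demo() {
    d=$(mktemp -d)
    mkdir -m 700 "$d/luks-keys"
    head -c 256 /dev/urandom > "$d/luks-keys/home"
    chmod 600 "$d/luks-keys/home"
    printf 'swap /dev/Vol/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256\nhome /dev/Vol/home %s\n' \
        "$d/luks-keys/home" > "$d/crypttab"
    printf '/dev/mapper/root / ext4 rw,relatime 0 1\n/dev/sda1 /boot vfat defaults 0 2\n' > "$d/fstab"
    printf '/dev/mapper/swap none swap defaults,pri=-2 0 0\n/dev/mapper/home /home ext4 defaults 0 2\n' >> "$d/fstab"
    if check_crypttab "$d/crypttab" Vol && check_fstab "$d/crypttab" "$d/fstab" root; then
        echo "crypttab/fstab consistent"
    fi
    rm -rf "$d"
}
demo
```

Inside the chroot, `check_crypttab /etc/crypttab Vol && check_fstab /etc/crypttab /etc/fstab root` is the check to run before rebooting; the printed line names the entry to correct.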
Reboot! You are done! Now you can continue installing your favorite desktop environment!