Instantly share code, notes, and snippets.

Embed
What would you like to do?
An effcient method to install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Multi-OS, and VirtualBox, UEFI-booting are also supported.
# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Optionally, we will also encrypt
/boot and then decrypt and mount our entire encrypted system using a single LUKS passphrase entry.
# Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.
# External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but
# only when the installation is correctly set up. There are several necessary changes to my standard procedure you'll want
# to make during the install process. Read my External USB HDD/SSD Installation section below before proceeding.
# VirtualBox Installers Notes: This installation method can also be used to install Arch Linux as an UEFI-booting
# Guest system in VirtualBox. You must have UEFI-booting enabled in VBox's Guest System Settings prior to installation.
# I have written a separate guide dedicated to the specifics of achieving an encrypted Arch Linux VirtualBox installation.
# My Arch Linux VirtualBox Guest installation guide is available at:
https://gist.github.com/HardenedArray/d5b70681eca1d4e7cfb88df32cc4c7e6
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:
$ gpg --verify archlinux-2017.01.01-dual.iso.sig
gpg: assuming signed data in 'archlinux-2017.01.01-dual.iso'
gpg: Signature made Sun 01 Jan 2017 04:06:24 PM UTC
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
# Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:
dd if=archlinux-*.iso of=/dev/sdX bs=16M && sync
# If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode.
# Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
# UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration.
# Set your keymap only if not you are not using the default English language.
# It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs.
# Connect to WiFi using:
wifi-menu
# It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
# For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
# which should return the URL of my Arch installation guide:
https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# You can then return to your installation terminal using ctrl-alt-f1.
# Create and size partitions appropriate to your goals using gdisk.
# Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a new EFI partition.
# Instead, we will append Arch as another OS to your existing EFI partition. See my Multi-OS-Booting Notes, below.
gdisk /dev/sdX
# Create the partitions you need:
Partition X = 100 MiB EFI partition # Hex code EF00
Partition Y = 250 MiB Boot partition # Hex code 8300
Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the
last sector of your drive. # Hex code 8300.
# Review your partitions with 'p'.
# Write your gdisk changes with 'w'.
# Reboot, if necessary, so the kernel reads your new partition structure.
,
# I strongly recommend you zero-out each of of your new partitions prior to creating filesystems on them. Obviously, multi-OS
# booters should NEVER zero-out an existing EFI partition. You can either use the Arch installer's ddrescue or, if you don't
# mind not having a progress indicator, it's more efficient to run:
cat /dev/zero > /dev/sdXY followed by
cat /dev/zero > /dev/sdXZ
# Create filesystems for /boot/efi and /boot
mkfs.vfat -F 32 /dev/sdXX
mkfs.ext2 /dev/sdXY # Note that ext4 or btrfs are also fine choices for your /boot partition.
# Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ
cryptsetup luksOpen /dev/sdXZ 2016-Global-OpSec-Champion-LyingHillary # (or use any word or phrase you're fond of)
# Create encrypted LVM partitions
# These steps create a required root partition and an optional partition for swap. Note that using a swap file with BTRFS is
# a very poor idea. Swap partitions are not controlled by BTRFS so they work fine. Read the BTRFS ArchWiki before proceeding.
# Also note that BTRFS fully supports, detects, and properly configures settings for all modern SSDs, which is the drive type
# almost everyone should be running when installing ArchLinux! HDDs are only useful for infrequently accessed data, and
# for storing your SSD's critical directories as encrypted backups.
# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.
# The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!
pvcreate /dev/mapper/2016-Global-OpSec-Champion-LyingHillary
vgcreate Arch /dev/mapper/2016-Global-OpSec-Champion-LyingHillary
lvcreate -L +512M Arch -n swap
lvcreate -l +100%FREE Arch -n root
# Create filesystems on your encrypted partitions
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
# Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.
# If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:
mkfs.btrfs /dev/mapper/Arch-root
# If you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command
# we use immediately after correctly mounting our partitions below.
# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sdXY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdXX /mnt/boot/efi
# Optional - Edit the Mirrorlist To Optimize Package Download Speeds
nano /etc/pacman.d/mirrorlist
# Copy one or two mirrors near your physical location to the top of the mirrorlist.
# Install your Arch system
# This installation command provides a decent set of basic system programs which will also support WiFi when initially
# booting into your Arch system. Recommended, yet optional: make and enjoy some fresh java while the following
# command completes. Once completed, you'll only be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
cat /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.
# Enter the new system
arch-chroot /mnt /bin/bash
# Set the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.
hwclock --systohc --utc
# Assign your hostname
echo MyHostName > /etc/hostname
# Set or update your locale
# If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
# Now run:
locale-gen
# Set your root password
passwd
# Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.
useradd -m -G wheel -s /bin/bash MyUserName
passwd MyUserName
# Configure mkinitcpio with the correct HOOKS required for your initrd image
nano /etc/mkinitcpio.conf
# Use this HOOKS statement:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
# Note that recent ArchLinux installation images have shipped with a new version of /etc/mkinitcpio.conf. The
# only difference is that the new version uses '(' and ')' instead of dual double quotation marks: ' " " '. Therefore,
# the current HOOKS statement should be:
HOOKS=(base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck)
# You do not need or want 'resume' in your HOOKS statement if you are not using swap.
# Generate your initrd image
mkinitcpio -p linux
# Install and Configure Grub-EFI
# The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
# Edit /etc/default/grub so it includes a statement like this:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"
# Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap"
# If you are not using swap, eliminate the 'resume' statement above.
# I have also noticed that recent releases of grub2 now offer this new option within /etc/default/grub:
# Uncomment to enable booting from LUKS encrypted devices
# GRUB_ENABLE_CRYPTODISK=y
# Note that you do NOT need to enable that cryptodisk statement to boot your LUKS encrypted / and swap ArchLinux system,
# assuming you are **NOT** trying to decrypt an encrypted /boot. If you want to encrypt /boot, continue reading.
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
# If you are not interested in encrypted /boot, you are almost done! Skip down to: # Exit Your New Arch System, below.
++++++++++++++++++++++++++++++++++
**OPTIONAL** Encrypted /boot Configuration and Installation
# Booting from an encrypted /boot is entirely optional, but, if you expect to maintain data privacy, unlike having (almost)
# mandatory encrypted / and swap, booting from an encrypted /boot provides an extra layer of security for the truly paranoid!
# I spent a great deal of time discussing this topic with a very intelligent Arch developer. I will hide you from the
# enormous complexity underlying how grub's code actually achieves this seamless dual encrypted booting and mounting
# outcome, but this encrypted /boot sub-procedure is known to work!
# Setting up an encrypted /boot requires further configuration.
# ASSUMING you have followed **ALL** of the above installation steps, now do:
nano /etc/default/grub
# and enable, by uncommenting:
GRUB_ENABLE_CRYPTODISK=y
# then:
nano /etc/mkinitcpio.conf
# Make certain your FILES statement matches this:
FILES=(/crypto_keyfile.bin)
# Ensure that /boot and /boot/efi and / are all mounted with:
df -h
# then ensure your 'pwd' is at / with:
cd /
# Now run these four commands in succession:
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin
# Obviously, adjusting /dev/sdaX# to your current root partition on your physical HDD/SSD.
# When prompted for your passphrase with 'luksAddKey' be certain to enter ONLY your current LUKS passphrase,
# This will add your (second) new LUKS random key, now protecting /boot, to Key Slot #1.
# Verify your new key has been correctly added with something like:
cryptsetup luksDump /dev/sda23
# Now run to verify the partition where /boot is mounted on your physical drive:
df -h
# Then run and record the EXACT UUID of your Arch /boot partition:
ls -l /dev/disk/by-uuid
# Now run:
nano /etc/crypttab
# Add a new line in precisely this format:
encryptedBOOT UUID=YourArch/bootUUIDgoeshere none luks,timeout=180
# Of course, alternatively, it is trivial to point /etc/crypttab at a REQUIRED_TO_BE_PRESENT_AT_BOOT external USB stick, etc.
# I will leave that part up to you to figure out.
# Now run:
mkinitcpio -p linux
# then, re-install grub, and YES, I DO MEAN, a second time:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux --modules="part_gpt part_msdos"
# and finally:
grub-mkconfig -o /boot/grub/grub.cfg
# FINISHED! Now you are completely re-synced with the non-encrypted /boot installers. Merely exit and umount, as below!
# Enjoy the decryption magic upon your next, and all subsequent, reboots! Bad Actors will be most uphappy, as if I cared!
++++++++++++++++++++++++++++++++++
# Exit Your New Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot and Enjoy Your Encrypted Arch Linux System!
reboot
# After you are satisfied that your Arch system is running well, if you are like most people not running an Arch server,
# you'll want a Desktop Environment so you can begin using your new system productively. See my: 'Installing a
# Plasma-KDE Desktop Post Arch Install' section below for some ideas and an efficient DE installation process.
__________________________
If you ever get dropped to the EFI Shell prompt when powering up Arch Linux, which I most often notice within
VirtualBox when running Arch Linux as UEFI-enabled Guest System, do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0:
fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nsh
In your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi
Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up
your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,
except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical
Arch Linux boot screen.
This solution also works when you have installed Arch Linux as an UEFI-enabled Guest system within VirtualBox.
__________________________
External USB HDD/SSD Encrypted Arch Installation:
Almost all of my standard Arch install procedure can be followed without modification when installing Arch to an external device.
However, if you already have an encrypted Arch installation on a system HDD/SSD, you must ensure the names assigned to your
PV, VG and LVs are different than whatever you used on your system drive's Arch installation. Failure to use different names
will cause major udev and therefore, /dev/mapper, assignment problems for you, especially when you try to mount your
multiple encrypted Arch drives!
Additionally, we don't want to instruct grub to use standard device names as these are very likely to change when using an
external USB drive. For example, our external SSD may be assigned /dev/sdc by udev during installation, but when we try to
initially boot from it, udev may assign that external SSD to /dev/sdb, resulting in an unbootable system.
The solution is to use PARTUUID, as opposed to a standard device name, in the cryptdevice statement in /etc/default/grub.
Therefore, instead of using this example from above:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap"
Run 'blkid' as root, and find the correct PARTUUID for your external device's encryted partition.
N.B.: PARTUUIDs are completely unrelated to UUIDs.
Substitute the correct PARTUUID for the standard device name. You should end up with a statement that looks similar to this:
GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID=4d2aed94-92d4-7b5e-b8df-81d7554495cf4:ArchUSBSSD resume=/dev/mapper/ArchSSD-swap"
Now regardless of the device name assigned by udev to your external drive, the kernel will be able to find the
correct cryptdevice.
All other parts of my installation procedure should be followed without modification.
__________________________
One Post-Install Recommendation To Optimize the Speed of All Your Future Installs - Rank Your Mirrors, First!
It's a very simple procedure, and will save you a lot of downloading time over your Arch Linux lifetime, particularly
if you are planning on doing any mass-installs, like gnome, gnome-extra, kde-meta or similar.
As root, run:
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist
That will test all the mirrors and grab the six fastest from your location. It takes a while to complete,
so go grab a cup of java.
Upon your return, you'll be ready to put pacman to serious work, as it was intended: Crazy Fast!
Cheers, and now it is time to Go Rock Your Arch!
HardenedArray
__________________________
Multi-OS-Booting Notes:
I UEFI boot and run more than five operating systems from my SSD.
All of my OSes UEFI boot from my single, 100 MiB, EFI partition.
All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support
with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest.
My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.
If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition.
If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2.
In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation.
As an example, an EFI-addicted, multi-OS booter might be doing something like:
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sda17 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda2 /mnt/boot/efi
In this example, the user is likely to be using /dev/sda18 as the physical drive partition where their encrypted
Arch root and swap filesystems will reside. Note the user's re-use of their existing EFI partition which resides
at /dev/sda2.
Adapt, as necessary, for your drive's partition structure.
Following successful Arch system installation, the path to your Arch-EFI boot file should be:
/boot/efi/EFI/ArchLinux/grubx64.efi
When you are multi-OS booting correctly, you should have one directory per operating system, each residing at:
/boot/efi/EFI/
__________________________
BitLocker Users on Windows Notes:
If you are running hardware-based BitLocker encryption on Windows, I recommend you Turn Off BitLocker encryption prior to
installing Arch, or any other operating system.
As I don't use software-based BitLocker, I cannot say whether leaving it enabled during Arch installation will cause problems.
Obviously, if you experience issues, you could turn BitLocker off temporarily.
You can tell if you are using AES-256 bit hardware-based BitLocker encryption when you run from within PowerShell,
as an Administrator:
PS C:\WINDOWS\system32> manage-bde -status
You see this line:
Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2
Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds.
You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly.
__________________________
Installing a Plasma-KDE Desktop Post Arch Install
After you have rebooted into your new Arch system, and are satisfied that every aspect of your system is running correctly,
if you're like most people not running an Arch server, you will likely want to install a desktop so you can utilize your new
Arch system productively.
Your choice of desktop environment is entirely up to you. Personally, I have tried them all. It is my opinion that if
you are running a modern, reasonably powered PC or laptop you are doing yourself a significant disservice by running any
of the 'lightweight desktops.' I also think the Gnome DE is best suited for children, or unskilled users. Keep in mind
that you can install multiple desktops, and then choose which one to fire up at each login, but that is beyond the scope
of this guide.
I prefer the Plasma5-KDE environment over all the others. If you would like to efficiently install a full Plasma5-KDE
environment, do the following, in this order:
# Log in as root, and not as a user
# Fully update your Arch system:
pacman -Syu # If a new kernel becomes available and is now installed, reboot, before proceeding.
# If you don't have network connectivity in your Arch system, run:
systemctl start dhcpcd <ethernet or wlan interface name>
# Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms # This will automatically rebuild your kernel modules as new upstream kernels are released.
pacman -S xorg # This will install a mandatory X server.
pacman -S xorg-apps
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
pacman -S kde-applications-meta
pacman -S xdg-user-dirs
systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.
# If you want full (English) spelling support for all of your applications, do:
pacman -S hunspell-en hyphen-en libmythes mythes-en aspell-en
# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great!:
pacman -S ttf-dejavu ttf-liberation
reboot
__________________________
# Log in to sddm's GUI as your user
# Your first stop is System Settings. Tweak 'all the things' into full compliance with 'your way.'
# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!
__________________________
@Xel

This comment has been minimized.

Xel commented Apr 1, 2017

After running grub-mkconfig, i encountered this error

WARNING: Failed to connect to lvmetad. Falling back to device scanning.

Would you recommend disabling lvmetad from /etc/lvm/lvm.conf and setting use_lvmetad = 0?

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Apr 3, 2017

Hi Xel,

Yes - I have seen that same warning during installation. If you do a search on that warning, you will see that plenty of others have seen it also.

Despite that warning, you should see at least these lines during installation:

# grub-mkconfig -o /boot/grub/grub.cfg`
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: initramfs-linux.img

This output indicates that grub found your kernel, and since we need to mount encrypted Logical Volumes at boot, the kernel's mandatory initramfs.

Note that I have never seen that warning following installation. In other words, once you enter your installed Arch Linux system and run:

# grub-mkconfig -o /boot/grub/grub.cfg

you should not see any lvmetad warning(s).

I am not certain of the precise cause of the lvmetad warning during the installation process. My best guess is that the lvmetad warning arises as a direct result of the inherent limitations of the chroot environment we used during installation, which explains why we only see the warning during installation. It is much less likely the warning is being driven by a bug in udev, grub, or lvm.

The manual for lvmetad is at: https://linux.die.net/man/8/lvmetad if you are interested.

However, since this a only a warning, and not an error, and the warning does not carry over to the properly installed system, I recommend not altering anything in your /etc/lvm/lvm.conf file.

Thank you for your feedback, Xel.

HardenedArray

@bmanturner

This comment has been minimized.

bmanturner commented Apr 12, 2017

You're obviously very knowledgable about this, HardenedArray. Would you mind taking a quick glance at the following configuration? It is based partially on your work above, which was a great help.

https://www.reddit.com/r/archlinux/comments/64ynyh/can_i_get_someone_to_glance_this_over_raid1/

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Apr 15, 2017

Hi bmanturner,

It's obviously beyond the scope of this guide to troubleshoot individual use cases. That, of course, is the reason the forums exist.

However, I did take a very quick look at your setup, and I did not notice any glaring errors. I also noted that you have updated your reddit, and stated that your customization works.

That's obviously a good thing, and I am glad you found my guide useful as a framework to support your desired outcome.

If you believe your approach would be helpful to others in pursuit of a similar outcome, please consider creating your own Gist.

Thank you for your comments.

Cheers,

HardenedArray

@Xel

This comment has been minimized.

Xel commented Jun 5, 2017

Hey, i forgot to thank you for the earlier reply.

As stated, the warnings didn't show after the installation was complete. Thanks

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Jun 9, 2017

Hi Xel,

Thank you for your polite follow-up and confirmation. Demonstrating proper etiquette never goes unnoticed, and is always appreciated.

In case you are interested, I've written a similar guide dedicated to the specifics of installing encrypted Arch within VirtualBox. That procedure also demonstrates how to properly install a fully enabled Plasma5/KDE system on top of Arch in VBox.

My encrypted Arch Guest VBox installation guide resides at:

https://gist.github.com/HardenedArray/d5b70681eca1d4e7cfb88df32cc4c7e6

If you follow my Arch Guest VBox installation procedure, you will find the lvmetad warning also occurs within the VBox Arch installation environment after running grub-mkconfig. As we also observe on Arch bare metal installs, the lvmetad warning only appears during initial base system installation. This fact adds more evidence to my belief that this warning is solely driven by the arch-chroot environment we use during initial base system installation.

As a final thought which applies to a much wider audience than just you, Xel, if you keep your important data continuously backed up, and encrypted, to at least two physically separate locations, and practice installing Arch Linux (VBox is ideal for this), you'll be much better prepared than most to quickly and seamlessly recover your entire computing life when some type of data-threatening disaster inevitably strikes.

There are only two types of hard drives in this world: those that have failed, and those that have not, yet. Another way to think about the same quite common problem of people ranting about unexpectedly and instantly losing access to most, or all, of their digital lives:

Be prepared, or be prepared to get hurt very badly!

Cheers and best of luck Xel,

HardenedArray

@oldlance

This comment has been minimized.

oldlance commented Sep 2, 2017

Hi HardenedArray

Thank you very much indeed for this superb document. I was able to get my Dell Precision M7510 dual booting successfully on the first attempt based on the instructions here. My only deviation from the above was to use LUKS on LVM so that I could use both NVME and SSD disks in one volume. A massive time saver!

@manadart

This comment has been minimized.

manadart commented Sep 11, 2017

Many thanks for the guide.

Big help getting me up on an old Thinkpad.

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Sep 22, 2017

Hi oldlance and manadart,

I am pleased to learn that each of you found my guide useful. I've personally used both old ThinkPad and Dell laptops for years and I hope each of your machines deliver the same wonderful user experiences I was able to enjoy.

Cheers,

HardenedArray

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Sep 22, 2017

Hi Xel,

This follow-up is for you and others interested in understanding the lvmetad warning discussed above.

I was able to track down the definitive cause behind the lvmetad warning we only see within our chrooted Arch installation environment.

This lvmetad warning is generated solely due to the fact that /run is not available in a chroot environment. Obviously /run again becomes available once we exit chroot and boot into Arch. This explains why we never see the lvmetad warning when running our operating system normally and subsequently updating our Grub2 configuration.

This issue is documented within the ArchWiki covering Grub, which can be directly accessed here:

https://wiki.archlinux.org/index.php/GRUB#Warning_when_installing_in_chroot

Thanks again Xel for initiating the discussion of this topic.

Cheers,

HardenedArray

@tjcim

This comment has been minimized.

tjcim commented Nov 10, 2017

Great gist.

I would add a step before the pacstrap that check and modifies /etc/pacman.d/mirrorlist. As of right now the first entry on the list is for a server in Poland and that may not be desirable for most of the world.

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Nov 19, 2017

Hi tjcim,

Thank you for your compliment!

Personally, I have never experienced an issue with unacceptably slow pacstrap download speeds. Of course, package download speeds vary widely between individuals, and are dependent on a large number of factors.

That being said, it makes sense for every Arch installer and user to employ a pacman mirrorlist file optimized for their location.

Therefore, I have added a step entitled 'Optional - Edit the Mirrorlist To Optimize Package Download Speeds' prior to running the pacstrap download and installation command.

Thank you for your feedback tjcim.

Cheers,

HardenedArray

@wildersan72

This comment has been minimized.

wildersan72 commented Dec 16, 2017

This is brilliant. Thank you for taking the time and posting. Not only did this work, I was able to use this in combination with the official Arch install documentation and save a bunch of time learning how to do the install. Thanks again!

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Dec 27, 2017

Hi wildersan72,

Thank you for your kind feedback. Your reaction to my guide precisely matches my original intention during composition.

Cheers,

HardenedArray

@soraismus

This comment has been minimized.

soraismus commented Jan 10, 2018

Hi, HardenedArray.

After I enter the command cryptsetup luksOpen /dev/sda3 tsundoku, /dev/mapper/tsundoku does not become available.

ls /dev/mapper lists /dev/mapper/control alone, and not also /dev/mapper/tsundoku as I would expect.

The following error message appears upon cryptsetup luksOpen /dev/sda3 tsundoku --verbose --debug:
"Trying to read ... LUKS2 header at offset .... LUKS header read failed (-22). Command failed with code -1 (wrong or missing parameters)."

I've tried to research the matter online, but so far, my google-fu has proven unsuccessful.

Would you perhaps have any suggestions so that I might continue following your guide where I left off?

Thanks much.

@Progman-DT

This comment has been minimized.

Progman-DT commented Jan 13, 2018

If you're gonna do an ecrypted installation, don't you want to encrypt as much as possible? So, why a separate partition for /boot? You already created an ESP partition, so it might be a good decision to keep /boot (where kernel images, initramfs images (maybe with embedded encryption keys), grub settings reside) on encrypted LVM, and mount your ESP into /boot/efi.

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Feb 3, 2018

Hi soraismus,

As I mentioned earlier, it is beyond the scope of this guide to provide individual user support. However, the cryptsetup commands I've published above are correct, and do work properly when followed with precision.

Since it seems you got stuck at the beginning of the process, I would suggest re-creating a complete set of new partitions, rebooting if advised to do so. then zero-out each new partition and finally use cryptsetup to encrypt your intended system partition.

Best of luck,

HardenedArray

@HardenedArray

This comment has been minimized.

Owner

HardenedArray commented Nov 15, 2018

Hi Progman-DT,

Thank you for your input concerning also achieving an encrypted /boot during installation.

While I continue to believe there is not a whole lot of 'actionable intelligence' a sophisticated attacker could gain by perusing the contents of an unencrypted /boot, for those users who face intense, invasive, potential security threats, adding an additional layer of security does make sense.

I spent quite a few hours with a Senior Arch Developer discussing the entire gamut of issues involved with encrypted /boot.

Following these discussions, and after testing on both Arch VMs and production rigs, we know this encrypted /boot procedure works.

Therefore, I have included an optional sub-procedure in all my Arch installation guides to address the needs of those who desire to have the additional layer of security provided by correctly configuring and installing an encrypted /boot.

Cheers,

HardenedArray

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment