Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Efficient Encrypted Arch Linux with Bcache Installation Procedure Providing SSD and HDD Concurrent Support
# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems with full Bcache SSD/HDD support
# and boot from UEFI.
# RATIONALE: As most users realize, you have to pay for marginal speed improvements in all circuits which compute.
# This holds true for CPUs, GPUs, DRAM, SRAM, Drives, including memory cards and USB sticks. If you want speed, you
# must be willing to pay the price premium that a faster device commands versus a slower alternative.
# SSDs are incredibly fast, but expensive to produce, and therefore, only offer limited storage space.
# HDDs, by comparison, are ridiculously slow, but offer immense storage space per dollar expended.
# Despite the higher $/GiB storage cost, many power users have opted to swap out their old primary system HDDs
# in favor of (usually) smaller SSDs. These SSD users now have far faster booting, and significantly more responsive,
# systems, but at the cost of (typically) far less available storage access.
# Bcache is a superb tool which allows users to leverage the incredible read and write speeds of SSDs while still being able
# to access their inexpensive and large HDD storage, quickly, concurrently and seamlessly, on the same running Arch system.
# REQUIREMENTS: You should have a modern SSD installed and correctly recognized as your primary system drive, whether you
# run a laptop or a desktop workstation. Your system must also be able to recognize another connected HDD. The faster that
# HDD connection, the better. For example, a 2.5" HDD residing in a SATA 3 HDD caddy is preferred over a HDD connected
# via an external USB 3.0 HDD enclosure. However, noting we prefer speed, either should work for bcache installation.
# Obviously you need free, zeroed-out space on both drives available prior to installation.
# WARNING: As expected, the Bcache ArchWiki provides excellent bcache management examples. Do NOT implement ANY of
# them during this installation procedure. Only follow the steps here and accept all the defaults during installation.
# The time to test and optimize bcache speeds comes much later, as in, definitely not now!
# Bcache must be correctly installed, along with a clean Arch Linux installation, if you expect bcache to work. Many of
# of the existing bcache guides I found on the Net are either deplorable, deprecated or lack key, required, steps.
# Worse, almost none of the purported bcache 'guides' address the vitally important topic of full system encryption.
# This guide provides the correct steps.
# Note: This method supports both dedicated Arch bcache installs and those who wish to install Arch bcache on a
# multi-OS-UEFI booting system.
# External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD
# or SSD, but only when the installation is correctly set up. There are several necessary changes to my standard
# procedure you'll want to make during the install process. Read my External USB HDD/SSD Installation section
# below before proceeding.
# VirtualBox Installers Notes: Bcache is designed to be installed to and run on bare-metal, physical SSD/HDD drives.
# If you only want to learn or practice installing encrypted Arch Linux, VBox is a good place to start.
# I have written a separate guide dedicated to the specifics of achieving an encrypted Arch Linux VirtualBox installation.
# That being said, I have tested, and it IS possible to install bcache within a VBox UEFI-installation using a 'virtual' SSD
# device for /dev/sda -C (caching) and a physical USB stick for /dev/sdb -B (backing). If you know your way around VBox,
# the VBox-specific modifications required to complete this installation procedure should be obvious. Others interested in
# bcache VBox installation procedure will have to wait until I have the requisite time to publish that process.
# My Arch Linux (non-bcache-enabled) VirtualBox Guest installation guide is available at:
https://gist.github.com/HardenedArray/d5b70681eca1d4e7cfb88df32cc4c7e6
# For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:
$ gpg -v archlinux-2019.11.01-x86_64.iso.sig
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'archlinux-2019.11.01-x86_64.iso'
gpg: Signature made Fri Nov 1 16:34:35 2019 UTC
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: using pgp trust model
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048
# Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:
dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync
# If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in 'DD' mode.
# Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
# UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your
# UEFI configuration.
# Set your keymap only if not you are not using the default English language.
# It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs. Also
# note that in mid-2020 the Arch devs deprecrated the use of `wifi-menu`. The current installation images support `iwd`,
# which provides `iwctl`. Carefully note that `iwd` will NOT be installed on your new system. If you will require WiFi
# access following reboot, we install `iwd` in the pacstrap command and then enable it after we enter arch-chroot, below.
# Connect to WiFi using:
iwctl
# then to connect to your WiFi station; do something like:
station <wlan device name> connect <wifi-station-name tab-auto-complete>
# then enter your wifi station's passphrase
# It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
# For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
# which should return the URLs of my Arch installation guides, for example:
https://gist.github.com/HardenedArray/2c3e8c16e0710d02383b7b66785436b3
# You can then return to your installation terminal using ctrl-alt-f1.
# Create and size partitions appropriate to your goals using gdisk.
# Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a
# new EFI partition. Instead, we will append Arch as another OS to your existing EFI partition.
# See my Multi-OS-Booting Notes, below.
# This example supports a laptop bcache Arch installation using a 500 Gb SSD (/dev/sda) and a 2 Tb HDD (/dev/sdb) using a
# SATA 3 HDD drive caddy. Your device capacities and partition assignments and partition numbers may vary.
# The important things to remember are: your SSD is your caching device and your HDD is your backing device.
# We want our encrypted / and swap and our /boot and /boot/efi to ALL reside on our SSD, so we can boot quickly
# and run all programs utilizing our SSD's much lower latency, i.e. significantly faster read and write access times.
# Create ONLY the partitions you need. Do NOT create filesystems now, this step comes later:
gdisk /dev/sda ## Again, this is my SSD. Vary your partition numbers, as required.
Partition 6 = 100 MiB EFI partition # Hex code EF00 # Do NOT create a new /boot/efi, if one exists. Append, instead!
Partition 7 = 250 MiB Boot partition # Hex code 8300
Partition 8 = 20 GiB / and swap partition # Hex code 8300
# 20 GiB is sufficient for a complete DE, bcache-enabled Arch installation. Choose a reasonable
# size for your encrypted root and swap system partition, or just size it to the last sector of your SSD.
# Review your partitions with 'p'.
# Write your gdisk changes with 'w'.
# Reboot, if necessary, so the kernel reads your new partition structure.
# Then for: gdisk /dev/sdb
# Create a large, HDD single partition, sized to your liking. This backing device partition size will define your final
# bcache system size. Think about it, prior to proceeding.
Partition 3 = 700+ GiB, # Hex code 8300 is aqequate. Choose a reasonable size for your encrypted backing partition.
# Save your changes.
# All data written to your soon to be created /dev/bcache0 will also be encrpted by LUKS/dm-crypt.
# Reboot, if necessary, so the kernel reads your new partition structure.
# If you are like me, and demand that your installation will be cryptographically secure, do NOT skip these steps!
# I strongly recommend you zero-out each of of your new partitions prior to creating filesystems on them.
# Obviously, multi-OS booters should NEVER zero-out an existing EFI partition. You can either use the Arch installer's
# ddrescue or, if you don't mind not having a progress indicator, it's more efficient to run:
cat /dev/zero > /dev/sdXY followed by
cat /dev/zero > /dev/sdXZ, and so on
# Using the partitioning examples above, you would do:
cat /dev/zero > /dev/sda6
cat /dev/zero > /dev/sda7
cat /dev/zero > /dev/sda8
cat /dev/zero > /dev/sdb3
# Run from within the Arch installation environment, run, as root:
mount -o remount,size=8G /run/archiso/cowspace
pacman -Syu base-devel git --ignore linux
# Create a new User:
useradd -m -G wheel -s /bin/bash user
# then:
passwd user
# then, since we will require sudo for vital future steps, do:
EDITOR=nano visudo
# and add:
user ALL=(ALL) ALL
# under User privilege specification. Save the /etc/sudoers.tmp file.
# Use ctrl-alt-f3, and login as 'user'
# Build and install bcache-tools from AUR:
git clone https://aur.archlinux.org/bcache-tools.git
cd bcache-tools/
makepkg -sri
# Switch back to the installation environment, as root (ctrl-alt-f1)
# Create, link and register your bcache devices. Again, maintaining consistency with the above provided examples:
make-bcache -B /dev/sdb3 -C /dev/sda8
# This creates a new device, /dev/bcache0, which is the bcache device we will be encrypting and installing Arch on.
# Create filesystems for /boot/efi and /boot. I recommend using btrfs on all SSDs and HDDs running bcache.
# Again, maintaining consistency with the examples above:
mkfs.vfat -F 32 /dev/sda6
mkfs.btrfs /dev/sda7
# Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/bcache0
cryptsetup luksOpen /dev/bcache0 BcacheRocks # (or use any word or phrase you're fond of)
# Create encrypted LVM partitions
# These steps create a required root partition and an optional partition for swap.
# Note that using a swap file with BTRFS is a very poor idea. Swap partitions are not controlled by BTRFS
# so they work fine. Read the BTRFS ArchWiki before proceeding.
# Also note that BTRFS fully supports, detects, and properly configures settings for all modern SSDs, which is
# the drive type almost everyone should be running when installing ArchLinux!
# HDDs are only useful for infrequently accessed data, and for storing your SSD's critical directories as
# encrypted backups.
# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.
# The VG and LV labels 'MyBcache, root and swap' can be changed to anything memorable to you.
# Use your labels consistently, below!
pvcreate /dev/mapper/BcacheRocks
vgcreate MyBcache /dev/mapper/BcacheRocks
lvcreate -L 512M MyBcache -n swap
lvcreate -l 100%FREE MyBcache -n root
# Create filesystems on your encrypted partitions
mkswap /dev/mapper/MyBcache-swap
mkfs.btrfs /dev/mapper/MyBcache-root
# Mount the new system, using the prior examples:
mount /dev/mapper/MyBcache-root /mnt
swapon /dev/mapper/MyBcache-swap
mkdir /mnt/boot
mount /dev/sda7 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sd6 /mnt/boot/efi
# Optional - Edit the Mirrorlist To Optimize Package Download Speeds
nano /etc/pacman.d/mirrorlist
# Copy one or two mirrors near your physical location to the top of the mirrorlist.
# Install your Arch system
# If you read the contents of https://www.archlinux.org/ you would know the Arch developers made significant
# changes to the 'base' package in October 2019.
# The new base-metapackage does not contain a kernel nor an editor and several other important packages.
# We will be addressing those issues in our pacstrap command below.
# This installation command provides a decent set of basic system programs which will also support WiFi through
# iwd's `iwctl` after initially booting into your Arch system. Having WiFi following installation is particularly
# critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
# optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
# be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
dhcpcd iwd lvm2 linux-firmware
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
cat /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.
# Enter the encrypted, bcache-mounted new system:
arch-chroot /mnt /bin/bash
# Switch back to your previously created user account using ctrl-alt-f3
# From bcache-tools/ run:
sudo cp bcache-tools-1.0.8-2-x86_64.pkg.tar.xz /mnt
# Switch back into chroot using ctrl-alt-f1, then run these commands to install bcache-tools on your new system:
cd /
pacman -U bcache-tools-1.0.8-2-x86_64.pkg.tar.xz
# Now run:
bcache-super-show /dev/sda8
# and:
bcache-super-show /dev/sdb3
# Verify the 'cset.uuid' strings match for both the SSD and HDD partitions. If so, you are golden, and the remainder of
# the Arch Linux system installation process is quite standard. Pay careful attention to the mkinitcpio section, below.
# If the cset.uuid strings do not match, bcache will not work. Start over, and do it correctly.
# This procedure, when followed with precision, works!
# NinjaTip: 'lsblk' should now make perfect sense. If so, give yourself a pat on the back.
# Your linux-fu is getting stronger!
# Set the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.
hwclock --systohc --utc
# If you require WiFi following reboot, enable iwd:
systemctl enable iwd
# Assign your hostname
echo MyHostName > /etc/hostname
# Set or update your locale
# If English is your native language, you need to edit exactly two lines to correctly configure your locale
# language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
# Now run:
locale-gen
# Set your root password
passwd
# Create a system User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group
useradd -m -G wheel -s /bin/bash MyUserName # YES, you can use the identical 'user' name and passwd you used in pre-chroot
passwd MyUserName
# Configure mkinitcpio with the correct HOOKS required for your bcache-enabled initrd image
nano /etc/mkinitcpio.conf
# Add bcache to MODULES:
MODULES=(bcache)
# Use this HOOKS statement, with NO changes to the HOOKS order, for bcache and encryption initramfs support:
HOOKS="base udev autodetect modconf block bcache encrypt lvm2 keymap resume filesystems keyboard fsck"
# If you are using mdadm RAID for your backing device, append 'mdadm_udev' to the HOOKS statement above, then
# update your /etc/mdadm.conf.
# Note that recent ArchLinux installation images have shipped with a new version of /etc/mkinitcpio.conf. The
# only difference is that the new version uses '(' and ')' instead of the previous double quotation marks: ' " " '.
# Therefore, the current HOOKS statement should be:
HOOKS=(base udev autodetect modconf block bcache encrypt lvm2 keymap resume filesystems keyboard fsck)
# You do not need or want 'resume' in your HOOKS statement if you are not using swap.
# Generate your initrd image
mkinitcpio -p linux
# Install and configure Grub-EFI
# The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchBcache
# Edit /etc/default/grub so it includes a statement like this:
# GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"
# Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/bcache0:BcacheRocks resume=/dev/mapper/MyBcache-swap"
# If you are not using swap, eliminate the 'resume' statement above.
# I have also noticed that recent releases of grub2 now offer this new option within /etc/default/grub:
# Uncomment to enable booting from LUKS encrypted devices
# GRUB_ENABLE_CRYPTODISK=y
# Note that you do NOT need to enable that cryptodisk statement to boot your LUKS encrypted ArchLinux system.
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
# Exit Your New Bcache Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot and Enjoy Your Bcache Enabled Encrypted Arch Linux System!
reboot
# After you are satisfied that your Arch system is running well, if you are like most people not running an Arch server,
# you'll want a Desktop Environment so you can begin using your new system productively. See my: 'Installing a
# Plasma-KDE Desktop Post Arch Install' section below for some ideas and an efficient DE installation process.
__________________________
If you ever get dropped to the EFI Shell prompt when powering up Arch Linux, which I most often notice within
VirtualBox when running Arch Linux as UEFI-enabled Guest System, do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0:
fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nsh
In your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi
Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot,
and fire up your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,
except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical
Arch Linux boot screen.
This solution also works when you have installed Arch Linux as an UEFI-enabled Guest system within VirtualBox.
__________________________
External USB HDD/SSD Encrypted Arch Installation:
Almost all of my standard Arch install procedure can be followed without modification when installing Arch to an
external device.
However, if you already have an encrypted Arch installation on a system HDD/SSD, you must ensure the names assigned to your
PV, VG and LVs are different than whatever you used on your system drive's Arch installation. Failure to use
different names will cause major udev and therefore, /dev/mapper, assignment problems for you, especially when you
try to mount your multiple encrypted Arch drives!
Additionally, we don't want to instruct grub to use standard device names as these are very likely to change when
using an external USB drive. For example, our external SSD may be assigned /dev/sdc by udev during installation,
but when we try to initially boot from it, udev may assign that external SSD to /dev/sdb, resulting in an
unbootable system.
The solution is to use PARTUUID, as opposed to a standard device name, in the cryptdevice statement in /etc/default/grub.
Therefore, instead of using this example from above:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:MyPVdeviceName resume=/dev/mapper/Arch-swap"
Run 'blkid' as root, and find the correct PARTUUID for your external device's encrypted partition.
N.B.: PARTUUIDs are completely unrelated to UUIDs.
Substitute the correct PARTUUID for the standard device name.
You should end up with a statement that looks similar to this:
GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID=4d2aed94-92d4-7b5e-b8df-81d7554495cf4:ArchUSBSSD resume=/dev/mapper/ArchSSD-swap"
Now regardless of the device name assigned by udev to your external drive, the kernel will be able to find the
correct cryptdevice.
All other parts of my installation procedure should be followed without modification.
__________________________
Multi-OS-Booting Notes:
I UEFI boot and run more than five operating systems from my SSD.
All of my OSes UEFI boot from my single, 100 MiB, EFI partition.
All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support
with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest.
My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.
If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition.
If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2.
In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation.
As an example, an EFI-addicted, multi-OS booter might be doing something like:
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sda17 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda2 /mnt/boot/efi
In this example, the user is likely to be using /dev/sda18 as the physical drive partition where their encrypted
Arch root and swap filesystems will reside. Note the user's re-use of their existing EFI partition which resides
at /dev/sda2.
Adapt, as necessary, for your drive's partition structure.
Following successful Arch system installation, the path to your Arch-EFI boot file should be:
/boot/efi/EFI/ArchLinux/grubx64.efi
When you are multi-OS booting correctly, you should have one directory per operating system, each residing at:
/boot/efi/EFI/
__________________________
BitLocker Users on Windows Notes:
If you are running hardware-based BitLocker encryption on Windows, I recommend you Turn Off BitLocker encryption prior to
installing Arch, or any other operating system.
As I don't use software-based BitLocker, I cannot say whether leaving it enabled during Arch installation will cause
problems. Obviously, if you experience issues, you could turn BitLocker off temporarily.
You can tell if you are using AES-256 bit hardware-based BitLocker encryption when you run from within PowerShell,
as an Administrator:
PS C:\WINDOWS\system32> manage-bde -status
You see this line:
Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2
Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds.
You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly.
__________________________
Installing a Plasma-KDE Desktop Post Arch Install
After you have rebooted into your new Arch system, and are satisfied that every aspect of your system is running correctly,
if you're like most people not running an Arch server, you will likely want to install a desktop so you can utilize your
new Arch system productively.
Your choice of desktop environment is entirely up to you. Personally, I have tried them all. It is my opinion that if
you are running a modern, reasonably powered PC or laptop you are doing yourself a significant disservice by running any
of the 'lightweight desktops.' I also think the Gnome DE is best suited for children, or unskilled users. Keep in mind
that you can install multiple desktops, and then choose which one to fire up at each login, but that is beyond the scope
of this guide.
I prefer the Plasma5-KDE environment over all the others. If you would like to efficiently install a full
Plasma5-KDE environment, do the following, in this order:
# Log in as root, and not as a user
# Fully update your Arch system:
pacman -Syu # If a new kernel becomes available and is now installed, reboot, before proceeding.
# If you don't have network connectivity in your Arch system, run:
systemctl start dhcpcd <ethernet or wlan interface name> or if WiFi only, run:
wifi-menu
# Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms # This will automatically rebuild your kernel modules as new upstream kernels are released.
pacman -S xorg # This will install a mandatory X server.
pacman -S xorg-apps
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.
pacman -S kde-applications-meta
pacman -S xdg-user-dirs
# If you want full (English) spelling support for all of your applications, do:
pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-en
# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because
# they look great!:
pacman -S ttf-dejavu ttf-liberation
reboot
__________________________
# Log in to sddm's GUI as your user
# Your first stop is System Settings. Tweak 'all the things' into full compliance with 'your way.'
# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!
@reubenkaiser

This comment has been minimized.

Copy link

@reubenkaiser reubenkaiser commented Oct 15, 2019

Hey, I used this to guide me through the install on my machine.
The recent base package changes meant that a few more packages have to be included in pacstrap (linux, linux-firmware, dhcpcd [i think]).
The partitioning advice seemed unclear, I just went with separate efi, boot, root and caching partitions on the ssd and set up lv swap and home separately.
Also I followed your instructions for kde installation but it froze at login.

Something else that helped me with troubleshooting was sudo modprobe bcache which meant i didnt have to go through the cowspace user setup and reinstall bcache into the live environment to recognize the file systems in order to check the log files.

If anyone's using mdadm RAID for the blocking device dont forget to include mdadm_udev into /etc/mkinit.cpio hooks and update the /etc/mdadm.conf.

Thanks,
Reuben

@solsticedhiver

This comment has been minimized.

Copy link

@solsticedhiver solsticedhiver commented Oct 17, 2019

From what I have seen, the advice to zero out the device before using them as encrypted is wrong.
Because an attacker can see the encrypted data from the data not used that are now all-zeros.

So the recommendation is to better fill the device with random data.
/dev/urandom is quite slow and it could take hours for TB size so may be use frandom ?

or zero out over LUKS like
cat /dev/zero > /dev/mapper/BcacheRocks but it will even slower, right ?

@HardenedArray

This comment has been minimized.

Copy link
Owner Author

@HardenedArray HardenedArray commented Nov 14, 2019

Hi solsticedhiver,

No, the advice to zero out your target partitions with /dev/zero is NOT wrong. My advice to use /dev/zero comes directly from the highly informative cryptsetup FAQs. You should definitely read this document, as Milan Broz knows his LUKS security and knows his cryptsetup.

https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions

Cheers,

HardenedArray

@HardenedArray

This comment has been minimized.

Copy link
Owner Author

@HardenedArray HardenedArray commented Nov 14, 2019

Hi Reuben,

Yes, given the recent changes to the base-metapackage, I have revised this guide, and my other Arch install guides to compensate for the changes to base.

I've also added a few lines to this guide to provide support for those wishing to run RAID for their backing device, so that was good input.

My KDE/Plasma5 works perfectly on my bcache installation, and I course, I followed my own KDE installation instructions! In fact, I completed a clean install of Arch with full KDE/Plasma5 on a spare drive yesterday. I used the Nov 2019 arch*.iso and I followed my updated guide. All is booting, working and networking correctly.

Perhaps, there are configuration errors on your end, and if you cannot track those down, a reinstall is not difficult, nor that time consuming considering now you have installation experience.

Finally, sure once the bcache module gets built, it is easy to modprobe for it.

Thank you for your feedback.

Cheers and good luck,

HardenedArray

@solsticedhiver

This comment has been minimized.

Copy link

@solsticedhiver solsticedhiver commented Nov 14, 2019

@HardenedArray
The guide you are refereing to, just mention to wipe with zero to get rid of old data, nothing more. That does not address the concern I am pointing you to look at.

Also, in the same guide, is listed correct way to overwrite data with true random data.

Moreover, you can refer to the Archlinux wiki, where all of this is explictly explained:

There is also other page that address that concern

@HardenedArray

This comment has been minimized.

Copy link
Owner Author

@HardenedArray HardenedArray commented Nov 17, 2019

Hi solsticedhiver,

I have no desire to enter into a protracted debate with you over the securely wiping issue you've raised, and particularly not via GitHub. I had previously read the wiki you linked above, but re-read it again just for kicks.

The first two paragraphs summarize the issue(s) perfectly in my mind.

'The most common usecase for completely and irrevocably wiping a device will be when the device is going to be given away or sold. There may be (unencrypted) data left on the device and you want to protect against simple forensic investigation that is mere child's play with for example File recovery software.

If you want to quickly wipe everything from the disk, /dev/zero or simple patterns allow maximum performance while adequate randomness can be advantageous in some cases that should be covered up in #Data remanence.'

  1. No one following this guide is intent on giving away or selling their drive, which by the way, is something I would NEVER do.

  2. We are NOT encrypting a block device, such as /dev/sda or /dev/nvme0n1. We are encrypting our '/' and swap
    logical volumes which reside on a single partition on a block device, whether that partition happens to exist at /dev/sda17 or /dev/nvmen0n1p23.

  3. If you want to also encrypt /boot, read my guide at: https://gist.github.com/HardenedArray/ee3041c04165926fca02deca675effe1

  4. You might also want to review: https://web.archive.org/web/20131208184307/http://www.h-online.com/newsticker/news/item/Secure-deletion-a-single-overwrite-will-do-it-739699.html

Using /dev/zero to overwrite our target partitions provides more than adequate security prior to installing filesystems on /boot /boot/efi and /.

When I wrote my Arch installation guides some 4 years ago, 99% of the user base were running 'spinners'. Now that the SSD market has exploded, I am considering how to add some type of generic support section to my guides concerning how to properly zero out SSDs.

As you may understand, using /dev/zero to zero out partitions on a SSD accomplishes nothing, and is an utter waste of time.

This task is complex given the large number of SSD OEMs, and that each of them has a different method for zeroing out their particular SSD, so I probably will have to keep this new SSD support section highly generic.

If it helps you sleep better at night, feel free to use /dev/urandom and/or write your own guide, from scratch.

No changes will be made to my Arch installation guides in the interim.

Thank you for your input.

Cheers,

HardenedArray

@S5SD

This comment has been minimized.

Copy link

@S5SD S5SD commented Dec 25, 2019

Hi HardenedArray

big thx for your tut that i had followed and was able set up a system with bcache which runs like a charm now
how can i chroot into the encrypted system when something went wrong e.g. boot failure ...
i tried booting up Arch installation media to open bcache device with
cryptsetup luksOpen /dev/bcache0 XXX but got error messages
could you help. please
cheers
S5SD

@HardenedArray

This comment has been minimized.

Copy link
Owner Author

@HardenedArray HardenedArray commented Feb 20, 2020

Hi S5SD,

I am happy to learn you found my bcache guide useful, and that your installed bcache system is running well.

As for you chroot query, as with all things Arch, your first stop should be the Archwiki.

You may want to carefully review the procedure outlined, here: https://wiki.archlinux.org/index.php/Bcache#Accessing_from_the_install_disk.

If you need more help beyond that join us on #archlinux on Freenode.

Cheers,

HardenedArray

@ronaldseoh

This comment has been minimized.

Copy link

@ronaldseoh ronaldseoh commented May 10, 2020

I installed Arch on my laptop using this guide without any issues! Thank you so much!!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.