huntrar

Arch Linux Full-Disk Encryption Installation Guide

This guide provides instructions for an Arch Linux installation featuring full-disk encryption via LVM on LUKS and an encrypted boot partition (GRUB) for UEFI systems.

Following the main installation are further instructions to harden against Evil Maid attacks via UEFI Secure Boot custom key enrollment and self-signed kernel and bootloader.

Preface

You will find most of this information pulled from the Arch Wiki and other resources linked thereof.

Note: The system was installed on an NVMe SSD, substitute /dev/nvme0nX with /dev/sdX or your device as needed.

klingtnet

This guide is based on the hibernate article from the Arch wiki.

• edit /etc/default/grub and add resume as well as resume_offset kernel parameters
  • resume=UUID=abcd-efgh contains the UUID of the partition on which the swapfile resides. In most cases the swapfile resides in root, to identify the root parition's UUID run blkid or lsblk -O.
  • resume_offset=1234 is the offset of the swapfile from the partition start. The offset is the first entry in the physical_offset column of the output of filefrag -v /swapfile.
  • update grub: grub-mkconfig -o /boot/grub/grub.cfg
  • example: GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=75972c96-f909-4419-aba4-80c1b74bd605 resume_offset=1492992"
• add the resume module hook to /etc/mkinitcpio.conf:
  • HOOKS="base udev resume autodetect ...
• rebuild the initramfs mkinitcpio -p linux