Skip to content

Instantly share code, notes, and snippets.

@alanorth

alanorth/arch-install-encrypted.md

Last active October 11, 2020 00:02
Show Gist options
  • Save alanorth/b1a4649f1f285cfa928c9fb5985118eb to your computer and use it in GitHub Desktop.
Save alanorth/b1a4649f1f285cfa928c9fb5985118eb to your computer and use it in GitHub Desktop.
Download ZIP
Installing Arch Linux on an SSD with plain boot but encrypted /, /home, etc.
Raw
arch-install-encrypted.md

Arch Linux on LUKS

Mostly follows the Arch Linux install guide, but with tips from these for the encryption setup:

Partitoning

Find the correct disk and clear all existing partitions with sgdisk:

# fdisk -l
# sgdisk --zap-all /dev/sda

Use gdisk to create a new GUID partition table (press "o") and two partitions (press "n"):

  • Partition 1: 512M (or more) for /boot with type "EF00"
  • Partition 2: the rest of the disk for LVM with type "8E00" (we will create root, home, etc here using LVM)
# gdisk /dev/sda

Format the boot partition with mkfs.fat:

# mkfs.fat -F32 /dev/sda1

Create Encrypted LUKS partition

Uses 128-bit AES (double to -s 512 if you want 256 bit) and sha256, because the NSA is not my adversary, but I don't want random people to be able to get my shit if I lose my laptop. Creates the encrypted device and then LVM inside it, for as many partitions as you want.

# cryptsetup -v -y -c aes-xts-plain64 -s 256 -h sha256 -i 2000 --use-urandom luksFormat /dev/sda2
# cryptsetup open /dev/sda2 luks
# pvcreate /dev/mapper/luks
# vgcreate vg0 /dev/mapper/luks
# lvcreate --size 6G vg0 --name root
# lvcreate -l +100%FREE vg0 --name home
# mkfs.ext4 /dev/mapper/vg0-root
# mkfs.ext4 /dev/mapper/vg0-home

Normal Arch Installation

Follow the Arch Linux install guide here, as from now it's mostly the same:

# mount /dev/mapper/vg0-root /mnt
# mkdir /mnt/{boot,home}
# mount /dev/mapper/vg0-home /mnt/home
# mount /dev/sda1 /mnt/boot
# pacstrap /mnt base base-devel vim
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
...

Things to note:

  • You must edit the mkinitcpio.conf file before generating the initramfs to add support for lvm2
  • When creating /boot/loader/entries/arch.conf, pay attention to the options for kernel command line
    • If using busybox initramfs (ie, udev in HOOKS): cryptdevice=UUID:vg0 root=/dev/mapper/vg0-root where the UUID is that of the underlying encrypted block device (ie, sda2), not the ext4 partition
    • If using systemd initramfs (ie, systemd in HOOKS): luks.name=0000-0000-0000-0000=vg0 root=/dev/mapper/vg0-root where the UUID is that of the underlying encrypted block device (ie, sda2)
# bootctl --path=/boot install

After Install

# useradd -m aorth
# passwd aorth
# pacman -S xorg-server xf86-video-fbdev
# pacman -S plasma-desktop sddm breeze-gtk konsole
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment