@bobsomers
Last active August 30, 2019 04:29
Arch Linux on Linode with Full Disk Encryption

Cobbled together from the following resources:

Create a new Linode.

Create three new disk images.

  • name "boot", type "unformatted / raw", size = 256 MB
  • name "swap", type "unformatted / raw", size = swap size
  • name "root", type "unformatted / raw", size = rest

Create a new configuration profile.

  • label whatever
  • kernel "pv-grub-x86_64"
  • /dev/xvda "boot"
  • /dev/xvdb "swap"
  • /dev/xvdc "root"
  • xenify distro "no"
  • disable updatedb "no"
  • modules.dep helper "no"
  • automount devtmpfs "no"

Go to the Rescue tab, and click Reboot into Rescue Mode.

Connect via LISH.

Encrypt and open the root partition.

  • cryptsetup luksFormat /dev/xvdc
  • cryptsetup luksOpen /dev/xvdc crypt-xvdc

Create the filesystems for the boot and root partitions.

  • mkfs -t ext2 /dev/xvda
  • mkfs -t ext4 /dev/mapper/crypt-xvdc

Create the encrypted swap partition.

  • cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
  • mkswap /dev/mapper/crypt-swap
  • swapon /dev/mapper/crypt-swap

Bootstrap an Arch chroot environment.

  • cd /tmp
  • wget https://mirrors.kernel.org/archlinux/iso/2014.09.03/archlinux-bootstrap-2014.09.03-x86_64.tar.gz
  • tar xf archlinux-bootstrap-2014.09.03-x86_64.tar.gz
  • sed -i 's?#Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?' root.x86_64/etc/pacman.d/mirrorlist
  • root.x86_64/bin/arch-chroot /tmp/root.x86_64

Prep the Arch chroot environment for installing the base system.

  • mkdir /run/shm
  • cd /tmp
  • curl -O https://mirrors.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.1-1-x86_64.pkg.tar.xz
  • pacman -U haveged-1.9.1-1-x86_64.pkg.tar.xz
  • haveged -w 1024
  • pacman-key --init
  • pacman-key --populate archlinux

Mount the root and boot filesystems (in that order) under /mnt.

  • mount /dev/mapper/crypt-xvdc /mnt
  • mkdir /mnt/boot
  • mount /dev/xvda /mnt/boot

Install the base system, generate the fstab, and chroot into it.

  • pacstrap /mnt base base-devel
  • genfstab -p /mnt >> /mnt/etc/fstab
  • arch-chroot /mnt /bin/bash

Configure the system.

  • sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
  • sed -i 's/#en_US ISO-8859-1/en_US ISO-8859-1/' /etc/locale.gen
  • locale-gen
  • echo LANG=en_US.UTF-8 > /etc/locale.conf
  • export LANG=en_US.UTF-8
  • ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
  • echo my.hostname.com > /etc/hostname
  • systemctl enable dhcpcd@eth0.service

Configure the initial ramdisk.

  • Add encrypt to the HOOKS line in /etc/mkinitcpio.conf before filesystems.
  • mkinitcpio -p linux

Add this line to /etc/crypttab to set up the encrypted swap partition on boot.

  • crypt-swap /dev/xvdb /dev/urandom swap

Configure passwords and a user account.

  • passwd
  • useradd -m -g users -G wheel -s /bin/bash youruser
  • passwd youruser
  • visudo
  • Uncomment the line %wheel ALL=(ALL) ALL.

Build the grub-legacy bootloader from the AUR.

  • Uncomment the multilib repo from /etc/pacman.conf.
  • pacman -Sy gcc-multilib
  • su youruser
  • cd
  • curl -O https://aur.archlinux.org/packages/gr/grub-legacy/grub-legacy.tar.gz
  • tar xf grub-legacy.tar.gz
  • cd grub-legacy
  • makepkg -s
  • sudo pacman -U grub-legacy-0.97-25-x86_64.pkg.tar.xz
  • cd ..
  • rm -rf grub-legacy grub-legacy.tar.gz
  • exit

Edit /boot/grub/menu.lst.

  • root (hd0)
  • kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro

Symlink the grub directory so pv-grub can find it.

  • cd /boot
  • mkdir boot
  • cd boot
  • ln -s ../grub .

Leave chroots, unmount partitions, and reboot.

  • exit
  • umount -R /mnt
  • exit
  • pkill haveged
  • umount /tmp/root.x86_64/dev
  • umount /tmp/root.x86_64
  • Shutdown from Linode Manager
  • Boot from Linode Manager

Every time you boot the machine, you'll need to connect to LISH and type in your password to unlock the root partition.
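An added example, not part of the gist: the name passed to cryptsetup luksOpen has to be repeated exactly in mkfs, mount, root= and cryptdevice=, and encrypt must precede filesystems in the HOOKS line, so these POSIX sh helpers derive those lines from one device/name pair and check existing ones. Only the device and mapping name come from the gist; the function names and sample HOOKS lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist. The mapping name passed to
# 'cryptsetup luksOpen' must reappear verbatim in mkfs, mount, root= and
# cryptdevice=; these helpers derive every such line from two variables and
# check an existing menu.lst line or mkinitcpio HOOKS line. Pure text
# processing, so it runs without root, cryptsetup or a Linode.

ROOT_DEV=/dev/xvdc        # raw disk from the gist's configuration profile
ROOT_NAME=crypt-xvdc      # name given to 'cryptsetup luksOpen'

# Device node that mkfs, mount and root= must all use.
mapped_path() { printf '/dev/mapper/%s\n' "$1"; }

# menu.lst kernel line built from the same device and name, so root= and
# cryptdevice= cannot drift apart.  Usage: grub_kernel_line DEV NAME
grub_kernel_line() {
  printf 'kernel /vmlinuz-linux root=%s cryptdevice=%s:%s console=hvc0 ro\n' \
    "$(mapped_path "$2")" "$1" "$2"
}

# Return 0 when a kernel line's root= is /dev/mapper/<name from cryptdevice=>.
kernel_line_consistent() {
  root=$(printf '%s\n' "$1" | sed -n 's/.*root=\([^ ]*\).*/\1/p')
  name=$(printf '%s\n' "$1" | sed -n 's/.*cryptdevice=[^:]*:\([^ ]*\).*/\1/p')
  [ -n "$root" ] && [ -n "$name" ] && [ "$root" = "$(mapped_path "$name")" ]
}

# Return 0 when a HOOKS line lists 'encrypt' before 'filesystems'
# (accepts both HOOKS="..." and HOOKS=(...) styles).
hooks_order_ok() {
  hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=//p' | tr -d '()"')
  e=0; f=0; i=0
  for h in $hooks; do
    i=$((i + 1))
    [ "$h" = encrypt ] && e=$i
    [ "$h" = filesystems ] && f=$i
  done
  [ "$e" -gt 0 ] && [ "$f" -gt 0 ] && [ "$e" -lt "$f" ]
}

# Rewrite a HOOKS line so 'encrypt' sits immediately before 'filesystems'
# (idempotent: an existing 'encrypt' is removed first, then reinserted).
add_encrypt_hook() {
  printf '%s\n' "$1" |
    sed -e 's/\([ ("]\)encrypt /\1/' -e 's/\([ ("]\)filesystems/\1encrypt filesystems/'
}

grub_kernel_line "$ROOT_DEV" "$ROOT_NAME"
add_encrypt_hook 'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
```

Running kernel_line_consistent against the mkfs/menu.lst pair before rebooting catches the /dev/mapper/xvdc versus /dev/mapper/crypt-xvdc mismatch while you still have the rescue shell.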

@dm17

dm17 commented Aug 30, 2019

How do you do this today?
Would have thought this process would be easier today... Has it been updated recently? I see it is still pulling the 2014 arch bootstrap.
curl -O https://mirrors.edge.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.4-3-x86_64.pkg.tar.xz
^^ fails ^^ I'm stuck here.
EDIT: I figured it out... Seems for this setup, curl must use '-o' & specify an output file to work.
Now stuck on: where is grub-install?

I also think "mkfs -t ext4 /dev/mapper/xvdc" should be "mkfs -t ext4 /dev/mapper/crypt-xvdc"

@dm17

dm17 commented Aug 30, 2019

It seems this is what is happening when doing grub-install: https://wiki.archlinux.org/index.php/GRUB#msdos-style_error_message
Perhaps Linode uses VMWare? Then there is this thread where the last two posters seem confused, and the admins closed it: https://bbs.archlinux.org/viewtopic.php?pid=581760#p581760

This is not straightforward on Linode - and Linode says that they don't provide any support for people encrypting their disks. Thoughts @bobsomers ?
