Cobbled together from the following resources:
- Full Disk Encryption - Linode
- Encrypting an entire system - Arch Wiki
- Install from existing linux - Arch Wiki
- Installation guide - Arch Wiki
- Gettys on Serial Consoles
Create a new Linode.
Create three new disk images.
- name "boot", type "unformatted / raw", size = 256 MB
- name "swap", type "unformatted / raw", size = swap size
- name "root", type "unformatted / raw", size = rest
Create a new configuration profile.
- label whatever
- kernel "pv-grub-x86_64"
- /dev/xvda "boot"
- /dev/xvdb "swap"
- /dev/xvdc "root"
- xenify distro "no"
- disable updatedb "no"
- modules.dep helper "no"
- automount devtmpfs "no"
Go to the Rescue tab, and click Reboot into Rescue Mode.
Connect via LISH.
Encrypt and open the root partition.
cryptsetup luksFormat /dev/xvdc
cryptsetup luksOpen /dev/xvdc crypt-xvdc
Create the filesystems for the boot and root partitions.
mkfs -t ext2 /dev/xvda
mkfs -t ext4 /dev/mapper/crypt-xvdc
Create the encrypted swap partition.
cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
mkswap /dev/mapper/crypt-swap
swapon /dev/mapper/crypt-swap
Bootstrap an Arch chroot environment.
cd /tmp
wget https://mirrors.kernel.org/archlinux/iso/2014.09.03/archlinux-bootstrap-2014.09.03-x86_64.tar.gz
tar xf archlinux-bootstrap-2014.09.03-x86_64.tar.gz
sed -i 's?#Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?' root.x86_64/etc/pacman.d/mirrorlist
root.x86_64/bin/arch-chroot /tmp/root.x86_64
Prep the Arch chroot environment for installing the base system.
mkdir /run/shm
cd /tmp
curl -O https://mirrors.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.1-1-x86_64.pkg.tar.xz
pacman -U haveged-1.9.1-1-x86_64.pkg.tar.xz
haveged -w 1024
pacman-key --init
pacman-key --populate archlinux
Mount the root and boot filesystems (in that order) under /mnt.
mount /dev/mapper/crypt-xvdc /mnt
mkdir /mnt/boot
mount /dev/xvda /mnt/boot
Install the base system, generate the fstab, and chroot into it.
pacstrap /mnt base base-devel
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt /bin/bash
Configure the system.
sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
sed -i 's/#en_US ISO-8859-1/en_US ISO-8859-1/' /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
export LANG=en_US.UTF-8
ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
echo my.hostname.com > /etc/hostname
systemctl enable dhcpcd@eth0.service
Configure the initial ramdisk.
- Add encrypt to the HOOKS line in /etc/mkinitcpio.conf, before filesystems (the encrypt hook has to open the LUKS volume before the filesystems hook tries to mount root from it).
mkinitcpio -p linux
Add this line to /etc/crypttab to set up the encrypted swap partition on boot. Keying it from /dev/urandom means a fresh key is generated at every boot, so nothing written to swap survives a reboot; it also means hibernation is not possible with this setup.
crypt-swap /dev/xvdb /dev/urandom swap
Configure passwords and a user account.
passwd
useradd -m -g users -G wheel -s /bin/bash youruser
passwd youruser
visudo
- Uncomment the line %wheel ALL=(ALL) ALL.
Build the grub-legacy bootloader from the AUR.
- Uncomment the multilib repo in /etc/pacman.conf.
pacman -Sy gcc-multilib
su youruser
cd
curl -O https://aur.archlinux.org/packages/gr/grub-legacy/grub-legacy.tar.gz
tar xf grub-legacy.tar.gz
cd grub-legacy
makepkg -s
sudo pacman -U grub-legacy-0.97-25-x86_64.pkg.tar.xz
cd ..
rm -rf grub-legacy grub-legacy.tar.gz
exit
Edit /boot/grub/menu.lst.
root (hd0)
kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro
Symlink the grub directory so pv-grub can find it.
cd /boot
mkdir boot
cd boot
ln -s ../grub .
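Before leaving the chroot it is worth checking the three files that decide whether the machine comes back up, because a typo in any of them leaves you with a VM that only answers on LISH. The script below is an added example, not part of the original guide: it verifies that the encrypt hook precedes filesystems in mkinitcpio.conf, that the root= device on the menu.lst kernel line is the mapper name given in cryptdevice= (the crypt-xvdc vs. xvdc slip) and that console=hvc0 is present, and that the crypttab swap entry is keyed from /dev/urandom with the swap option. The function names, the sample files it constructs, and the argument handling are mine; the mapper names crypt-xvdc and crypt-swap and the device paths are the ones used above.

```shell
#!/bin/sh
# Added pre-reboot check for the encrypted-root setup described above (example
# code, not from the original guide). Usage inside the chroot:
#   sh check-crypt.sh /etc/mkinitcpio.conf /boot/grub/menu.lst /etc/crypttab
# With no arguments it runs against constructed sample files instead.

# check_hooks MKINITCPIO_CONF
# 'encrypt' must be in HOOKS and must come before 'filesystems'; handles both
# the quoted (HOOKS="...") and the array (HOOKS=(...)) spelling.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=//p' "$1" | tr -d '"()')
    enc=0; fs=0; i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = encrypt ]; then enc=$i; fi
        if [ "$h" = filesystems ]; then fs=$i; fi
    done
    [ "$enc" -gt 0 ] && [ "$fs" -gt 0 ] && [ "$enc" -lt "$fs" ]
}

# check_kernel_line MENU_LST [NAME]
# root= must be /dev/mapper/NAME where NAME is the mapper name in
# cryptdevice=DEVICE:NAME[:options], and console=hvc0 must be set so the
# passphrase prompt actually reaches LISH. NAME defaults to crypt-xvdc.
check_kernel_line() {
    name=${2:-crypt-xvdc}
    kline=$(grep '^[[:space:]]*kernel[[:space:]]' "$1" | head -n 1)
    [ -n "$kline" ] || return 1
    root=$(printf '%s\n' "$kline" | tr ' \t' '\n\n' | sed -n 's/^root=//p')
    cdev=$(printf '%s\n' "$kline" | tr ' \t' '\n\n' | sed -n 's/^cryptdevice=//p')
    mapper=${cdev#*:}      # DEVICE:NAME[:options] -> NAME[:options]
    mapper=${mapper%%:*}   # drop any trailing options
    [ "$mapper" = "$name" ] || return 1
    [ "$root" = "/dev/mapper/$name" ] || return 1
    printf '%s\n' "$kline" | grep -q 'console=hvc0'
}

# check_crypttab CRYPTTAB [NAME] [DEVICE]
# The swap mapping must take its key from /dev/urandom and carry the 'swap'
# option, so a fresh key is generated on every boot. Defaults: crypt-swap, /dev/xvdb.
check_crypttab() {
    awk -v name="${2:-crypt-swap}" -v dev="${3:-/dev/xvdb}" '
        $1 == name && $2 == dev && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit !found }' "$1"
}

# run_checks MKINITCPIO_CONF MENU_LST CRYPTTAB
# Runs all three checks, reports each, and returns non-zero if any failed.
run_checks() {
    rc=0
    if check_hooks "$1"; then echo "ok   $1: encrypt hook precedes filesystems"
    else echo "FAIL $1: encrypt hook missing or after filesystems"; rc=1; fi
    if check_kernel_line "$2"; then echo "ok   $2: root= matches cryptdevice= mapper, console=hvc0 set"
    else echo "FAIL $2: root=/cryptdevice= mismatch or console=hvc0 missing"; rc=1; fi
    if check_crypttab "$3"; then echo "ok   $3: swap is random-keyed with the swap option"
    else echo "FAIL $3: crypt-swap entry missing or not random-keyed"; rc=1; fi
    return $rc
}

# write_sample DIR good|bad
# Constructed sample files (not real system files): 'good' is this guide's
# configuration; 'bad' reproduces the root=/dev/mapper/xvdc slip and puts
# the encrypt hook after filesystems.
write_sample() {
    mkdir -p "$1"
    if [ "$2" = good ]; then
        echo 'HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"' > "$1/mkinitcpio.conf"
        echo 'kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro' > "$1/menu.lst"
    else
        echo 'HOOKS="base udev autodetect modconf block filesystems encrypt keyboard fsck"' > "$1/mkinitcpio.conf"
        echo 'kernel /vmlinuz-linux root=/dev/mapper/xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro' > "$1/menu.lst"
    fi
    echo 'crypt-swap /dev/xvdb /dev/urandom swap' > "$1/crypttab"
}

if [ $# -eq 3 ]; then
    run_checks "$1" "$2" "$3"
else
    tmp=$(mktemp -d)
    write_sample "$tmp/good" good
    write_sample "$tmp/bad" bad
    run_checks "$tmp/good/mkinitcpio.conf" "$tmp/good/menu.lst" "$tmp/good/crypttab"
    run_checks "$tmp/bad/mkinitcpio.conf" "$tmp/bad/menu.lst" "$tmp/bad/crypttab"
    rm -rf "$tmp"
fi
```

Run it from inside the chroot with the three real paths before the unmount step below; a non-zero exit means do not reboot yet. The check is deliberately a plain POSIX sh script with only sed, awk and grep, since the rescue environment and a fresh pacstrap offer little else.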
Leave chroots, unmount partitions, and reboot.
exit
umount -R /mnt
exit
pkill haveged
umount /tmp/root.x86_64/dev
umount /tmp/root.x86_64
- Shutdown from Linode Manager
- Boot from Linode Manager
Every time you boot the machine, you'll need to connect to LISH and type in your LUKS passphrase to unlock the root partition. Note that the boot disk stays unencrypted: pv-grub has to read menu.lst, the kernel and the initramfs from it, so this setup protects the data on root and swap at rest but not the boot chain itself.
How do you do this today?
Would have thought this process would be easier today... Has it been updated recently? I see it is still pulling the 2014 arch bootstrap.
curl -O https://mirrors.edge.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.4-3-x86_64.pkg.tar.xz
^^ fails ^^ I'm stuck here.
EDIT: I figured it out... Seems for this setup, curl must use '-o' & specify an output file to work.
Now stuck on: where is grub-install?
I also think "mkfs -t ext4 /dev/mapper/xvdc" should be "mkfs -t ext4 /dev/mapper/crypt-xvdc"