Install Arch Linux in an encrypted BTRFS partition with GPT and UEFI support, GRUB2 with unencrypted SWAP
- 1. Set your environment
- 2. Wipe your existing disk
- 3. Create partition table
- 4. Create filesystems
- 5. Mount subvolumes (template for later fstab):
- 6. Install BASE SYSTEM
- 7. Chroot into installation
- 8. Exit chroot unmount and reboot
loadkeys de-latin1
For installation via SSH:
systemctl start ssh
passwd
pacman -Syy && pacman -S termite-terminfo
Check EFI:
modprobe efivars
stat /proc/efi/vars > /dev/null || systemctl reboot
Make sure you wipe the correct disk! Run
lsblkanddf -hTif you are not certain!
cryptsetup open --type plain /dev/sda container
dd if=/dev/zero of=/dev/mapper/container
cryptsetup luksClose container
Assuming
/dev/sdais the target disk
gdisk /dev/sda
Create your partition table with the following input:
o
Make this partition with the type EF00 (EFI System Partition). The minimum size for the EFI partition is 64M. This is sufficient for just the EFI bootloader */boot/efi/**.
n , 128 , [ENTER] , +64M , EF00
n , 2 , [ENTER] , +8G , 8200
n , [ENTER] , [ENTER] , [ENTER] , [ENTER]
mkfs.vfat -F32 -n "EFI" /dev/sda128
mkswap -L SWAP /dev/sda2
swapon /dev/sda2
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda1
dd if=/dev/random of=/tmp/key bs=512 count=4
cryptsetup luksAddKey /dev/sda1 /tmp/key
cryptsetup luksOpen /dev/sda1 crypt -d /tmp/key
mkfs.btrfs -KL "Arch Linux" /dev/mapper/crypt
mkdir -p /mnt/btrfs-root
mount -o ssd,discard,noatime,compress=lzo /dev/mapper/crypt /mnt/btrfs-root
mkdir -p /mnt/btrfs-root/__snapshot
cd /mnt/btrfs-root && btrfs subvolume create __active && cd __active
btrfs subvolume create system && btrfs subvolume create home
btrfs subvolume create system/rootvol && btrfs subvolume create system/var && btrfs subvolume create system/opt
Check your work:
btrfs subvolume list .
mkdir -p /mnt/btrfs-active && cd /mnt/btrfs-active
mount -o ssd,discard,noatime,compress=lzo,nodev,subvol=__active/system/rootvol /dev/mapper/crypt /mnt/btrfs-active
mkdir -p /mnt/btrfs-active/{home,opt,var,boot,boot/efi}
mount -o ssd,discard,noatime,compress=lzo,nosuid,nodev,subvol=__active/home /dev/mapper/crypt /mnt/btrfs-active/home
mount -o ssd,discard,noatime,compress=lzo,nosuid,nodev,subvol=__active/system/opt /dev/mapper/crypt /mnt/btrfs-active/opt
mount -o ssd,discard,noatime,compress=lzo,nosuid,nodev,noexec,subvol=__active/system/var /dev/mapper/crypt /mnt/btrfs-active/var
Check your mountpoints:
df -hT
pacstrap /mnt/btrfs-active base base-devel efibootmgr grub-efi-x86_64 cryptsetup btrfs-progs openssh rsync bash-completion curl termite-terminfo wget vim
mv /tmp/key /mnt/btrfs-active/root/luks-keyfile.bin
chmod 000 /mnt/btrfs-active/root/luks-keyfile.bin
genfstab -pU /mnt/btrfs-active >> /mnt/btrfs-active/etc/fstab
less /mnt/btrfs-active/etc/fstab
arch-chroot /mnt/btrfs-active /bin/bash
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime && tzselect
hwclock --systohc --utc --adjfile /etc/adjtime
loadkeys de-latin1
echo "KEYMAP=de-latin1" >> /etc/vconsole.conf
sed -i 's/#en_US.U/en_US.U/g' /etc/locale.gen && sed -i 's/#de_DE.UTF-8/de_DE.UTF-8/'g /etc/locale.gen && locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf && export LANG=en_US.UTF-8
echo "HOSTNAME" > /etc/hostname
Enable HOOKS keymapping, encryption and btrfs; disable fsck:
sed -i 's/HOOKS="base udev autodetect modconf block filesystems keyboard fsck"/HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs"/g' /etc/mkinitcpio.conf
Enable MODULES for keys on external FAT usb drives:
sed -i 's/MODULES=""/MODULES="vfat aes_x86_64 crc32c-intel"/g' /etc/mkinitcpio.conf
For troubleshooting add btrfsck to bootmenu:
sed -i 's,BINARIES="",BINARIES="/usr/bin/btrfsck",g' /etc/mkinitcpio.conf
Include
KeyFileintoinitramfs(not recommendet). When doing this check thatinitramfspermission are set to 600, or users will be able to dump the keyfile!
sed -i 's,FILES="",FILES="/root/luks-keyfile.bin",g' /etc/mkinitcpio.conf
less /etc/mkinitcpio.conf
Create the initramfs:
mkinitcpio -p linux
chmod 600 /boot/initramfs-linux*
Mount your previously created EFI partition (NOTE: if you created a bigger partition to include kernel and initramfs change mountpoint to /boot):
mkdir -p /boot/efi && mount /dev/sda128 /boot/efi
Install GRUB2 on 64Bit UEFI system:
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck --debug
Add something like cryptdevice=UUID=<UUID of /dev/sda1>:crypt cryptkey=UUID=<UUID of USBKEY>:<fstype>:<path> ... quiet to your GRUB_CMDLINE_LINUX_DEFAULT="" setting in /etc/default/grub:
ls -l /dev/disk/by-uuid | grep sda1
vim /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
Check your work:
less /boot/grub/grub.cfg
exit
umount -R /mnt/btrfs-root && umount -R /mnt/btrfs-active
reboot
can you do it with the systemd-boot without grub????