Overview

  • Fully encrypted Btrfs root partition & ext4 boot
  • Install Arch Linux
  • Configure some basics

Status

Everything works out of the box!

Install Arch

Prep USB for installing Arch

sudo dd if=archlinux-2018.05.01-x86_64.iso of=/dev/sda bs=4M

Setup wifi

wifi-menu

Enable SSH to simplify the installation process (optional)

  • Set a root password
passwd root
  • Enable sshd
systemctl start sshd

Now you should be able to ssh into this box from another machine that has a font you can actually read.

Preparing the System Drive

Encrypting the System Drive

  • Find out how fast the ciphers are on your machine (AES has hardware acceleration on most CPUs and should therefore win)
cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1      1489454 iterations per second for 256-bit key
PBKDF2-sha256    1664406 iterations per second for 256-bit key
PBKDF2-sha512    1328993 iterations per second for 256-bit key
PBKDF2-ripemd160 1054905 iterations per second for 256-bit key
PBKDF2-whirlpool  787219 iterations per second for 256-bit key
argon2i       5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id      5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
#     Algorithm | Key |  Encryption |  Decryption
        aes-cbc   128b  1063.3 MiB/s  3276.7 MiB/s
    serpent-cbc   128b    89.6 MiB/s   677.3 MiB/s
    twofish-cbc   128b   194.2 MiB/s   362.2 MiB/s
        aes-cbc   256b   810.3 MiB/s  2624.6 MiB/s
    serpent-cbc   256b    90.9 MiB/s   677.1 MiB/s
    twofish-cbc   256b   195.3 MiB/s   362.3 MiB/s
        aes-xts   256b  2022.0 MiB/s  2032.2 MiB/s
    serpent-xts   256b   653.0 MiB/s   644.3 MiB/s
    twofish-xts   256b   356.6 MiB/s   357.5 MiB/s
        aes-xts   512b  1846.6 MiB/s  1847.6 MiB/s
    serpent-xts   512b   654.1 MiB/s   644.3 MiB/s
    twofish-xts   512b   356.6 MiB/s   357.0 MiB/s
cryptsetup benchmark  26.30s user 25.05s system 145% cpu 35.399 total

aes-xts 512b 1846.6 MiB/s 1847.6 MiB/s looks good: only a marginal performance hit for the 512-bit key compared with 256-bit.

  • Partition the disk; the resulting layout as reported by fdisk -l /dev/nvme0n1:
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: ECE601CC-27F0-4CF0-92C8-1D663A4CC362

Device           Start        End   Sectors   Size Type
/dev/nvme0n1p1    2048    1050623   1048576   512M EFI System
/dev/nvme0n1p2 1050624 1000215182 999164559 476.4G Linux filesystem
  • Make data partition LUKS formatted
cryptsetup --cipher aes-xts-plain64 --key-size 512 --use-random --verify-passphrase luksFormat /dev/nvme0n1p2
  • Check if everything looks good
cryptsetup luksDump /dev/nvme0n1p2
  • Open encrypted partition
cryptsetup open --type luks /dev/nvme0n1p2 cryptroot
  • Create BTRFS on the cryptroot volume
mkfs.btrfs -L data /dev/mapper/cryptroot
  • Mount BTRFS with flags
mount /dev/mapper/cryptroot /mnt -t btrfs -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache
  • Create subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
  • Create boot partition
mkfs.vfat -F 32 /dev/nvme0n1p1
  • Mount sub-volumes and boot partition
umount /mnt
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@ /dev/mapper/cryptroot /mnt
mkdir /mnt/home
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
  • create nested subvolumes for special folders
mkdir -p /mnt/var/cache/pacman
btrfs subvolume create /mnt/var/cache/pacman/pkg
btrfs subvolume create /mnt/var/log
btrfs subvolume create /mnt/var/tmp
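A check for the "Check if everything looks good" step above, added here and not part of the gist: it parses cryptsetup luksDump output (a constructed sample is embedded so it runs offline) and confirms that the cipher, mode and master key size match what the luksFormat step requested, and counts enabled key slots.

```shell
#!/bin/sh
# Added example (not from the gist): parse `cryptsetup luksDump` output to confirm
# the header carries the parameters chosen above (aes, xts-plain64, 512-bit key)
# and report how many key slots are enabled. Handles the LUKS1 layout luksDump
# printed at the time; LUKS2 headers use a different "Keyslots:" section.
# Real use:  cryptsetup luksDump /dev/nvme0n1p2 | check_luks_header
# Constructed luksDump excerpt for the offline demonstration at the bottom.
SAMPLE_DUMP='LUKS header information for /dev/nvme0n1p2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Payload offset: 4096
MK bits:        512
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# luks_field NAME: print the value of the "NAME: value" header line, trimmed.
luks_field() {
    awk -v key="$1" 'index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }'
}

# enabled_slots: print how many key slots are marked ENABLED (0 is not an error).
enabled_slots() {
    grep -c '^Key Slot [0-9][0-9]*: ENABLED' || true
}
# check_luks_header: read luksDump text on stdin; return 0 only if cipher, mode
# and master key size all match what the luksFormat step above requested.
check_luks_header() {
    dump=$(cat)
    name=$(printf '%s\n' "$dump" | luks_field "Cipher name")
    mode=$(printf '%s\n' "$dump" | luks_field "Cipher mode")
    bits=$(printf '%s\n' "$dump" | luks_field "MK bits")
    slots=$(printf '%s\n' "$dump" | enabled_slots)
    rc=0
    [ "$name" = "aes" ]         || { echo "cipher name '$name', expected aes"; rc=1; }
    [ "$mode" = "xts-plain64" ] || { echo "cipher mode '$mode', expected xts-plain64"; rc=1; }
    [ "$bits" = "512" ]         || { echo "master key ${bits:-?} bits, expected 512"; rc=1; }
    # A second enabled slot is a passphrase or key file you may not know about.
    [ "$slots" -le 1 ]          || echo "warning: $slots key slots enabled, expected 1"
    [ "$rc" -eq 0 ] && echo "LUKS header OK: $name-$mode, $bits-bit key, $slots slot(s) enabled"
    return "$rc"
}

printf '%s\n' "$SAMPLE_DUMP" | check_luks_header
```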

Arch Installation

  • use reflector to speed up install (optional)
pacman -Syy reflector
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
  • synchronize clock
timedatectl set-ntp true

  • install base packages
pacstrap /mnt base base-devel git btrfs-progs openssh linux-zen
  • generate fstab
genfstab -Up /mnt >> /mnt/etc/fstab
  • optional: add ramdisk tmp
echo "tmpfs     /tmp         tmpfs  defaults,noatime,mode=1777  0 0" >> /mnt/etc/fstab
  • change into installation root
arch-chroot /mnt
  • There is only an SSD, so reduce swapping as much as possible
echo "vm.swappiness=10" > /etc/sysctl.d/99-sysctl.conf
  • add modules, binaries, files, and hooks to mkinitcpio.conf
vi /etc/mkinitcpio.conf

Replace the variables with these values

MODULES=(btrfs loop i915)
BINARIES=(/usr/bin/btrfs)
HOOKS=(base udev autodetect modconf keyboard encrypt block filesystems btrfs fsck)
  • Generate the initial ramdisk images for all installed kernels (both linux and linux-zen, so the linux-zen image picks up the encrypt hook too)
mkinitcpio -P

Bootloader Installation

rEFInd is a simple boot manager for UEFI-based systems; a clean, minimal black theme is applied to it below.

rEFInd Minimalistic

pacman -S intel-ucode refind-efi
refind-install
  • edit /boot/EFI/refind/refind.conf

The UUID in cryptdevice= is that of nvme0n1p2 (the LUKS partition)

timeout 10

menuentry "Arch Linux" {

    icon     /EFI/refind/rEFInd-minimal/icons/os_arch.png
    volume   "Arch Linux"
    loader   /vmlinuz-linux-zen
    initrd   /initramfs-linux-zen.img
    options  "cryptdevice=UUID=6e74c74b-ba92-4100-9077-29e604e24ffe:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ add_efi_memmap initrd=boot/intel-ucode.img quiet splash rw"

    submenuentry "Boot using non-zen kernel" {
        loader   /vmlinuz-linux
        initrd /initramfs-linux.img
    }

    submenuentry "Boot using fallback initramfs" {
        loader   /vmlinuz-linux
        initrd /initramfs-linux-fallback.img
    }

    submenuentry "Boot to terminal" {
        add_options "systemd.unit=multi-user.target"
    }
}

include rEFInd-minimal-black/theme.conf

git clone https://github.com/andersfischernielsen/rEFInd-minimal-black /boot/EFI/refind/rEFInd-minimal-black

System Configuration

  • Set locale
cat >/etc/locale.gen <<END
en_US.UTF-8 UTF-8
END

locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
  • Set timezone
ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc --utc
  • set hostname
echo carbon > /etc/hostname
  • Add some more useful packages and set up reflector
pacman -Suy base-devel git iw wpa_supplicant dialog zsh sudo reflector vim
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
  • add a new user account
useradd -m -g users -G wheel,storage,power -s /bin/zsh damon
passwd damon
  • enable sudo for your user account

open /etc/sudoers with visudo and uncomment the following line

%wheel ALL=(ALL) ALL

  • disable root account
passwd -l root

Tidy up and reboot

exit
umount -R /mnt
swapoff -a
reboot

Post-install steps

install, configure and enable Snapper

sudo pacman -S snapper
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
sudo mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /.snapshots
sudo systemctl start snapper-timeline.timer

install & enable power management

sudo pacman -S tlp x86_energy_perf_policy tlp-rdw
sudo systemctl enable tlp.service
sudo systemctl enable tlp-sleep.service
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket

enable bluetooth

sudo pacman -S bluez bluez-firmware bluez-utils blueman
sudo systemctl enable --now bluetooth.service