An efficient method to install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Multi-OS and VirtualBox UEFI-booting are also supported.
# OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Optionally, we will also encrypt
/boot and then decrypt and mount our entire encrypted system using a single LUKS passphrase entry.
# Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.
# External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but
# only when the installation is correctly set up. There are several necessary changes to my standard procedure you'll want
# to make during the install process. Read my External USB HDD/SSD Installation section below before proceeding.
# VirtualBox Installers Notes: This installation method can also be used to install Arch Linux as a UEFI-booting
# Guest system in VirtualBox. You must have UEFI-booting enabled in VBox's Guest System Settings prior to installation.
# I have written a separate guide dedicated to the specifics of achieving an encrypted Arch Linux VirtualBox installation.
# My Arch Linux VirtualBox Guest installation guide is available at:
https://gist.github.com/HardenedArray/d5b70681eca1d4e7cfb88df32cc4c7e6
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:
$ gpg --verify archlinux-2017.01.01-dual.iso.sig
gpg: assuming signed data in 'archlinux-2017.01.01-dual.iso'
gpg: Signature made Sun 01 Jan 2017 04:06:24 PM UTC
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
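The "not certified" warning above means gpg has no trust path to the key, so the check that actually matters is that the primary key fingerprint equals the one the Arch developers publish. The following script is an added example (mine, not part of the original gist): it reads gpg's machine-readable status stream instead of the human-readable text and pins the fingerprint printed above; the sample status lines are constructed for offline testing, and the file-name argument is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original gist: verify archlinux-*.iso against its
# detached signature and accept it only if the signature is good AND the primary key
# fingerprint matches the one the guide shows. Usage: sh verify-iso.sh <iso file>

# Primary key fingerprint from the guide's 'gpg --verify' output (spaces are allowed).
EXPECTED_FPR="4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC"

# Read a 'gpg --status-fd' stream on stdin. The fields after VALIDSIG are: signing-key
# fingerprint, date, timestamp, expiry, version, reserved, pubkey-algo, hash-algo,
# sig-class and, when present, the primary-key fingerprint (10th field).
check_status() {   # $1 = expected primary fingerprint
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0
    primary=""
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG) good=1 ;;
            VALIDSIG) primary=$(printf '%s\n' "$rest" | awk '{ if (NF >= 10) print $10; else print $1 }') ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA) echo "gpg reported $keyword" >&2; return 1 ;;
        esac
    done
    [ "$good" -eq 1 ] || { echo "no GOODSIG line seen" >&2; return 1; }
    [ "$primary" = "$expected" ] || { echo "fingerprint mismatch: got $primary" >&2; return 1; }
    echo "good signature from pinned key $expected"
}

# Verify the ISO exactly as the guide does, but pipe gpg's status lines through check_status.
verify_iso() {   # $1 = archlinux-*.iso (its signature is assumed to sit beside it as $1.sig)
    gpg --status-fd 1 --verify "$1.sig" "$1" | check_status "$EXPECTED_FPR"
}

# Constructed status stream modelled on the guide's 2017.01.01 output, for offline testing.
sample_status_good() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2017-01-01 1483286784 0 4 0 1 10 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed stream for a tampered image: gpg emits BADSIG and no VALIDSIG.
sample_status_bad() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>
EOF
}

[ $# -eq 0 ] || verify_iso "$1"
```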
# Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:
dd if=archlinux-*.iso of=/dev/sdX bs=16M && sync
# If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode.
# Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
# UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration.
# Set your keymap only if you are not using the default English keymap.
# It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs.
# Connect to WiFi using:
wifi-menu
# It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
# For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
# which should return the URL of my Arch installation guide:
https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# You can then return to your installation terminal using ctrl-alt-f1.
# Create and size partitions appropriate to your goals using gdisk.
# Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a new EFI partition.
# Instead, we will append Arch as another OS to your existing EFI partition. See my Multi-OS-Booting Notes, below.
gdisk /dev/sdX
# Create the partitions you need:
Partition X = 100 MiB EFI partition # Hex code EF00
Partition Y = 250 MiB Boot partition # Hex code 8300
Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the
last sector of your drive. # Hex code 8300.
# Review your partitions with 'p'.
# Write your gdisk changes with 'w'.
# Reboot, if necessary, so the kernel reads your new partition structure.
# I strongly recommend you zero-out each of your new partitions prior to creating filesystems on them. Obviously, multi-OS
# booters should NEVER zero-out an existing EFI partition. You can either use the Arch installer's ddrescue or, if you don't
# mind not having a progress indicator, it's more efficient to run:
cat /dev/zero > /dev/sdXY
# followed by:
cat /dev/zero > /dev/sdXZ
# Create filesystems for /boot/efi and /boot
mkfs.vfat -F 32 /dev/sdXX
mkfs.ext2 /dev/sdXY # Note that ext4 or btrfs are also fine choices for your /boot partition.
# Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ
cryptsetup luksOpen /dev/sdXZ 2016-Global-OpSec-Champion-LyingHillary # (or use any word or phrase you're fond of)
# Create encrypted LVM partitions
# These steps create a required root partition and an optional partition for swap. Note that using a swap file with BTRFS is
# a very poor idea. Swap partitions are not controlled by BTRFS so they work fine. Read the BTRFS ArchWiki before proceeding.
# Also note that BTRFS fully supports, detects, and properly configures settings for all modern SSDs, which is the drive type
# almost everyone should be running when installing ArchLinux! HDDs are only useful for infrequently accessed data, and
# for storing your SSD's critical directories as encrypted backups.
# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.
# The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!
pvcreate /dev/mapper/2016-Global-OpSec-Champion-LyingHillary
vgcreate Arch /dev/mapper/2016-Global-OpSec-Champion-LyingHillary
lvcreate -L +512M Arch -n swap
lvcreate -l +100%FREE Arch -n root
# Create filesystems on your encrypted partitions
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
# Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.
# If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:
mkfs.btrfs /dev/mapper/Arch-root
# If you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command
# we use immediately after correctly mounting our partitions below.
# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sdXY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdXX /mnt/boot/efi
# Optional - Edit the Mirrorlist To Optimize Package Download Speeds
nano /etc/pacman.d/mirrorlist
# Copy one or two mirrors near your physical location to the top of the mirrorlist.
# Install your Arch system
# This installation command provides a decent set of basic system programs which will also support WiFi when initially
# booting into your Arch system. Recommended, yet optional: make and enjoy some fresh java while the following
# command completes. Once completed, you'll only be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
cat /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.
# Enter the new system
arch-chroot /mnt /bin/bash
# Set the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.
hwclock --systohc --utc
# Assign your hostname
echo MyHostName > /etc/hostname
# Set or update your locale
# If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
# Now run:
locale-gen
# Set your root password
passwd
# Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.
useradd -m -G wheel -s /bin/bash MyUserName
passwd MyUserName
# Configure mkinitcpio with the correct HOOKS required for your initrd image
nano /etc/mkinitcpio.conf
# Use this HOOKS statement:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
# Note that recent ArchLinux installation images have shipped with a new version of /etc/mkinitcpio.conf. The
# only difference is that the new version uses '(' and ')' instead of dual double quotation marks: ' " " '. Therefore,
# the current HOOKS statement should be:
HOOKS=(base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck)
# You do not need or want 'resume' in your HOOKS statement if you are not using swap.
# Generate your initrd image
mkinitcpio -p linux
# Install and Configure Grub-EFI
# The correct way to install grub on a UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
# Edit /etc/default/grub so it includes a statement like this:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"
# Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap"
# If you are not using swap, eliminate the 'resume' statement above.
# I have also noticed that recent releases of grub2 now offer this new option within /etc/default/grub:
# Uncomment to enable booting from LUKS encrypted devices
# GRUB_ENABLE_CRYPTODISK=y
# Note that you do NOT need to enable that cryptodisk statement to boot your LUKS encrypted / and swap ArchLinux system,
# assuming you are **NOT** trying to decrypt an encrypted /boot. If you want to encrypt /boot, continue reading.
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
# If you are not interested in encrypted /boot, you are almost done! Skip down to: # Exit Your New Arch System, below.
++++++++++++++++++++++++++++++++++
**OPTIONAL** Encrypted /boot Configuration and Installation
# Booting from an encrypted /boot is entirely optional, but, if you expect to maintain data privacy, unlike having (almost)
# mandatory encrypted / and swap, booting from an encrypted /boot provides an extra layer of security for the truly paranoid!
# I spent a great deal of time discussing this topic with a very intelligent Arch developer. I will hide you from the
# enormous complexity underlying how grub's code actually achieves this seamless dual encrypted booting and mounting
# outcome, but this encrypted /boot sub-procedure is known to work!
# Setting up an encrypted /boot requires further configuration.
# ASSUMING you have followed **ALL** of the above installation steps, now do:
nano /etc/default/grub
# and enable, by uncommenting:
GRUB_ENABLE_CRYPTODISK=y
# then:
nano /etc/mkinitcpio.conf
# Make certain your FILES statement matches this:
FILES=(/crypto_keyfile.bin)
# Ensure that /boot and /boot/efi and / are all mounted with:
df -h
# then ensure your 'pwd' is at / with:
cd /
# Now run these four commands in succession:
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdXZ /crypto_keyfile.bin
# Obviously, adjust /dev/sdXZ to the physical partition on your HDD/SSD that holds your encrypted root (the partition
# you ran luksFormat on, above).
# When prompted for a passphrase by 'luksAddKey', be certain to enter ONLY your current LUKS passphrase.
# This will add your (second) new LUKS random key, now protecting /boot, to Key Slot #1.
# Verify your new key has been correctly added with something like:
cryptsetup luksDump /dev/sdXZ
# Now run to verify the partition where /boot is mounted on your physical drive:
df -h
# Then run and record the EXACT UUID of your Arch /boot partition:
ls -l /dev/disk/by-uuid
# Now run:
nano /etc/crypttab
# Add a new line in precisely this format:
encryptedBOOT UUID=YourArch/bootUUIDgoeshere none luks,timeout=180
# Of course, alternatively, it is trivial to point /etc/crypttab at a REQUIRED_TO_BE_PRESENT_AT_BOOT external USB stick, etc.
# I will leave that part up to you to figure out.
# Now run:
mkinitcpio -p linux
# then, re-install grub, and YES, I DO MEAN, a second time:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux --modules="part_gpt part_msdos"
# and finally:
grub-mkconfig -o /boot/grub/grub.cfg
# FINISHED! Now you are completely re-synced with the non-encrypted /boot installers. Merely exit and umount, as below!
# Enjoy the decryption magic upon your next, and all subsequent, reboots! Bad Actors will be most unhappy, as if I cared!
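Before exiting the chroot it is worth checking that the edits from this section agree with each other, because a still-commented GRUB_ENABLE_CRYPTODISK, a hook in the wrong order, or a placeholder UUID left in /etc/crypttab only shows up later as an unbootable system. The script below is an added example, not part of the original gist; its defaults are the files edited in the guide, and it accepts a tree root so it can be run against a constructed staging directory.

```shell
#!/bin/sh
# Added example, not part of the original gist: consistency checks for the
# encrypted-/boot configuration produced by the steps above. $1 is an optional
# tree root ("" = the live chroot), $2 is "swap" or "noswap".

# Value of a KEY=... line in a config file, accepting both KEY="a b" and KEY=(a b).
# Commented-out lines (e.g. '# GRUB_ENABLE_CRYPTODISK=y') deliberately do not match.
conf_value() {   # $1 = key, $2 = file
    sed -n 's/^[[:space:]]*'"$1"'=[("]\{0,1\}\([^)"]*\).*/\1/p' "$2" | tail -n 1
}
# 1-based position of word $1 in the whitespace-separated list $2, or 0 if absent.
pos_of() {
    i=0
    for w in $2; do
        i=$((i + 1))
        [ "$w" = "$1" ] && { echo "$i"; return; }
    done
    echo 0
}
# HOOKS must list encrypt, then lvm2, then filesystems: the LUKS container is opened
# before the VG inside it is activated and the root fs mounted. With swap, 'resume'
# must also be present and come after lvm2 (the swap LV lives inside that VG).
check_hooks() {   # $1 = mkinitcpio.conf, $2 = swap|noswap
    hooks=$(conf_value HOOKS "$1")
    e=$(pos_of encrypt "$hooks"); l=$(pos_of lvm2 "$hooks"); f=$(pos_of filesystems "$hooks")
    [ "$e" -gt 0 ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ] ||
        { echo "HOOKS needs encrypt, then lvm2, then filesystems: '$hooks'" >&2; return 1; }
    [ "$2" != swap ] || [ "$(pos_of resume "$hooks")" -gt "$l" ] ||
        { echo "swap in use but 'resume' is missing or placed before lvm2" >&2; return 1; }
}
# FILES must embed the keyfile, or the initramfs cannot unlock the root without a second prompt.
check_files() {
    case " $(conf_value FILES "$1") " in
        *" /crypto_keyfile.bin "*) ;;
        *) echo "FILES does not include /crypto_keyfile.bin" >&2; return 1 ;;
    esac
}
# GRUB_ENABLE_CRYPTODISK=y must be uncommented and the kernel line must name the cryptdevice.
check_grub() {
    [ "$(conf_value GRUB_ENABLE_CRYPTODISK "$1")" = y ] ||
        { echo "GRUB_ENABLE_CRYPTODISK=y is missing or still commented out" >&2; return 1; }
    case "$(conf_value GRUB_CMDLINE_LINUX "$1")" in
        *cryptdevice=*) ;;
        *) echo "GRUB_CMDLINE_LINUX lacks a cryptdevice= entry" >&2; return 1 ;;
    esac
}
# The crypttab entry must carry a real UUID (the guide's placeholder does not match) and the luks option.
check_crypttab() {
    grep -E '^[^#[:space:]]+[[:space:]]+UUID=[0-9a-fA-F-]+[[:space:]]+none[[:space:]]+luks' "$1" >/dev/null ||
        { echo "no 'NAME UUID=<uuid> none luks,...' entry in $1" >&2; return 1; }
}
# Keyfile must be mode 000 and the initramfs images 600, exactly as the chmod steps above set them.
check_perms() {   # $1 = keyfile, $2 = /boot directory
    find "$1" -perm 000 | grep -q . || { echo "$1 is not mode 000" >&2; return 1; }
    for img in "$2"/initramfs-linux*; do
        find "$img" -perm 600 | grep -q . || { echo "$img is not mode 600" >&2; return 1; }
    done
}
check_all() {   # $1 = tree root ("" for the live system), $2 = swap|noswap
    check_hooks "$1/etc/mkinitcpio.conf" "$2" && check_files "$1/etc/mkinitcpio.conf" &&
    check_grub "$1/etc/default/grub" && check_crypttab "$1/etc/crypttab" &&
    check_perms "$1/crypto_keyfile.bin" "$1/boot" &&
    echo "encrypted /boot configuration looks consistent"
}
# Usage inside the chroot: sh check-cryptboot.sh "" swap   (or noswap)
[ $# -eq 0 ] || check_all "$1" "$2"
```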
++++++++++++++++++++++++++++++++++
# Exit Your New Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot and Enjoy Your Encrypted Arch Linux System!
reboot
# After you are satisfied that your Arch system is running well, if you are like most people not running an Arch server,
# you'll want a Desktop Environment so you can begin using your new system productively. See my: 'Installing a
# Plasma-KDE Desktop Post Arch Install' section below for some ideas and an efficient DE installation process.
__________________________
If you ever get dropped to the EFI Shell prompt when powering up Arch Linux, which I most often notice within
VirtualBox when running Arch Linux as a UEFI-enabled Guest System, do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0:
fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nsh
In your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi
Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up
your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,
except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical
Arch Linux boot screen.
This solution also works when you have installed Arch Linux as a UEFI-enabled Guest system within VirtualBox.
__________________________
External USB HDD/SSD Encrypted Arch Installation:
Almost all of my standard Arch install procedure can be followed without modification when installing Arch to an external device.
However, if you already have an encrypted Arch installation on a system HDD/SSD, you must ensure the names assigned to your
PV, VG and LVs are different than whatever you used on your system drive's Arch installation. Failure to use different names
will cause major udev and therefore, /dev/mapper, assignment problems for you, especially when you try to mount your
multiple encrypted Arch drives!
Additionally, we don't want to instruct grub to use standard device names as these are very likely to change when using an
external USB drive. For example, our external SSD may be assigned /dev/sdc by udev during installation, but when we try to
initially boot from it, udev may assign that external SSD to /dev/sdb, resulting in an unbootable system.
The solution is to use PARTUUID, as opposed to a standard device name, in the cryptdevice statement in /etc/default/grub.
Therefore, instead of using this example from above:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap"
Run 'blkid' as root, and find the correct PARTUUID for your external device's encrypted partition.
N.B.: PARTUUIDs are completely unrelated to UUIDs.
Substitute the correct PARTUUID for the standard device name. You should end up with a statement that looks similar to this:
GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID=4d2aed94-92d4-7b5e-b8df-81d7554495cf4:ArchUSBSSD resume=/dev/mapper/ArchSSD-swap"
Now regardless of the device name assigned by udev to your external drive, the kernel will be able to find the
correct cryptdevice.
All other parts of my installation procedure should be followed without modification.
__________________________
One Post-Install Recommendation To Optimize the Speed of All Your Future Installs - Rank Your Mirrors, First!
It's a very simple procedure, and will save you a lot of downloading time over your Arch Linux lifetime, particularly
if you are planning on doing any mass-installs, like gnome, gnome-extra, kde-meta or similar.
As root, run:
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist
That will test all the mirrors and grab the six fastest from your location. It takes a while to complete,
so go grab a cup of java.
Upon your return, you'll be ready to put pacman to serious work, as it was intended: Crazy Fast!
Cheers, and now it is time to Go Rock Your Arch!
HardenedArray
__________________________
Multi-OS-Booting Notes:
I UEFI boot and run more than five operating systems from my SSD.
All of my OSes UEFI boot from my single, 100 MiB, EFI partition.
All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support
with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest.
My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.
If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition.
If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2.
In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation.
As an example, an EFI-addicted, multi-OS booter might be doing something like:
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sda17 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda2 /mnt/boot/efi
In this example, the user is likely to be using /dev/sda18 as the physical drive partition where their encrypted
Arch root and swap filesystems will reside. Note the user's re-use of their existing EFI partition which resides
at /dev/sda2.
Adapt, as necessary, for your drive's partition structure.
Following successful Arch system installation, the path to your Arch-EFI boot file should be:
/boot/efi/EFI/ArchLinux/grubx64.efi
When you are multi-OS booting correctly, you should have one directory per operating system, each residing at:
/boot/efi/EFI/
__________________________
BitLocker Users on Windows Notes:
If you are running hardware-based BitLocker encryption on Windows, I recommend you Turn Off BitLocker encryption prior to
installing Arch, or any other operating system.
As I don't use software-based BitLocker, I cannot say whether leaving it enabled during Arch installation will cause problems.
Obviously, if you experience issues, you could turn BitLocker off temporarily.
You can tell if you are using AES-256 bit hardware-based BitLocker encryption when you run from within PowerShell,
as an Administrator:
PS C:\WINDOWS\system32> manage-bde -status
You see this line:
Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2
Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds.
You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly.
__________________________
Installing a Plasma-KDE Desktop Post Arch Install
After you have rebooted into your new Arch system, and are satisfied that every aspect of your system is running correctly,
if you're like most people not running an Arch server, you will likely want to install a desktop so you can utilize your new
Arch system productively.
Your choice of desktop environment is entirely up to you. Personally, I have tried them all. It is my opinion that if
you are running a modern, reasonably powered PC or laptop you are doing yourself a significant disservice by running any
of the 'lightweight desktops.' I also think the Gnome DE is best suited for children, or unskilled users. Keep in mind
that you can install multiple desktops, and then choose which one to fire up at each login, but that is beyond the scope
of this guide.
I prefer the Plasma5-KDE environment over all the others. If you would like to efficiently install a full Plasma5-KDE
environment, do the following, in this order:
# Log in as root, and not as a user
# Fully update your Arch system:
pacman -Syu # If a new kernel becomes available and is now installed, reboot, before proceeding.
# If you don't have network connectivity in your Arch system, run:
systemctl start dhcpcd@<ethernet or wlan interface name> # Note the '@': dhcpcd's per-interface systemd unit is named dhcpcd@<interface>.
# Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms # This will automatically rebuild your kernel modules as new upstream kernels are released.
pacman -S xorg # This will install a mandatory X server.
pacman -S xorg-apps
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
pacman -S kde-applications-meta
pacman -S xdg-user-dirs
systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.
# If you want full (English) spelling support for all of your applications, do:
pacman -S hunspell-en hyphen-en libmythes mythes-en aspell-en
# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great!:
pacman -S ttf-dejavu ttf-liberation
reboot
__________________________
# Log in to sddm's GUI as your user
# Your first stop is System Settings. Tweak 'all the things' into full compliance with 'your way.'
# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!
__________________________