Archlinux Full Disk Encryption
# NOTE(review): this is an interactive walkthrough, not a script to execute with bash.
# Several lines are vi ex-commands (":%s/...", ":wq") or plain prose, and every command
# assumes the target disk is /dev/sda. Confirm the device name with lsblk before running
# anything below; the first command irreversibly wipes the whole disk.
########################################################## | |
# # | |
# Installing Archlinux with Full Disk Encryption and LVM # | |
# # | |
########################################################## | |
# For the perfect setup, your disk should be overwritten by random data. Encrypted data should be indistinguishable from random data. | |
# That way an adversary would not be able to determine where the encrypted portion starts. | |
# WARNING: This is an extremely taxing operation. This can take A DAY OR MORE TO COMPLETE. Not for the impatient. | |
# DESTRUCTIVE: overwrites every byte of /dev/sda, including any existing partitions and data.
# GNU dd accepts status=progress if you want to see throughput while this runs.
dd if=/dev/urandom of=/dev/sda | |
# Use fdisk to create a bootable boot partition and a partition for holding the encrypted container | |
# sda1 - 512 // For boot | |
# sda2 - REST // For Encrypted volume group (type 8e) | |
# NOTE: /boot stays unencrypted in this layout. The kernel, initramfs and GRUB on sda1 are
# readable and modifiable by anyone with physical access to the disk; this setup protects the
# confidentiality of the data on sda2 at rest, not the integrity of the boot chain.
fdisk /dev/sda | |
# Create the encrypted drive on /dev/sda2 | |
# -c aes-xts-plain -s 512: AES in XTS mode with a 512-bit key (i.e. AES-256), -y asks for the
# passphrase twice. The passphrase is the only thing protecting the data, so choose a strong one.
# NOTE(review): the "plain" IV is 32-bit and wraps on devices larger than 2 TiB; aes-xts-plain64
# is the usual choice today and is safe for any disk size.
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2 | |
# Open the newly created encrypted drive | |
# NOTE(review): consider backing up the LUKS header right after formatting
# (cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file <file-stored-off-this-disk>);
# a damaged header makes the container unrecoverable even with the correct passphrase.
cryptsetup luksOpen /dev/sda2 CryptLinux | |
# Our new, encrypted container should now be available on /dev/mapper/CryptLinux. We are ready to create | |
# a filesystem inside the cryptsetup/luks container. Starting with LVM... | |
# Create an LVM PhysicalVolume on the encrypted device | |
pvcreate /dev/mapper/CryptLinux | |
# Create an LVM VolumeGroup. The VolumeGroup will span the entire encrypted container | |
vgcreate CryptLinuxVG /dev/mapper/CryptLinux | |
# Now, create the logical volumes of your choice. | |
# For reference, this is my 3-4 year old install disk usage: | |
# /dev/sda1 488M 55M 408M 12% /boot | |
# /dev/mapper/CryptLinuxVG-RootLV 25G 20G 4.2G 83% / | |
# /dev/mapper/CryptLinuxVG-HomeLV 138G 130G 1.1G 100% /home | |
# You can easily grow any LVM volume later, shrinking them is much harder, so we start low: | |
lvcreate -L 10GB -n RootLV CryptLinuxVG | |
lvcreate -L 2GB -n SwapLV CryptLinuxVG | |
# NOTE(review): the leading '+' in the size is lvextend/lvresize (relative) syntax; lvcreate
# may reject it. Confirm, or drop the '+' and use -L 50GB.
lvcreate -L +50GB -n HomeLV CryptLinuxVG | |
# Depending on your disk, you may now have a few hundred gigs free. | |
# That's fine - we can allocate it where needed later with lvresize | |
# We have created "Virtual Partitions (Logical Volumes)" with LVM. Now we need to format with the file system of our choice. | |
# I've chosen ext4, and ext3 for /boot | |
mkfs -t ext3 /dev/sda1 | |
mkfs -t ext4 /dev/mapper/CryptLinuxVG-RootLV | |
mkfs -t ext4 /dev/mapper/CryptLinuxVG-HomeLV | |
# NOTE(review): the next line is prose that is missing its leading '#'; as written, a shell
# would try to run a command named "Remember".
Remember to also create and enable the swap partition: | |
mkswap /dev/mapper/CryptLinuxVG-SwapLV | |
swapon /dev/mapper/CryptLinuxVG-SwapLV | |
# Installing Archlinux | |
# We're ready to install archlinux. Mount up your disk. You may reference the current up-to-date archlinux installation guide. | |
# Mount the root filesystem (/) on /mnt | |
mount /dev/mapper/CryptLinuxVG-RootLV /mnt | |
# Mount /home | |
mkdir /mnt/home | |
mount /dev/mapper/CryptLinuxVG-HomeLV /mnt/home | |
# Mount /boot | |
mkdir /mnt/boot | |
mount /dev/sda1 /mnt/boot | |
# Our new install now resides under /mnt, now we bootstrap the OS with "pacstrap": | |
pacstrap /mnt base base-devel | |
# Once that's finished, we arch-chroot and install grub | |
# NOTE(review): the package name dates from 2015; on current Arch the BIOS GRUB package is
# simply "grub" - check with pacman -Ss grub if this fails.
arch-chroot /mnt pacman -S grub-bios | |
# Create the /etc/fstab file based on our current disks (This takes into account that disks are mounted on /mnt instead of /, you can check to make sure) | |
# ">>" appends to the fstab pacstrap created; read /mnt/etc/fstab afterwards to verify
# that exactly /, /home, /boot and swap are listed once each.
genfstab -p /mnt >> /mnt/etc/fstab | |
# Now we enter the chroot. Archlinux supplies a script which takes care of the boilerplate stuff. | |
arch-chroot /mnt | |
# Archlinux is installed, and you're using it (except you're on a live kernel) | |
# Set a hostname ("hostname" below is a placeholder - use your own) | |
echo "hostname" > /etc/hostname | |
# Choose your timezone | |
# NOTE(review): ln -s fails if /etc/localtime already exists; the Arch guide uses ln -sf.
ln -s /usr/share/zoneinfo/Europe/Oslo /etc/localtime | |
# Enable Norwegian and English UTF-8 locales. | |
# The three lines after "vi" are commands typed inside vi, not shell commands:
# uncomment the two locales, then write and quit.
vi /etc/locale.gen | |
:%s/#en_US.UTF-8/en_US.UTF-8/ | |
:%s/#nb_NO.UTF-8/nb_NO.UTF-8/ | |
:wq | |
echo "LANG=\"en_US.UTF-8\"" > /etc/locale.conf | |
echo "LC_COLLATE=\"C\"" >> /etc/locale.conf | |
echo "LC_TIME=\"nb_NO.UTF-8\"" >> /etc/locale.conf | |
# Generate the locales | |
locale-gen | |
# WARNING: Since we are booting off an encrypted LVM volume, we need to make sure our initramfs is built with support for it. | |
# This might have changed in later versions (Maybe it's on by default). | |
# At the time of writing we need to add the modules 'lvm2' and 'encrypt' to the HOOKS=() array in /etc/mkinitcpio.conf | |
# Messed up this part? System won't boot? Boot on the live-cd, unlock the luks container, mount the disks on /mnt as before and figure out what went wrong | |
# Hook ORDER matters: 'encrypt' must come before 'lvm2' (the VG lives inside the container),
# and both must come before 'filesystems'. Keep 'keyboard' (and 'keymap', if you use the
# vconsole keymap set below) before 'encrypt' so the passphrase prompt accepts your keyboard.
# The text after "//" on the next line is a note for the reader, not part of the command.
vi /etc/mkinitcpio.conf // 'lvm2' and 'encrypt' into the HOOKS array | |
# Rebuild the initramfs // (Don't worry if you get lvmetad warnings, they're unimportant) | |
mkinitcpio -p linux | |
# Make norwegian keyboard layout default. | |
# NOTE: Not sure if this works any more. Make sure you are able to type your encryption password on english keyboards just in case. | |
# This keymap only applies at the passphrase prompt if the 'keymap' hook precedes 'encrypt' in HOOKS.
echo "KEYMAP=no-latin1" > /etc/vconsole.conf | |
# We need to edit the grub config in order for it to find the encrypted container. This | |
# should be no more than adding a cryptdevice line to the grub config: | |
# cryptdevice=<device>:<name>: <name> is the device-mapper name the initramfs creates
# (/dev/mapper/<name>), NOT the LVM volume group name - LVM finds the VG on whatever the
# mapped device is called. Using "CryptLinux" here would match the luksOpen above.
# NOTE(review): cryptdevice=UUID=<uuid-from-blkid>:<name> is more robust than /dev/sda2,
# which can change if disks are re-enumerated. The two lines after "vi" are vi commands.
vi /etc/default/grub | |
:%s/GRUB_CMDLINE_LINUX=\"\"/GRUB_CMDLINE_LINUX=\"cryptdevice=/dev/sda2:CryptLinuxVG\"/ | |
:wq | |
# Generate the grub-config/image. | |
grub-mkconfig -o /boot/grub/grub.cfg | |
# Install it to the MBR. (Note that its /dev/sda, not /dev/sda1) | |
grub-install --recheck /dev/sda | |
# Finally, set a root password. | |
passwd root | |
# Leave the chroot environment | |
exit | |
# Try to safely unmount our filesystem mounted on /mnt, and reboot. Fingers crossed! | |
# Brace expansion yields /mnt/boot /mnt/home /mnt, i.e. children before the parent.
# Optionally deactivate the VG and close the container before rebooting
# (vgchange -an CryptLinuxVG; cryptsetup luksClose CryptLinux).
umount /mnt/{boot,home,} | |
reboot | |
# !!!NOTE: For Dell Latitude D420 and probably others the following line should also | |
# be added to the GRUB_CMD_LINE to get the screen to work after booting | |
# acpi_backlight=vendor noapic (That's noapIC, not noacpi) | |
# Optional POST install stuff (run on the freshly booted system, not in the chroot) | |
# Start DHCP and enable it by default. | |
systemctl start dhcpcd | |
systemctl enable dhcpcd | |
# Add a new user for yourself ("username" is a placeholder). | |
useradd -m -g users -G games,audio,video,power,optical -s /bin/bash username | |
passwd username | |
# And of course, the most important step: | |
pacman -S vim |