Archlinux Full Disk Encryption (LUKS + LVM, with an unencrypted /boot on BIOS/MBR)
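##########################################################
#                                                        #
# Installing Archlinux with Full Disk Encryption and LVM #
#                                                        #
##########################################################
# This is a walkthrough, not a script: run the steps by hand and read the
# comments. Every command assumes the target disk is /dev/sda and WILL
# destroy whatever is on it -- double-check the device name with lsblk.
#
# Step 0: overwrite the whole disk with random data. Ciphertext is
# indistinguishable from random data, so after this an adversary cannot
# tell where the encrypted container starts or how much of it is in use,
# and no plaintext remnants of whatever was on the disk before survive.
# WARNING: This is an extremely taxing operation and can take A DAY OR
# MORE TO COMPLETE. Not for the impatient. dd's default 512-byte writes
# are a large part of why; bs=4M helps a lot, and status=progress
# (GNU coreutils 8.24+) shows that something is actually happening.
dd if=/dev/urandom of=/dev/sda bs=4M status=progress
# Faster alternative with the same result: map the disk through a
# throwaway dm-crypt key and write zeros through it -- the disk only ever
# sees ciphertext, and AES is much faster than /dev/urandom:
#   cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
#   dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=4M status=progress
#   cryptsetup close to_be_wiped
#
# Step 1: partition. The wipe destroyed the partition table, so create a
# new (MBR) one with two partitions:
#   sda1 - 512M // /boot, marked bootable. This partition stays UNENCRYPTED.
#   sda2 - REST // the LUKS container that will hold the LVM volume group (type 8e)
# Because /boot is in the clear, the kernel and initramfs are neither
# encrypted nor authenticated by this design: someone with physical access
# can tamper with them (the "evil maid" problem). What this setup gives you
# is confidentiality of data at rest on a powered-off or stolen machine,
# not boot integrity.
fdisk /dev/sda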
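# Step 2: create the LUKS container on /dev/sda2.
# Cipher: aes-xts-plain64. XTS needs a per-sector IV; the "plain" variant
# is only a 32-bit sector counter and wraps on devices larger than 2 TiB,
# repeating IVs and weakening the encryption. "plain64" has no such limit
# and is what current cryptsetup defaults to -- use it regardless of disk
# size so the setup stays correct when the disk is cloned to a bigger one.
# -s 512 is the combined XTS key length, i.e. AES-256.
# -y asks for the passphrase twice so a typo does not lock you out.
# The passphrase is the only thing standing between an attacker with the
# disk and your data: make it long, and make sure you can type it on a
# plain US keyboard layout in case the console keymap ever fails to load.
cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat /dev/sda2
# Back up the LUKS header somewhere OFF this disk. If the header is ever
# damaged (bad sector, accidental overwrite by a partitioning tool) the
# data is gone for good, no matter how well you remember the passphrase.
# The backup contains the key slots, so protect it like the disk itself:
#   cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /mnt/usb/sda2-luks-header.img
# Open the container. Its plaintext view appears as /dev/mapper/CryptLinux.
cryptsetup luksOpen /dev/sda2 CryptLinux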
# The plaintext side of the container is now /dev/mapper/CryptLinux.
# Everything from here on lives inside the encryption, starting with the
# LVM layering: physical volume -> volume group -> logical volumes.
# Physical volume on top of the opened container
pvcreate /dev/mapper/CryptLinux
# A single volume group spanning the whole container
vgcreate CryptLinuxVG /dev/mapper/CryptLinux
# Logical volumes of your choosing. For reference, this is what a
# 3-4 year old install of mine looks like today:
#   /dev/sda1                        488M   55M  408M  12% /boot
#   /dev/mapper/CryptLinuxVG-RootLV   25G   20G  4.2G  83% /
#   /dev/mapper/CryptLinuxVG-HomeLV  138G  130G  1.1G 100% /home
# Growing a logical volume later is easy, shrinking one is not, so start
# small and leave the remainder of the group unallocated.
lvcreate --size 10GB --name RootLV CryptLinuxVG
lvcreate --size 2GB --name SwapLV CryptLinuxVG
# NOTE(review): the leading '+' on the size is unusual for lvcreate (it is
# lvextend/lvresize syntax) -- verify your lvm2 version accepts it; plain
# "50GB" is the conventional form.
lvcreate --size +50GB --name HomeLV CryptLinuxVG
# Whatever is left in the group (possibly hundreds of gigabytes) can be
# handed out later with lvresize where it is actually needed.
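# Step 4: put filesystems on the logical volumes. They are "virtual
# partitions" and are formatted like any other block device. ext4 for /
# and /home, ext3 for the (unencrypted) /boot partition.
mkfs -t ext3 /dev/sda1
mkfs -t ext4 /dev/mapper/CryptLinuxVG-RootLV
mkfs -t ext4 /dev/mapper/CryptLinuxVG-HomeLV
# Remember to also create and enable swap. SwapLV sits inside the LUKS
# container, so memory that gets swapped out is encrypted as well -- no
# separate encrypted-swap setup is needed (hibernation would additionally
# need a resume= kernel parameter, which this guide does not cover).
mkswap /dev/mapper/CryptLinuxVG-SwapLV
swapon /dev/mapper/CryptLinuxVG-SwapLV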
# Step 5: install Archlinux. Mount the new filesystems under /mnt in the
# same layout the installed system will have; the current Arch
# installation guide covers anything not mentioned here.
mount /dev/mapper/CryptLinuxVG-RootLV /mnt       # will be /
mkdir /mnt/home
mount /dev/mapper/CryptLinuxVG-HomeLV /mnt/home  # will be /home
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot                         # will be /boot (unencrypted)
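# Bootstrap the base system into /mnt.
pacstrap /mnt base base-devel
# Install the bootloader package into the new system. ("grub-bios" was the
# old name of this package; it is simply "grub" now.)
arch-chroot /mnt pacman -S grub
# Generate /etc/fstab for the new system. -U identifies filesystems by
# UUID instead of /dev path, so fstab keeps working if the disk gets
# renamed (another drive plugged in, different controller enumeration).
# genfstab knows the tree is mounted under /mnt and strips that prefix;
# still, read the result before you reboot.
genfstab -U /mnt >> /mnt/etc/fstab
# Enter the new system. arch-chroot sets up the bind mounts for you.
# Everything from here up to "exit" runs INSIDE the chroot.
arch-chroot /mnt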
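# Archlinux is installed and you are now running inside it (on the live
# ISO's kernel). Basic system configuration follows.
# Set a hostname -- "hostname" is a placeholder, replace it.
echo "hostname" > /etc/hostname
# Choose your timezone. -f overwrites an /etc/localtime the installer may
# already have created instead of failing on it.
ln -sf /usr/share/zoneinfo/Europe/Oslo /etc/localtime
# Enable the Norwegian and English UTF-8 locales by uncommenting them in
# /etc/locale.gen. sed does the same substitution you would do in vi with
# :%s/#en_US.UTF-8/en_US.UTF-8/ but does not drop you into an editor.
sed -i 's/^#en_US.UTF-8/en_US.UTF-8/' /etc/locale.gen
sed -i 's/^#nb_NO.UTF-8/nb_NO.UTF-8/' /etc/locale.gen
# System-wide locale: English messages, byte-wise collation (C), Norwegian
# date/time formatting.
printf '%s\n' 'LANG="en_US.UTF-8"' 'LC_COLLATE="C"' 'LC_TIME="nb_NO.UTF-8"' > /etc/locale.conf
# Generate the enabled locales
locale-gen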
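# Console keymap. Do this BEFORE rebuilding the initramfs: the "keymap"
# hook bakes /etc/vconsole.conf into the image, and that is what makes a
# non-US layout work at the LUKS passphrase prompt. Writing it afterwards
# (or omitting the hook) is the usual reason the prompt falls back to US.
# Either way, pick a passphrase you can also type on a US layout.
echo "KEYMAP=no-latin1" > /etc/vconsole.conf
# WARNING: The root filesystem lives on LVM inside a LUKS container, so the
# initramfs must unlock the container and activate LVM before it can mount
# /. That means the 'encrypt' and 'lvm2' hooks in the HOOKS=() array of
# /etc/mkinitcpio.conf, and ORDER MATTERS:
#   keyboard, keymap  before  encrypt      (so you can type the passphrase)
#   block             before  encrypt      (the disk must be visible first)
#   encrypt           before  lvm2         (LVM lives inside the container)
#   lvm2              before  filesystems
# A working line looks like (adapt to whatever else your default line has;
# the exact quoting of the array varies between mkinitcpio versions):
#   HOOKS="base udev autodetect modconf keyboard keymap block encrypt lvm2 filesystems fsck"
# Got it wrong and the system won't boot? Boot the live ISO, luksOpen the
# container, mount everything under /mnt as before, arch-chroot in, fix
# this file and run the rebuild below again.
vi /etc/mkinitcpio.conf
# Rebuild the initramfs. lvmetad warnings here are harmless.
mkinitcpio -p linux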
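# GRUB must tell the initramfs which device to unlock. That is a single
# "cryptdevice=<device>:<name>" entry on the kernel command line.
# Identify the partition by UUID rather than as /dev/sda2: device names
# shift when a disk is added or enumerated differently, and a wrong
# cryptdevice means an unbootable system. <name> is what the unlocked
# container is called under /dev/mapper; CryptLinux matches the name used
# with luksOpen above. The lvm2 hook then finds CryptLinuxVG inside it by
# LVM's own metadata, so the name only has to be consistent, not special.
CRYPT_UUID=$(blkid -s UUID -o value /dev/sda2)
sed -i "s|^GRUB_CMDLINE_LINUX=\"\"|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=${CRYPT_UUID}:CryptLinux\"|" /etc/default/grub
# Eyeball the result before generating config from it
grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub
# Generate grub.cfg (it works out root=/dev/mapper/CryptLinuxVG-RootLV itself).
grub-mkconfig -o /boot/grub/grub.cfg
# Install GRUB to the MBR of the whole disk -- /dev/sda, not /dev/sda1.
grub-install --recheck /dev/sda
# Reminder: GRUB, grub.cfg, the kernel and the initramfs all live on the
# unencrypted /boot partition and nothing verifies them at boot. An
# attacker with physical access can replace the initramfs with one that
# captures your passphrase; this design does not defend against that.
# Keeping /boot inside LUKS (GRUB's cryptodisk support) is possible but
# out of scope for this guide.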
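# Finally, set a root password.
passwd root
# Leave the chroot; from here on you are back on the live ISO.
exit
# Tear the stack down in reverse order -- filesystems, swap, LVM, LUKS --
# so nothing is dirty or still open when we reboot. umount -R unmounts
# /mnt/boot and /mnt/home before /mnt. Fingers crossed!
umount -R /mnt
swapoff /dev/mapper/CryptLinuxVG-SwapLV
vgchange -an CryptLinuxVG
cryptsetup luksClose CryptLinux
reboot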
# !!!NOTE: On a Dell Latitude D420 (and probably other machines) the screen
# only comes back after boot if this is also added to GRUB_CMDLINE_LINUX:
#   acpi_backlight=vendor noapic     (that is noapIC, not noacpi)
#
# Optional POST-install steps, run on the freshly booted system.
# Bring DHCP up now and on every subsequent boot.
systemctl enable --now dhcpcd
# Create your own user and give it a password ("username" is a placeholder).
useradd -m -g users -G games,audio,video,power,optical -s /bin/bash username
passwd username
# And of course, the most important step:
pacman -S vim