Minimal instructions for installing a fully encrypted ArchLinux with USB boot on Lenovo Yoga 920.
# Install a fully encrypted ArchLinux on NVMe with detached LUKS
# headers and LUKS encrypted UEFI boot partition on a USB dongle.
#
# Full tutorial can be found here:
# https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/
#
# Written by Gerke Max Preussner <info@headcrash.industries>
# Overview ############################################################
# Fully encrypted system drive with Btrfs file system
# Encrypted kernel, ramdisk images and bootloader configuration
# Two-factor authentication via detached LUKS header on USB dongle
# Encrypted swap space
# Secure boot enabled
# Prerequisites #######################################################
# Two USB sticks: one for the installer, one that will become the boot dongle
# Download and install the ArchLinux ISO on a USB stick (https://wiki.archlinux.org/index.php/Category:Getting_and_installing_Arch)
# If you have only one stick available, consider Archboot (https://wiki.archlinux.org/index.php/archboot)
# On Windows you can use Rufus to install the ISO (https://rufus.akeo.ie/)
# You can also boot from external CD/DVD or via Netboot
# Booting the Installer from USB ######################################
# 1. Power off laptop
# 2. Push a pin into the small hole next to power button
# 3. Select "BIOS Setup"
# 4. Navigate to "Security" page
# 5. Toggle "Secure Boot" option to "Disabled"
# 6. Save changes and exit BIOS Setup
# 7. Hold power button for 5 sec to turn off laptop
# 8. Insert ArchLinux USB installer
# 9. Push a pin into the small hole next to power button
# 10. Select "Boot Menu"
# 11. Select USB device to boot from
# 12. Wait for ArchLinux installer to boot up
# 13. Insert second USB stick
# set a bigger font
setfont sun12x22
# verify that installer is /dev/sda and dongle is /dev/sdb
lsblk
# Wireless Network Setup ##############################################
# make sure wireless adapter is detected (i.e. wlp107s0)
iw dev
# unblock and enable wireless interface
rfkill unblock all
ip link set wlp107s0 up
# optional: scan for wireless networks if needed
iw dev wlp107s0 scan | less
# connect to wireless network YourSSID with password YourKey
wpa_supplicant -i wlp107s0 -c <(wpa_passphrase "YourSSID" "YourKey") -B
# start DHCP client daemon to receive IP address
dhcpcd wlp107s0
# Verify Network Connectivity #########################################
# ping internet (Ctrl+C to exit)
ping archlinux.org
# synchronize clock
timedatectl set-ntp true
# Preparing the USB Dongle ############################################
# create three partitions on USB dongle
cgdisk /dev/sdb
# Size: 100M, Hex Code: ef00, Name: ESP
# Size: 512M, Hex Code: default (8300), Name: Boot
# Size: default (remaining space), Hex Code: default (8300), Name: Storage
#
# Select "Write" and "Quit" when done
# format ESP
mkfs.fat -F32 /dev/sdb1
# create encrypted container for /boot
# note: GRUB has to unlock this container itself, and its LUKS2 support does not
# cover the Argon2 key derivation that cryptsetup 2.1+ uses by default, so on a
# current cryptsetup add '--type luks1' (or '--pbkdf pbkdf2') here
cryptsetup luksFormat /dev/sdb2
cryptsetup open /dev/sdb2 cryptboot
# create and mount boot filesystem
mkfs.ext2 /dev/mapper/cryptboot
mount /dev/mapper/cryptboot /mnt
# optional: format storage partition
mkfs.fat -F32 /dev/sdb3
# Preparing the System Drive ##########################################
# Backup existing files or partitions if needed
# WARNING: the following command will discard all data on the SSD!
blkdiscard /dev/nvme0n1
# Encrypting the System Drive #########################################
# create and open encrypted container with detached LUKS header
# (2M fits a LUKS1 header; a LUKS2 header needs 16M)
truncate -s 2M /mnt/luksheader
cryptsetup luksFormat /dev/nvme0n1 --align-payload 4096 --header /mnt/luksheader
cryptsetup open --type luks --header /mnt/luksheader /dev/nvme0n1 cryptroot
# the header file holds the only copy of the key slots: without it the NVMe
# contents cannot be recovered, so keep an offline backup of it
# verify container was opened and mapped (/dev/mapper/cryptboot, /dev/mapper/cryptroot)
fdisk -l
# unmount boot partition
umount /mnt
# create LVM volume group on top of the opened container
pvcreate /dev/mapper/cryptroot
vgcreate System /dev/mapper/cryptroot
# create logical volumes
lvcreate -L 8G System -n swap
lvcreate -l 100%FREE System -n root
# format logical volumes
mkswap /dev/mapper/System-swap
swapon -d /dev/mapper/System-swap
mkfs.btrfs /dev/mapper/System-root
mount /dev/mapper/System-root /mnt
# Root File System Setup ##############################################
# create Btrfs subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
# unmount system partition
umount /mnt
# mount Btrfs subvolumes
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt
mkdir /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/home
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/.snapshots
# create nested subvolumes for special folders
mkdir -p /mnt/var/cache/pacman
btrfs subvolume create /mnt/var/cache/pacman/pkg
btrfs subvolume create /mnt/var/log
btrfs subvolume create /mnt/var/tmp
# mount /boot and ESP into root
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdb1 /mnt/boot/efi
# ArchLinux Installation ##############################################
# optional: select your preferred package server
nano /etc/pacman.d/mirrorlist
# install base packages
# (on current Arch 'base' no longer pulls in the kernel, lvm2, dhcpcd or nano,
# and the GRUB package is simply called 'grub')
pacstrap /mnt base linux linux-firmware btrfs-progs lvm2 dhcpcd efibootmgr grub intel-ucode nano
# generate fstab
genfstab -Up /mnt >> /mnt/etc/fstab
# optional: add ramdisk tmp
#
# add the line:
# tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
#
# Ctrl+X and 'y' and 'Enter' to save and exit nano
nano /mnt/etc/fstab
# verify fstab
cat /mnt/etc/fstab
UUID=... / btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/@,subvol=@ 0 0
UUID=... /home btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=258,subvol=/@home,subvol=@home 0 0
UUID=... /.snapshots btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=259,subvol=/@snapshots,subvol=@snapshots 0 0
UUID=... none swap defaults 0 0
UUID=... /boot ext2 noauto,rw,relatime,block_validity,barrier,user_xattr,acl 0 2
UUID=... /boot/efi vfat noauto,rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# add boot partition to crypttab (replace <identifier> with UUID from 'blkid /dev/sdb2')
nano /mnt/etc/crypttab
cryptboot UUID=<identifier> none noauto,luks
# change into installation root
arch-chroot /mnt
# Initial Ramdisk Configuration #######################################
# make copies of 'encrypt' hook files
cp /usr/lib/initcpio/hooks/encrypt{,2}
cp /usr/lib/initcpio/install/encrypt{,2}
# add detached LUKS header support to 'encrypt2' hook
nano /usr/lib/initcpio/hooks/encrypt2
# make the following modifications:
# ...
# warn_deprecated() {
# echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
# echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
# }
#
#>>> local headerFlag=false
# for cryptopt in ${cryptoptions//,/ }; do
# case ${cryptopt} in
# allow-discards)
# cryptargs="${cryptargs} --allow-discards"
# ;;
#>>> header)
#>>> cryptargs="${cryptargs} --header /boot/luksheader"
#>>> headerFlag=true
#>>> ;;
# *)
# echo "Encryption option '${cryptopt}' not known, ignoring." >&2
# ;;
# esac
# done
#
# if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
#>>> if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
# [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
# dopassphrase=1
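# Added example, not part of the original gist: the edit above done with awk
# instead of nano, so it can be repeated after a mkinitcpio upgrade replaces
# the stock hook. It assumes the hook's option loop matches the excerpt quoted
# above and that the header is embedded as /boot/luksheader (as in the FILES=
# line further down); write_sample_hook and its excerpt are constructed for
# the demonstration and are not the real hook file.

```shell
#!/bin/sh
# Added example (not part of the original gist): apply the 'header' option
# edit to a copy of the mkinitcpio 'encrypt' hook with awk instead of nano.
# Assumes the option loop looks like the excerpt quoted in the gist; the
# header path /boot/luksheader must match FILES=(/boot/luksheader).

# patch_encrypt_hook FILE: insert headerFlag, the 'header)' branch and the
# relaxed isLuks test into FILE in place; a no-op if FILE is already patched
patch_encrypt_hook() {
    hook="$1"
    if grep -q 'headerFlag' "$hook"; then
        echo "$hook: already patched" >&2
        return 0
    fi
    awk '
        # declare the flag just before the option-parsing loop
        /for cryptopt in / && !flag_done {
            print "    local headerFlag=false"
            flag_done = 1
        }
        # trust the flag instead of probing the device for an on-disk header
        /if cryptsetup isLuks/ {
            sub(/if cryptsetup isLuks/, "if $headerFlag || cryptsetup isLuks")
        }
        { print }
        # right after the ";;" closing the allow-discards branch, add header)
        in_discards && /^[ \t]*;;/ {
            print "            header)"
            print "                cryptargs=\"${cryptargs} --header /boot/luksheader\""
            print "                headerFlag=true"
            print "                ;;"
            in_discards = 0
        }
        /--allow-discards/ { in_discards = 1 }
    ' "$hook" > "$hook.tmp" && mv "$hook.tmp" "$hook"
}

# write_sample_hook FILE: constructed excerpt of the stock encrypt hook's
# option loop (indentation restored), used to exercise patch_encrypt_hook
write_sample_hook() {
    cat > "$1" <<'EOF'
    for cryptopt in ${cryptoptions//,/ }; do
        case ${cryptopt} in
            allow-discards)
                cryptargs="${cryptargs} --allow-discards"
                ;;
            *)
                echo "Encryption option '${cryptopt}' not known, ignoring." >&2
                ;;
        esac
    done

    if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
        if cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
            [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
            dopassphrase=1
EOF
}

# usage on the real copy made with 'cp' above:
#   patch_encrypt_hook /usr/lib/initcpio/hooks/encrypt2
```

# The guard on headerFlag keeps a second run from adding a duplicate case
# branch, which is what happens if the edit is re-applied by hand.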
# add modules, binaries, files and hooks to mkinitcpio.conf
nano /etc/mkinitcpio.conf
...
MODULES=(btrfs i915 loop)
...
BINARIES=(/usr/bin/btrfs)
...
FILES=(/boot/luksheader)
...
HOOKS=(base ... keyboard keymap ... block ... encrypt2 lvm2 ... filesystems ...)
# generate initial ramdisk image
mkinitcpio -p linux
# Bootloader Installation #############################################
# get NVMe device identifier (remember as YourDiskId)
ls -l /dev/disk/by-id | grep nvme0n1
# change Grub defaults (replace YourDiskId)
nano /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/YourDiskId:cryptroot:allow-discards,header"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
GRUB_GFXMODE=1024x768x32
# configure and install Grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="grub"
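# Added example, not part of the original gist: a pre-flight check of the two
# files edited above, to run before 'mkinitcpio -p linux' and 'grub-mkconfig',
# since a wrong HOOKS order or a missing GRUB_ENABLE_CRYPTODISK=y only shows up
# at the next boot as a root that cannot be unlocked. It assumes the hook is
# called encrypt2 and the header is embedded as /boot/luksheader; the sample
# config files it writes are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not the gist's own code): lint /etc/mkinitcpio.conf and
# /etc/default/grub for the detached-header setup before building the
# initramfs and the GRUB config. Assumes hook name encrypt2 and header
# path /boot/luksheader.

# pos WORD ITEM...: 1-based index of WORD among ITEMs, 0 if absent
pos() {
    w="$1"; shift; i=0
    for x in "$@"; do
        i=$((i + 1))
        [ "$x" = "$w" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_mkinitcpio_conf FILE: hook order, embedded header file, btrfs module
check_mkinitcpio_conf() {
    conf="$1"; bad=0
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$conf")
    files=$(sed -n 's/^FILES=(\(.*\)).*/\1/p' "$conf")
    mods=$(sed -n 's/^MODULES=(\(.*\)).*/\1/p' "$conf")
    set -- $hooks
    # keyboard must work before the passphrase prompt, block devices must
    # exist before encrypt2, and LVM must be activated after the container
    # is open but before the root filesystem is mounted
    for pair in "keyboard encrypt2" "block encrypt2" "encrypt2 lvm2" "lvm2 filesystems"; do
        a=$(pos "${pair% *}" "$@"); b=$(pos "${pair#* }" "$@")
        if [ "$a" -eq 0 ] || [ "$b" -eq 0 ] || [ "$a" -gt "$b" ]; then
            echo "HOOKS: '${pair% *}' must precede '${pair#* }'" >&2; bad=1
        fi
    done
    case " $files " in
        *" /boot/luksheader "*) ;;
        *) echo "FILES: /boot/luksheader missing, initramfs cannot open root" >&2; bad=1 ;;
    esac
    case " $mods " in
        *" btrfs "*) ;;
        *) echo "MODULES: btrfs missing" >&2; bad=1 ;;
    esac
    return $bad
}

# check_grub_defaults FILE: cryptodisk support and the cryptdevice options
check_grub_defaults() {
    conf="$1"; bad=0
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$conf" \
        || { echo "GRUB_ENABLE_CRYPTODISK=y missing: GRUB cannot unlock /boot" >&2; bad=1; }
    cmd=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/p' "$conf")
    case "$cmd" in
        *cryptdevice=/dev/disk/by-id/*:cryptroot:*header*) ;;
        *) echo "GRUB_CMDLINE_LINUX: need cryptdevice=/dev/disk/by-id/<id>:cryptroot:...,header" >&2; bad=1 ;;
    esac
    return $bad
}

# constructed sample files (not captured from a real system)
write_good_samples() {
    cat > "$1" <<'EOF'
MODULES=(btrfs i915 loop)
BINARIES=(/usr/bin/btrfs)
FILES=(/boot/luksheader)
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt2 lvm2 filesystems fsck)
EOF
    cat > "$2" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/nvme-Example_SSD_0000:cryptroot:allow-discards,header"
GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
GRUB_ENABLE_CRYPTODISK=y
EOF
}
write_bad_samples() {
    # lvm2 ahead of encrypt2, header not embedded, cryptodisk off, no by-id path
    cat > "$1" <<'EOF'
MODULES=(i915 loop)
FILES=()
HOOKS=(base udev autodetect keyboard keymap modconf block lvm2 encrypt2 filesystems fsck)
EOF
    cat > "$2" <<'EOF'
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1:cryptroot:allow-discards"
EOF
}

# usage inside the chroot, before mkinitcpio and grub-mkconfig:
#   check_mkinitcpio_conf /etc/mkinitcpio.conf && check_grub_defaults /etc/default/grub
```

# The by-id check matters because the raw NVMe device carries no LUKS
# signature in this layout, so nothing else identifies it to the hook.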
# System Configuration ################################################
# set time zone and configure hardware clock
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc
# uncomment desired localizations
nano /etc/locale.gen
# generate localization settings
locale-gen
echo LANGUAGE=en_US >> /etc/locale.conf
echo LANG=en_US.UTF-8 >> /etc/locale.conf
# set host name
echo myyoga920 > /etc/hostname
# add the following line at the end of the file
nano /etc/hosts
...
127.0.0.1 myyoga920.localdomain myyoga920
# End of file
# update packages, install wireless & bash completion
pacman -Suy iw wpa_supplicant bash-completion
# add new user account
useradd -m -g users -G wheel,storage,power -s /bin/bash your_new_user_name
passwd your_new_user_name
# install and enable sudo
pacman -S sudo
EDITOR=nano visudo
# uncomment the following line
%wheel ALL=(ALL) ALL
# disable root account
passwd -l root
# reboot
exit
umount -R /mnt
swapoff -a
reboot
# Secure Boot #########################################################
# 1. Enter a strong Administrator Password in BIOS Setup
# 2. Perform 'Reset to Setup Mode' in BIOS Setup
# install git client
sudo pacman -S base-devel git
# clone, build and install cryptboot
git clone https://github.com/xmikos/cryptboot
cd cryptboot
makepkg -si --skipchecksums
# mount boot partition, and create & enroll UEFI keys
sudo cryptboot mount
sudo cryptboot-efikeys create
sudo cryptboot-efikeys enroll
sudo cryptboot update-grub
sudo cryptboot umount
sudo shutdown -P now
# 3. Enable Secure Boot in BIOS Setup
# Post-install steps ##################################################
# install, configure and enable Snapper
sudo pacman -S snapper
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
sudo mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /.snapshots
sudo systemctl start snapper-timeline.timer
# install & configure Gnome
sudo pacman -S gnome
sudo localectl set-locale LANG=en_US.UTF-8
# (the append must run under sudo; 'sudo echo ... >> file' opens the file as the unprivileged user and fails)
echo LC_ALL= | sudo tee -a /etc/locale.conf
# install & enable NetworkManager
sudo pacman -S networkmanager
sudo systemctl enable --now NetworkManager.service
sudo nano /etc/NetworkManager/NetworkManager.conf
[ifupdown]
managed=true
# install & enable power management
sudo pacman -S tlp x86_energy_perf_policy
sudo systemctl enable tlp.service
sudo systemctl enable tlp-sleep.service
sudo pacman -S tlp-rdw
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
# fire up Gnome Desktop Manager
sudo systemctl enable --now gdm.service
# Yoga Specifics ######################################################
# blacklist ideapad_laptop module
sudo nano /etc/modprobe.d/blacklist.conf
install ideapad_laptop /bin/false
# enable bluetooth
sudo systemctl enable --now bluetooth.service
# End #################################################################
For instructions on how to resume a previous installation, disable TRIM,
auto-mount boot and auto-unlock root partitions, please see the full article at:
https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/