@hamsolodev
Created October 4, 2013 04:28

My ThinkPad X200 Arch Linux install process

TODO passphrase protected keyfiles…setup a keyfile in a remaining key-slot? something to make this properly two–factor.

Notes on installing Arch Linux from scratch, using LVM volumes inside a LUKS container.

Why not boot from removable media? Well, there's no real support for “plausible deniability” built in to LUKS/dm-crypt. This means that the benefit of booting from removable media—being able to keep secret the fact that the main HDD contains an encrypted filesystem—is pretty moot. A LUKS container must contain header data, which gives away the fact that LUKS is in use.

Introduction

There's no Arch Linux installer as such; instead, there's a series of tasks carried out on the commandline to partition the disk and bootstrap base packages &c.

The following web pages were of use

Regarding disk encryption

Begin by booting the installation media, which drops into a root shell.

Secure erasure

So /dev/random most likely won't have enough entropy to be used as the random data source for erasure of an entire disk :( Use of /dev/urandom is more than likely OK for this purpose…however it should not at any time be relied upon for generation of cryptographic keys.

So use something like the following command to erase the target disk

dd if=/dev/urandom of=/dev/sda

…and wait a long time for it to complete!

There was mention of using dcfldd and the frandom module to more quickly generate random data for disk erasure…more research required. I'd like a faster (secure) disk erasure during install.

Preparing partitions

I decided to use the GUID Partition Table partitioning scheme, since it's all modern and futuristic and stuff. Note this means that we'll need to use Grub 2. There are some special requirements here, specifically for a BIOS boot partition (see this section of the GRUB wiki page).

So, use gdisk to create three partitions on the main disk.

  1. /boot, 200MB, type 8300.
  2. The “rest of” the disk, to be used for a LUKS container. Don't give this any special type (stick with the default 8300); it doesn't matter.
  3. BIOS boot partition, 1007KB, type EF02 (later, when grub is installed, this will automatically get used)
  • create this right at the beginning of the disk, and create it last (see below)

Note from wiki

gdisk will only allow you to create this (the BIOS boot partition) on the position which will waste the least amount of space (sector 34-2047) if you create it last, after all the other partitions. This is because gdisk will auto-align partitions to 2048-sector boundaries if possible

Format /boot

This will be mounted later on…

mkfs -t ext4 /dev/sda1

Create the LUKS container

Side note: cryptsetup benchmark tests the speed of various cryptographic operations on the system, so can be quite useful when determining which algorithms to use.

On my ThinkPad cryptsetup benchmark showed that the fastest cipher mode was serpent-xts, and after a little research I decided it was a sensible choice for security as well as performance.

We will create a LUKS container with the following features

* use Serpent (in XTS mode) for encryption
* use key size of 256 bits (by specifying 512, because the key gets split)
* use SHA512 for passphrase hashing
* allow more time for more iterations during passphrase hashing
* use /dev/random for key generation

Now create the LUKS container, which will ultimately store an LVM Volume Group

cryptsetup -c serpent-xts-plain64 -h sha512 -i 5000 -y -s 512 --use-random luksFormat /dev/sda2

You'll be prompted twice for a passphrase…
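To confirm the container really was created with the options listed above, the header can be compared against them. This is an added example, not part of the original notes; it assumes the LUKS1 `cryptsetup luksDump` layout, and the sample dump is constructed rather than taken from a real disk.

```shell
#!/bin/sh
# Added example (not from the original notes). SAMPLE_DUMP is constructed text
# in the LUKS1 `cryptsetup luksDump` layout, trimmed to the fields checked here.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    serpent
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# luks_field DUMP LABEL -> value of the "LABEL: value" line in the dump
luks_field() {
    printf '%s\n' "$1" | awk -F ':[ \t]*' -v k="$2" '$1 == k { print $2; exit }'
}

# check_luks_header DUMP CIPHER MODE MKBITS HASH -> 0 only if every field matches
check_luks_header() {
    rc=0
    for pair in "Cipher name=$2" "Cipher mode=$3" "MK bits=$4" "Hash spec=$5"; do
        label=${pair%%=*}
        want=${pair#*=}
        got=$(luks_field "$1" "$label")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $label: expected '$want', header has '$got'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# enabled_slots DUMP -> number of key slots holding a passphrase or keyfile
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED'
}

# On the installed system, as root: dump=$(cryptsetup luksDump /dev/sda2)
check_luks_header "$SAMPLE_DUMP" serpent xts-plain64 512 sha512 \
    && echo "header matches the luksFormat options"
echo "key slots in use: $(enabled_slots "$SAMPLE_DUMP")"
```

The slot count is worth noting down alongside the header backup, so that an unexpected extra enabled slot stands out later.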

TODO Is there an equivalent to geli's “data authentication” behaviour?

Open the LUKS container

This will map the opened container to /dev/mapper/lvm

cryptsetup luksOpen /dev/sda2 lvm

LVM

Make the LUKS container created and opened above into an LVM Physical Volume

pvcreate /dev/mapper/lvm

Create a Volume Group backed by the newly created Physical Volume

vgcreate vg0 /dev/mapper/lvm

Create some Logical Volumes within our Volume Group for root, var, usr, and home

lvcreate -L 250M vg0 -n root
lvcreate -L 500M vg0 -n var
lvcreate -L 1.5G vg0 -n usr
lvcreate -L 500M vg0 -n home

Format Logical Volumes

Going to use ext4 for everything.

mkfs -t ext4 /dev/mapper/vg0-root
mkfs -t ext4 /dev/mapper/vg0-var
mkfs -t ext4 /dev/mapper/vg0-usr
mkfs -t ext4 /dev/mapper/vg0-home

Mount Logical Volumes

First, mount the root volume onto /mnt

mount /dev/mapper/vg0-root /mnt

Then create mountpoints for the other volumes

mkdir /mnt/{boot,var,usr,home}

Finally, mount the volumes

mount /dev/sda1 /mnt/boot
mount /dev/mapper/vg0-var /mnt/var
mount /dev/mapper/vg0-usr /mnt/usr
mount /dev/mapper/vg0-home /mnt/home

Install the base system

First, edit /etc/pacman.d/mirrorlist to pick a mirror geographically close to me. I picked the iiNet FTP server.

Then install the base system using pacstrap /mnt base base-devel.

Generate an /etc/fstab

I like using the UUID of volumes:

genfstab -p /mnt -U >> /mnt/etc/fstab

Also, change the /etc/fstab entry for /usr, so the “pass” option is 0.

Configure the system to boot

All these sub–steps should be carried out while chrooted into the system. This is required because we'll be running commands to configure locales and whatnot.

arch-chroot /mnt

Install GRUB 2 bootloader package

This is a straightforward install of the grub-bios package

pacman -S grub-bios

Set the hostname, timezone & locale

Edit the /etc/hostname file and enter the desired hostname.

Symlink the appropriate zoneinfo file into /etc/localtime:

ln -s /usr/share/zoneinfo/Australia/Melbourne /etc/localtime

The Arch Linux wiki page on Locales was the source of information used to arrive at my desired locale configuration.

Enable some locales by uncommenting them in /etc/locale.gen

en_AU.UTF-8
en_GB.UTF-8
en_US.UTF-8

To set a system–wide locale, with fallbacks, edit /etc/locale.conf and add the following lines

# Enable UTF-8 with Australian settings.
LANG="en_AU.UTF-8"
# specify some fallback locales
LANGUAGE="en_AU:en_GB:en"
# Keep the default sort order, which means files starting with '.' appear first
LC_COLLATE="C"

Then, run locale-gen to generate the locales.

Console keymap and font

Arch wiki page on console fonts

Choose a font (or install the terminus-font package, which gets you ter-216n) from /usr/share/kbd/consolefonts/, then edit (or create) /etc/vconsole.conf. The font Lat2-Terminus16 is available without any extra package required.

FONT=ter-216n

With a /etc/vconsole.conf in place, put keymap in /etc/mkinitcpio.conf MODULES line.

In /etc/mkinitcpio.conf ensure i915 is in MODULES, and add consolefont to HOOKS. This will ensure the video is initialised early and the font change preserved.

See Arch Wiki page on KEYMAP. It's simple to switch Caps Lock for Control, just by using the emacs keymap.

In /etc/vconsole.conf

KEYMAP=emacs

RAM disk config

The Arch Linux wiki page on mkinitcpio was used to derive appropriate settings for my system.

See mkinitcpio -H <hook name> for help on a specific hook.

Edit the file /etc/mkinitcpio.conf, and make sure the following HOOKS are present…

Since all volumes, except /boot are contained within a LUKS container, the RAM disk will need to know about LUKS

encrypt  # allows LUKS containers to be opened

Since root device is on LVM (after block and encryption, before filesystems)

lvm2  # allows root partition to exist on a logical volume

Since /usr is its own partition (after lvm2)

shutdown  # allows /usr to be properly unmounted
fsck  # to allow fsck of /usr at boot
usr  # mount /usr immediately after / and ensure graceful unmount at reboot

So, the full HOOKS string should look something like

base udev autodetect modconf block encrypt lvm2 filesystems keyboard usr fsck shutdown consolefont
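A wrong hook order here leaves the system unable to find its root volume at boot, so it is worth checking before building the RAM disk. The following is an added example, not part of the original notes; the ordering rules are the ones stated above (encrypt after block, lvm2 after encrypt and before filesystems, usr after lvm2), and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes). SAMPLE_CONF is a constructed
# stand-in for /etc/mkinitcpio.conf using the HOOKS string from these notes.
SAMPLE_CONF='MODULES="i915"
# HOOKS="base udev autodetect filesystems"
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard usr fsck shutdown consolefont"'

# hook_pos CONF NAME -> 1-based position of NAME in the active HOOKS line, 0 if absent
hook_pos() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^HOOKS=/ { line = $0 }            # commented lines are skipped, last one wins
        END {
            gsub(/^HOOKS=|["()]/, "", line) # accept both HOOKS="..." and HOOKS=(...)
            n = split(line, hooks, " ")
            for (i = 1; i <= n; i++) if (hooks[i] == h) { print i; exit }
            print 0
        }'
}

# hooks_ordered CONF A B -> 0 when both hooks are present and A comes before B
hooks_ordered() {
    pa=$(hook_pos "$1" "$2")
    pb=$(hook_pos "$1" "$3")
    [ "$pa" -gt 0 ] && [ "$pb" -gt 0 ] && [ "$pa" -lt "$pb" ]
}

# check_hooks CONF -> 0 when the order needed for LUKS + LVM + separate /usr holds
check_hooks() {
    conf=$1
    rc=0
    for rule in "block encrypt" "encrypt lvm2" "lvm2 filesystems" "lvm2 usr"; do
        first=${rule% *}
        second=${rule#* }
        if ! hooks_ordered "$conf" "$first" "$second"; then
            echo "HOOKS: '$first' must be present and precede '$second'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# On the installed system: check_hooks "$(cat /etc/mkinitcpio.conf)"
check_hooks "$SAMPLE_CONF" && echo "HOOKS order is consistent with LUKS + LVM + /usr"
```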

Now run mkinitcpio -p linux to create the RAM disk.

Grub configuration

It is necessary to tell grub about the LUKS container. Edit /etc/default/grub and change GRUB_CMDLINE_LINUX to include

cryptdevice=/dev/sda2:lvm

You might want to set some other nice options like colours…

Run grub-mkconfig -o /boot/grub/grub.cfg, to take into account updates to /etc/default/grub.

Grub installation to GPT

See the Arch wiki page on GRUB2.

grub-install --target=i386-pc --recheck --debug /dev/sda
mkdir -p /boot/grub/locale
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

Change root pw, exit chroot, unmount volumes, reboot

A simple passwd, followed by exit, and a umount /mnt/{boot,home,var,usr}. Finally a reboot.

Final steps, first reboot

DHCP

On the first boot of the new system, enable DHCP networking permanently with: systemctl enable dhcpcd. Start it now, too.

Wireless network configuration

The Arch wiki page on Netctl is a good read.

Install packages which are required for connection to wireless networks (and automatic profile selection)

pacman -S iw wpa_supplicant wpa_actiond

And install dialog, required to use the console front-end wifi-menu

pacman -S dialog

Profile example

An example netctl profile, for my home network (note hex ESSID)

Description='Home'
Interface=wlp3s0
Connection=wireless
Country=AU
Security=wpa
Key='KEYHERE'
ESSID=\"e0b2a05fe0b2a0
IP=dhcp
RFKill=auto

Enable automatic roaming between wireless profiles

Enable the netctl-auto service for the interface in question

systemctl enable netctl-auto@wlp3s0.service

Misc wireless stuff

To scan for networks

iw dev wlp3s0 scan

To stop the wireless light blinking put the following in /etc/modprobe.d/wireless.conf

options iwlwifi led_mode=1

mDNS

Install avahi: pacman -S avahi nss-mdns, and change the hosts: line in /etc/nsswitch.conf to:

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

Enable avahi: systemctl enable avahi-daemon, systemctl start avahi-daemon.

Install net-tools (for ifconfig etc.) and OpenSSH: pacman -S net-tools openssh, then enable (if desired) the ssh service: systemctl enable sshd.

Install rsyslog: pacman -S rsyslog, and enable the service systemctl enable rsyslog.

Install ufw, and configure the basics:

pacman -S ufw
systemctl enable ufw
systemctl start ufw
ufw default deny
ufw allow SSH
ufw allow proto udp from any to 224.0.0.251 port mdns
ufw enable

Use tune2fs to reduce the amount of reserved space used by each ext4 volume…any other options?

Users

Pretty useful Arch wiki page on Users and Groups

Create a standard user

useradd -m -G wheel,users -s /bin/bash mch

Can log in and change shell later (otherwise, there might be a bug where I can't log in as a user if any other shell than /bin/bash is specified.)

ThinkPad X200

Arch wiki page on Lenovo ThinkPad X200. How to reduce power consumption.

Install Xorg, with an appropriate driver, and emacs with pacman -S xorg-apps xorg-server xf86-video-intel xorg-xinit emacs xterm.

To stop potential weird sluggish behaviour, create /etc/modprobe.d/drm_kms.conf and enter

options drm_kms_helper poll=N

Still relevant below??

Installed TLP, power saving tools for ThinkPads. This adds some commands

bluetooth  (turn bluetooth on or off)
wifi  (turn wifi on or off)
tlp-stat  (print stats about tlp, including battery info)

Added the following to /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT, to enable big power savings on video driver

i915.i915_enable_rc6=1

In /etc/systemd/logind.conf uncomment lines to read…

HandleSuspendKey=poweroff
HandleHibernateKey=poweroff
HandleLidSwitch=poweroff

…so that closing the lid, or suspending, or hibernating, will power off the computer (it's encrypted!)

AUR

Read the Arch wiki page on AUR and modify my /etc/makepkg.conf to enable options to improve performance on multi–core systems.

systemd

Read a lot on Arch wiki page on Systemd/User to get systemd --user working to manage my XOrg session (requires xorg-launch-helper from AUR), as well as run my SSHConfigFS and dropboxd instances.

CUPS for HP LaserJet P1102W

Using hp-setup -i <ipaddr> will download the “proprietary driver”, but still doesn't work?!

Backup of LUKS header

Important!

cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file luksbackup.img

Or similar…then store this (strongly encrypted) somewhere safe.

StumpWM

Simple howto on Arch Wiki page on StumpWM.
