
@jeffsharpe
Created October 22, 2015 19:26
Arch Linux Installation Notes - GPT LUKS on LVM (multiple drives)
# Boot the Arch Linux installation medium to its shell prompt first.
# installation
# Set up networking; the package installation further down needs it.
ping -c 3 www.google.ca
# Wired connections just work for me, so wifi-menu is only needed for wireless.
wifi-menu # select and log in
ping -c 3 www.google.ca
# Now set up LUKS on LVM (a LUKS container inside each logical volume), so the
# volume group can span multiple hard drives.
# NOTE(review): with this layering the LVM metadata (volume names and sizes)
# stays readable on disk; only the contents of each volume are encrypted.
modprobe dm-mod
# List the block devices and identify the target disks before touching them.
lsblk
# I created the following partitions on 2 devices, modify as required
# /dev/sda1 1007KB BIOS boot partition
# /dev/sda2 500MB linux filesystem (boot)
# /dev/sda3 Linux LVM (root)
# /dev/sdb1 Linux LVM (swap home var)
# NOTE(review): /dev/sda2 (/boot) is formatted below without LUKS, so the
# kernel, initramfs and GRUB files are stored in the clear and are not
# protected against offline modification.
# Partition the disks, setting the partition table to GUID (GPT).
gdisk /dev/sda
gdisk /dev/sdb
# The idea is to create the encrypted root system first, then use key files
# stored on it to unlock the other volumes,
# so for the initial install ONLY create root.
lvm pvcreate /dev/sda3
lvm vgcreate lvm /dev/sda3
lvm lvcreate -L 25G -n lvroot lvm
# Encrypt the root logical volume. No key file is given, so luksFormat asks
# for a passphrase; this is the one typed at every boot. In XTS mode the
# 512-bit key (-s 512) is split into two 256-bit halves, i.e. AES-256.
cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvm/lvroot
# Unlock the container; the plaintext device appears as /dev/mapper/root.
cryptsetup open --type luks /dev/lvm/lvroot root
# The root filesystem goes on the unlocked mapping, /boot on the raw partition.
mkfs.ext4 /dev/mapper/root
mkfs.ext4 /dev/sda2
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
# Check the result: sda3 should show LVM, the LUKS volume and the root mapping.
lsblk -f /dev/sda
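# Now pacstrap the system.
# Select a close mirror and move it to the top of the file, save and close.
vim /etc/pacman.d/mirrorlist
pacstrap -i /mnt base base-devel
# Generate fstab (-U writes filesystem UUIDs instead of device names).
genfstab -U -p /mnt/ >> /mnt/etc/fstab
# Confirm the content.
vim /mnt/etc/fstab
# Chroot to the new filesystem. This starts an interactive shell: every
# command up to the 'exit' below is typed inside the chroot.
arch-chroot /mnt /bin/bash
export PS1="(CHROOT) $PS1"
# Set up locales.
# Uncomment your locale and save.
vi /etc/locale.gen
locale-gen
echo LANG=en_CA.UTF-8 > /etc/locale.conf
export LANG=en_CA.UTF-8
# Set the time zone and clock.
ln -fs /usr/share/zoneinfo/Canada/Pacific /etc/localtime
# The options must start with two ASCII hyphens; the em-dashes in the
# original paste make hwclock reject them.
hwclock --systohc --utc
# Hostname.
echo arod > /etc/hostname
# Add 'arod' to the beginning of both localhost row aliases.
vi /etc/hosts
# Set up networking for the next boot.
pacman -S networkmanager
systemctl enable NetworkManager.service
# Disable network services that are not needed.
systemctl disable netctl.service
# Create the ramdisk.
# On the HOOKS="" line, add 'lvm2 encrypt' between 'block' and 'filesystems'.
# The order matters: the LUKS container lives inside a logical volume, so
# lvm2 has to make /dev/lvm/lvroot available before encrypt can unlock it.
# On the MODULES="" line, add 'dm-mod'.
vi /etc/mkinitcpio.conf
mkinitcpio -p linux
# Set the root password.
passwd
# Make sure vim is installed.
pacman -S vim
# Set up the boot loader.
pacman -S grub
# Same em-dash repair as above: both options need a leading '--'.
grub-install --target=i386-pc --recheck /dev/sda
# Edit /etc/default/grub:
# add to GRUB_CMDLINE_LINUX="cryptdevice=/dev/lvm/lvroot:root root=/dev/mapper/root"
#   (cryptdevice=<device>:<name> tells the encrypt hook which volume to
#   unlock and which /dev/mapper name to give it)
# add 'lvm' at the end of GRUB_PRELOAD_MODULES=""
vim /etc/default/grub
# Ignore any connection warnings.
grub-mkconfig -o /boot/grub/grub.cfg
# Exit the chroot, unmount and reboot.
exit
umount -R /mnt
reboot
# Remove your USB or CD.
# Fingers crossed.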
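# Once you log in to the newly installed machine, you have more work to do!
#
# post installation
#
# After the first boot, create the encrypted /home, /var and swap volumes.
# Let's make the key files for /home and /var. They are stored on the
# encrypted root, so they are only protected while root itself is locked.
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256
dd if=/dev/random of=/etc/luks-keys/var bs=1 count=256
# dd creates the files with the default umask; restrict them to root
# read-only so they stay private even if the directory mode changes or the
# files are copied elsewhere.
chmod 400 /etc/luks-keys/home /etc/luks-keys/var
#
# Now create the remaining logical volumes on the second disk.
lvm pvcreate /dev/sdb1
lvm vgextend lvm /dev/sdb1
lvm lvcreate -L 16G -n swap lvm
lvm lvcreate -L 25G -n var lvm
lvm lvcreate -l 100%FREE -n home lvm
#
# Now encrypt them, using the key files instead of a passphrase. The cipher
# is spelled out to match the root volume; -s 512 is only meaningful with an
# XTS cipher, so it should not depend on cryptsetup's compiled-in default.
# NOTE(review): the key file is the only key slot on these volumes. Consider
# adding a passphrase with 'cryptsetup luksAddKey' and keeping a
# 'cryptsetup luksHeaderBackup' copy offline; otherwise losing
# /etc/luks-keys means losing the data.
cryptsetup luksFormat -v -c aes-xts-plain64 -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup luksFormat -v -c aes-xts-plain64 -s 512 /dev/lvm/var /etc/luks-keys/var
#
# Open the new encrypted volumes ('--type' needs two ASCII hyphens; the
# em-dash in the original paste is not an option prefix).
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
cryptsetup -d /etc/luks-keys/var open --type luks /dev/lvm/var var
#
mkfs.ext4 /dev/mapper/home
mkfs.ext4 /dev/mapper/var
mount /dev/mapper/home /home
# We have to mount /var later.
#
# Now add "home /dev/lvm/home /etc/luks-keys/home"
# and "swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256" to
# /etc/crypttab.
# The swap entry is re-keyed from /dev/urandom and re-formatted on every
# boot, so swap contents never survive a reboot (no hibernation).
# NOTE(review): size=256 with an XTS cipher gives two 128-bit halves
# (AES-128); use size=512 if swap should match the other volumes.
vim /etc/crypttab
# Finally, add the home and swap mapped devices to /etc/fstab:
# "/dev/mapper/home /home ext4 defaults 0 2"
# "/dev/mapper/swap none swap sw 0 0"
vim /etc/fstab
#
reboot
#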
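# Separate /var partition? You'll need to do this.
#
# Boot to your installation USB or CDROM
# so we can copy /var to the new encrypted logical volume.
# NOTE(review): if /dev/lvm/* is missing in the live environment, the volume
# group probably needs activating first, e.g. 'vgchange -ay lvm'.
#
# First mount / (asks for the root passphrase).
cryptsetup open --type luks /dev/lvm/lvroot root
mount /dev/mapper/root /mnt
# Now mount the new var, unlocking it with the key file kept on the root
# filesystem ('--type' needs two ASCII hyphens, not an em-dash).
cryptsetup -d /mnt/etc/luks-keys/var open --type luks /dev/lvm/var var
mkdir /tmp/tmpvar
mount /dev/mapper/var /tmp/tmpvar
# Finally copy the old folder to the new one. Copying '/mnt/var/.' rather
# than '/mnt/var/*' also picks up top-level dotfiles, which the glob skips;
# -a preserves ownership, modes and timestamps.
cp -av /mnt/var/. /tmp/tmpvar/
# Keep the old copy aside and create the new empty folder to mount to.
# /mnt/var.old can be removed once the new /var is confirmed working.
mv /mnt/var /mnt/var.old
mkdir -m 755 /mnt/var
# Now add "var /dev/lvm/var /etc/luks-keys/var" to
vim /mnt/etc/crypttab
# Finally add "/dev/mapper/var /var ext4 defaults 0 2" to
vim /mnt/etc/fstab
# That's it, now unmount, reboot and remove your USB or CDROM.
umount -R /tmp/tmpvar
umount -R /mnt
reboot
# /whew - done! (wasn't that hard, come on!)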