manuelcoppotelli/arch-uefi-luks-installation.txt

## arch-uefi-luks-installation.txt
# This installation guide will create basic working arch linux installation with encryption.
# Encryption is implemented with dm-crypt + LUKS on a single disk.

# Following articles/posts/gists were used as reference
# https://www.happyassassin.net/2014/01/25/uefi-boot-how-does-that-actually-work-then/
# https://wiki.archlinux.org/index.php/Installation_guide
# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
# https://blog.tinned-software.net/automount-a-luks-encrypted-volume-on-system-start/
# https://gist.github.com/mattiaslundberg/8620837
# https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# https://bbs.archlinux.org/viewtopic.php?id=198754


# +-----------------------+------------------------+-----------------------+
# | Boot/EFI partition    | LUKS encrypted root    | Rest of the space     |
# | (unencrypted)         | partition              |                       |
# |                       |                        |                       |
# | /boot                 | /                      | /home                 |
# |                       |                        |                       |
# |                       | /dev/mapper/cryptroot  | /dev/mapper/crypthome |
# |-----------------------|------------------------|-----------------------|
# | /dev/nvme0n1p1        | /dev/nvme0n1p2         | /dev/nvme0n1p3        |
# +-----------------------+------------------------+-----------------------+


# | ------------------------- Preparing USB installer ------------------------- |

# Get arch linux image from https://www.archlinux.org/download/

# Make bootable USB
dd bs=4M if=path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync

# | ------------------------- System configuration (once arch installer is booted) ------------------------- |

# Load finnish keymap
loadkeys fi

# Connec to to wifi
iwctl
device list
station wlan0 scan
station wlan0 list
station wlan0 get-networks
station wlan0 connect MyNetwork

# Double check disks
lsblk

# Securely wipe entire disk with shred (https://wiki.archlinux.org/index.php/Securely_wipe_disk)
shred -v /dev/nvme1n1

# Check current partitions on device
fdisk -l /dev/nvme1n1

# Create partitions to device in interactive mode for each partition individually. Changes wont be made until saved in interactive mode.

# First create GPT partition table on the disk by pressing "g" in interactive mode
fdisk /dev/nvme1n1

# For /boot partition
#     type:   EFI System (1)
#     size:   +512MB
# For / partition
#     type:   Linux x86-64 root (24)
#     size :  +50G
# For /home partition use partition type:
#     type:   Linux /home (28)
#     size:   (press enter for default and use rest of size)


# | ------------------------- Create /boot partition ------------------------- |
# TODO: add separate EFI and boot partition

# Format EFI partition

mkfs.fat -F32 /dev/nvme1n1p1

mkfs.ext4 /dev/nvme1n1p2

# Create mount points
mkdir -p /mnt/boot/efi
mkdir /mnt/home

# Mount that shit (should be after encryption
mount /dev/nvme0n1p1 /mnt/boot/efi
mount /dev/nvme0n1p2 /mnt/boot

# | ------------------------- Encryption ------------------------- |

cryptsetup -y -v luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme1n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

# Check the mapping works as intended:
umount /mnt
cryptsetup close cryptroot
cryptsetup open /dev/nvme1n1p2 cryptroot
mount /dev/mapper/cryptroot /mnt

cryptsetup -y -v luksFormat /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 crypthome
mkfs.ext4 /dev/mapper/crypthome
mount /dev/mapper/crypthome /mnt/home

# Check the mapping works as intended:
umount /mnt/home
cryptsetup close crypthome
cryptsetup open /dev/nvme0n1p3 crypthome
mount /dev/mapper/crypthome /mnt/home

cryptsetup close crypthome

# create luks-keys dir for holding keys and add LUKS keyfile for /home partition that is placed inside root partition. This allows /home partition mountpoint to be booted once root partition is mounted and booted.
mkdir -p /mnt/etc/luks-keys & dd bs=512 count=4 if=/dev/random of=/mnt/etc/luks-keys/homefile iflag=fullblock

# deny any access for other users than root
chmod 600 /mnt/etc/luks-keys/homefile

# Map keyfile to /home partition (Previously entered passphrase will be asked)
cryptsetup -v luksAddKey /dev/nvme0n1p3 /mnt/etc/luks-keys/homefile

# Device already exists or busy error !! <----------------->

# Check that newly created keyfile works
cryptsetup -v open /dev/nvme0n1p3 crypthome --key-file /mnt/etc/luks-keys/homefile

# Get the UUID of the encrypted LUKS volume for both devices
cryptsetup luksDump /dev/nvme0n1p2
cryptsetup luksDump /dev/nvme0n1p3

# Create crypttab entry which is loaded before fstab. And add following lines formatted accordingly with your device UUIDs
# https://www.freedesktop.org/software/systemd/man/crypttab.html
echo "/dev/mapper/crypthome UUID=0a5f4c0e-7659-4278-a1a5-d27fc24296d5 /etc/luks-keys/homefile" >> /mnt/etc/crypttab

# | ------------------------- Kernel & package installation ------------------------- |

# Install linux kernel and basic arch system and other software to root mountpoint
pacstrap /mnt base base-devel vim git efibootmgr dialog wpa_supplicant

# Update mkinitcpio hooks with (keyboard, keymap and encrypt) following line
# HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)
vim /mnt/etc/mkinitcpio.conf

genfstab -U /mnt >> /mnt/etc/fstab

# Generate an fstab file with UUIDs
genfstab -U /mnt >> /mnt/etc/fstab

# chroot to new system
arch-chroot /mnt

# Change root passwordder on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, en
passwd

# | ------------------------- Time ------------------------- |
# Time zone
 ln -sf /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
 # Set hardware clock to UTC
 hwclock --systohc

# | ------------------------- Localization ------------------------- |
 # Uncomment required localizations.
 # en_US.UTF-8 UTF-8
 # fi_FI.UTF-8 UTF-8
 vim /etc/locale.gen

# Change system lang to LANG=en_US.UTF-8
echo "LANG=en_US.UTF-8" >> /etc/locale.conf

# Make keyboard layout persistent
echo "KEYMAP=fi" > /etc/vconsole.conf

 # Regenerate locales
locale-gen

# | ------------------------- Network configuration ------------------------- |
# Update hostname
# Add myhostname
echo "myhostname" > /etc/hostname
#Add maching entries to /etc/hosts
# 127.0.0.1	localhost
# ::1		localhost
# 127.0.1.1	myhostname.localdomain	myhostname
vim /etc/hosts

# Generate your initrd image

mkinitcpio -p linux

# | ------------------------- Kernel parameters ------------------------- |
# Add kernel parameters for efibootmgr
# The root= parameter specifies the device of the actual (decrypted) root file system.
# Since the file system is formatted directly on the decrypted device file this will be /dev/mapper/cryptroot
# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr

# Kernel headers for encryption
# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr
efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux" --loader /boot/vmlinuz-linux --unicode 'cryptdevice=UUID=7b8b37df-d0df-42ca-9e8e-79dd2b462e07:cryptroot root=UUID=ac2e8489-3768-4a87-bd0a-8876325921ba rw initrd=/boot/initramfs-linux.img' --verb
	# This installation guide will create basic working arch linux installation with encryption.
	# Encryption is implemented with dm-crypt + LUKS on a single disk.

	# Following articles/posts/gists were used as reference
	# https://www.happyassassin.net/2014/01/25/uefi-boot-how-does-that-actually-work-then/
	# https://wiki.archlinux.org/index.php/Installation_guide
	# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration
	# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption
	# https://blog.tinned-software.net/automount-a-luks-encrypted-volume-on-system-start/
	# https://gist.github.com/mattiaslundberg/8620837
	# https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
	# https://bbs.archlinux.org/viewtopic.php?id=198754


	# +-----------------------+------------------------+-----------------------+
	# \| Boot/EFI partition \| LUKS encrypted root \| Rest of the space \|
	# \| (unencrypted) \| partition \| \|
	# \| \| \| \|
	# \| /boot \| / \| /home \|
	# \| \| \| \|
	# \| \| /dev/mapper/cryptroot \| /dev/mapper/crypthome \|
	# \|-----------------------\|------------------------\|-----------------------\|
	# \| /dev/nvme0n1p1 \| /dev/nvme0n1p2 \| /dev/nvme0n1p3 \|
	# +-----------------------+------------------------+-----------------------+


	# \| ------------------------- Preparing USB installer ------------------------- \|

	# Get arch linux image from https://www.archlinux.org/download/

	# Make bootable USB
	dd bs=4M if=path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync

	# \| ------------------------- System configuration (once arch installer is booted) ------------------------- \|

	# Load finnish keymap
	loadkeys fi

	# Connec to to wifi
	iwctl
	device list
	station wlan0 scan
	station wlan0 list
	station wlan0 get-networks
	station wlan0 connect MyNetwork

	# Double check disks
	lsblk

	# Securely wipe entire disk with shred (https://wiki.archlinux.org/index.php/Securely_wipe_disk)
	shred -v /dev/nvme1n1

	# Check current partitions on device
	fdisk -l /dev/nvme1n1

	# Create partitions to device in interactive mode for each partition individually. Changes wont be made until saved in interactive mode.

	# First create GPT partition table on the disk by pressing "g" in interactive mode
	fdisk /dev/nvme1n1

	# For /boot partition
	# type: EFI System (1)
	# size: +512MB
	# For / partition
	# type: Linux x86-64 root (24)
	# size : +50G
	# For /home partition use partition type:
	# type: Linux /home (28)
	# size: (press enter for default and use rest of size)


	# \| ------------------------- Create /boot partition ------------------------- \|
	# TODO: add separate EFI and boot partition

	# Format EFI partition

	mkfs.fat -F32 /dev/nvme1n1p1

	mkfs.ext4 /dev/nvme1n1p2

	# Create mount points
	mkdir -p /mnt/boot/efi
	mkdir /mnt/home

	# Mount that shit (should be after encryption
	mount /dev/nvme0n1p1 /mnt/boot/efi
	mount /dev/nvme0n1p2 /mnt/boot

	# \| ------------------------- Encryption ------------------------- \|

	cryptsetup -y -v luksFormat /dev/nvme0n1p2
	cryptsetup open /dev/nvme1n1p2 cryptroot
	mkfs.ext4 /dev/mapper/cryptroot
	mount /dev/mapper/cryptroot /mnt

	# Check the mapping works as intended:
	umount /mnt
	cryptsetup close cryptroot
	cryptsetup open /dev/nvme1n1p2 cryptroot
	mount /dev/mapper/cryptroot /mnt

	cryptsetup -y -v luksFormat /dev/nvme0n1p3
	cryptsetup open /dev/nvme0n1p3 crypthome
	mkfs.ext4 /dev/mapper/crypthome
	mount /dev/mapper/crypthome /mnt/home

	# Check the mapping works as intended:
	umount /mnt/home
	cryptsetup close crypthome
	cryptsetup open /dev/nvme0n1p3 crypthome
	mount /dev/mapper/crypthome /mnt/home

	cryptsetup close crypthome

	# create luks-keys dir for holding keys and add LUKS keyfile for /home partition that is placed inside root partition. This allows /home partition mountpoint to be booted once root partition is mounted and booted.
	mkdir -p /mnt/etc/luks-keys & dd bs=512 count=4 if=/dev/random of=/mnt/etc/luks-keys/homefile iflag=fullblock

	# deny any access for other users than root
	chmod 600 /mnt/etc/luks-keys/homefile

	# Map keyfile to /home partition (Previously entered passphrase will be asked)
	cryptsetup -v luksAddKey /dev/nvme0n1p3 /mnt/etc/luks-keys/homefile

	# Device already exists or busy error !! <----------------->

	# Check that newly created keyfile works
	cryptsetup -v open /dev/nvme0n1p3 crypthome --key-file /mnt/etc/luks-keys/homefile

	# Get the UUID of the encrypted LUKS volume for both devices
	cryptsetup luksDump /dev/nvme0n1p2
	cryptsetup luksDump /dev/nvme0n1p3

	# Create crypttab entry which is loaded before fstab. And add following lines formatted accordingly with your device UUIDs
	# https://www.freedesktop.org/software/systemd/man/crypttab.html
	echo "/dev/mapper/crypthome UUID=0a5f4c0e-7659-4278-a1a5-d27fc24296d5 /etc/luks-keys/homefile" >> /mnt/etc/crypttab

	# \| ------------------------- Kernel & package installation ------------------------- \|

	# Install linux kernel and basic arch system and other software to root mountpoint
	pacstrap /mnt base base-devel vim git efibootmgr dialog wpa_supplicant

	# Update mkinitcpio hooks with (keyboard, keymap and encrypt) following line
	# HOOKS=(base udev keyboard autodetect keymap consolefont modconf block encrypt filesystems fsck)
	vim /mnt/etc/mkinitcpio.conf

	genfstab -U /mnt >> /mnt/etc/fstab

	# Generate an fstab file with UUIDs
	genfstab -U /mnt >> /mnt/etc/fstab

	# chroot to new system
	arch-chroot /mnt

	# Change root passwordder on the encrypted device: this scenario exploits this feature to set up a system on an unpartitioned, en
	passwd

	# \| ------------------------- Time ------------------------- \|
	# Time zone
	ln -sf /usr/share/zoneinfo/Europe/Helsinki /etc/localtime
	# Set hardware clock to UTC
	hwclock --systohc

	# \| ------------------------- Localization ------------------------- \|
	# Uncomment required localizations.
	# en_US.UTF-8 UTF-8
	# fi_FI.UTF-8 UTF-8
	vim /etc/locale.gen

	# Change system lang to LANG=en_US.UTF-8
	echo "LANG=en_US.UTF-8" >> /etc/locale.conf

	# Make keyboard layout persistent
	echo "KEYMAP=fi" > /etc/vconsole.conf

	# Regenerate locales
	locale-gen

	# \| ------------------------- Network configuration ------------------------- \|
	# Update hostname
	# Add myhostname
	echo "myhostname" > /etc/hostname
	#Add maching entries to /etc/hosts
	# 127.0.0.1 localhost
	# ::1 localhost
	# 127.0.1.1 myhostname.localdomain myhostname
	vim /etc/hosts

	# Generate your initrd image

	mkinitcpio -p linux

	# \| ------------------------- Kernel parameters ------------------------- \|
	# Add kernel parameters for efibootmgr
	# The root= parameter specifies the device of the actual (decrypted) root file system.
	# Since the file system is formatted directly on the decrypted device file this will be /dev/mapper/cryptroot
	# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr

	# Kernel headers for encryption
	# Check efibootmgr documentation for more details https://linux.die.net/man/8/efibootmgr
	efibootmgr --disk /dev/nvme0n1 --part 1 --create --label "Arch Linux" --loader /boot/vmlinuz-linux --unicode 'cryptdevice=UUID=7b8b37df-d0df-42ca-9e8e-79dd2b462e07:cryptroot root=UUID=ac2e8489-3768-4a87-bd0a-8876325921ba rw initrd=/boot/initramfs-linux.img' --verb