@mauriciopasquier
Forked from bobsomers/arch-linode-fde.md
Last active August 29, 2015 14:15

Arch Linux on Linode with Full Disk Encryption

Cobbled together from the following resources:

Create a new Linode.

Create three new disk images.

  • name "boot", type "unformatted / raw", size = 256 MB
  • name "swap", type "unformatted / raw", size = swap size
  • name "root", type "unformatted / raw", size = rest

Create a new configuration profile.

  • label whatever
  • kernel "pv-grub-x86_64"
  • /dev/xvda "boot"
  • /dev/xvdb "swap"
  • /dev/xvdc "root"
  • xenify distro "no"
  • disable updatedb "no"
  • modules.dep helper "no"
  • automount devtmpfs "no"

Go to the Rescue tab, and click Reboot into Rescue Mode.

Connect via LISH.

Encrypt and open the root partition.

  • cryptsetup luksFormat /dev/xvdc
  • cryptsetup luksOpen /dev/xvdc crypt-xvdc

Create the filesystems for the boot and root partitions.

  • mkfs -t ext2 /dev/xvda
  • mkfs -t ext4 /dev/mapper/crypt-xvdc

Create the encrypted swap partition.

  • cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
  • mkswap /dev/mapper/crypt-swap
  • swapon /dev/mapper/crypt-swap

Bootstrap an Arch chroot environment.

  • cd /tmp
  • wget https://mirrors.kernel.org/archlinux/iso/2014.09.03/archlinux-bootstrap-2014.09.03-x86_64.tar.gz
  • tar xf archlinux-bootstrap-2014.09.03-x86_64.tar.gz
  • sed -i 's?#Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?' root.x86_64/etc/pacman.d/mirrorlist
  • root.x86_64/bin/arch-chroot /tmp/root.x86_64

Prep the Arch chroot environment for installing the base system.

  • mkdir /run/shm
  • cd /tmp
  • curl -O https://mirrors.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.1-1-x86_64.pkg.tar.xz
  • pacman -U haveged-1.9.1-1-x86_64.pkg.tar.xz
  • haveged -w 1024
  • pacman-key --init
  • pacman-key --populate archlinux

Mount the root and boot filesystems (in that order) under /mnt.

  • mount /dev/mapper/crypt-xvdc /mnt
  • mkdir /mnt/boot
  • mount /dev/xvda /mnt/boot

Install the base system, generate the fstab, and chroot into it.

  • pacstrap /mnt base base-devel
  • genfstab -p /mnt >> /mnt/etc/fstab
  • arch-chroot /mnt /bin/bash

Configure the system.

  • sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
  • sed -i 's/#en_US ISO-8859-1/en_US ISO-8859-1/' /etc/locale.gen
  • locale-gen
  • echo LANG=en_US.UTF-8 > /etc/locale.conf
  • export LANG=en_US.UTF-8
  • ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
  • echo my.hostname.com > /etc/hostname
  • systemctl enable dhcpcd@eth0.service

Configure the initial ramdisk.

  • Add encrypt to the HOOKS line in /etc/mkinitcpio.conf before filesystems.
  • mkinitcpio -p linux

Add this line to /etc/crypttab to set up the encrypted swap partition on boot.

  • crypt-swap /dev/xvdb /dev/urandom swap

Configure passwords and a user account.

  • passwd
  • useradd -m -g users -G wheel -s /bin/bash youruser
  • passwd youruser
  • visudo
  • Uncomment the line %wheel ALL=(ALL) ALL.

Build the grub-legacy bootloader from the AUR.

  • Uncomment the multilib repo from /etc/pacman.conf.
  • pacman -Sy gcc-multilib
  • su youruser
  • cd
  • curl -O https://aur.archlinux.org/packages/gr/grub-legacy/grub-legacy.tar.gz
  • tar xf grub-legacy.tar.gz
  • cd grub-legacy
  • makepkg -s
  • sudo pacman -U grub-legacy-0.97-25-x86_64.pkg.tar.xz
  • cd ..
  • rm -rf grub-legacy grub-legacy.tar.gz
  • exit

Edit /boot/grub/menu.lst.

  • root (hd0)
  • kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro

Symlink the grub directory so pv-grub can find it.

  • cd /boot
  • mkdir boot
  • cd boot
  • ln -s ../grub .

Leave chroots, unmount partitions, and reboot.

  • exit
  • umount -R /mnt
  • exit
  • pkill haveged
  • umount /tmp/root.x86_64/dev
  • umount /tmp/root.x86_64
  • Shutdown from Linode Manager
  • Boot from Linode Manager

Every time you boot the machine, you'll need to connect to LISH and type in your password to unlock the root partition.
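An added sanity check, not part of the original gist, to run inside the chroot before the unmount and reboot steps: it verifies that the encrypt hook precedes filesystems, that the root= mapper name in menu.lst matches the cryptdevice= name, that the crypttab swap entry is keyed from /dev/urandom, and that menu.lst is reachable through the /boot/boot/grub symlink. The function names, the --run flag and the default paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original gist): consistency checks for the
# FDE layout built above. Function names, the --run flag and the default
# paths are assumptions of this example. Each check returns 0 on pass.

# "encrypt" must appear before "filesystems" in HOOKS, or the initramfs
# never opens the LUKS root. Handles both HOOKS="..." and HOOKS=(...).
check_hooks_order() {  # $1 = path to mkinitcpio.conf
    hooks=$(sed -n 's/^HOOKS=["(]\(.*\)[")]$/\1/p' "$1")
    set -- $hooks
    enc=0; fs=0; i=0
    for h in "$@"; do
        i=$((i + 1))
        [ "$h" = "encrypt" ] && enc=$i
        [ "$h" = "filesystems" ] && fs=$i
    done
    [ "$enc" -gt 0 ] && [ "$fs" -gt 0 ] && [ "$enc" -lt "$fs" ]
}

# root=/dev/mapper/NAME and cryptdevice=DEV:NAME on the kernel line must
# name the same mapping; a mismatch leaves the kernel unable to find root.
check_menu_lst() {  # $1 = path to menu.lst
    line=$(grep '^[[:space:]]*kernel[[:space:]]' "$1" | head -n 1)
    root=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]root=\/dev\/mapper\/\([^[:space:]]*\).*/\1/p')
    name=$(printf '%s\n' "$line" | sed -n 's/.*cryptdevice=[^:[:space:]]*:\([^[:space:],]*\).*/\1/p')
    [ -n "$root" ] && [ "$root" = "$name" ]
}

# Swap must be keyed from /dev/urandom with the "swap" option, so it is
# re-keyed on every boot and never holds a reusable key.
check_crypttab_swap() {  # $1 = path to crypttab, $2 = swap block device
    grep -Eq "^crypt-swap[[:space:]]+$2[[:space:]]+/dev/urandom[[:space:]]+swap" "$1"
}

# pv-grub reads /boot/grub/menu.lst on the boot disk via the /boot/boot/grub symlink.
check_pvgrub_path() {  # $1 = mounted boot directory
    [ -f "$1/boot/grub/menu.lst" ]
}

run_all() {
    rc=0
    check_hooks_order /etc/mkinitcpio.conf || { echo "FAIL: encrypt hook missing or after filesystems"; rc=1; }
    check_menu_lst /boot/grub/menu.lst || { echo "FAIL: root= and cryptdevice= names differ"; rc=1; }
    check_crypttab_swap /etc/crypttab /dev/xvdb || { echo "FAIL: crypttab swap entry missing"; rc=1; }
    check_pvgrub_path /boot || { echo "FAIL: /boot/boot/grub/menu.lst not reachable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_all; fi  # only touch the live system when asked
```

Run it as `sh fde-check.sh --run` from inside the chroot; any FAIL line points at the step above that still needs fixing.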
