Cobbled together from the following resources:
- Full Disk Encryption - Linode
- Encrypting an entire system - Arch Wiki
- Install from existing linux - Arch Wiki
- Installation guide - Arch Wiki
- Gettys on Serial Consoles
Create a new Linode.
Create three new disk images.
- name "boot", type "unformatted / raw", size = 256 MB
- name "swap", type "unformatted / raw", size = swap size
- name "root", type "unformatted / raw", size = rest
Create a new configuration profile.
- label whatever
- kernel "pv-grub-x86_64"
- /dev/xvda "boot"
- /dev/xvdb "swap"
- /dev/xvdc "root"
- xenify distro "no"
- disable updatedb "no"
- modules.dep helper "no"
- automount devtmpfs "no"
Go to the Rescue tab, and click Reboot into Rescue Mode.
Connect via LISH.
Encrypt and open the root partition.
cryptsetup luksFormat /dev/xvdc
cryptsetup luksOpen /dev/xvdc crypt-xvdc
Create the filesystems for the boot and root partitions.
mkfs -t ext2 /dev/xvda
mkfs -t ext4 /dev/mapper/crypt-xvdc
Create the encrypted swap partition.
cryptsetup -d /dev/urandom create crypt-swap /dev/xvdb
mkswap /dev/mapper/crypt-swap
swapon /dev/mapper/crypt-swap
Bootstrap an Arch chroot environment.
cd /tmp
wget https://mirrors.kernel.org/archlinux/iso/2014.09.03/archlinux-bootstrap-2014.09.03-x86_64.tar.gz
tar xf archlinux-bootstrap-2014.09.03-x86_64.tar.gz
sed -i 's?#Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch?' root.x86_64/etc/pacman.d/mirrorlist
root.x86_64/bin/arch-chroot /tmp/root.x86_64
Prep the Arch chroot environment for installing the base system.
mkdir /run/shm
cd /tmp
curl -O https://mirrors.kernel.org/archlinux/extra/os/x86_64/haveged-1.9.1-1-x86_64.pkg.tar.xz
pacman -U haveged-1.9.1-1-x86_64.pkg.tar.xz
haveged -w 1024
pacman-key --init
pacman-key --populate archlinux
Mount the root and boot filesystems (in that order) under /mnt.
mount /dev/mapper/crypt-xvdc /mnt
mkdir /mnt/boot
mount /dev/xvda /mnt/boot
Install the base system, generate the fstab, and chroot into it.
pacstrap /mnt base base-devel
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt /bin/bash
Configure the system.
sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
sed -i 's/#en_US ISO-8859-1/en_US ISO-8859-1/' /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
export LANG=en_US.UTF-8
ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
echo my.hostname.com > /etc/hostname
systemctl enable dhcpcd@eth0.service
Configure the initial ramdisk.
- Add encrypt to the HOOKS line in /etc/mkinitcpio.conf before filesystems.
mkinitcpio -p linux
Add this line to /etc/crypttab to mount the encrypted swap partition on boot.
crypt-swap /dev/xvdb /dev/urandom swap
Configure passwords and a user account.
passwd
useradd -m -g users -G wheel -s /bin/bash youruser
passwd youruser
visudo
- Uncomment line %wheel ALL=(ALL) ALL.
Build the grub-legacy bootloader from the AUR.
- Uncomment the multilib repo from /etc/pacman.conf.
pacman -Sy gcc-multilib
su youruser
cd
curl -O https://aur.archlinux.org/packages/gr/grub-legacy/grub-legacy.tar.gz
tar xf grub-legacy.tar.gz
cd grub-legacy
makepkg -s
sudo pacman -U grub-legacy-0.97-25-x86_64.pkg.tar.xz
cd ..
rm -rf grub-legacy grub-legacy.tar.gz
exit
Edit /boot/grub/menu.lst.
root (hd0)
kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro
Symlink the grub directory so pv-grub can find it.
cd /boot
mkdir boot
cd boot
ln -s ../grub .
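A pre-reboot check, added here as an example and not part of the original guide: it confirms that encrypt comes before filesystems in HOOKS and that the mapper name in root= matches the one in cryptdevice=, the two mistakes that leave the root partition unopened at boot. The function names and the sample files in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency checks for the encrypted-root configuration.

# hooks_order_ok FILE: succeed if the active (uncommented) HOOKS line
# lists "encrypt" before "filesystems".
hooks_order_ok() {
    hooks=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
            sed -e 's/^[^=]*=//' -e "s/[()\"']//g")
    seen_encrypt=no
    for h in $hooks; do
        case $h in
            encrypt)     seen_encrypt=yes ;;
            filesystems) [ "$seen_encrypt" = yes ]; return ;;
        esac
    done
    return 1    # no "filesystems" hook found at all
}

# kernel_args_ok FILE: succeed if, on the first kernel line, the NAME in
# root=/dev/mapper/NAME equals the NAME in cryptdevice=DEVICE:NAME.
kernel_args_ok() {
    line=$(grep -E '^[[:space:]]*kernel[[:space:]]' "$1" | head -n 1)
    root_name='' crypt_name=''
    for arg in $line; do
        case $arg in
            root=/dev/mapper/*) root_name=${arg#root=/dev/mapper/} ;;
            cryptdevice=*:*)    crypt_name=${arg#cryptdevice=*:}
                                crypt_name=${crypt_name%%:*} ;;  # drop any :options
        esac
    done
    [ -n "$root_name" ] && [ "$root_name" = "$crypt_name" ]
}

# Demo on constructed sample files (not copied from a real system).
demo_dir=$(mktemp -d)
printf '%s\n' '#HOOKS="base udev filesystems"' \
    'HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"' \
    > "$demo_dir/mkinitcpio.conf"
printf '%s\n' 'root (hd0)' \
    'kernel /vmlinuz-linux root=/dev/mapper/crypt-xvdc cryptdevice=/dev/xvdc:crypt-xvdc console=hvc0 ro' \
    > "$demo_dir/menu.lst"
hooks_order_ok "$demo_dir/mkinitcpio.conf" && echo "HOOKS order: ok"
kernel_args_ok "$demo_dir/menu.lst" && echo "kernel arguments: ok"
rm -rf "$demo_dir"
```

Inside the chroot, call hooks_order_ok /etc/mkinitcpio.conf and kernel_args_ok /boot/grub/menu.lst before leaving it.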
Leave chroots, unmount partitions, and reboot.
exit
umount -R /mnt
exit
pkill haveged
umount /tmp/root.x86_64/dev
umount /tmp/root.x86_64
- Shut down from Linode Manager
- Boot from Linode Manager
Every time you boot the machine, you'll need to connect to LISH and type in your password to unlock the root partition.