Skip to content

Instantly share code, notes, and snippets.

@saces

saces/archlinux_crypto_setup.md

Last active August 29, 2015 14:04
Show Gist options
  • Save saces/1c58e7dcd86ad0d43864 to your computer and use it in GitHub Desktop.
Save saces/1c58e7dcd86ad0d43864 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
archlinux_crypto_setup.md

Archlinux setup with LVM on LUKS

This guide is based on the official Archlinux Installation Guide, Beginners' Guide and my personal experience.

Partition layout

HDD mapper fs size mountpoint
sda1 - ext4 512 MB /boot
sda2 - LUKS MAX /dev/mapper/lvmpool
lvm root ext4 16 GB /
lvm swap swap = RAM none
lvm var ext4 16 GB /var
lvm home ext4 MAX /home

If LUKS is not in the filesystem type list set this partition to type e8.

Load correct key layout if needed

# loadkeys de-latin1-nodeadkeys

Setup partitions

Create the 2 partitions and make the first one bootable.

# cfdisk

Format the first partition with ext4. It holds the kernel and grub.

# mkfs.ext4 -L boot /dev/sda1

Create the crypto container

# cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

Open the crypto container

HDD:

# cryptsetup luksOpen /dev/sda2 lvmpool

SSD:

# cryptsetup luksOpen --allow-discards /dev/sda2 lvmpool

Create LVM setup

  • Add physical volume

    # pvcreate /dev/mapper/lvmpool

  • Add volume group

    # vgcreate system /dev/mapper/lvmpool

  • Add logical volumes

    # lvcreate -L 16G system -n swap
# lvcreate -L 16G system -n root
# lvcreate -L 16G system -n var
# lvcreate -l +100%FREE system -n home

Format the partitions

# mkswap -L swap /dev/system/swap
# mkfs.ext4 -L root /dev/system/root
# mkfs.ext4 -L var /dev/system/var
# mkfs.ext4 -L home /dev/system/home

Mount everything

# mount /dev/system/root /mnt
# mkdir /mnt/{boot,var,home}
# mount /dev/sda1 /mnt/boot
# mount /dev/system/var /mnt/var
# mount /dev/system/home /mnt/home
# swapon /dev/system/swap

Install rootfs with pacstrap

# pacstrap -i /mnt base base-devel

Generate fstab

# genfstab -U -p /mnt >> /mnt/etc/fstab

Turn the swap off. It was only needed to correctly generate the fstab.

# swapoff /dev/system/swap

Chroot into the new system

# arch-chroot /mnt

Install grub

# pacman -S grub-bios
# grub-install --recheck /dev/sda

Edit /etc/mkinitcpio.conf:

HOOKS="... keyboard encrypt lvm2 resume filesystems ..."

Generate initfs:

# mkinitcpio -p linux

Setup grub

Edit /etc/default/grub:

SSD:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvmpool:allow-discards root=/dev/system/root resume=/dev/system/swap"

HDD:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvmpool root=/dev/system/root resume=/dev/system/swap"

Generate grub.cfg:

# grub-mkconfig -o /boot/grub/grub.cfg

Seting up the base system

  • Edit /etc/locale.conf:

    LANG=en_US.UTF-8
LANGUAGE=en_US:en_GB:en

  • Edit /etc/locale.gen and uncomment the needed locales:

    de_DE.UTF-8 UTF-8
[..]
en_US.UTF-8 UTF-8

  • Generate locales

    # locale-gen

  • Edit /etc/vconsole.conf and set keymap and font:

    #KEYMAP=de-latin1-nodeadkeys
KEYMAP=us
FONT=Lat2-Terminus16
FONT_MAP=8859-2

  • Set timezone:

    # ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

  • Set hostname:

    # echo example.com > /etc/hostname

Configure network with dynamic IP

This is not needed if you install a graphical network manager.

Get the example config file.

# cp /etc/netctl/examples/ethernet-dhcp /etc/netctl/

Enable and start netctl profile at boot:

# netctl enable ethernet-dhcp

Deactivate new udev naming scheme

# ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules

Install dependencies for wifi connection (optional)

# pacman -S dialog wpa_supplicant

Configure pacman and add a user

Edit /etc/pacman.conf and uncomment [multilib].

Update packages and db:

# pacman -Sy

Add an user and set the password:

# useradd -m -g users -G wheel -s /bin/bash bob
# passwd bob

Run:

# visudo

and uncomment %wheel ALL=(ALL) ALL so that the user can use sudo.

Now remove the root password so that root cannot login (don't use passwd -l because than the recovery root login doesn't work anymore):

# passwd -d root

Finishing

Exit chroot environment.

Umounting devices:

# umount /mnt/boot
# umount /mnt/var
# umount /mnt/home
# umount /mnt
# swapoff /dev/system/swap
# cryptsetup luksClose /dev/mapper/lvmpool

Reboot:

# reboot

Finished! You now have an encrypted Archlinux up and running.

Now setup the system

Setup audio

Install ALSA and unmute the master volume.

# pacman -S alsa-utils
# alsamixer

Setup X

  • You need at least one font and the X server

    # pacman -S ttf-dejavu xorg-server xorg-server-utils xorg-xinit mesa xorg-twm xorg-xclock xterm

  • Find your video driver and install it. (here intel is used):

    $ pacman -Ss xf86-video | less
# pacman -S xf86-video-intel

  • Test X and exit all X-terminals if it works

    $ startx

Setup your prefered system

  • Now go there and look how to install your favorite desktop environment: Desktop_Environment
  • Or choose just one of these window managers (Window Manager) and look how to start X at boot here: Start_X_at_Login
  • Use the Archlinux wiki extensively! It's beautiful and full of wonderful pages that can help you in every situation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment