WARNING: backup your files before beginning!
USB stick /dev/sdb
:
/dev/sdb1
: non-encrypted EFI System Partition (ESP)/dev/sdb2
: LUKS2 encrypted partition that contains the/boot
partition
Drive /dev/sda
: entirely encrypted with LUKS2. The LUKS2 header will be detached (not stored at the beginning of the drive). Arch Linux will be installed on the first partition (formatted as Ext4 or Btrfs) and additional partitions can be added as needed.
Only the USB key passphrase will be required to unlock all the partitions. The keyfile and the LUKS2 detached header will be stored in the initramfs, which is itself stored in the /boot
partition.
Completed from the Arch Linux wiki.
- POST
- UEFI launch
- UEFI identifies
/dev/sdb1
as an ESP and launchesEFI\GRUB\grubx64.efi
- GRUB unlocks
/dev/sdb2
with thecryptomount
command and accesses the/boot
partition - GRUB reads
/boot/grub/grub.cfg
and displays the OS selection splash screen - GRUB boots the kernel (
vmlinux
image) - The kernel loads the initramfs
- initramfs, using the keyfiles and the LUKS2 detached header it stores, unlocks
/dev/sdb2
and/dev/sda
- Late userspace launch:
fstab
mounts the/boot
and Arch Linux partitions
Note: the ESP contains the GRUB EFI application while the /boot
partition contains the GRUB configuration file. The ESP will be mounted on /efi
(not /boot
or /boot/efi
).
WARNING: backup your files before beginning!
Securely wipe the USB stick first, even if it is new.
Create a GPT partition table and the necessary partitions:
# fdisk /dev/sdb -> g (creates a GPT partition table, required for UEFI)
-> n then +512M (creates partition 1 of size 512MiB)
-> n (creates partition 2)
-> t then 1 (changes the type of partition 1 to ESP)
-> w (writes the changes to disk)
Format the ESP /dev/sdb1
as FAT32:
# mkfs.fat -F 32 /dev/sdb1
Encrypt the /dev/sdb2
partition with LUKS2 and then format it as Ext4:
# cryptsetup --type luks2 \
--cipher aes-xts-plain64 \
--key-size 512 \
--pbkdf pbkdf2 \
--hash sha512 \
--iter-time 5000 \
--verify-passphrase \
luksFormat /dev/sdb2
# cryptsetup open /dev/sdb2 boot
# mkfs.ext4 /dev/mapper/boot
N.B. : use PBKDF2 instead of Argon2 as the latter is not officially supported by GRUB 2.06 (alternatively, you can install the patched version grub-improved-luks2-git from the AUR).
Securely wipe the drive first, even if it is new.
Create a keyfile and the detached header, and encrypt the drive:
# dd if=/dev/urandom of=/root/cryptroot_key.img bs=512 count=4 iflag=fullblock
# truncate -s 16M /root/cryptroot_header.img
# cryptsetup --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-urandom --verify-passphrase luksFormat /dev/sda --header=/root/cryptroot_header.img --key-file=/root/cryptroot_key.img
Create a partition table on the drive and a new partition for Arch Linux (Ext4 here):
# cryptsetup open /dev/sda root
# fdisk /dev/mapper/root -> g
-> n (repeat to create multiple partitions)
-> w
# mkfs.ext4 /dev/mapper/root-part1
Note: for Btrfs, follow steps 7 to 9 in this guide.
Mount the partitions then chroot
:
# mount /dev/mapper/root-part1 /mnt
# mount /dev/mapper/boot /mnt/boot
# mount /dev/sdb1 /mnt/efi
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
Follow the official installation guide until Initramfs.
Corresponding section of the Arch Linux wiki
GRUB asks for the passphrase of /dev/sdb2
but does not communicate it to the initramfs. To avoid that the latter asks for it again, add a keyfile to /dev/sdb2
and store it in the initramfs:
# dd if=/dev/urandom of=/root/cryptboot_key.img bs=512 count=4 iflag=fullblock
# cryptsetup --cipher aes-xts-plain64 \
--pbkdf argon2id \
--hash sha512 \
--iter-time 5000 \
luksAddKey /dev/sdb2 /root/cryptboot_key.img
Add ext4
to the module list so that the initramfs can read the keyfiles and the LUKS2 detached header from the USB stick:
MODULES=(ext4)
Store the keyfiles and the header in the initramfs:
FILES=(/root/cryptboot_key.img /root/cryptroot_key.img /root/cryptroot_header.img)
Use sd-encrypt
in the hook chain:
HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
Corresponding section of the Arch Linux wiki
Find the identifiers of /dev/sda
and /dev/sdb2
with # ls -l /dev/disk/by-id
, then create /etc/crypttab.initramfs
with the following content:
cryptboot /dev/disk/by-id/id-of-sdb2 /root/cryptboot_key.img
cryptroot /dev/disk/by-id/id-of-sda /root/cryptroot_key.img header=/root/cryptroot_header.img
# mkinitcpio -P
Note: the settings in /etc/default/grub
(notably the kernel parameters) do not need to be changed.
Install the necessary packages:
# pacman -S grub efibootmgr
Install GRUB to the ESP with the modules needed to unlock /dev/sdb2
, in order to access the /boot
partition:
# grub-install --target=x86_64-efi --efi-directory=/efi --modules="luks2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512" --bootloader-id=GRUB
Generate the GRUB configuration file:
# grub-mkconfig -o /boot/grub/grub.cfg
Corresponding section of the Arch Linux wiki
Find the UUID identifier of /dev/sdb2
with # fdisk -l
then create the file /boot/grub/grub_sdb2.conf
:
cryptomount -u UUID-dev-sdb2
set prefix=(crypto0)/grub
set root=(crypto0)
insmod normal
normal
Generate the GRUB EFI image and install it to ESP:
# grub-mkimage -p '(crypto0)/grub' -O x86_64-efi -c /boot/grub/grub_sdb2.conf -o /tmp/grubx64.efi luks2 ext2 part_gpt cryptodisk gcry_rijndael pbkdf2 gcry_sha512
# install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi