Installing full system encrypted arch linux

Posted on Tue 19 May 2020 in dev-journal

This is a documentation of an Arch Linux installation with luks and lvm.

The drive will use a boot partition which will remain unencrypted with a second partition which will be encrypted with luks and then use lvm to create volumes within the lux encrypted partition.

Resources: https://computingforgeeks.com/install-arch-linux-luks-encryption/ https://gist.github.com/mattiaslundberg/8620837

Formatting the disk

The disk will be formatted with fdisk with the following details:

  • 260 MB efi partition
  • The rest of the drive is designated for the linux filesystem
➜  ma@ma-desktop /mnt  sudo fdisk /dev/nvme0n1

Welcome to fdisk (util-linux 2.35.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): g
Created a new GPT disklabel (GUID: 67FB8DF3-A6B6-9F4C-8853-A7DF2CF3EBAD).
The device contains 'dos' signature and it will be removed by a write command. See fdisk(8) man page and --wipe option for more details.

Command (m for help): n
Partition number (1-128, default 1): 
First sector (2048-1953525134, default 2048): 

Partition type (type L to list all types): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Command (m for help): n
Partition number (2-128, default 2): 
First sector (1050624-1953525134, default 1050624): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (1050624-1953525134, default 1953525134): 

Created a new partition 2 of type 'Linux filesystem' and of size 931 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Current partition scheme:

➜  ma@ma-desktop /mnt  lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
nvme0n1     259:0    0 941.3G  0 disk 
├─nvme0n1p1 259:1    0   260M  0 part 
└─nvme0n1p2 259:3    0   941G  0 part

install FAT 32 FS for boot partition

➜  ma@ma-desktop /mnt  sudo mkfs.fat -F32 /dev/nvme0n1p1
mkfs.fat 4.1 (2017-01-24)

Create the luks encrypted container on the other partition

➜  ma@ma-desktop /mnt  sudo cryptsetup luksFormat -v --type luks --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 2000 --use-random --verify-passphrase /dev/nvme0n1p2

Open the container

➜  ma@ma-desktop /mnt  sudo cryptsetup open /dev/nvme0n1p2 cryptlvm

Create physical volume

➜  ma@ma-desktop /mnt  sudo pvcreate /dev/mapper/cryptlvm
  Physical volume "/dev/mapper/cryptlvm" successfully created.

Create volume group

➜  ma@ma-desktop /mnt  sudo vgcreate vg0 /dev/mapper/cryptlvm
  Volume group "vg0" successfully created

Create root logical volume

➜  ma@ma-desktop /mnt  sudo lvcreate -L 32G vg0 --name root
  Logical volume "root" created.

Create home logical volume

➜  ma@ma-desktop /mnt  sudo lvcreate -L 100G vg0 --name home
  Logical volume "home" created.

Optional: Create swap logical volume

➜  ma@ma-desktop ~  sudo lvcreate -L 8G vg0 --name swap 
  Logical volume "swap" created

Create filesystem on lvs

➜  ma@ma-desktop /mnt  sudo mkfs.ext4 /dev/vg0/home

➜  ma@ma-desktop /mnt  sudo mkfs.ext4 /dev/vg0/root

Optional: mkswap

➜  ma@ma-desktop ~  sudo mkswap /dev/mapper/vg0-swap 
Setting up swapspace version 1, size = 8 GiB (8589930496 bytes)

Create and mount necessary directories for chroot

➜  ma@ma-desktop /mnt  sudo mount /dev/vg0/root /mnt/install
➜  ma@ma-desktop /mnt  sudo mkdir /mnt/install/home
➜  ma@ma-desktop /mnt  sudo mkdir /mnt/install/boot
➜  ma@ma-desktop /mnt  sudo mount /dev/vg0/home /mnt/install/home

Bootstrap the system

### bootstrap the system from live cd 
 ➜  pacstrap -i /mnt/install base base-devel vim lvm2

### bootstrap the system from live cd 
# note for -c option 
#    -c             Use the package cache on the host, rather than the target
 ➜  ma@ma-desktop /mnt sudo pacstrap -c -i /mnt/install base base-devel vim lvm2

modify /mnt/install/etc/mkinitcpio to add encrypt and lvm2 before filesystems

HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

➜  ma@ma-desktop /mnt mkinitcpio -p linux

Finish install

Continue the installation as normal Arch linux installation guide

sudo pacstrap -c -i /mnt/install base base-devel vim lvm2 intel-ucode

modify /etc/mkinitcpio.conf when I first tried this the keyboard layout was still asdf so needed to add the keymap 

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)

developer journal

Previous Post Next Post