Full disk encryption in Archlinux
Introduction
This manual outlines how to install Arch Linux on a computer with an encrypted disk. We did not call this "full disk encryption" because we will not encrypt the partition containing the bootloader.
Everything that follows is described in more detail in the Arch Linux installation guide.
This manual assumes that the disk is suitably prepared for installation and that the system is booted in UEFI mode (the latter seems to be the norm nowadays).
Partition the disk
For the duration of this manual we will assume the name of the device is /dev/sda. We will create only two partitions:
- a partition containing the bootloader (/dev/sda1),
- a partition containing / (/dev/sda2).
We do not create a separate partition for /home.
Begin by setting the time:
```
timedatectl set-ntp true
```
Find out with `lsblk -l` what the actual name of the device is (it could be /dev/nvme0n or some such).
Partition the disk by starting `cfdisk /dev/sda`, choose the gpt label type and create partitions according to the following table:

Device | Start | Size | Type
---|---|---|---
/dev/sda1 | 2048 | 512MB | EFI System
/dev/sda2 | 1050624 | remainder of disk | Linux filesystem

Then write the partition table to disk.
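The table above can also be expressed as an sfdisk(8) script, which makes the layout reviewable and repeatable instead of typed into cfdisk. The script below is an added example and not part of the original guide. It assumes 512-byte logical sectors (check with `blockdev --getss`) and the device name found with `lsblk -l`; it derives the root start from the ESP start and size (2048 + 512 MiB = 1050624 sectors, which is why the table's "512MB" is really 512 MiB), refuses unaligned starts, and forms partition node names correctly for both /dev/sdX and /dev/nvmeXnY devices. The GPT type GUIDs are the standard ones for EFI System and Linux filesystem partitions.

```shell
#!/bin/sh
# Added example, not from the original guide: emit an sfdisk(8) script for the
# two-partition layout in the table above, so it can be reviewed and applied
# with `sfdisk_script /dev/sda | sfdisk /dev/sda` instead of typed into cfdisk.
# Assumptions: 512-byte logical sectors (check with `blockdev --getss`) and the
# device name reported by `lsblk -l`.

SECTOR_BYTES=512   # assumed logical sector size
ESP_START=2048     # start of the EFI partition from the table (1 MiB aligned)
ESP_SIZE_MIB=512   # size of the EFI partition from the table; cfdisk's "512M" is MiB

# Standard GPT partition type GUIDs for the two types used in the table.
TYPE_EFI=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
TYPE_LINUX_FS=0FC63DAF-8483-4772-8E79-3D69D8477DE4

# mib_to_sectors MIB -> number of sectors covering MIB mebibytes
mib_to_sectors() {
    echo $(( $1 * 1024 * 1024 / SECTOR_BYTES ))
}

# root_start -> first sector of the root partition: ESP start plus ESP size.
# With the table's values this is 2048 + 1048576 = 1050624.
root_start() {
    echo $(( ESP_START + $(mib_to_sectors "$ESP_SIZE_MIB") ))
}

# is_aligned SECTOR -> success when SECTOR lies on a 1 MiB boundary
is_aligned() {
    [ $(( $1 % $(mib_to_sectors 1) )) -eq 0 ]
}

# part_name DEVICE N -> partition node: /dev/sda -> /dev/sda1, /dev/nvme0n1 -> /dev/nvme0n1p1
part_name() {
    case "$1" in
        *[0-9]) echo "${1}p$2" ;;
        *)      echo "$1$2" ;;
    esac
}

# sfdisk_script DEVICE -> prints the sfdisk script; fails if a start is unaligned
sfdisk_script() {
    dev=$1
    esp_sectors=$(mib_to_sectors "$ESP_SIZE_MIB")
    root=$(root_start)
    if ! is_aligned "$ESP_START" || ! is_aligned "$root"; then
        echo "partition start not 1 MiB aligned" >&2
        return 1
    fi
    printf 'label: gpt\ndevice: %s\nunit: sectors\n\n' "$dev"
    printf '%s : start=%s, size=%s, type=%s\n' "$(part_name "$dev" 1)" "$ESP_START" "$esp_sectors" "$TYPE_EFI"
    # No size given: the root partition takes the remainder of the disk.
    printf '%s : start=%s, type=%s\n' "$(part_name "$dev" 2)" "$root" "$TYPE_LINUX_FS"
}

sfdisk_script /dev/sda
```

Review the printed script before piping it into `sfdisk`, since applying it rewrites the partition table of the named device.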
Create cryptographic device mapper
```
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2
```
Unlock the partition; note that cryptroot is the device mapper name that we will operate on from here on:
```
cryptsetup open --type luks /dev/sda2 cryptroot
```
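Before putting a file system on the container it is worth confirming that the header really carries the parameters that were requested. The checker below is an added example and not part of the original guide: it parses the output of `cryptsetup luksDump` for the cipher, mode, hash and master key size, and counts enabled key slots. The sample dump is constructed text in the LUKS1 layout (the layout `--type luks` produced on older cryptsetup releases); a LUKS2 header prints a different, sectioned layout and would need a different parser. On the installed system you would feed it the live output of `cryptsetup luksDump /dev/sda2`.

```shell
#!/bin/sh
# Added example, not part of the original guide: check that a LUKS header
# actually carries the cipher, mode, hash and key size requested in the
# luksFormat command above. The parser is fed text so it runs offline; on the
# installed system you would pass it `cryptsetup luksDump /dev/sda2`.

# Constructed sample in the LUKS1 luksDump layout (whitespace normalised);
# the values mirror the luksFormat flags used above.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             2500000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
'

# Constructed variant where the hash was left at a weaker setting.
WEAK_HASH_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" | sed 's/^Hash spec:.*/Hash spec:      sha1/')

# dump_field DUMP "Field name" -> the value on the first matching "Field name:" line
dump_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# enabled_slots DUMP -> how many key slots hold a passphrase (one after this guide)
enabled_slots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED'
}

# check_luks_header DUMP -> success when every parameter matches the guide's
# choice; each mismatch is reported on stderr.
check_luks_header() {
    status=0
    [ "$(dump_field "$1" 'Cipher name')" = aes ]         || { echo "cipher is not aes" >&2; status=1; }
    [ "$(dump_field "$1" 'Cipher mode')" = xts-plain64 ] || { echo "mode is not xts-plain64" >&2; status=1; }
    [ "$(dump_field "$1" 'Hash spec')" = sha512 ]        || { echo "hash is not sha512" >&2; status=1; }
    [ "$(dump_field "$1" 'MK bits')" = 512 ]             || { echo "master key is not 512 bits" >&2; status=1; }
    return $status
}

if check_luks_header "$SAMPLE_DUMP"; then
    echo "header matches the guide, $(enabled_slots "$SAMPLE_DUMP") key slot(s) enabled"
fi
```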
Create the boot and root file systems:
```
mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/mapper/cryptroot
```
Mount them:
```
mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mount /dev/sda1 /mnt/boot
```
Install base system
```
pacstrap -i /mnt base base-devel linux linux-firmware
```
Configure the system
Generate the fstab:
```
genfstab -U -p /mnt >> /mnt/etc/fstab
```
Chroot to configure the base system:
```
arch-chroot /mnt
```
Set the time zone:
```
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
```
Run hwclock(8) to generate /etc/adjtime:
```
hwclock --systohc
```
Localization
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and any other needed locales. Generate the locales and set the system language:
```
locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf
```
Network configuration
Create /etc/hostname and set the hostname.
Add matching entries to /etc/hosts:
```
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
```
Check whether dhcpcd is installed; if not, install and enable it now:
```
pacman -S dhcpcd
systemctl enable dhcpcd.service
```
Root passwd and user management
Set the root password:
```
passwd
```
Add a system user:
```
useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username
```
Initramfs & bootloader
Add the following kernel parameter in /etc/default/grub to be able to unlock your LUKS encrypted root partition during system startup:
```
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot"
```
Add the encrypt hook in /etc/mkinitcpio.conf (order matters; the added hook is marked):
```
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
                                          ^^^^^^^
```
Regenerate the initramfs image:
```
mkinitcpio -p linux
```
We will be using the GRUB bootloader. Install the packages grub and efibootmgr. The EFI binary will be stored in /boot/EFI. Create that directory and install the GRUB EFI application:
```
mkdir /boot/EFI
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
```
Use the grub-mkconfig tool to generate /boot/grub/grub.cfg:
```
grub-mkconfig -o /boot/grub/grub.cfg
```
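The two edits above (the encrypt hook and the cryptdevice kernel parameter) have to agree with each other, and a mistake in either one only shows up as an unbootable system after the reboot. The script below is an added example, not part of the original guide, that checks both files before leaving the chroot: the encrypt hook must sit after block (so the device exists) and before filesystems (so the mapped device can be mounted), a keyboard hook must be present so the passphrase can be typed, and GRUB_CMDLINE_LINUX must name the same mapper, cryptroot, that the guide opened. It also notes when the cryptdevice source is a bare /dev path, because such names can change when disks are added or the controller enumerates differently; the encrypt hook also accepts a UUID=<uuid> source. The file contents are constructed samples; on a real system read /etc/mkinitcpio.conf and /etc/default/grub instead.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity-check the two files
# edited above before leaving the chroot. Samples are constructed text; on a
# real system pass "$(cat /etc/mkinitcpio.conf)" and "$(cat /etc/default/grub)".

MKINITCPIO_SAMPLE='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)'

# Constructed broken variant: the encrypt hook was never added.
MKINITCPIO_NO_ENCRYPT='HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)'

# Constructed broken variant: encrypt placed before block, so the device is not yet available.
MKINITCPIO_BAD_ORDER='HOOKS=(base udev autodetect modconf encrypt block filesystems keyboard fsck)'

GRUB_SAMPLE='GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot"'

# hooks_list TEXT -> the words between HOOKS=( and )
hooks_list() {
    printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p'
}

# hook_index "hook list" NAME -> 1-based position of NAME, or 0 if absent
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks MKINITCPIO_TEXT -> success when the HOOKS line can unlock an encrypted root
check_hooks() {
    hooks=$(hooks_list "$1")
    b=$(hook_index "$hooks" block)
    e=$(hook_index "$hooks" encrypt)
    f=$(hook_index "$hooks" filesystems)
    k=$(hook_index "$hooks" keyboard)
    if [ "$e" -eq 0 ]; then echo "encrypt hook missing" >&2; return 1; fi
    if [ "$b" -eq 0 ] || [ "$b" -gt "$e" ]; then echo "encrypt must come after block" >&2; return 1; fi
    if [ "$f" -eq 0 ] || [ "$f" -lt "$e" ]; then echo "encrypt must come before filesystems" >&2; return 1; fi
    if [ "$k" -eq 0 ]; then echo "keyboard hook missing, passphrase cannot be typed" >&2; return 1; fi
    return 0
}

# cryptdevice_spec GRUB_TEXT -> the "<source>:<name>" value of cryptdevice= in GRUB_CMDLINE_LINUX
cryptdevice_spec() {
    printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' \
        | tr ' ' '\n' | sed -n 's/^cryptdevice=//p' | head -n 1
}

crypt_source() { cryptdevice_spec "$1" | cut -d: -f1; }
mapper_name()  { cryptdevice_spec "$1" | cut -d: -f2; }

# source_is_uuid GRUB_TEXT -> success when the source is UUID=..., which survives device renumbering
source_is_uuid() {
    case "$(crypt_source "$1")" in
        UUID=*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_boot_config MKINITCPIO_TEXT GRUB_TEXT -> success when hooks and kernel parameter agree
check_boot_config() {
    check_hooks "$1" || return 1
    if [ "$(mapper_name "$2")" != cryptroot ]; then
        echo "cryptdevice mapper name is not cryptroot" >&2
        return 1
    fi
    source_is_uuid "$2" || echo "note: cryptdevice uses a /dev path; UUID= is more robust" >&2
    return 0
}

check_boot_config "$MKINITCPIO_SAMPLE" "$GRUB_SAMPLE" && echo "boot configuration consistent"
```

Run it inside the chroot after editing both files and before `mkinitcpio -p linux` and `grub-mkconfig`; a failure message points at the file that needs another look.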
Unmount, reboot
Exit the chroot, unmount the partitions, close the device and reboot (remove the installation media):
```
exit
umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot
reboot
```
Startup
Once logged in to the new system, start dhcpcd:
```
systemctl start dhcpcd
systemctl enable dhcpcd
```