Full disk encryption in Archlinux

Introduction

This manual outlines how to install Arch Linux on a computer with an encrypted root partition. Strictly speaking this is not full disk encryption: the EFI system partition that holds the bootloader, the kernel and the initramfs stays unencrypted. What follows therefore protects the data at rest (a lost or stolen machine), but not against someone who can tamper with the unencrypted boot chain.

Everything that follows is described in more detail in the Arch Linux installation guide.

This manual will assume the disk is suitably prepared for installation and that the system is booted in UEFI mode (the latter seems to be the norm nowadays).

Partition the disk

For the duration of this manual we will assume the name of the device is /dev/sda. We will create only two partitions.

  • A partition containing the bootloader, the EFI system partition (/dev/sda1),
  • A partition containing /, which will be the LUKS container (/dev/sda2).

We do not create a separate partition for /home.

Begin by enabling NTP time synchronisation in the live system:

timedatectl set-ntp true

Find out using

lsblk -l

what the actual name of the device is. An NVMe drive shows up as /dev/nvme0n1, and its partitions are named /dev/nvme0n1p1 and /dev/nvme0n1p2 rather than /dev/sda1 and /dev/sda2; substitute accordingly below.

Partition the disk by starting

cfdisk /dev/sda

and choose gpt as the label type. Create partitions according to the following table (Start is in 512-byte sectors; 512M is 512 MiB, which is 1048576 sectors, so the second partition starts at sector 1050624):

Device     Start     Size       Type
/dev/sda1  2048      512M       EFI System
/dev/sda2  1050624   remainder  Linux filesystem

and write the partition table to disk.

Create the LUKS container

Format /dev/sda2 as a LUKS container. This destroys whatever is on the partition, and it asks for the passphrase that will unlock the disk at every boot; that passphrase is all that protects the data at rest, so choose a long one. With XTS the 512-bit key is split into two 256-bit keys, so this is AES-256; --iter-time 5000 makes every unlock attempt cost about five seconds of key derivation on this machine, which is what slows down offline passphrase guessing.

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

Unlock the partition. cryptroot is the device-mapper name we will operate on from now on: the decrypted view of the partition appears as /dev/mapper/cryptroot. Keep a copy of the LUKS header on separate media (cryptsetup luksHeaderBackup); if the header is damaged, the data cannot be recovered even with the passphrase.

cryptsetup open --type luks /dev/sda2 cryptroot

Create the boot and root file systems:

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/mapper/cryptroot

Mount them:

mount /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mount /dev/sda1 /mnt/boot
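The partitioning, LUKS and file-system steps above as one non-interactive script. This is an added example and not part of the original page: it uses sgdisk from gptfdisk (on the Arch ISO) in place of the interactive cfdisk, partprobe from parted to make the kernel re-read the table, and derives the partition names itself so the same script works for /dev/sda and /dev/nvme0n1. The cryptsetup options are the page's, minus --use-random, which on kernels from 5.6 on changes nothing because /dev/random and /dev/urandom draw from the same pool once it is seeded. With DRY_RUN=1 it prints the exact commands without touching the disk; without it, it wipes the device you name.

```shell
#!/bin/sh
# Non-interactive version of "Partition the disk" through "Mount them".
# Added example, not from the original page. Assumptions: sgdisk (gptfdisk)
# and partprobe (parted) are available, as they are on the Arch ISO.
# DRY_RUN=1 makes every privileged command print instead of run.
set -eu

DRY_RUN="${DRY_RUN:-0}"
MAPPER_NAME="cryptroot"      # device-mapper name used throughout the page

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# part_name DEV N: kernel name of partition N of DEV. SATA/virtio disks
# append the number (/dev/sda1); NVMe, MMC and loop devices end in a digit
# and need a "p" separator (/dev/nvme0n1p1).
part_name() {
    case "$1" in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# luks_format PART: the page's luksFormat call. "512-bit" AES-XTS is two
# 256-bit keys, i.e. AES-256. --batch-mode skips the interactive "YES"
# confirmation, so check the device name twice before running this live.
luks_format() {
    run cryptsetup --batch-mode --verbose \
        --cipher aes-xts-plain64 --key-size 512 --hash sha512 \
        --iter-time 5000 luksFormat "$1"
}

# prepare_disk DEV: GPT with a 512 MiB EFI System Partition (type ef00)
# and the rest as a Linux partition (8300), LUKS on the second one,
# FAT32 + ext4, mounted under /mnt exactly as the page does.
prepare_disk() {
    dev="$1"
    esp=$(part_name "$dev" 1)
    root=$(part_name "$dev" 2)

    run sgdisk --zap-all "$dev"
    run sgdisk --new=1:2048:+512M --typecode=1:ef00 --change-name=1:EFI "$dev"
    run sgdisk --new=2:0:0 --typecode=2:8300 --change-name=2:cryptroot "$dev"
    run partprobe "$dev"

    luks_format "$root"
    run cryptsetup open --type luks "$root" "$MAPPER_NAME"

    run mkfs.fat -F32 "$esp"
    run mkfs.ext4 "/dev/mapper/$MAPPER_NAME"

    run mount "/dev/mapper/$MAPPER_NAME" /mnt
    run mkdir -p /mnt/boot
    run mount "$esp" /mnt/boot
}

# Usage:  DRY_RUN=1 sh prepare-disk.sh /dev/nvme0n1   # print the plan
#         sh prepare-disk.sh /dev/nvme0n1             # destroys the disk
case "${1:-}" in
    /dev/*) prepare_disk "$1" ;;
esac
```

Compare the printed plan against lsblk before running it for real; prepare-disk.sh is just a placeholder file name.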

Install base system

pacstrap -i /mnt base base-devel linux linux-firmware

Configure the system

Generate the fstab (with -U the entries use file-system UUIDs; check the result before continuing):

genfstab -U -p /mnt >> /mnt/etc/fstab

Chroot to configure the base system:

arch-chroot /mnt

Set time zone:

ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime

Run hwclock(8) to generate /etc/adjtime:

hwclock --systohc

Localization

Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other needed locales. Generate the locales by running:

locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf

Network configuration

Create /etc/hostname containing the host name (myhostname below).

Add matching entries to /etc/hosts:

127.0.0.1       localhost
::1             localhost
127.0.1.1       myhostname.localdomain  myhostname

dhcpcd is not part of the base package, so install and enable it now; otherwise the new system has no network after the reboot:

pacman -S dhcpcd
systemctl enable dhcpcd.service

Root password and user account

Set root password:

passwd

Add a system user. The user still needs a password (passwd username), and membership of wheel only grants sudo rights once the %wheel line in /etc/sudoers is uncommented with visudo (sudo comes with base-devel). Most of the other groups below are legacy device-access groups; udev and systemd-logind now grant the logged-in user access to audio, video, removable storage and the like, so they can be left out and added only when something actually needs them:

useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username
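The file edits of this section as re-runnable functions, an added example rather than the page's own commands. Each function takes the tree being configured as a parameter, so the edits can be tried on a scratch directory and then run against / from inside arch-chroot; re-running after a mistake does not duplicate lines. The placeholders (Europe/Amsterdam, en_US.UTF-8, myhostname, username) are the page's, and configure_system is what you would call inside the chroot.

```shell
#!/bin/sh
# Added example, not from the original page: the "Configure the system"
# edits as functions. ROOT is "/" inside arch-chroot, or a scratch
# directory when trying the functions out. Placeholders are the page's.
set -eu

# set_timezone ROOT ZONE: point /etc/localtime at the zoneinfo file.
set_timezone() {
    ln -sf "/usr/share/zoneinfo/$2" "$1/etc/localtime"
}

# enable_locale ROOT "LOCALE CHARSET": uncomment that line in
# /etc/locale.gen (fail if it is not there at all) and write
# /etc/locale.conf with the locale part as LANG.
enable_locale() {
    root="$1" locale="$2"
    sed -i "s/^#$locale\$/$locale/" "$root/etc/locale.gen"
    grep -qx "$locale" "$root/etc/locale.gen" \
        || { echo "$locale is not in locale.gen" >&2; return 1; }
    printf 'LANG=%s\n' "${locale%% *}" > "$root/etc/locale.conf"
}

# set_hostname ROOT NAME: /etc/hostname and the matching /etc/hosts lines.
# The 127.0.1.1 line is replaced, not duplicated, on a second run.
set_hostname() {
    root="$1" name="$2" hosts="$1/etc/hosts"
    printf '%s\n' "$name" > "$root/etc/hostname"
    [ -f "$hosts" ] && sed -i '/^127\.0\.1\.1[[:space:]]/d' "$hosts"
    grep -qs '^127\.0\.0\.1[[:space:]]' "$hosts" \
        || printf '127.0.0.1\tlocalhost\n' >> "$hosts"
    grep -qs '^::1[[:space:]]' "$hosts" \
        || printf '::1\t\tlocalhost\n' >> "$hosts"
    printf '127.0.1.1\t%s.localdomain\t%s\n' "$name" "$name" >> "$hosts"
}

# configure_system: the whole section, to be run inside arch-chroot.
configure_system() {
    set_timezone / Europe/Amsterdam
    hwclock --systohc
    enable_locale / "en_US.UTF-8 UTF-8"
    locale-gen
    set_hostname / myhostname
    pacman -S --needed --noconfirm dhcpcd
    systemctl enable dhcpcd.service
    # Only wheel is added: sudo rights come from uncommenting the %wheel
    # line in /etc/sudoers with visudo; device access for the logged-in
    # user (audio, video, removable media) is granted by systemd-logind,
    # so the legacy device groups are left out unless something needs them.
    useradd -m -G wheel -s /bin/bash username
    passwd
    passwd username
}
```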

Initramfs & bootloader

Add the following kernel parameter in /etc/default/grub so that the encrypt hook knows which partition to unlock at boot and under which device-mapper name (the same one used above):

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot"

Device names such as /dev/sda2 are not stable (plugging in a USB disk can shift them), so it is safer to identify the partition by its UUID as printed by blkid, i.e. cryptdevice=UUID=<uuid>:cryptroot.

Add the encrypt hook in /etc/mkinitcpio.conf. Order matters: block must come before encrypt so the partition exists when the passphrase is requested, keyboard is kept before encrypt (the order the Arch wiki uses) so the keyboard drivers are in place when the passphrase prompt appears, and encrypt must come before filesystems so / is mounted from the unlocked device:

HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)

Re-generate the initramfs image:

mkinitcpio -p linux

We will be using the GRUB bootloader. Install the packages grub and efibootmgr with pacman. grub-install copies the GRUB EFI application to /boot/EFI/GRUB/ and registers a firmware boot entry named GRUB via efibootmgr; creating /boot/EFI beforehand is not strictly required, but harmless:

mkdir /boot/EFI
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Use the grub-mkconfig tool to generate /boot/grub/grub.cfg:

grub-mkconfig -o /boot/grub/grub.cfg
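The kernel parameter and hook edits of this section, done against named files and checked before the initramfs is rebuilt. This is an added example rather than the page's own commands: it identifies the LUKS partition by UUID instead of /dev/sda2, verifies the hook order with check_hooks (the page's original order, with keyboard after filesystems, is rejected), and then runs the same mkinitcpio, grub-install and grub-mkconfig calls as above. MAPPER_NAME matches the page; the file paths default to the real ones but can be pointed at copies.

```shell
#!/bin/sh
# Added example (not from the original page): the /etc/default/grub and
# /etc/mkinitcpio.conf edits from this section, on named files so they
# can be tested on copies, plus a check of the hook order.
set -eu

MAPPER_NAME="cryptroot"     # device-mapper name used throughout the page
# keyboard and block before encrypt, encrypt before filesystems
WANT_HOOKS="base udev autodetect modconf block keyboard encrypt filesystems fsck"

# crypt_param UUID: kernel parameter for the encrypt hook, by partition
# UUID rather than /dev name (find it with: blkid -s UUID -o value DEV).
crypt_param() {
    printf 'cryptdevice=UUID=%s:%s\n' "$1" "$MAPPER_NAME"
}

# set_grub_cmdline FILE PARAM: set GRUB_CMDLINE_LINUX="PARAM" in FILE,
# replacing an existing assignment or appending one.
set_grub_cmdline() {
    file="$1" param="$2"
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$param\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$param" >> "$file"
    fi
}

# hooks_in FILE: contents of the active HOOKS=(...) line of a
# mkinitcpio.conf (commented-out HOOKS lines are ignored).
hooks_in() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1" | tail -n 1
}

# hook_pos "HOOK LIST" NAME: 1-based position of NAME, or failure.
hook_pos() {
    n=$(printf '%s\n' "$1" | tr ' ' '\n' | grep -n -x "$2" | cut -d: -f1)
    [ -n "$n" ] && printf '%s\n' "$n"
}

# check_hooks "HOOK LIST": succeed only if encrypt is present, after block
# and keyboard, and before filesystems; otherwise say what is wrong.
check_hooks() {
    hooks="$1"
    enc=$(hook_pos "$hooks" encrypt) || { echo "encrypt hook missing"; return 1; }
    for before in block keyboard; do
        p=$(hook_pos "$hooks" "$before") || { echo "$before hook missing"; return 1; }
        [ "$p" -lt "$enc" ] || { echo "$before must come before encrypt"; return 1; }
    done
    p=$(hook_pos "$hooks" filesystems) || { echo "filesystems hook missing"; return 1; }
    [ "$p" -gt "$enc" ] || { echo "encrypt must come before filesystems"; return 1; }
}

# set_hooks FILE: replace the active HOOKS line with WANT_HOOKS.
set_hooks() {
    sed -i "s/^HOOKS=(.*)$/HOOKS=($WANT_HOOKS)/" "$1"
}

# configure_boot PART [GRUB_DEFAULT] [MKINITCPIO_CONF]: the whole section,
# to be run inside the chroot. PART is the LUKS partition (e.g. /dev/sda2).
configure_boot() {
    grubdef="${2:-/etc/default/grub}"
    mkconf="${3:-/etc/mkinitcpio.conf}"
    uuid=$(blkid -s UUID -o value "$1")
    set_grub_cmdline "$grubdef" "$(crypt_param "$uuid")"
    set_hooks "$mkconf"
    check_hooks "$(hooks_in "$mkconf")"
    mkinitcpio -p linux
    pacman -S --needed --noconfirm grub efibootmgr
    grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
    grub-mkconfig -o /boot/grub/grub.cfg
}
```

check_hooks only checks the relative order of the four hooks this section depends on; other hooks (microcode, kms, keymap) can be present in any position.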

Unmount, reboot

Exit from chroot, unmount the partitions, close the device and reboot (remove the installation media):

exit
umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot
reboot

Startup

dhcpcd was enabled in the chroot, so it should already be running after the reboot; if it is not, start and enable it now. While you are at it, lsblk should show / mounted from /dev/mapper/cryptroot, confirming that the encrypted root is in use:

systemctl start dhcpcd
systemctl enable dhcpcd

Modified: 2022-04-07 21:07:33 CEST
