Arch Linux installation on an encrypted LVM

**This article is currently being updated, 2 April 2017**

Brian first introduced me to Arch Linux when he gave me an old laptop with a fresh installation of Manjaro. I’ve turned into a bit of a minimalist after spending years using Crunchbang, but found its Debian core lagged behind the more bleeding-edge apps I required for development. After Crunchbang closed (moving to the community-driven BunsenLabs) I tried a vanilla install of Debian and, though it was actually pretty snazzy, I thought ‘Why not get to grips with the basics?’ and decide whether to add in all the other bloat in my own time. And, more importantly, embrace the rolling releases of Arch.


Why encrypt at volume level? If anyone were to gain access to your device they could easily SSH in or load the volume and navigate your files and your history, copying, editing and corrupting anything. Most operating systems have a method to fully encrypt your filesystem: Macs use FileVault, Windows can use EFS (Encrypting File System), on Linux you can use LUKS, and across all of them you could use VeraCrypt, which encrypts at container level. This tutorial shows the method using LUKS.

I found this quite recent video on YouTube https://www.youtube.com/watch?v=gB1N00wj3bw which inspired me to blog the process. Not everyone likes to watch a vid, so this is me saving you the time. There are almost 100 steps here, so put aside plenty of time. It might take you around 40 mins.. well, my install did. This process will erase and repartition everything currently on the target computer. Back up anything you need to keep from the.. who am I kidding? Let’s destroy everything that existed on the drive already and start all over. Arch is pretty freaking solid. Get through these steps and you’ll be part of a pretty niche club of command-line installers. You’ll either be shouting ‘Stuff GUIs’ or be so glad it’s over that you’re scrambling to install a desktop environment because of your mouse-clicking finger withdrawals.

Linux is good like that. The flexibility is crazy for newcomers. I’ve been using it years and still find it breathtaking. I learned so much doing the install and I hope you enjoy it too. Now crack on..

1) Go to https://www.archlinux.org/download/ and download DUAL.ISO (dual as in both 32 bit [i386] and 64 bit [x86_64]) via a mirror close to your geographic location.

2) The DUAL.ISO.SIG file can be used to check the digital signature of the download. Some might think this is an unnecessary step. I personally feel that arming yourself with such a skill is an important step in taking control of your privacy. Again, the process to do so varies with each OS. In future I’ll cover how to do this, but for now here’s a tutorial from TAILS https://tails.boum.org/install/download/openpgp/

* I’ll skip DD’ing the ISO onto a USB or burning a DVD. Just search for that basic step to match your needs.

3) Boot using your ISO image. Arch boots into the command line as the root user and has no GUI once installed. That can be added later.

4) enter: fdisk -l [this lists all the drives on this computer. Most often the default disk is /dev/sda (which I’ll use throughout this tutorial) but yours may differ. For example, if you are using a Live USB to install Linux, the OS you are booting from will generally be ‘sda’, so ‘sdb’ would be your target. If you were installing from a CD or DVD, the target would be ‘sda’. If you had a number of drives you might even be using ‘sdc’, and so on. I won’t assume which you are using, but be certain to recognise your specific case and how it changes the commands in the steps ahead. Note down the /dev/whatever_it_is drive details to help your recall.]

5) The rest of these steps will be in the commandline. A reminder that this process will erase the harddrive:

6) fdisk /dev/sda [I’ve never used fdisk as much as we do in this tutorial. It’s clearly really powerful.]

7) o [lowercase letter o – creates a new, empty DOS partition table, wiping the existing one]

8) n [for new partition]

9) p [for primary partition]

10) enter [for default partition number of 1]

11) enter [for default first sector]

12) +400M [this is the boot partition and is the only partition not encrypted]

13) a [to mark that partition as bootable]

14) n [to create the second partition]

15) p [for primary partition]

16) 2 [for partition number 2]

17) enter [for default first sector]

18) enter [this will fill the rest of the harddrive]

19) t [to change the partition type]

20) 2 [default partition number]

21) 8E [Linux LVM]

22) w [to write changes – exciting hey?]

23) cryptsetup luksFormat /dev/sda2 [to encrypt the second partition]

24) YES [are you sure you want to encrypt this – remember you’re an adult now so type it in caps like they ask!]

25) [enter your really strong and unique passphrase – if you ever forget this passphrase you will be locked out of this encrypted hard drive for ever and ever]

26) [verify this passphrase by typing it again]

27) cryptsetup open --type luks /dev/sda2 lvm [this will open the encrypted partition from step 23 and map it under the name ‘lvm’, i.e. /dev/mapper/lvm]

28) [enter your really strong and unique passphrase]

29) pvcreate --dataalignment 1m /dev/mapper/lvm [the ‘--dataalignment 1m’ is for an SSD. If you don’t have an SSD, don’t enter that part. This creates the physical volume for your LVM]

30) vgcreate volgroup0 /dev/mapper/lvm [this creates a volume group called ‘volgroup0’]

31) lvcreate -L 30GB volgroup0 -n lv_root [creates the ROOT logical volume]

32) lvcreate -L 2GB volgroup0 -n lv_swap [creates the SWAP logical volume]

33) lvcreate -l 100%FREE volgroup0 -n lv_home [creates the HOME logical volume using the rest of the harddrive space]

34) modprobe dm_mod [load the device-mapper kernel module]

35) vgchange -ay [activate these changes to the volume group]

36) mkfs.ext2 /dev/sda1 [formats the standard boot partition]

37) mkfs.ext4 /dev/volgroup0/lv_root [to format to ROOT logical volume]

38) mkfs.ext4 /dev/volgroup0/lv_home [to format the HOME logical volume]

39) mount /dev/volgroup0/lv_root /mnt [to mount ROOT logical volume]

40) mkdir /mnt/boot [create a temporary boot directory]

41) mount /dev/sda1 /mnt/boot [mount the unencrypted BOOT partition on the temp directory]

42) mkdir /mnt/home [create a temporary home directory]

43) mount /dev/volgroup0/lv_home /mnt/home [link the temp directory to the HOME directory]

44) ip a [shows all the network connections – I’ll show how to setup broadcom WiFi]

45) ifconfig [look for your WiFi card – the ethernet start with ‘enp0s..’ – the internal software loopback is ‘lo’ – the WiFi starts with ‘wlp…’]

46) cp /etc/netctl/examples/wireless-wpa /etc/netctl/some_wireless_name [this copies the example WPA profile into place. Change ‘some_wireless_name’ to one more appropriate for your network. You must also enable dhcpcd with `systemctl enable dhcpcd.service`]

47) nano /etc/netctl/some_wireless_name [to edit the file you just copied in the nano editor. This profile lives on the live medium and only serves this setup, so note the values down somewhere as you’ll need them again after the reboot!]

48) [edit INTERFACE to the name of your WiFi card from step 45]

49) [edit ESSID to the name of your WiFi network]

50) [edit KEY to the password for your WiFi network]

51) CTRL-O [to save the file]

52) enter [to save as the same name as the file you opened]

53) CTRL-X [to exit nano editor]

54) netctl start some_wireless_name

55) ip a [should now show your wifi all connected and stuff]

56) pacstrap -i /mnt base [uses a simple script to install the base image as seen in the Arch Linux wiki – https://wiki.archlinux.org/index.php/Installation_guide#Install_the_base_packages]

57) enter [to download all the default packages]

58) enter [to proceed]

59) genfstab -U -p /mnt >> /mnt/etc/fstab [to use the logical volume we’ve previously created]

60) arch-chroot /mnt [to change root to the ROOT filesystem]

61) pacman -S openssh grub-bios linux-headers linux-lts linux-lts-headers wpa_supplicant wireless_tools [only grub-bios is essential, but on the laptop I was installing on I needed the rest too. Do a search to find out if you need the rest. The linux-lts packages in particular give a fairly robust installation using the supported ‘long term support’ kernel and are ace for older machines]

62) nano /etc/mkinitcpio.conf [edit the script that at boot hands over control to the file system. Go to the uncommented line starting with ‘HOOKS=’ and enter the text from step 63 in between ‘block’ and ‘filesystems’]

63) encrypt lvm2 [be sure there is exactly one SPACE between and around each word, or boot will break!]

64) CTRL-O [to write out]

65) CTRL-X [to exit nano]

66) mkinitcpio -p linux [builds hooks for linux]

67) mkinitcpio -p linux-lts [only use this if you installed this option at step 61]

68) nano /etc/locale.gen [find your locale on the list and uncomment it – e.g. en_GB.UTF-8]

69) CTRL-O [to write out]

70) CTRL-X [to close nano]

71) locale-gen [to build the locale files]

72) ln -s /usr/share/zoneinfo/Region/City /etc/localtime [if you press tab twice after /usr/share/zoneinfo/ the available options are shown, e.g. tab tab Europe tab tab London – giving ln -s /usr/share/zoneinfo/Europe/London /etc/localtime]

73) hwclock --systohc --utc [set the hardware clock]

74) systemctl enable sshd.service [if you installed the openssh package at step 61 you need to enable it]

75) passwd [set the password for the root user – note this is different from the filesystem encryption passphrase you created at step 25. It’s obviously more secure to have multiple layers of security!]

76) nano /etc/default/grub [you need to edit the grub bootloader config so it knows your installation is encrypted and not generic. Look for the line GRUB_CMDLINE_LINUX_DEFAULT= and add the text from step 77 ahead of ‘quiet’]

77) cryptdevice=/dev/sda2:volgroup0 [make sure there is a space before ‘quiet’]

78) CTRL-O [to write out]

79) CTRL-X [to exit nano]

80) grub-install --target=i386-pc --recheck /dev/sda [this text does not change even on 64-bit – also note /dev/sda has no trailing partition number]

81) cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo [edit this if you are not using an ‘en’ locale. On my Dell laptop I found the forward slash after hitting nearly every key. In case this helps somebody else too, I found it under the hash/# key]

82) grub-mkconfig -o /boot/grub/grub.cfg [don’t panic about the warnings]

83) exit

84) umount /mnt/boot

85) umount /mnt/home

86) umount /mnt

87) reboot

88) Boot existing OS

89) [enter your passphrase from step 25]

90) [login with user: root and the password you set at step 75]

91) df -h [to display the filesystem layout]

92) [you may need to set up the WiFi again (back from step 44 on – this time it will be saved, as it is written to the hard drive)]
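The two hand edits most likely to leave the machine unable to unlock its root volume at boot are the HOOKS line (steps 62–63) and the cryptdevice= kernel parameter (steps 76–77). Below is an added helper script, not part of the original post, that applies both edits with sed and checks the result on constructed copies of the default files before you run mkinitcpio and grub-mkconfig; it assumes the post’s names (/dev/sda2, volgroup0), so change CRYPT_DEV and VG_NAME if fdisk -l showed something else.

```shell
#!/bin/sh
# Added example (not from the original post). Applies the edits of steps 63
# and 77 to mkinitcpio.conf and /etc/default/grub and verifies them.
# Assumptions: encrypted partition /dev/sda2 and volume group volgroup0,
# as in the post. Pass your real files to the functions inside the chroot.
set -eu

CRYPT_DEV="/dev/sda2"   # partition luksFormat'ed at step 23
VG_NAME="volgroup0"     # volume group created at step 30

# Step 63: put "encrypt lvm2" between "block" and "filesystems" on the active
# HOOKS= line, exactly one space apart. Skips the edit if already present.
add_initcpio_hooks() {
    grep -q '^HOOKS=.*encrypt.*lvm2' "$1" && return 0
    sed -i.bak -E '/^HOOKS=/ s/block[[:space:]]+filesystems/block encrypt lvm2 filesystems/' "$1"
}

# Step 77: add cryptdevice=<partition>:<vg> to GRUB_CMDLINE_LINUX_DEFAULT.
# Inserting right after the opening quote puts it ahead of "quiet".
add_grub_cryptdevice() {
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=.*cryptdevice=' "$1" && return 0
    sed -i.bak -E "s|^(GRUB_CMDLINE_LINUX_DEFAULT=\")|\1cryptdevice=$CRYPT_DEV:$VG_NAME |" "$1"
}

# Check both files; prints the offending line and returns 1 on any problem.
check_config() {
    grep -Eq '^HOOKS=.*[ ("]block encrypt lvm2 filesystems' "$1" \
        || { echo "HOOKS line wrong in $1:"; grep '^HOOKS=' "$1"; return 1; }
    grep -Eq "^GRUB_CMDLINE_LINUX_DEFAULT=\"cryptdevice=$CRYPT_DEV:$VG_NAME " "$2" \
        || { echo "cryptdevice missing in $2:"; grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$2"; return 1; }
}

# Dry run on constructed copies of the two default files, never on real /etc.
demo() {
    d=$(mktemp -d)
    cat > "$d/mkinitcpio.conf" <<'EOF'
# constructed sample of the default Arch HOOKS line
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
EOF
    cat > "$d/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
EOF
    add_initcpio_hooks "$d/mkinitcpio.conf"
    add_grub_cryptdevice "$d/grub"
    check_config "$d/mkinitcpio.conf" "$d/grub"
    grep -hE '^(HOOKS|GRUB_CMDLINE_LINUX_DEFAULT)=' "$d/mkinitcpio.conf" "$d/grub"
}
demo
```

sed leaves a .bak copy of each file it edits, so the originals can be restored if the check fails.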

Arch can run perfectly fine from here, though you may wish to install a windowing system and desktop environment. Maybe another time!

If you want to see a tutorial on anything, please comment below. This learning stuff is fun.

Happy Linuxing
