Friday 23 November 2018

Install ARCH Linux with encrypted file-system and UEFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the archiso image from https://www.archlinux.org/

Copy to a usb-drive

dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

Set french keymap

Since the default keymap is QWERTY, on an AZERTY keyboard you have to type loqdkeys fr)pc to get loadkeys fr-pc

loadkeys fr-pc

Let’s start with disk erasing. Run lsblk to find your primary disk and replace /dev/sdX where needed:

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdX

This assumes a wifi only system…

wifi-menu

Create partitions

gdisk /dev/sdX
  1: 100MB                 EFI partition     # Hex code ef00
  2: 250MB                 Boot partition    # Hex code 8300
  3: 100% of the remaining size              # to be encrypted, Hex code 8300

mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2

Create cryptographic device mapper device in LUKS encryption mode:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 cryptroot

Create encrypted partitions

This creates one logical volume for root (plus one for swap); modify it if /home or other partitions should live on separate volumes

pvcreate /dev/mapper/cryptroot
vgcreate vg0 /dev/mapper/cryptroot
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mount the new system

mount /dev/mapper/vg0-root /mnt   # /mnt is the installed system
swapon /dev/mapper/vg0-swap       # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi

Install the system; the package list also includes what is needed to start wifi when first booting into the newly installed system

pacstrap /mnt base base-devel grub-efi-x86_64 git efibootmgr dialog wpa_supplicant

'install' fstab

genfstab -pU /mnt >> /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

Change relatime to noatime on all non-boot partitions in /mnt/etc/fstab (reduces wear if using an SSD)
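The two fstab edits above are described but not given as commands. The following is an added example (not part of the original post) that performs both on a constructed copy of the file rather than on /mnt/etc/fstab: it rewrites relatime to noatime on every entry whose mount point is not /boot or /boot/efi, and appends the tmpfs line only if it is not already there, so running it twice does not duplicate the line. The sample fstab content and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Adjusts a genfstab-generated fstab:
#   - relatime -> noatime on non-boot entries (SSD wear reduction)
#   - append the /tmp tmpfs line once (idempotent)

# Rewrite relatime as noatime on every line whose mount point is not /boot or /boot/efi.
# Reads fstab text on stdin, writes the adjusted text on stdout. Comments and blank
# lines are passed through untouched.
noatime_non_boot() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { print; next }           # comments / blank lines
        $2 == "/boot" || $2 == "/boot/efi" { print; next }  # leave boot partitions alone
        {
            n = split($4, opts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "relatime") opts[i] = "noatime"
                out = out (i > 1 ? "," : "") opts[i]
            }
            $4 = out
            print
        }'
}

# Append the /tmp ramdisk entry to the fstab file given as $1 unless it is already present.
add_tmp_ramdisk() {
    tmp_line='tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0'
    grep -qE '^tmpfs[[:space:]]+/tmp[[:space:]]' "$1" || printf '%s\n' "$tmp_line" >> "$1"
}

# Apply both edits in place to the fstab file given as $1.
adjust_fstab() {
    tmp=$(mktemp)
    noatime_non_boot < "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    add_tmp_ramdisk "$1"
}

# Constructed sample (assumed to mirror what genfstab -pU writes for the layout above).
# On a real install you would run: adjust_fstab /mnt/etc/fstab
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Static information about the filesystems (constructed sample)
UUID=aaaa-1111 /boot/efi vfat rw,relatime,fmask=0022 0 2
UUID=bbbb-2222 /boot ext2 rw,relatime 0 2
UUID=cccc-3333 / ext4 rw,relatime 0 1
UUID=dddd-4444 none swap defaults 0 0
EOF
adjust_fstab "$sample"
cat "$sample"
rm -f "$sample"
```

Review the result before rebooting: the /boot and /boot/efi lines must still read relatime, the root line must read noatime, and exactly one tmpfs /tmp line must be present.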

Enter the new system

arch-chroot /mnt

Setup system clock

ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc

Set the hostname

echo MYHOSTNAME > /etc/hostname

Uncomment the fr_FR locale:

sed -i 's/#fr_FR.UTF-8 UTF-8/fr_FR.UTF-8 UTF-8/g' /etc/locale.gen

Generate the locale:

locale-gen

Create the configuration file that tells the system which locale it should use:

echo LANG=fr_FR.UTF-8 > /etc/locale.conf

Export the locale

export LANG=fr_FR.UTF-8

Set password for root

passwd

Add real user

useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username
passwd username

Install sudo (part of base-devel), the boot loader grub and os-prober:

pacman -S sudo grub os-prober

Allow members of the wheel group to use sudo and run commands (temporarily) as root:

EDITOR=nano visudo

Press CTRL + W and type wheel, then uncomment the following line:

%wheel ALL=(ALL) ALL

Add the following kernel parameter so that your LUKS encrypted root partition can be unlocked during system startup (in /etc/default/grub, edit the GRUB_CMDLINE_LINUX line):

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:cryptroot:allow-discards"

Configure mkinitcpio with modules needed for the initrd image

nano /etc/mkinitcpio.conf

Add 'encrypt' and 'lvm2' (in that order) to HOOKS, before 'filesystems'

Since we added new hooks to the mkinitcpio configuration file, we have to regenerate the initramfs image (ramdisk):

mkinitcpio -p linux
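The grub and mkinitcpio edits above are the two places where a typo leaves you with an unbootable system, so it is worth checking them before running grub-install. The following is an added example (not from the original post) that works on constructed file contents instead of the live /etc/default/grub and /etc/mkinitcpio.conf. It does two things beyond what the text shows: it builds the cryptdevice parameter from the LUKS UUID (as printed by cryptsetup luksUUID /dev/sdX3) instead of /dev/sdX3, so the kernel line keeps working if a plugged-in USB stick shifts the sdX naming; and it verifies the HOOKS order, requiring encrypt before lvm2 and lvm2 before filesystems. It also treats the keymap hook as optional but, when present, requires it to precede encrypt: without keymap and a KEYMAP=fr-pc line in /etc/vconsole.conf, the initramfs passphrase prompt uses the US layout even though fr-pc was loaded in the live environment. The function names and the sample UUID are assumptions made for the example; the HOOKS=( ... ) array form is the one found in current mkinitcpio.conf files.

```shell
#!/bin/sh
# Added example, not from the original post: check the boot-chain configuration
# for an encrypted root (GRUB kernel line + mkinitcpio HOOKS order).

# Build the GRUB_CMDLINE_LINUX value from the LUKS UUID rather than a /dev/sdX3 path.
cryptdevice_param() {
    printf 'cryptdevice=UUID=%s:cryptroot:allow-discards' "$1"
}

# Replace (or add, if missing) the GRUB_CMDLINE_LINUX line in grub-default text on stdin.
set_grub_cmdline() {
    awk -v p="$1" '
        /^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" p "\""; done = 1; next }
        { print }
        END { if (!done) print "GRUB_CMDLINE_LINUX=\"" p "\"" }'
}

# Print the space-separated hook list from mkinitcpio.conf text on stdin
# (assumes the HOOKS=(...) array form; the last assignment wins).
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' | tail -n 1
}

# hook_index NAME "hook list": print the 1-based position of NAME, or 0 if absent.
hook_index() {
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# Return 0 when the hook list can unlock and mount the LVM-on-LUKS root:
#   encrypt < lvm2 < filesystems, and keymap (if present) < encrypt.
check_hooks_order() {
    km=$(hook_index keymap "$1")
    enc=$(hook_index encrypt "$1")
    lvm=$(hook_index lvm2 "$1")
    fs=$(hook_index filesystems "$1")
    [ "$enc" -gt 0 ] && [ "$lvm" -gt 0 ] && [ "$fs" -gt 0 ] || return 1
    [ "$enc" -lt "$lvm" ] && [ "$lvm" -lt "$fs" ] || return 1
    [ "$km" -eq 0 ] || [ "$km" -lt "$enc" ]
}

# Constructed samples; on a real install read /etc/default/grub and /etc/mkinitcpio.conf
# and obtain the UUID with: cryptsetup luksUUID /dev/sdX3
luks_uuid='00000000-1111-2222-3333-444444444444'   # assumed placeholder value
grub_default='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX=""'
mkinitcpio_conf='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)'

printf '%s\n' "$grub_default" | set_grub_cmdline "$(cryptdevice_param "$luks_uuid")"
hooks=$(printf '%s\n' "$mkinitcpio_conf" | hooks_from_conf)
if check_hooks_order "$hooks"; then
    echo "HOOKS order OK: $hooks"
else
    echo "HOOKS order WRONG: $hooks" >&2
fi
```

If the check fails, fix the order in /etc/mkinitcpio.conf and run mkinitcpio -p linux again; the initramfs on disk only changes when it is regenerated.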

Install grub and generate its configuration file:

grub-install --recheck /dev/sdX   # the disk partitioned above
grub-mkconfig --output /boot/grub/grub.cfg

Exit the new system and go back into the live cd/usb shell

exit

Unmount all partitions

umount -R /mnt
swapoff -a

Reboot into the new system; don't forget to remove the cd/usb

reboot