I recently switched my laptop over from Debian Stretch to Arch Linux.
Debian is still my go-to distribution for any server, but I felt like I was in a bit of a no man's land with my laptop. Debian stable (currently Jessie) is rock solid and reliable, but I want to install new packages, like the latest version of Firefox. Debian testing and unstable (Stretch and Sid) are well ... unstable, and you really can't complain when things break[1].
I've been using Arch Linux on my desktop for a while and for a bleeding edge distribution it's surprisingly stable[2].
These are my notes on installing Arch Linux on my laptop with Full Disk Encryption. As I noted in my post on Setting Up Full Disk Encryption on Debian Jessie, it's not really "Full" disk encryption: there is still a small partition, /boot, that's unencrypted and will contain the kernel and initramfs.
Download
First I downloaded the latest Arch Linux iso, verified it, and copied it to a USB flash drive.
gpg --recv-keys 0x7f2d434b9741e8ac
gpg --verify archlinux-2016.07.01-dual.iso.sig
dd if=archlinux-2016.07.01-dual.iso of=/dev/sdb
Install
Then I booted the USB drive and updated the time, because that's what it says in the documentation and it's a good idea.
timedatectl set-ntp true
I created 3 partitions on my hard drive, an 80GB SSD:
- 512MB FAT32 partition to boot from.
- A big partition to be used as the root.
- A 4GB partition for swap space.
parted /dev/sda
> mklabel gpt
> mkpart ESP fat32 1MiB 513MiB
> set 1 boot on
> mkpart primary 513MiB -4G
> mkpart primary 76GB 100%
I set up a LUKS volume on the second partition, formatted it as btrfs, then mounted it at /mnt/ and mounted the FAT32 volume at /mnt/boot.
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 arch_root
mkfs.btrfs /dev/mapper/arch_root
mount /dev/mapper/arch_root /mnt/
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
I updated the mirrors list and installed Arch Linux following the install guide, then installed vim[3] and added a host name.
vim /etc/pacman.d/mirrorlist
pacstrap /mnt base
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -s /usr/share/zoneinfo/Australia/Perth /etc/localtime
nano /etc/locale.gen
locale-gen
nano /etc/locale.conf
# LANG=en_AU.UTF-8
pacman -S vim
vim /etc/hostname
I edited /etc/mkinitcpio.conf to add encrypt after udev on line 51 and then created my initramfs.
vim /etc/mkinitcpio.conf
# HOOKS="base udev encrypt autodetect modconf block filesystems keyboard fsck"
mkinitcpio -p linux
Next I used efibootmgr to add an entry into my EFI boot options to boot the Linux kernel directly rather than using a boot loader like GRUB which then boots the kernel.
I think this is an extremely elegant solution as it means I end up with only 3 files in my /boot/ volume: the kernel, the initramfs, and a fallback initramfs (which isn't really necessary). It's much neater than a bunch of GRUB scripts and config files.
pacman -S efibootmgr
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l /vmlinuz-linux -u "cryptdevice=/dev/sda2:arch_root root=/dev/mapper/arch_root rw initrd=/initramfs-linux.img"
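The values that decide whether the encrypted root can be unlocked at boot are the HOOKS order above and the kernel command line passed to efibootmgr: the mapping name in cryptdevice= has to be the one root= points at, and initrd= has to be present for the initramfs to load. The following is an added example, not part of the original post: two hypothetical shell helpers (hooks_ok and cmdline_ok) that check those values, assuming the DEV:NAME[:OPTIONS] form of cryptdevice= with no colon in DEV; the sample strings are constructed from the values used here.

```sh
# Added example: checks for the two settings that decide whether the
# encrypted root boots. Function names are hypothetical; samples are constructed.

# hooks_ok "<HOOKS value>": succeed only if 'encrypt' is listed after 'udev'.
hooks_ok() {
    seen_udev=0
    for hook in $1; do
        case "$hook" in
            udev)    seen_udev=1 ;;
            encrypt) [ "$seen_udev" -eq 1 ] && return 0 || return 1 ;;
        esac
    done
    return 1    # no encrypt hook at all
}

# cmdline_ok "<kernel command line>": succeed only if cryptdevice=DEV:NAME[:OPTS]
# and root=/dev/mapper/NAME agree on NAME and an initrd= argument is present.
# Assumes DEV itself contains no colon.
cmdline_ok() {
    crypt_name="" root_dev="" has_initrd=0
    for arg in $1; do
        case "$arg" in
            cryptdevice=*) rest=${arg#cryptdevice=}   # DEV:NAME[:OPTS]
                           rest=${rest#*:}            # NAME[:OPTS]
                           crypt_name=${rest%%:*} ;;  # NAME
            root=*)        root_dev=${arg#root=} ;;
            initrd=*)      has_initrd=1 ;;
        esac
    done
    [ -n "$crypt_name" ] && [ "$has_initrd" -eq 1 ] &&
        [ "$root_dev" = "/dev/mapper/$crypt_name" ]
}

# Constructed samples based on the values used in this post.
HOOKS_LINE="base udev encrypt autodetect modconf block filesystems keyboard fsck"
GOOD_CMDLINE="cryptdevice=/dev/sda2:arch_root root=/dev/mapper/arch_root rw initrd=/initramfs-linux.img"
BAD_CMDLINE="cryptdevice=/dev/sda2:arch_root root=/dev/mapper/archroot rw initrd=/initramfs-linux.img"

hooks_ok "$HOOKS_LINE"      && echo "HOOKS: ok"        || echo "HOOKS: encrypt missing or before udev"
cmdline_ok "$GOOD_CMDLINE"  && echo "good cmdline: ok" || echo "good cmdline: rejected"
cmdline_ok "$BAD_CMDLINE"   && echo "bad cmdline: ok"  || echo "bad cmdline: rejected"
```

Keeping the command line in a variable, checking it with cmdline_ok, and then passing that same variable to efibootmgr -u avoids a typo creeping in between the check and the real boot entry.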
Next I added a user and set up sudo so they could become root.
useradd michael --create-home --groups wheel
passwd michael
pacman -S sudo
visudo
# Uncomment line 82. %wheel ALL=(ALL) ALL
Lastly I set up my swap partition to be a LUKS volume with a random key.
vim /etc/crypttab
# arch_swap /dev/sda3 /dev/urandom swap
vim /etc/fstab
# /dev/mapper/arch_swap none swap sw 0 0
I exited the chroot and rebooted.
exit
reboot
Post install
I installed KDE because that's my desktop of choice but the lovely thing about Arch Linux is you can make it almost anything you want.
# Logged in as Michael, but run as root
dhcpcd enp0s25
pacman -S xorg-server
pacman -S plasma-meta
pacman -S kde-applications-meta
pacman -S sddm
systemctl enable sddm.service
systemctl enable NetworkManager.service
Added the track pad driver
pacman -S xf86-input-synaptics
Set time to NTP. I would have thought this would be done automatically because I'd synced the time when I started the installer, but apparently not.
timedatectl set-ntp true
And set the KDE Wallet to automatically unlock with my user password. This is a slight trade-off in security because with the default setup I could have two different passwords, or I could log in but choose not to unlock the wallet. But in this case I've decided to go with it because it's much more convenient and secure enough.
sudo pacman -S kwallet-pam
vim /etc/pam.d/sddm
My sddm file
#%PAM-1.0
auth include system-login
auth optional pam_kwallet5.so
auth optional pam_kwallet.so kdehome=.kde4
account include system-login
password include system-login
session include system-login
session optional pam_kwallet5.so
session optional pam_kwallet.so
[1] You can't complain but you can file bug reports, which is helpful to the Debian maintainers.
[2] Things still break in new and interesting ways on Arch Linux, just less often than I would expect for the rate of package churn.
[3] Vim is included in the installer .iso file, so you can use it while you're installing, but it's not part of the base packages, so once you run arch-chroot you can't use it until you install it with pacman -S vim.