diff --git a/arch_install.md b/arch_install.md index e85bcec..ec5a12d 100644 --- a/arch_install.md +++ b/arch_install.md @@ -1,21 +1,12 @@ The following is a brief installation tutorial for [Arch Linux][1]. It assumes familiarity with the Arch [Beginner's Guide][2] and [Installation Guide][3]. -It will provide a system with full-disk encryption using [LVM on LUKS][4]. -Two methods are presented here, the more traditional "BIOS mode", where -there is no separate `/boot` partition. The entire installation is encrypted -and booted via [Grub's crypto hooks][5]. The second method is "UEFI mode" which -will use a GPT and show you how to make [separately-encrypted boot and root partitions][6], -while only /boot/efi is left unecrypted. - -Use your system's setup interface to choose UEFI or legacy/BIOS mode as appropriate. +It will provide a system using [LVM on LUKS][4]. Note that this guide assumes you are performing the install to `/dev/sda`. In some cases, you may find that your USB install disk claimed `/dev/sda` and you want to install to `/dev/sdb`. Confirm which disk is which before proceeding. -On some newer systems (e.g. Dell XPS 15), set SATA operation mode to AHCI. - Boot into the Arch installer. If your console font is tiny ([HiDPI][7] systems), set a new font. @@ -28,10 +19,6 @@ Verify that the [system clock is up to date][8]. $ timedatectl set-ntp true -(BIOS mode) Create a single partition for LUKS. - - $ parted -s /dev/sda mklabel msdos - $ parted -s /dev/sda mkpart primary 2048s 100% (UEFI mode) Create partitions for EFI, boot, and root. 
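Review bot: The added intro line in the first hunk, `It will provide a system using [LVM on LUKS][4].`, still promises LUKS although this commit removes every `cryptsetup luksFormat`/`luksOpen` step, so a reader who follows the guide ends up with an unencrypted disk while believing otherwise. State the new scope explicitly, e.g. `It will provide an unencrypted system using plain LVM.`, and drop the `[4]` reference. The same stale wording survives as context in the `@@ -41,16 +28,17 @@` hunk (`Create and mount the encrypted root filesystem.`) and in the `@@ -65,11 +53,8 @@` hunk (`(UEFI mode) Encrypt the boot partition using a separate passphrase ...`), where the new commands only mount `/dev/sda2` directly.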
@@ -41,16 +28,17 @@ Verify that the [system clock is up to date][8]. $ parted -s /dev/sda set 1 esp on $ parted -s /dev/sda mkpart primary 513MiB 1024MiB $ parted -s /dev/sda mkpart primary 1024MiB 100% - $ mkfs.vfat -F32 /dev/nvme0n1p1 + $ mkfs.ext4 /dev/sda2 + $ mkfs.fat -F32 /dev/sda1 + Create and mount the encrypted root filesystem. Note that for UEFI systems this will be partition 3. - $ cryptsetup luksFormat /dev/sda1 - $ cryptsetup luksOpen /dev/sda1 lvm - $ pvcreate /dev/mapper/lvm + + $ pvcreate /dev/sda3pc $ vgcreate arch /dev/mapper/lvm - $ lvcreate -L 8G arch -n swap + $ lvcreate -L 4G arch -n swap $ lvcreate -L 30G arch -n root $ lvcreate -l +100%FREE arch -n home $ lvdisplay @@ -65,11 +53,8 @@ this will be partition 3. (UEFI mode) Encrypt the boot partition using a separate passphrase from the root partition, then mount the boot and EFI partitions. - $ cryptsetup luksFormat /dev/sda2 - $ cryptsetup luksOpen /dev/sda2 cryptboot - $ mkfs.ext4 /dev/mapper/cryptboot $ mkdir /mnt/boot - $ mount /dev/mapper/cryptboot /mnt/boot + $ mount /dev/sda2 /mnt/boot $ mkdir /mnt/boot/efi $ mount /dev/sda1 /mnt/boot/efi 
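Review bot: In the `@@ -41,16 +28,17 @@` hunk, `pvcreate /dev/sda3pc` names a device that the partitioning commands above never create, which looks like a typo for `/dev/sda3`. The unchanged next line `vgcreate arch /dev/mapper/lvm` still points at the mapping that the removed `cryptsetup luksOpen /dev/sda1 lvm` used to create, so the volume-group step fails as written. If plain LVM is the intent, the pair would be `pvcreate /dev/sda3` and `vgcreate arch /dev/sda3`.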
@@ -90,52 +75,23 @@ Generate and verify [fstab][11]. Change root into the base install and perform [base configuration tasks][12]. $ arch-chroot /mnt /bin/bash - $ export LANG=en_US.UTF-8 - $ echo $LANG UTF-8 >> /etc/locale.gen - $ locale-gen - $ echo LANG=$LANG > /etc/locale.conf - $ ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime - $ hwclock --systohc --utc - $ echo mymachine > /etc/hostname $ systemctl enable dhcpcd.service $ passwd -Set your mkinitcpio encrypt/lvm2 hooks and rebuild. - - $ sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf +Set your mkinitcpio. + $ sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf $ mkinitcpio -p linux -(BIOS mode) Add a keyfile to decrypt the root volume and properly set the hooks. - - $ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin - $ cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin - $ chmod 000 /crypto_keyfile.bin - $ sed -i 's/^FILES=.*/FILES="\/crypto_keyfile.bin"/' /etc/mkinitcpio.conf - $ mkinitcpio -p linux - -(UEFI mode) Add a keyfile to decrypt and mount the boot volume during startup. - - $ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin - $ cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin - $ chmod 000 /crypto_keyfile.bin - $ echo "cryptboot /dev/sda2 /crypto_keyfile.bin luks" >> /etc/crypttab - Configure GRUB. 
- $ echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub - - # BIOS mode - set the UUID of the encrypted root device - $ ROOTUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2) - $ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub + # BIOS mode + $ grub-install /dev/sdat $ grub-mkconfig -o /boot/grub/grub.cfg - $ grub-install /dev/sda - $ chmod -R g-rwx,o-rwx /boot + - # UEFI mode - set the UUID of the encrypted root device - $ ROOTUUID=$(blkid /dev/sda3 | awk '{print $2}' | cut -d '"' -f2) - $ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards root=\/dev\/mapper\/arch-root resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub - $ grub-mkconfig -o /boot/grub/grub.cfg + # UEFI mode $ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck + $ grub-mkconfig -o /boot/grub/grub.cfg $ chmod -R g-rwx,o-rwx /boot Cleanup and reboot!
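Review bot: In the GRUB block of the `@@ -90,52 +75,23 @@` hunk, `grub-install /dev/sdat` does not match the disk used everywhere else in the guide, so the BIOS path fails at the bootloader step; it should read `grub-install /dev/sda`. The new `HOOKS=` line keeps `resume`, but the commit deletes both `GRUB_CMDLINE_LINUX` edits that set `resume=/dev/mapper/arch-swap`, so resume from hibernation presumably has no device to use; either keep a `resume=` kernel parameter or drop the hook. `chmod -R g-rwx,o-rwx /boot` is now applied only in the UEFI branch, which looks unintended.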