Mettre à jour 'arch_install.md'

This commit is contained in:
vincent 2019-04-16 15:38:08 +02:00
parent 73ca4ff756
commit 2c1b1aeb64

View File

@ -1,21 +1,12 @@
The following is a brief installation tutorial for [Arch Linux][1]. It assumes The following is a brief installation tutorial for [Arch Linux][1]. It assumes
familiarity with the Arch [Beginner's Guide][2] and [Installation Guide][3]. familiarity with the Arch [Beginner's Guide][2] and [Installation Guide][3].
It will provide a system with full-disk encryption using [LVM on LUKS][4]. It will provide a system using [LVM on LUKS][4].
Two methods are presented here, the more traditional "BIOS mode", where
there is no separate `/boot` partition. The entire installation is encrypted
and booted via [Grub's crypto hooks][5]. The second method is "UEFI mode" which
will use a GPT and show you how to make [separately-encrypted boot and root partitions][6],
while only /boot/efi is left unecrypted.
Use your system's setup interface to choose UEFI or legacy/BIOS mode as appropriate.
Note that this guide assumes you are performing the install to `/dev/sda`. In Note that this guide assumes you are performing the install to `/dev/sda`. In
some cases, you may find that your USB install disk claimed `/dev/sda` and you some cases, you may find that your USB install disk claimed `/dev/sda` and you
want to install to `/dev/sdb`. Confirm which disk is which before proceeding. want to install to `/dev/sdb`. Confirm which disk is which before proceeding.
On some newer systems (e.g. Dell XPS 15), set SATA operation mode to AHCI.
Boot into the Arch installer. Boot into the Arch installer.
If your console font is tiny ([HiDPI][7] systems), set a new font. If your console font is tiny ([HiDPI][7] systems), set a new font.
@ -28,10 +19,6 @@ Verify that the [system clock is up to date][8].
$ timedatectl set-ntp true $ timedatectl set-ntp true
(BIOS mode) Create a single partition for LUKS.
$ parted -s /dev/sda mklabel msdos
$ parted -s /dev/sda mkpart primary 2048s 100%
(UEFI mode) Create partitions for EFI, boot, and root. (UEFI mode) Create partitions for EFI, boot, and root.
@ -41,16 +28,17 @@ Verify that the [system clock is up to date][8].
$ parted -s /dev/sda set 1 esp on $ parted -s /dev/sda set 1 esp on
$ parted -s /dev/sda mkpart primary 513MiB 1024MiB $ parted -s /dev/sda mkpart primary 513MiB 1024MiB
$ parted -s /dev/sda mkpart primary 1024MiB 100% $ parted -s /dev/sda mkpart primary 1024MiB 100%
$ mkfs.vfat -F32 /dev/nvme0n1p1 $ mkfs.ext4 /dev/sda2
$ mkfs.fat -F32 /dev/sda1
Create and mount the encrypted root filesystem. Note that for UEFI systems Create and mount the encrypted root filesystem. Note that for UEFI systems
this will be partition 3. this will be partition 3.
$ cryptsetup luksFormat /dev/sda1
$ cryptsetup luksOpen /dev/sda1 lvm $ pvcreate /dev/sda3pc
$ pvcreate /dev/mapper/lvm
$ vgcreate arch /dev/mapper/lvm $ vgcreate arch /dev/mapper/lvm
$ lvcreate -L 8G arch -n swap $ lvcreate -L 4G arch -n swap
$ lvcreate -L 30G arch -n root $ lvcreate -L 30G arch -n root
$ lvcreate -l +100%FREE arch -n home $ lvcreate -l +100%FREE arch -n home
$ lvdisplay $ lvdisplay
@ -65,11 +53,8 @@ this will be partition 3.
(UEFI mode) Encrypt the boot partition using a separate passphrase from (UEFI mode) Encrypt the boot partition using a separate passphrase from
the root partition, then mount the boot and EFI partitions. the root partition, then mount the boot and EFI partitions.
$ cryptsetup luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 cryptboot
$ mkfs.ext4 /dev/mapper/cryptboot
$ mkdir /mnt/boot $ mkdir /mnt/boot
$ mount /dev/mapper/cryptboot /mnt/boot $ mount /dev/sda2 /mnt/boot
$ mkdir /mnt/boot/efi $ mkdir /mnt/boot/efi
$ mount /dev/sda1 /mnt/boot/efi $ mount /dev/sda1 /mnt/boot/efi
@ -90,52 +75,23 @@ Generate and verify [fstab][11].
Change root into the base install and perform [base configuration tasks][12]. Change root into the base install and perform [base configuration tasks][12].
$ arch-chroot /mnt /bin/bash $ arch-chroot /mnt /bin/bash
$ export LANG=en_US.UTF-8
$ echo $LANG UTF-8 >> /etc/locale.gen
$ locale-gen
$ echo LANG=$LANG > /etc/locale.conf
$ ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
$ hwclock --systohc --utc
$ echo mymachine > /etc/hostname
$ systemctl enable dhcpcd.service $ systemctl enable dhcpcd.service
$ passwd $ passwd
Set your mkinitcpio encrypt/lvm2 hooks and rebuild. Set your mkinitcpio.
$ sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
$ sed -i 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck"/' /etc/mkinitcpio.conf
$ mkinitcpio -p linux $ mkinitcpio -p linux
(BIOS mode) Add a keyfile to decrypt the root volume and properly set the hooks.
$ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ sed -i 's/^FILES=.*/FILES="\/crypto_keyfile.bin"/' /etc/mkinitcpio.conf
$ mkinitcpio -p linux
(UEFI mode) Add a keyfile to decrypt and mount the boot volume during startup.
$ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ echo "cryptboot /dev/sda2 /crypto_keyfile.bin luks" >> /etc/crypttab
Configure GRUB. Configure GRUB.
$ echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub # BIOS mode
$ grub-install /dev/sdat
# BIOS mode - set the UUID of the encrypted root device
$ ROOTUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2)
$ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub
$ grub-mkconfig -o /boot/grub/grub.cfg $ grub-mkconfig -o /boot/grub/grub.cfg
$ grub-install /dev/sda
$ chmod -R g-rwx,o-rwx /boot
# UEFI mode - set the UUID of the encrypted root device
$ ROOTUUID=$(blkid /dev/sda3 | awk '{print $2}' | cut -d '"' -f2) # UEFI mode
$ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards root=\/dev\/mapper\/arch-root resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub
$ grub-mkconfig -o /boot/grub/grub.cfg
$ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck $ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
$ grub-mkconfig -o /boot/grub/grub.cfg
$ chmod -R g-rwx,o-rwx /boot $ chmod -R g-rwx,o-rwx /boot
Cleanup and reboot! Cleanup and reboot!