Encrypted Arch Installation Guide

What this guide assumes:

  • You should have basic familiarity with the process of installing Arch manually (i.e. no install script); this is no hard requirement, but since this guide presents a fairly advanced setup process certain "common" or "basic" commands will not be explained in great detail, if at all. Always know and understand what you are doing.
  • You plan to use a single drive for the Arch Linux installation
  • The drive you are about to use contains data that will be deleted
  • You double-checked that the drive is safe to wipe before you wipe
  • You are fine with using GRUB as the bootloader
  • You are fine with entering a password on bootup (to decrypt encrypted drives)
  • You understand that there is virtually no chance to access your files on an encrypted drive if you forget or lose your password
  • You understand that no device or file system encryption can be 100% fool-proof considering there are a myriad of factors at play (e.g. the threat level you are trying to protect yourself against, the safety practices you follow when handling encrypted data once it is decrypted, etc.)

This guide's goal:

  • Set up encrypted Boot, Swap, and other paritions using dm-crypt
  • Install Arch Linux

What I've done so far:

  1. Optional: Establish a remote connection to the target machine via SSH(Wiki):

    2. It might be desirable to perform operations on the target machine via SSH from an already set up device in order to easily access this guide or other helpful documentation. The following steps assume physical access to the target machine.

    1. On the target machine:
      1. Follow the steps from Installation guide#Pre-installation up to and including connecting to the internet (setting the keyboard layout and font can be skipped)
      2. Set a root password: # passwd
    2. On the machine you want to use SSH from:
      1. Assuming both machines are on the same local network: $ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@archiso.local
      2. Otherwise: $ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@ip.address.of.target
  2. Drive Preparation (Single drive solution)
    1. Destroy GPT (General Partitioning Layout):
      1. Indentify drive to be wiped with # lsblk
      2. # gdisk /dev/sdX
      3. Enter 'x' for 'Expert'
      4. Enter 'z' for 'Zap'
      5. 'Blank out MBR?' -> Enter 'y'
    2. Wipe device(Wiki):
      1. Create a temporary encrypted container on the device to be encrypted: # cryptsetup open --type plain --key-file /dev/urandom --sector-size 4096 /dev/block-device to_be_wiped
      2. Verify that it exists: # lsblk
      3. Wipe the container with zeros: # dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
      4. Close the temporary container: # cryptsetup close to_be_wiped
    3. Preparing the partition layout(Wiki):
      1. # cgdisk /dev/sdX -> The warning / error message is to be expected since we previously destroyed the drives's GPT. 'Press any key to continue' -> '*'
      2. BIOS boot partition:
        1. 'New' -> Enter
        2. 'Default sector' -> Enter
        3. 'Size' -> 1024 KiB
        4. 'Hexcode or GUID' -> 'EF02'
        5. 'Enter new partition name' -> boot
      3. EFI system partition:
        1. 'New' -> Enter
        2. 'Default sector' -> Enter
        3. 'Size' -> 1024 MiB
        4. 'Hexcode or GUID' -> 'EF00'
        5. 'Enter new partition name' -> efi
      4. LUKS partition (for Swap and other OS-related partitions):
        1. 'New' -> Enter
        2. 'Default sector' -> Enter
        3. 'Size' -> X MiB
        4. 'Hexcode or GUID' -> '8309'
        5. 'Enter new partition name' -> linux
      5. 'Write' -> Enter
      6. 'Are you sure?' -> yes
      7. 'Quit' -> Enter
      8. LUKS encrypted container (on LUKS partition):
        1. # cryptsetup luksFormat --pbkdf pbkdf2 /dev/sdXY
        2. 'This will overwrite data on /dev/sdXY irrevocably. Are you sure?' -> YES
        3. 'Enter passphrase for /dev/sdX:' -> SuperSecretPassphrase
        4. 'Verify passphrase:' -> SuperSecretPassphrase
        5. Verify current layout -> # gdisk -l /dev/sdX
        6. Open the container -> # cryptsetup open /dev/sdXY cryptlinux
    4. Preparing the logical volumes(Wiki):
      1. Create a physical volume on top of the opened LUKS container -> # pvcreate /dev/mapper/cryptlinux
      2. Create a volume group (in this example named MyVolGroup, but it can be whatever you want) and add the previously created physical volume to it -> # vgcreate MyVolGroup /dev/mapper/cryptlinux

Considerations

Encrypted Boot partition (using GRUB) + LVM on LUKS