
This is a brief tutorial on how to install Arch Linux on a UEFI-enabled system with full hard drive encryption using LUKS (Linux Unified Key Setup). LUKS is a disk encryption specification: it encrypts a whole block device, so every file and all data stored on it are protected in one go.

LUKS secures your drive against things like theft, but once the device is unlocked it does not protect your data from access. It can be combined with other encryption software for further layers of protection.

Previously I had written an article on how to install Arch Linux on LVM, but it lacked the LUKS encryption feature.

Install Arch Linux with LVM on UEFI system

This blog post aims at filling that disk encryption gap, so expect less theory.

Setting up disk partitions:

My partition scheme will have /dev/sda1 as the EFI partition, /dev/sda2 as the boot partition, /dev/sda3 as the LVM physical volume, /dev/arch/root as the root partition, /dev/arch/home as the home partition and /dev/arch/swap as the swap partition. My tool of choice for partitioning is parted; you can use gdisk for EFI or fdisk for MBR as well. parted works for both, though. If you want an MBR disk instead, use the MBR label type (msdos in parted) in place of gpt.

parted /dev/sda
mklabel gpt
mkpart ESP fat32 1MiB 200MiB
set 1 boot on
name 1 efi
mkpart primary 200MiB 800MiB
name 2 boot
mkpart primary 800MiB 100%
set 3 lvm on
name 3 lvm
print

Configure LUKS

The next step is to load the kernel modules. Before using cryptsetup, always make sure the dm_crypt kernel module is loaded.

modprobe dm-crypt

modprobe dm-mod

Then go ahead and create the encrypted device using the cryptsetup command. Cryptsetup is the command line tool to interface with dm-crypt for creating, accessing and managing encrypted devices. It has support for different encryption types that rely on the Linux kernel device-mapper and the cryptographic modules. The devices accessed via the device-mapper are called block devices.

The tool is used as follows:

# cryptsetup <OPTIONS> <action> <action-specific-options> <device> <dmname>

You can check available options using:

$ cryptsetup --help

Let's now create a new LUKS device on /dev/sda3

# cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3

Options used:

luksFormat: formats a LUKS device
-v, --verbose: shows more detailed error messages
-s, --key-size: the size of the encryption key, 512 bits in this case
-h, --hash: the hash used to derive the encryption key from the passphrase

When you execute the command above, you'll get a warning message. Type YES to continue, then enter and verify the passphrase to use.

Now that we have created the LUKS encrypted device, we need to open it as the mapping <name>. The syntax is:

# cryptsetup open <device> <name>

<name> is the device to create under /dev/mapper
<device> is the encrypted device

So mine will look something like below:

# cryptsetup open /dev/sda3 luks_lvm

LVM Configuration

For those new to LVM, the basic building blocks of LVM are:

Physical volume (PV)

- Partition on hard disk (or even the disk itself or a loopback file) on which you can have volume groups.
- It has a special header and is divided into physical extents.
- Think of physical volumes as big building blocks used to build your hard drive.

Volume group (VG)

- Group of physical volumes used as a storage volume (as one disk).
- They contain logical volumes.
- Think of volume groups as hard drives.

Logical volume (LV)

- A "virtual/logical partition" that resides in a volume group and is composed of physical extents.
- Think of logical volumes as normal partitions.

Physical extent (PE)

- The smallest size in the physical volume that can be assigned to a logical volume (default 4MiB).
- Think of physical extents as parts of disks that can be allocated to any partition.

The configuration part:

Create physical volume:

pvcreate /dev/mapper/luks_lvm

Create volume group named arch:

vgcreate arch /dev/mapper/luks_lvm

Create Logical volumes for root, home and swap partitions:

lvcreate -n home -L 70G arch
lvcreate -n root -L 120G arch
lvcreate -n swap -L 1G -C y arch

Format the partitions:

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.btrfs -L root /dev/mapper/arch-root
mkfs.btrfs -L home /dev/mapper/arch-home
mkswap /dev/mapper/arch-swap

Mount Partitions:

swapon /dev/mapper/arch-swap
swapon -a ; swapon -s
mount /dev/mapper/arch-root /mnt
mkdir -p /mnt/{home,boot}
mount /dev/sda2 /mnt/boot
mount /dev/mapper/arch-home /mnt/home
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Confirm that all are mounted properly:

lsblk -f

Install Arch Linux:

Install base system:

pacstrap /mnt base base-devel efibootmgr vim dialog xterm btrfs-progs grub --noconfirm

Generate fstab file:

genfstab -U -p /mnt > /mnt/etc/fstab

Switch to chroot environment:

arch-chroot /mnt /bin/bash

Configuring mkinitcpio

vim /etc/mkinitcpio.conf

Scroll down till you find the HOOKS setting. Then add these two hooks before filesystems:

encrypt lvm2

Hooks are referred to by their name, and executed in the order they appear in the HOOKS setting in the config file. The HOOKS line will look something like this:

HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
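Editing the HOOKS line by hand is easy to get wrong: the hooks end up in the wrong order, or are added a second time when the file is edited again later. The following Python helper is an added example, not part of the original post: it inserts encrypt and lvm2 immediately before filesystems, moves them there if they already exist elsewhere on the line, returns a correct line unchanged, and understands both the HOOKS="..." string syntax shown above and the HOOKS=(...) array syntax that newer mkinitcpio.conf files use. The sample config text is constructed.

```python
"""Insert the encrypt and lvm2 hooks before filesystems in mkinitcpio.conf (added example)."""
import re

# Matches an active (uncommented) HOOKS line in either quoted-string or array syntax.
HOOKS_RE = re.compile(r'^(\s*HOOKS=)(["(])(.*?)(["\)])(.*)$', re.MULTILINE)

# Constructed sample file, not copied from any real machine.
SAMPLE_CONF = """# vim:set ft=sh
MODULES=()
BINARIES=()
FILES=()
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
COMPRESSION="zstd"
"""


def hooks_of(conf):
    """Return the hook list from the first active HOOKS line."""
    m = HOOKS_RE.search(conf)
    if m is None:
        raise ValueError("no active HOOKS= line found")
    return m.group(3).split()


def add_crypt_hooks(conf, new_hooks=("encrypt", "lvm2"), before="filesystems"):
    """Return conf with new_hooks placed directly before `before` in HOOKS.

    Idempotent: a line that is already correct comes back unchanged, and hooks
    that are present but in the wrong place are moved rather than duplicated.
    """
    m = HOOKS_RE.search(conf)
    if m is None:
        raise ValueError("no active HOOKS= line found")
    hooks = m.group(3).split()
    if before not in hooks:
        raise ValueError(f"no {before!r} hook: the initramfs could not mount root")
    hooks = [h for h in hooks if h not in new_hooks]   # drop stale copies first
    idx = hooks.index(before)
    hooks[idx:idx] = list(new_hooks)                   # ... then insert in order
    line = f"{m.group(1)}{m.group(2)}{' '.join(hooks)}{m.group(4)}{m.group(5)}"
    return conf[:m.start()] + line + conf[m.end():]


if __name__ == "__main__":
    print(add_crypt_hooks(SAMPLE_CONF))
```

Run it against the contents of /etc/mkinitcpio.conf and write the result back before running mkinitcpio. One ordering point the helper does not change: if the passphrase will be typed on a USB keyboard, the keyboard hook should sit before encrypt, otherwise the keyboard driver may not be loaded when the passphrase prompt appears.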

Generate a new initramfs image:

mkinitcpio -v -p linux


Install grub and generate the grub.cfg file:

pacman -S grub --noconfirm
grub-install --efi-directory=/boot/efi

Configuring the kernel parameters

In order to boot from an encrypted root partition, a subset of the following kernel parameters needs to be set. Add the options to the kernel parameters if using the encrypt hook. The file to modify is /etc/default/grub.

cryptdevice=/dev/<partition>:devicemapper_name cryptkey=<path>

device is the path to the device backing the encrypted device.

devicemapper_name is the device-mapper name given to the device after decryption, which will be available as /dev/mapper/devicemapper_name.

For example:

GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=/dev/mapper/arch-swap cryptdevice=/dev/sda3:luks_lvm"

Note that the relevant parameters are best added to /etc/default/grub before generating the boot configuration.

Unlocking the root partition at boot

To unlock root filesystem at boot using keyfile, you'll have to generate the
keyfile, give it suitable permissions and add it as a LUKS key:

# dd if=/dev/urandom of=/boot/efi/crypto_keyfile.bin bs=512 count=10
# chmod 000 /boot/efi/crypto_keyfile.bin
# chmod 600 /boot/initramfs-linux*
# cryptsetup luksAddKey /dev/sda3 /boot/efi/crypto_keyfile.bin
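To verify what luksFormat -v -s 512 -h sha512 actually wrote to the header, and that luksAddKey above activated a second key slot, here is an added Python example of mine, not part of the original post, that parses the fixed-layout LUKS1 header. The byte offsets follow the LUKS1 on-disk format specification; the sample header it builds is constructed inline so the code runs without a real device, and read_header() is the function you would point at /dev/sda3 as root. It assumes a LUKS1 container: cryptsetup 2.1 and later create LUKS2 by default, whose metadata is JSON, and this parser rejects that with a version error (use cryptsetup luksDump there).

```python
"""Inspect a LUKS1 header offline: cipher, mode, hash, key size and active key slots.

Added example; header offsets follow the LUKS1 on-disk format specification.
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ENABLED = 0x00AC71F3    # key-slot state markers from the LUKS1 spec
KEY_DISABLED = 0x0000DEAD
SLOT_TABLE = 208            # byte offset of the 8 key-slot descriptors
SLOT_SIZE = 48
HEADER_SIZE = SLOT_TABLE + 8 * SLOT_SIZE   # 592 bytes


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(buf):
    """Return a dict describing a LUKS1 header, or raise ValueError."""
    if len(buf) < HEADER_SIZE or buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic or too short)")
    version = struct.unpack(">H", buf[6:8])[0]
    if version != 1:
        raise ValueError(f"LUKS version {version} not handled; use cryptsetup luksDump")
    payload_offset, key_bytes = struct.unpack(">II", buf[104:112])
    slots = []
    for i in range(8):
        off = SLOT_TABLE + i * SLOT_SIZE
        state, iterations = struct.unpack(">II", buf[off:off + 8])
        if state == KEY_ENABLED:
            slots.append({"slot": i, "iterations": iterations})
        elif state != KEY_DISABLED:
            raise ValueError(f"key slot {i} has unknown state {state:#x}")
    return {
        "cipher": _cstr(buf[8:40]),        # e.g. aes
        "mode": _cstr(buf[40:72]),         # e.g. xts-plain64
        "hash": _cstr(buf[72:104]),        # -h/--hash, e.g. sha512
        "key_bits": key_bytes * 8,         # -s/--key-size
        "payload_offset_sectors": payload_offset,
        "uuid": _cstr(buf[168:208]),
        "active_slots": [s["slot"] for s in slots],
        "slots": slots,
    }


def read_header(path):
    """Read and parse the header from a block device or image file."""
    with open(path, "rb") as f:
        return parse_luks1_header(f.read(HEADER_SIZE))


def build_sample_header(active_slots=(0,), cipher=b"aes", mode=b"xts-plain64",
                        hash_spec=b"sha512", key_bytes=64):
    """Constructed LUKS1 header for offline testing (not a real container).

    key_bytes=64 is what -s 512 means for aes-xts-plain64: two 256-bit AES keys.
    The master-key digest, its salt and the per-slot salts are left zero here;
    a real header carries random values in those fields.
    """
    hdr = bytearray(HEADER_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:8 + len(cipher)] = cipher
    hdr[40:40 + len(mode)] = mode
    hdr[72:72 + len(hash_spec)] = hash_spec
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)   # payload offset, key bytes
    uuid = b"00000000-0000-0000-0000-000000000000"        # placeholder UUID
    hdr[168:168 + len(uuid)] = uuid
    for i in range(8):
        off = SLOT_TABLE + i * SLOT_SIZE
        if i in active_slots:
            struct.pack_into(">II", hdr, off, KEY_ENABLED, 1000 + i)
        else:
            struct.pack_into(">II", hdr, off, KEY_DISABLED, 0)
    return bytes(hdr)


if __name__ == "__main__":
    # Slot 0 = passphrase from luksFormat, slot 1 = keyfile added by luksAddKey.
    info = parse_luks1_header(build_sample_header(active_slots=(0, 1)))
    print(f"{info['cipher']}-{info['mode']} key={info['key_bits']} bits "
          f"hash={info['hash']} active slots={info['active_slots']}")
```

Two practical notes on the keyfile commands above. The dd command writes the keyfile to /boot/efi, the unencrypted EFI partition of the same disk, so anyone holding the disk can read the key and the protection against theft described at the top of the post is lost; a keyfile only adds something when it lives on a separate device that you carry, which is what the cryptkey=/dev/sdb1:vfat:/crypto_keyfile.bin example further down describes. Also, chmod 000 on a path inside /boot/efi has no effect, because FAT has no Unix permission bits; the chmod 600 on the initramfs images in /boot (ext4) does work.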

The default Linux kernel parameter line should contain the cryptkey directive. For a file on a device the format is:

cryptkey=device:fstype:path

device is the raw block device where the key exists.
fstype is the filesystem type of the device (or auto).
path is the absolute path of the keyfile within the device.

Example of the CMDLINE in the /etc/default/grub file:

GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=/dev/mapper/arch-swap cryptdevice=/dev/sda3:luks_lvm cryptkey=/dev/sdb1:vfat:/crypto_keyfile.bin"
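A mistake in GRUB_CMDLINE_LINUX_DEFAULT only shows up as a system that does not boot, so it is worth checking the line before running grub-mkconfig. The following Python check is an added example, not from the post: it pulls the parameters out of a constructed /etc/default/grub and verifies that cryptdevice has the /dev/<partition>:<mapper name> shape with the mapper name that pvcreate used (luks_lvm), that any cryptkey has the device:fstype:path shape with an absolute path, that cryptkey is not given without a cryptdevice to apply it to, and that resume points at the swap LV's mapper path (/dev/mapper/arch-swap, from the volume group and LV names above). The expected mapper and resume names are parameters, so the check can be pointed at a different layout.

```python
"""Sanity-check the encrypt-hook kernel parameters in /etc/default/grub (added example)."""
import re

CMDLINE_RE = re.compile(r'^\s*GRUB_CMDLINE_LINUX_DEFAULT=(.*)$', re.MULTILINE)

# Constructed sample file; the values mirror the post's partition layout.
SAMPLE_GRUB = '''GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=/dev/mapper/arch-swap cryptdevice=/dev/sda3:luks_lvm"
GRUB_CMDLINE_LINUX=""
'''


def parse_cmdline(conf):
    """Return (key=value params, bare flags) from GRUB_CMDLINE_LINUX_DEFAULT."""
    m = CMDLINE_RE.search(conf)
    if m is None:
        raise ValueError("GRUB_CMDLINE_LINUX_DEFAULT not set")
    value = m.group(1).strip().strip('"\'')   # drop the shell quoting
    params, flags = {}, []
    for tok in value.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            params[key] = val
        else:
            flags.append(tok)
    return params, flags


def check_crypt_params(params, mapper="luks_lvm", resume="/dev/mapper/arch-swap"):
    """Return a list of problems; an empty list means the line looks bootable."""
    problems = []
    cryptdevice = params.get("cryptdevice")
    if cryptdevice is None:
        problems.append("cryptdevice missing: the encrypt hook has nothing to unlock")
    else:
        parts = cryptdevice.split(":")
        # device:dmname[:options], e.g. /dev/sda3:luks_lvm or /dev/sda3:luks_lvm:allow-discards
        if len(parts) not in (2, 3) or not parts[0].startswith("/dev/") or not parts[1]:
            problems.append(f"cryptdevice malformed: {cryptdevice!r}")
        elif parts[1] != mapper:
            problems.append(f"cryptdevice mapper name {parts[1]!r} is not {mapper!r}; "
                            "pvcreate/vgcreate used that name, so LVM will not find its PV")
    cryptkey = params.get("cryptkey")
    if cryptkey is not None:
        parts = cryptkey.split(":")
        if len(parts) != 3 or not parts[0].startswith("/dev/") or not parts[2].startswith("/"):
            problems.append(f"cryptkey malformed: {cryptkey!r} (want device:fstype:path)")
    res = params.get("resume")
    # Strict about the /dev/mapper/<vg>-<lv> form used in this setup; a UUID= form would be flagged too.
    if res is not None and res != resume:
        problems.append(f"resume={res!r} does not match the swap LV {resume!r}")
    return problems


def check_grub_file(conf, **kwargs):
    """Convenience wrapper: parse the file text and return the problem list."""
    params, _flags = parse_cmdline(conf)
    return check_crypt_params(params, **kwargs)


if __name__ == "__main__":
    for problem in check_grub_file(SAMPLE_GRUB) or ["OK"]:
        print(problem)
```

Feed it the text of /etc/default/grub (for example check_grub_file(open("/etc/default/grub").read())) and only run grub-mkconfig when the list comes back empty. A line that carries cryptkey but no cryptdevice is reported as a problem: the encrypt hook needs cryptdevice to know which device the key unlocks.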

Generate grub.cfg file:

grub-mkconfig -o /boot/grub/grub.cfg
grub-mkconfig -o /boot/efi/EFI/arch/grub.cfg

Post installation configurations.

The remaining part is to install essential software packages like the Xorg server, pulseaudio, alsa utilities and synaptics touchpad drivers, set the root password, add a standard user account, set the timezone, and add the aur and multilib repositories.

I wrote a simple bash script to automate this process. Below is the procedure on how to use the script.

pacman -S git --noconfirm
git clone https://github.com/jmutai/dotfiles.git
cp dotfiles/setup/pacman.conf /etc/pacman.conf
cp dotfiles/setup/live-setup.sh .
chmod +x live-setup.sh
./live-setup.sh

You can modify live-setup script to change timezone settings and system
hostname. After successful setup, exit chroot environment, unmount the
partitions and reboot your system.

exit
umount -R /mnt
reboot
