Arch Linux installation with full disk encryption using LVM, LUKS and GRUB2

This is gonna be a “quick” walk-through on how to install Arch Linux with a nearly fully encrypted HDD (/boot is the one partition that stays unencrypted).
I have tested this guide with archlinux-2012.09.07-dual.iso, which uses SysV init, and archlinux-2012.10.06-dual.iso, which was the first one using systemd, so this tutorial covers both init daemons.

Update: This article got translated to Swedish. Thx Sam!

The tutorials I found were all outdated or caused problems because of one of the following:

  • The Arch Linux Installation Framework (AIF), formerly started with /arch/setup, is no longer included in the Arch Linux ISOs; the command only responds with “no such file or directory”.
  • GRUB2 replaces GRUB legacy and needs to be configured differently.
  • The keyboard layout didn’t match mine, so I had some problems entering my passphrase ;)

Let’s start…

[Image: Arch Linux Logo from archlinux.org/art/]

Step 1: Prepare the Harddisk

Boot gparted from a USB stick and configure your disk as follows:

1. Set your partition table to MBR

2. Create the first partition (later used as /boot): 200 MB, set the bootable flag, filesystem: ext3

3. Create the second partition (later used with LVM, containing /, swap and /home): use the remaining space, leave it unformatted, set the LVM flag

PS: For more information on partitioning have a look at the Arch Linux wiki. If you don’t want to use gparted you can just boot the Arch Linux ISO and use “parted” or “fdisk”. It’s also possible to use GPT instead of MBR, but then you will need a third partition of about 2 MB; I won’t describe this here – just come back when you have figured it out. For a UEFI setup you will also have to look for another source of information ;)

Step 2: Boot the Arch Linux ISO from a USB stick

Search for your keyboard layout and activate it:

loadkeys de-latin1-nodeadkeys.map.gz

Establish a WiFi connection if you don’t have wired access to the Internet:

wifi-menu


Step 3: Encrypt partition, configure LVM

Load the kernel module for encryption:

modprobe dm-crypt

Encrypt the big partition (sda2) with AES using a 256-bit key (XTS splits the given key length in half, so -s 512 results in AES-256). Have fun with the man page and the FAQ.

cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat /dev/sda2

And open it, so it will be available as /dev/mapper/lvm:

cryptsetup luksOpen /dev/sda2 lvm


Create a physical volume, volume group, logical volumes (details):

pvcreate /dev/mapper/lvm
vgcreate main /dev/mapper/lvm
lvcreate -L 20GB -n root main
lvcreate -L 8GB -n swap main
lvcreate -l 100%FREE -n home main

Now we need a filesystem on them:

mkswap /dev/mapper/main-swap
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home


Step 4: Mount volumes, install Arch Linux

Mount the volumes into the running live system:

mount /dev/mapper/main-root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
mkdir /mnt/home
mount /dev/mapper/main-home /mnt/home

Install the base and base-devel packages to /mnt (Internet connection required):

pacstrap /mnt base base-devel

Install GRUB2 to /mnt (part 1):

pacstrap /mnt grub-bios

Generate fstab:

genfstab -p -U /mnt > /mnt/etc/fstab


Step 5: chroot and configure the system

chroot:

arch-chroot /mnt

Delete the # in front of your language of choice (e.g. de_DE.UTF-8 UTF-8) in /etc/locale.gen and generate the locale:

vi /etc/locale.gen
locale-gen
echo LANG=de_DE.UTF-8 > /etc/locale.conf
export LANG=de_DE.UTF-8

Generate /etc/vconsole.conf with the following 3 lines to bind your keys correctly:

KEYMAP="de-latin1-nodeadkeys"
FONT=Lat2-Terminus16
FONT_MAP=

Create a symbolic link /etc/localtime to your zone file /usr/share/zoneinfo/<Zone>/<SubZone>:

ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Define your hostname:

echo archserv > /etc/hostname


!Outdated: Edit /etc/rc.conf: delete the # and set USELVM="yes"

!Update: If you’re using archlinux-2012.10.06-dual.iso or newer, the default init daemon is systemd and rc.conf is no longer used. Use the following command to activate the lvm service for systemd:

systemctl enable lvm.service

Edit /etc/mkinitcpio.conf: put “keymap”, “encrypt” and “lvm2” (in that order!) before “filesystems” in the HOOKS array.

Regenerate the ramdisk:

mkinitcpio -p linux


Now install GRUB (part 2) to the whole device, not to a partition or a volume:

grub-install /dev/sda

In /etc/default/grub change the line GRUB_CMDLINE_LINUX="" to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:main", then run:

grub-mkconfig -o /boot/grub/grub.cfg
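The two edits above are the ones most often got wrong (hooks in the wrong order, cryptdevice= missing). As an added example that is not part of the original guide, here is a small POSIX sh script that checks a mkinitcpio.conf HOOKS line for the required order and rewrites GRUB_CMDLINE_LINUX; it works on constructed sample files in a temporary directory, so it can be tried without touching a real installation. The function names and the sample contents are my own.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks for the Step 5 edits.

# Print the 1-based position of hook $1 in the whitespace-separated list $2 (0 if absent).
hook_pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        [ "$h" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# Return 0 if HOOKS in file $1 lists keymap, encrypt and lvm2 in that order,
# all before filesystems. Accepts both HOOKS="..." (2012 ISOs) and HOOKS=(...).
check_hooks() {
    hooks=$(sed -n -e 's/^HOOKS="\(.*\)".*/\1/p' -e 's/^HOOKS=(\(.*\)).*/\1/p' "$1")
    k=$(hook_pos keymap "$hooks")
    e=$(hook_pos encrypt "$hooks")
    l=$(hook_pos lvm2 "$hooks")
    f=$(hook_pos filesystems "$hooks")
    [ "$k" -gt 0 ] && [ "$e" -gt "$k" ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ]
}

# Rewrite GRUB_CMDLINE_LINUX in file $1 to cryptdevice=$2:$3 and print the resulting line.
# $2 may be /dev/sda2 or a /dev/disk/by-uuid/... path; the pipe delimiter keeps slashes safe.
set_cryptdevice() {
    sed "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"cryptdevice=$2:$3\"|" "$1" > "$1.new" \
        && mv "$1.new" "$1"
    grep '^GRUB_CMDLINE_LINUX=' "$1"
}

# Constructed sample files (not real system files).
tmp=$(mktemp -d)
printf 'HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems fsck"\n' > "$tmp/good.conf"
printf 'HOOKS="base udev autodetect modconf block filesystems keymap encrypt lvm2 fsck"\n' > "$tmp/bad.conf"
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX=""\n' > "$tmp/grub"

check_hooks "$tmp/good.conf" && echo "good.conf: hook order ok"
check_hooks "$tmp/bad.conf" || echo "bad.conf: encrypt/lvm2 after filesystems, root would not be found at boot"
set_cryptdevice "$tmp/grub" /dev/sda2 main
```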

Set your root password:

passwd


Exit the chroot:

exit


Unmount:

umount /mnt/boot
umount /mnt/home
umount /mnt

Reboot into your new system.

Back up your LUKS crypt header!

Have fun.

PS: If you want to open your LVM from within another (live) system, these commands can come in handy:

cryptsetup luksOpen /dev/sd?? lvm
sudo pvscan
sudo vgscan
sudo lvscan
sudo vgchange -a y

12 comments

  1. zes says:

    Hi, thanks for that fantastic & easy how-to.

    In my USB install I prefer to modify /etc/default/grub with /dev/disk/by-uuid/ instead of /dev/sd#, using blkid to discover the partition UUIDs.

    anyway, thanks again
    cu

  2. kxx says:

    Doesn’t work with archlinux_2013.07.01

  3. honkzongo says:

    !!! IT DOES WORK !!!

    I just set up a system with this guide,
    adding the changes provided here:

    https://www.archlinux.org/news/changes-to-lvm/

    Too bad Arch does not have an installer… could have saved a lot of time.

  4. bitnukl says:

    Thx for the guide, successfully installed Arch 201310 from USB.

    When installed from USB you have to add “–target i386-pc” to the “grub-install” command, otherwise it will try to install efibootmgr.

  5. PukingMonkey says:

    Works flawlessly

  6. Philipp says:

    Hi everybody,

    thx for your comments!
    I’m happy to hear that my stuff is useful for some of you.

  7. sergkog says:

    nano /etc/default/grub
    # Fix broken grub.cfg gen
    GRUB_DISABLE_SUBMENU=y

  8. ste says:

    Perfect, just tried it in Virtualbox before installing on real disk.

    Two things do not work:

    1) systemctl enable lvm-monitoring.service (lvm.service does not exist)

    2) cryptsetup luksOpen /dev/sd?? needs argument;
    cryptsetup luksOpen /dev/sd?? main

    I think you agree if I translate it into Italian, with a backlink of course; I do not see any license so I prefer to ask.

  9. zaz says:

    Excellent guide, works like a charm with no hassle. Thanks a lot !

  10. Sagar Behere says:

    Worked perfectly. Thanks. I messed about with my first arch installation by following the official install guide, but kept getting encryption related errors. Your guide ‘simply worked’ :)
