Differences
This shows you the differences between two versions of the page.
projects:howtos:archlinux-full-disk-encryption [2017/02/06 23:03] – [tmpfs (Paranoia)] prometheus | projects:howtos:archlinux-full-disk-encryption [2021/07/19 23:58] (current) – fix formatting xbr | ||
---|---|---|---|
Line 3: | Line 3: | ||
Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn' | Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn' | ||
- | <note warning>We're updating. It works but some things might fail.</ | + | <note warning>This HowTo was initially written in 2015, and was updated in 2017.</ |
===== Requirements ===== | ===== Requirements ===== | ||
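Review bot: the replacement `<note warning>` only records the 2015/2017 dates and drops the old "some things might fail" caveat; if parts of the procedure are known to be stale, the note should say which sections, since a reader runs the partitioning and `luksFormat` commands below on a live disk.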
Line 14: | Line 14: | ||
Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. | Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. | ||
- | <sxh bash;> | + | <code> |
~$: shasum archlinux-$VERSION-dual.iso | ~$: shasum archlinux-$VERSION-dual.iso | ||
~$: dd if=archlinux-$VERSION-dual.iso of=/ | ~$: dd if=archlinux-$VERSION-dual.iso of=/ | ||
- | </sxh> | + | </code> |
===== Booting ===== | ===== Booting ===== | ||
- | <sxh bash;> | + | <code> |
# if necessary reconfigure your keyboard layout | # if necessary reconfigure your keyboard layout | ||
- | root@archiso | + | ~$ loadkeys fr |
# check for network connectivity | # check for network connectivity | ||
- | root@archiso | + | ~$ ping 8.8.8.8 |
# request IP address | # request IP address | ||
- | root@archiso | + | ~$ ifconfig -a |
- | root@archiso | + | ~$ dhclient $NIC |
- | </sxh> | + | </code> |
===== tmpfs (Paranoia) ===== | ===== tmpfs (Paranoia) ===== | ||
- | <sxh> | + | <code> |
~$ fdisk -l | grep Disk | ~$ fdisk -l | grep Disk | ||
~$ mkdir ./mytmpfs | ~$ mkdir ./mytmpfs | ||
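Review bot: the `~$: shasum archlinux-$VERSION-dual.iso` line at the top of this hunk prints a digest (SHA-1 by default) but nothing compares it with a published value, so the step verifies nothing; suggest downloading the release's sha256sums and `.sig` files and checking with `sha256sum -c` and `gpg --verify`. In the Booting block, `~$ ifconfig -a` depends on the deprecated net-tools package; `ip link` / `ip addr` from iproute2 is the current equivalent.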
Line 40: | Line 40: | ||
~$ dd if=/ | ~$ dd if=/ | ||
~$ mkdir /mnt/boot && mkdir /mnt/home | ~$ mkdir /mnt/boot && mkdir /mnt/home | ||
- | </sxh> | + | </code> |
===== Partitioning ===== | ===== Partitioning ===== | ||
Line 52: | Line 52: | ||
Basically there exist two " | Basically there exist two " | ||
- | <sxh> | + | <code> |
# gdisk disk-device | # gdisk disk-device | ||
- | </sxh> | + | </code> |
You will be thrown in a own commandline of the gdisk program, so proceed as follows: | You will be thrown in a own commandline of the gdisk program, so proceed as follows: | ||
Line 66: | Line 66: | ||
===== Encryption ===== | ===== Encryption ===== | ||
- | <sxh bash; title: | + | === with keyfile |
+ | <code> | ||
~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat < | ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat < | ||
~$ cryptsetup luksOpen -d keyfile / | ~$ cryptsetup luksOpen -d keyfile / | ||
Line 74: | Line 75: | ||
~$ mkfs.vfat -F 32 -I / | ~$ mkfs.vfat -F 32 -I / | ||
~$ cfdisk / | ~$ cfdisk / | ||
- | </sxh> | + | </code> |
- | <sxh bash; title: | + | === with password |
+ | <code> | ||
~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat < | ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat < | ||
~$ cryptsetup luksOpen / | ~$ cryptsetup luksOpen / | ||
~$ mkfs.btrfs / | ~$ mkfs.btrfs / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
===== /boot partition ===== | ===== /boot partition ===== | ||
- | <sxh bash; title: | + | === on disk boot device |
+ | <code> | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
# DOS; primary partition + bootable | # DOS; primary partition + bootable | ||
~$ cfdisk / | ~$ cfdisk / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
- | <sxh bash; title: | + | === external boot device |
+ | <code> | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
~$ cfdisk / | ~$ cfdisk / | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
===== Mounting ===== | ===== Mounting ===== | ||
- | <sxh bash; title: mounting> | + | <code> |
~$ mkdir /mnt/boot | ~$ mkdir /mnt/boot | ||
~$ mount / | ~$ mount / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
===== Bootstrapping ===== | ===== Bootstrapping ===== | ||
- | <sxh bash;> | + | <code> |
~$ pacstrap -i /mnt base base-devel | ~$ pacstrap -i /mnt base base-devel | ||
~$ genfstab -U /mnt > / | ~$ genfstab -U /mnt > / | ||
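Review bot: `~$ mkfs.vfat -F 32 -I /…` in the "with keyfile" block passes `-I`, which turns off mkfs.vfat's refusal to format a whole disk device instead of a partition, so a mistyped device path wipes an entire disk; add a comment naming the intended target (the removable key device) and an `lsblk` check right before it. The same block opens the container with `luksOpen -d keyfile`, a relative path, so state where the keyfile was created and that it lives at mode 0400 on the encrypted stick the intro describes. Both `luksFormat` lines give no `--type`; the `--hash sha512 --iter-time 5000` choices were made for LUKS1's PBKDF2, while cryptsetup 2.1 and later default to LUKS2 with argon2id, so either pin `--type luks1` or revisit those options for LUKS2.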
Line 124: | Line 128: | ||
~$ mkinitcpio -p linux | ~$ mkinitcpio -p linux | ||
~$ passwd root | ~$ passwd root | ||
- | </sxh> | + | </code> |
===== syslinux ===== | ===== syslinux ===== | ||
- | <sxh bash;> | + | <code> |
~$ pacman -S syslinux gptfdisk | ~$ pacman -S syslinux gptfdisk | ||
~$ syslinux-install_update -iam | ~$ syslinux-install_update -iam | ||
~$ nano / | ~$ nano / | ||
- | </sxh> | + | </code> |
===== Unmount & Reboot ===== | ===== Unmount & Reboot ===== | ||
Line 138: | Line 142: | ||
Good luck! | Good luck! | ||
- | <sxh bash;> | + | <code> |
~$ exit | ~$ exit | ||
~$ umount -R /mnt | ~$ umount -R /mnt | ||
- | </sxh> | + | </code> |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
Line 147: | Line 151: | ||
==== cryptsetup failed ==== | ==== cryptsetup failed ==== | ||
- | | + | < |
+ | Command failed with code 22: Invalid argument | ||
+ | </ | ||
| | ||
Enter the ' | Enter the ' | ||
Line 153: | Line 159: | ||
==== syslinux ==== | ==== syslinux ==== | ||
- | | + | < |
- | Is /boot mounted? | + | Error: / |
+ | Is /boot mounted? | ||
+ | </ | ||
| | ||
Reinstall syslinux package. | Reinstall syslinux package. | ||
Line 160: | Line 168: | ||
==== Write-Protected ==== | ==== Write-Protected ==== | ||
- | If mount / | + | If '' |
==== Repairing boot partition ==== | ==== Repairing boot partition ==== | ||
- | <sxh bash;> | + | <code> |
~$ cryptsetup luksOpen / | ~$ cryptsetup luksOpen / | ||
~$ mount / | ~$ mount / | ||
Line 178: | Line 186: | ||
~$ exit | ~$ exit | ||
~$ umount -R /mnt | ~$ umount -R /mnt | ||
- | </sxh> | + | </code> |
===== References ===== | ===== References ===== |