projects:howtos:archlinux-full-disk-encryption

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
projects:howtos:archlinux-full-disk-encryption [2017/02/05 22:46] – [/boot partition] prometheusprojects:howtos:archlinux-full-disk-encryption [2021/07/19 23:58] (current) – fix formatting xbr
Line 3: Line 3:
 Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt to USB device as well; with a passphrase. And that's what we're going to show here. Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt to USB device as well; with a passphrase. And that's what we're going to show here.
  
-<note tip>The **Paranoia** paragraphs haven't been finished just yet.</note>+<note warning>This HowTo was initially written in 2015, and was updated in 2017.</note>
  
 ===== Requirements ===== ===== Requirements =====
Line 14: Line 14:
 Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD.
  
-<sxh bash;>+<code>
 ~$: shasum archlinux-$VERSION-dual.iso ~$: shasum archlinux-$VERSION-dual.iso
 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192
-</sxh>+</code>
  
 ===== Booting ===== ===== Booting =====
  
-<sxh bash;>+<code>
 # if necessary reconfigure your keyboard layout # if necessary reconfigure your keyboard layout
-root@archiso loadkeys fr+~loadkeys fr
 # check for network connectivity # check for network connectivity
-root@archiso ping 8.8.8.8+~ping 8.8.8.8
 # request IP address # request IP address
-root@archiso ifconfig -a +~ifconfig -a 
-root@archiso dhclient $NIC +~dhclient $NIC 
-</sxh>+</code>
  
 ===== tmpfs (Paranoia) ===== ===== tmpfs (Paranoia) =====
  
-<sxh+<code
-root@archiso fdisk -l | grep Disk +~fdisk -l | grep Disk 
-root@archiso mkdir ./mytmpfs +~mkdir ./mytmpfs 
-root@archiso mount tmpfs ./mytmpfs -t tmpfs -o size=32m +~mount tmpfs ./mytmpfs -t tmpfs -o size=32m 
-root@archiso cd ./mytmpfs +~cd ./mytmpfs 
-root@archiso dd if=/dev/urandom of=secretkey bs=1024 count=4 +~dd if=/dev/urandom of=secretkey bs=1024 count=4 
-root@archiso mkdir /mnt/boot && mkdir /mnt/home +~mkdir /mnt/boot && mkdir /mnt/home 
-</sxh>+</code>
  
 ===== Partitioning ===== ===== Partitioning =====
Line 52: Line 52:
 Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph. Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph.
  
-<sxh>+<code>
 # gdisk disk-device # gdisk disk-device
-</sxh>+</code>
  
 You will be thrown in a own commandline of the gdisk program, so proceed as follows: You will be thrown in a own commandline of the gdisk program, so proceed as follows:
Line 66: Line 66:
 ===== Encryption ===== ===== Encryption =====
  
-<sxh bash; title: with keyfile> +=== with keyfile === 
-root@archiso cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile +<code
-root@archiso cryptsetup luksOpen -d keyfile /dev/$DEVICE root +~cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile 
-root@archiso cryptsetup luksOpen -d keyfile /dev/$DEVICE home +~cryptsetup luksOpen -d keyfile /dev/$DEVICE root 
-root@archiso cfdisk /dev/$DEVICE +~cryptsetup luksOpen -d keyfile /dev/$DEVICE home 
-root@archiso cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/$DEVICE # USB storage device +~cfdisk /dev/$DEVICE 
-root@archiso mkfs.vfat -F 32 -I /dev/mapper/bootdevice +~cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/$DEVICE # USB storage device 
-root@archiso cfdisk /dev/$DEVICE1 # make it bootable +~mkfs.vfat -F 32 -I /dev/mapper/bootdevice 
-</sxh>+~cfdisk /dev/$DEVICE1 # make it bootable 
 +</code>
  
-<sxh bash; title: with password> +=== with password === 
-root@archiso cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>  +<code
-root@archiso cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME +~cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>  
-root@archiso mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME +~cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME 
-root@archiso mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt +~mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME 
-</sxh>+~mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt 
 +</code>
  
 ===== /boot partition ===== ===== /boot partition =====
  
-<sxh bash; title: on disk boot device> +=== on disk boot device === 
-root@archiso ~ mkfs.ext3 -L boot /dev/$BOOTDEVICE+<code
 +~mkfs.ext3 -L boot /dev/$BOOTDEVICE
 # DOS; primary partition + bootable # DOS; primary partition + bootable
-root@archiso cfdisk /dev/$BOOTDEVICE +~cfdisk /dev/$BOOTDEVICE 
-root@archiso mount /dev/$BOOTDEVICE /mnt/boot +~mount /dev/$BOOTDEVICE /mnt/boot 
-</sxh>+</code>
  
-<sxh bash; title: external boot device> +=== external boot device === 
-root@archiso mkfs.ext3 -L boot /dev/$BOOTDEVICE +<code
-root@archiso cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable +~mkfs.ext3 -L boot /dev/$BOOTDEVICE 
-root@archiso mkfs.ext3 -L boot /dev/$BOOTDEVICE +~cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable 
-root@archiso mount /dev/$BOOTDEVICE /mnt/boot +~mkfs.ext3 -L boot /dev/$BOOTDEVICE 
-</sxh>+~mount /dev/$BOOTDEVICE /mnt/boot 
 +</code>
  
 ===== Mounting ===== ===== Mounting =====
  
-<sxh bash; title: external boot device+<code> 
-</sxh>+~$ mkdir /mnt/boot 
 +~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt 
 +~$ mount /dev/$BOOTDEVICE /mnt/boot 
 +</code>
  
 ===== Bootstrapping ===== ===== Bootstrapping =====
  
-<sxh bash;+<code
-root@archiso pacstrap -i /mnt base base-devel +~pacstrap -i /mnt base base-devel 
-root@archiso genfstab -U /mnt > /mnt/etc/fstab +~genfstab -U /mnt > /mnt/etc/fstab 
-root@archiso arch-chroot /mnt /bin/bash +~arch-chroot /mnt /bin/bash 
-root@archiso nano /etc/locale.gen +~nano /etc/locale.gen 
-root@archiso locale-gen +~locale-gen 
-root@archiso echo LANG=en_IE.UTF-8 > /etc/locale.conf +~echo LANG=en_IE.UTF-8 > /etc/locale.conf 
-root@archiso nano /etc/vconsole.conf # KEYMAP=fr +~nano /etc/vconsole.conf # KEYMAP=fr 
-root@archiso ln -sf /usr/share/zoneinfo/$CONTINENT/$COUNTRY /etc/localtime +~ln -sf /usr/share/zoneinfo/$CONTINENT/$COUNTRY /etc/localtime 
-root@archiso hwclock --systohc --utc +~hwclock --systohc --utc 
-root@archiso echo $HOSTNAME > /etc/hostname +~echo $HOSTNAME > /etc/hostname 
-root@archiso nano /etc/mkinitcpio.conf # add: keymap keyboard encrypt **before** filesystem in the HOOKS variable +~nano /etc/mkinitcpio.conf  
-root@archiso mkinitcpio -p linux +# add: keymap keyboard encrypt **before** filesystem in the HOOKS variable 
-root@archiso passwd root +~mkinitcpio -p linux 
-root@archiso ~ # pacman -S syslinux +~passwd root 
-root@archiso ~ # syslinux-install_update -iam +</code>
-root@archiso ~ # nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw +
-root@archiso ~ # exit +
-root@archiso ~ # umount -R /mnt+
  
-</sxh>+===== syslinux =====
  
 +<code>
 +~$ pacman -S syslinux gptfdisk
 +~$ syslinux-install_update -iam
 +~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
 +</code>
 +
 +===== Unmount & Reboot =====
 +
 +Good luck!
 +
 +<code>
 +~$ exit
 +~$ umount -R /mnt
 +</code>
 ===== Troubleshooting ===== ===== Troubleshooting =====
 +
 +Tiny troubles might pup up. The few below have a tendency to occur due to human interaction failure. ;)
 +==== cryptsetup failed ====
 +
 +<code>
 +Command failed with code 22: Invalid argument
 +</code>
 +  
 +Enter the 'yes' in capslock: YES and hit Enter?
  
 ==== syslinux ==== ==== syslinux ====
  
-  Error: /boot/syslinux is empty! +<code> 
-  Is /boot mounted?+Error: /boot/syslinux is empty! 
 +Is /boot mounted? 
 +</code>
      
- Reinstall syslinux package.+Reinstall syslinux package.
  
 ==== Write-Protected ==== ==== Write-Protected ====
  
-If mount /dev/bootdevice /mnt gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.+If ''mount /dev/bootdevice /mnt'' gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.
  
 ==== Repairing boot partition ==== ==== Repairing boot partition ====
  
-<sxh bash;+<code
-root@archiso cryptsetup luksOpen /dev/$ROOTPARTITION root +~cryptsetup luksOpen /dev/$ROOTPARTITION root 
-root@archiso mount /dev/mapper/root /mnt +~mount /dev/mapper/root /mnt 
-root@archiso mkfs.ext2 /dev/$BOOTPARTITION +~mkfs.ext2 /dev/$BOOTPARTITION 
-root@archiso mount /dev/$BOOTPARTITION /mnt/boot +~mount /dev/$BOOTPARTITION /mnt/boot 
-root@archiso genfstab -U /mnt > /mnt/etc/fstab +~genfstab -U /mnt > /mnt/etc/fstab 
-root@archiso arch-chroot /mnt /bin/bash +~arch-chroot /mnt /bin/bash 
-root@archiso pacman -R syslinux +~pacman -R syslinux 
-root@archiso pacman -Syy syslinux +~pacman -Syy syslinux 
-root@archiso syslinux-install_update -iam +~syslinux-install_update -iam 
-root@archiso nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw +~nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw 
-root@archiso exit +~$ pacman -S linux 
-root@archiso umount -R /mnt +~$ exit 
-</sxh>+~umount -R /mnt 
 +</code>
  
 ===== References ===== ===== References =====
  • projects/howtos/archlinux-full-disk-encryption.1486331170.txt.gz
  • Last modified: 2017/02/05 22:46
  • by prometheus