projects:howtos:archlinux-full-disk-encryption

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
projects:howtos:archlinux-full-disk-encryption [2017/02/06 18:47] – [Arch Linux Full Disk Encryption] prometheusprojects:howtos:archlinux-full-disk-encryption [2021/07/19 23:58] (current) – fix formatting xbr
Line 2: Line 2:
  
 Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt to USB device as well; with a passphrase. And that's what we're going to show here. Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt to USB device as well; with a passphrase. And that's what we're going to show here.
 +
 +<note warning>This HowTo was initially written in 2015, and was updated in 2017.</note>
  
 ===== Requirements ===== ===== Requirements =====
Line 12: Line 14:
 Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD.
  
-<sxh bash;>+<code>
 ~$: shasum archlinux-$VERSION-dual.iso ~$: shasum archlinux-$VERSION-dual.iso
 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192
-</sxh>+</code>
  
 ===== Booting ===== ===== Booting =====
  
-<sxh bash;>+<code>
 # if necessary reconfigure your keyboard layout # if necessary reconfigure your keyboard layout
-root@archiso loadkeys fr+~loadkeys fr
 # check for network connectivity # check for network connectivity
-root@archiso ping 8.8.8.8+~ping 8.8.8.8
 # request IP address # request IP address
-root@archiso ifconfig -a +~ifconfig -a 
-root@archiso dhclient $NIC +~dhclient $NIC 
-</sxh>+</code>
  
 ===== tmpfs (Paranoia) ===== ===== tmpfs (Paranoia) =====
  
-<sxh+<code
-root@archiso fdisk -l | grep Disk +~fdisk -l | grep Disk 
-root@archiso mkdir ./mytmpfs +~mkdir ./mytmpfs 
-root@archiso mount tmpfs ./mytmpfs -t tmpfs -o size=32m +~mount tmpfs ./mytmpfs -t tmpfs -o size=32m 
-root@archiso cd ./mytmpfs +~cd ./mytmpfs 
-root@archiso dd if=/dev/urandom of=secretkey bs=1024 count=4 +~dd if=/dev/urandom of=secretkey bs=1024 count=4 
-root@archiso mkdir /mnt/boot && mkdir /mnt/home +~mkdir /mnt/boot && mkdir /mnt/home 
-</sxh>+</code>
  
 ===== Partitioning ===== ===== Partitioning =====
Line 50: Line 52:
 Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph. Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph.
  
-<sxh>+<code>
 # gdisk disk-device # gdisk disk-device
-</sxh>+</code>
  
 You will be thrown in a own commandline of the gdisk program, so proceed as follows: You will be thrown in a own commandline of the gdisk program, so proceed as follows:
Line 64: Line 66:
 ===== Encryption ===== ===== Encryption =====
  
-<sxh bash; title: with keyfile>+=== with keyfile === 
 +<code>
 ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile
 ~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root ~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root
Line 72: Line 75:
 ~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice ~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice
 ~$ cfdisk /dev/$DEVICE1 # make it bootable ~$ cfdisk /dev/$DEVICE1 # make it bootable
-</sxh>+</code>
  
-<sxh bash; title: with password>+=== with password === 
 +<code>
 ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>  ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device> 
 ~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME ~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME
 ~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME ~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME
 ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
-</sxh>+</code>
  
 ===== /boot partition ===== ===== /boot partition =====
  
-<sxh bash; title: on disk boot device>+=== on disk boot device === 
 +<code>
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 # DOS; primary partition + bootable # DOS; primary partition + bootable
 ~$ cfdisk /dev/$BOOTDEVICE ~$ cfdisk /dev/$BOOTDEVICE
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
-<sxh bash; title: external boot device>+=== external boot device === 
 +<code>
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 ~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable ~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
 ===== Mounting ===== ===== Mounting =====
  
-<sxh bash; title: mounting>+<code>
 ~$ mkdir /mnt/boot ~$ mkdir /mnt/boot
 ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
 ===== Bootstrapping ===== ===== Bootstrapping =====
  
-<sxh bash;>+<code>
 ~$ pacstrap -i /mnt base base-devel ~$ pacstrap -i /mnt base base-devel
 ~$ genfstab -U /mnt > /mnt/etc/fstab ~$ genfstab -U /mnt > /mnt/etc/fstab
Line 122: Line 128:
 ~$ mkinitcpio -p linux ~$ mkinitcpio -p linux
 ~$ passwd root ~$ passwd root
-</sxh>+</code>
  
 ===== syslinux ===== ===== syslinux =====
  
-<sxh bash;>+<code>
 ~$ pacman -S syslinux gptfdisk ~$ pacman -S syslinux gptfdisk
 ~$ syslinux-install_update -iam ~$ syslinux-install_update -iam
 ~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw ~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
-</sxh>+</code>
  
 ===== Unmount & Reboot ===== ===== Unmount & Reboot =====
Line 136: Line 142:
 Good luck! Good luck!
  
-<sxh bash;>+<code>
 ~$ exit ~$ exit
 ~$ umount -R /mnt ~$ umount -R /mnt
-</sxh>+</code>
 ===== Troubleshooting ===== ===== Troubleshooting =====
  
Line 145: Line 151:
 ==== cryptsetup failed ==== ==== cryptsetup failed ====
  
-  Command failed with code 22: Invalid argument+<code> 
 +Command failed with code 22: Invalid argument 
 +</code>
      
 Enter the 'yes' in capslock: YES and hit Enter? Enter the 'yes' in capslock: YES and hit Enter?
Line 151: Line 159:
 ==== syslinux ==== ==== syslinux ====
  
-  Error: /boot/syslinux is empty! +<code> 
-  Is /boot mounted?+Error: /boot/syslinux is empty! 
 +Is /boot mounted? 
 +</code>
      
 Reinstall syslinux package. Reinstall syslinux package.
Line 158: Line 168:
 ==== Write-Protected ==== ==== Write-Protected ====
  
-If mount /dev/bootdevice /mnt gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.+If ''mount /dev/bootdevice /mnt'' gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.
  
 ==== Repairing boot partition ==== ==== Repairing boot partition ====
  
-<sxh bash;>+<code>
 ~$ cryptsetup luksOpen /dev/$ROOTPARTITION root ~$ cryptsetup luksOpen /dev/$ROOTPARTITION root
 ~$ mount /dev/mapper/root /mnt ~$ mount /dev/mapper/root /mnt
Line 176: Line 186:
 ~$ exit ~$ exit
 ~$ umount -R /mnt ~$ umount -R /mnt
-</sxh>+</code>
  
 ===== References ===== ===== References =====
  • projects/howtos/archlinux-full-disk-encryption.1486403274.txt.gz
  • Last modified: 2017/02/06 18:47
  • by prometheus