Arch Linux Full Disk Encryption

Full Disk Encryption is probably one of the first things to set up on a new system in a world in which #BigBrother is always watching you. The issue we had: a keyfile that is needed to decrypt your system is nice, but if it (the keyfile) sits unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt the USB device as well, with a passphrase. And that's what we're going to show here.

This HowTo was initially written in 2015, and was updated in 2017.

Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD.

# verify the image before writing it; $VERSION and $DEVICE are placeholders
~$ shasum archlinux-$VERSION-dual.iso
~$ dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192
# boot the live system; if necessary reconfigure your keyboard layout
~$ loadkeys fr
# check for network connectivity ($HOST is any reachable host)
~$ ping -c 3 $HOST
# request an IP address on your network interface
~$ ifconfig -a
~$ dhclient $NIC
# list the disks so you know which device is which
~$ fdisk -l | grep Disk
# create the keyfile in a RAM-backed tmpfs so the plaintext key never touches a disk
~$ mkdir ./mytmpfs
~$ mount tmpfs ./mytmpfs -t tmpfs -o size=32m
~$ cd ./mytmpfs
~$ dd if=/dev/urandom of=secretkey bs=1024 count=4
~$ mkdir /mnt/boot && mkdir /mnt/home

The partitioning structure of a disk is every user's own choice; that's why we recommend reading the paragraph Partition Scheme to get a short introduction to the subject and make up your mind.

Get a pen and a piece of paper and start off by drawing your structure. When done, continue to the next paragraph.

Basically there are two "formats" for partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages compared with GPT, we are going to use the latter. For more detailed information about MBR and the other possibilities, please refer to the Partition table paragraph.

# gdisk disk-device

You will be dropped into the gdisk program's own command line, so proceed as follows:

Step  Command  Explanation
1     o        Create a new GUID partition table.
2     n        Create a new partition. (All partitions with GPT are primary.)
X     w        Write the partition table to disk.
Y     q        Exit the gdisk command line.

with keyfile

# format the root and home partitions with the keyfile as the LUKS key (<device> is the partition)
~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile
~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root
~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE home
# partition the USB storage device, then encrypt it with a passphrase so the keyfile is never stored in the clear
~$ cfdisk /dev/$DEVICE
~$ cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/$DEVICE # USB storage device
~$ cryptsetup luksOpen /dev/$DEVICE bootdevice # open it under the mapper name used below
~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice
~$ cfdisk /dev/$DEVICE1 # make it bootable

with password

# format the partition with a passphrase instead of a keyfile (you are asked to type it twice)
~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME
~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME
~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt

on disk boot device

~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
# DOS; primary partition + bootable
~$ cfdisk /dev/$BOOTDEVICE
~$ mount /dev/$BOOTDEVICE /mnt/boot

external boot device

~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable
~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
# mount the opened root container first, then the boot partition below it
~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
~$ mkdir -p /mnt/boot
~$ mount /dev/$BOOTDEVICE /mnt/boot
# install the base system and generate the fstab from the mounted devices
~$ pacstrap -i /mnt base base-devel
~$ genfstab -U /mnt > /mnt/etc/fstab
~$ arch-chroot /mnt /bin/bash
# locale, console keymap, time zone and hostname
~$ nano /etc/locale.gen
~$ locale-gen
~$ echo LANG=en_IE.UTF-8 > /etc/locale.conf
~$ nano /etc/vconsole.conf # KEYMAP=fr
~$ ln -sf /usr/share/zoneinfo/$CONTINENT/$COUNTRY /etc/localtime
~$ hwclock --systohc --utc
~$ echo $HOSTNAME > /etc/hostname
# the initramfs must be able to unlock the LUKS container before mounting root
~$ nano /etc/mkinitcpio.conf
# add: keymap keyboard encrypt **before** filesystems in the HOOKS variable
~$ mkinitcpio -p linux
~$ passwd root
# boot loader (syslinux) on the GPT disk
~$ pacman -S syslinux gptfdisk
~$ syslinux-install_update -iam
~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
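A wrong order in the HOOKS variable is the classic reason the freshly built initramfs cannot unlock the root container. The script below is an added example, not part of the original HowTo: it lints the HOOKS line of an mkinitcpio.conf (both the quoted and the array form) and fails when encrypt does not come before filesystems, or keymap/keyboard do not come before encrypt. The sample configs it writes to temporary files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: lint the HOOKS line of a
# mkinitcpio.conf before running mkinitcpio -p linux. encrypt must run before
# filesystems (otherwise the initramfs tries to mount root before the LUKS
# container is open), and keymap/keyboard must run before encrypt so the
# passphrase can be typed with the right layout.

# Print the hook names of the last active HOOKS= line, accepting both the
# quoted form  HOOKS="base udev ..."  and the array form  HOOKS=(base udev ...).
hooks_from_conf() {
    grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 \
        | sed -e 's/^[[:space:]]*HOOKS=//' -e 's/[()"'"'"']//g'
}

# 1-based position of hook $2 in the space-separated list $1; empty if absent.
hook_index() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -n -x "$2" | head -n 1 | cut -d: -f1
}

# $1 = hook list, $2 = hook that must precede, $3 = hook that must follow.
# Returns 0 only when both hooks exist and $2 comes before $3.
must_precede() {
    a=$(hook_index "$1" "$2"); b=$(hook_index "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then echo "missing hook: $2 or $3"; return 1; fi
    if [ "$a" -ge "$b" ]; then echo "hook $2 must come before $3"; return 1; fi
    return 0
}

# Returns 0 if the mkinitcpio.conf at $1 has a boot-safe hook order, 1 otherwise.
check_hooks() {
    hooks=$(hooks_from_conf "$1")
    must_precede "$hooks" encrypt filesystems &&
    must_precede "$hooks" keymap encrypt &&
    must_precede "$hooks" keyboard encrypt
}

# Constructed sample configs (not real files) to exercise the check.
good=$(mktemp); bad=$(mktemp)
printf 'HOOKS=(base udev autodetect keymap keyboard modconf block encrypt filesystems fsck)\n' > "$good"
printf '#HOOKS=(base udev keymap keyboard block encrypt filesystems)\nHOOKS="base udev autodetect modconf block filesystems keyboard encrypt fsck"\n' > "$bad"
check_hooks "$good" && echo "good config: OK"
check_hooks "$bad"  || echo "bad config: rejected"
rm -f "$good" "$bad"
```

Run it against the chroot's /etc/mkinitcpio.conf before mkinitcpio; a commented-out HOOKS line is ignored, only the last active one counts.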

Good luck!

~$ exit
~$ umount -R /mnt

Tiny troubles might pop up. The few below tend to occur due to human error. ;)

Command failed with code 22: Invalid argument

When luksFormat asks for confirmation, type the 'yes' in capitals (YES) and hit Enter.

Error: /boot/syslinux is empty!
Is /boot mounted?

Reinstall syslinux package.

If mount /dev/bootdevice /mnt gives you an error about write protection, ask yourself whether you have formatted the relevant partition in the first place.

# from the live system: open the root container, re-create the boot filesystem and chroot back in
~$ cryptsetup luksOpen /dev/$ROOTPARTITION root
~$ mount /dev/mapper/root /mnt
~$ mkfs.ext2 /dev/$BOOTPARTITION # wipes /boot; it is regenerated below
~$ mount /dev/$BOOTPARTITION /mnt/boot
~$ genfstab -U /mnt > /mnt/etc/fstab
~$ arch-chroot /mnt /bin/bash
# reinstall syslinux and the kernel so /boot is populated again
~$ pacman -R syslinux
~$ pacman -Syy syslinux
~$ syslinux-install_update -iam
~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
~$ pacman -S linux
~$ exit
~$ umount -R /mnt
Last modified: 2021/07/19 23:58 by xbr