projects:howtos:archlinux-full-disk-encryption

Differences

This shows you the differences between two versions of the page.

projects:howtos:archlinux-full-disk-encryption [2021/07/19 23:47] – update warning xbr
projects:howtos:archlinux-full-disk-encryption [2021/07/19 23:58] (current) – fix formatting xbr
Line 14: Line 14:
 Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD.
  
-<sxh bash;>+<code>
 ~$: shasum archlinux-$VERSION-dual.iso ~$: shasum archlinux-$VERSION-dual.iso
 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192 ~$: dd if=archlinux-$VERSION-dual.iso of=/dev/$DEVICE bs=8192
-</sxh>+</code>
  
 ===== Booting ===== ===== Booting =====
  
-<sxh bash;>+<code>
 # if necessary reconfigure your keyboard layout # if necessary reconfigure your keyboard layout
 ~$ loadkeys fr ~$ loadkeys fr
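Review bot: the replacement `<code>` tags in this hunk drop the `bash` language that `<sxh bash;>` carried; DokuWiki's `<code bash>` would keep the highlighting. In the first block the two commands use a `~$:` prompt while the Booting block uses `~$`, and `shasum` prints a digest with nothing to compare it against, so consider showing the comparison with the published checksum before the `dd` line.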
Line 29: Line 29:
 ~$ ifconfig -a ~$ ifconfig -a
 ~$ dhclient $NIC ~$ dhclient $NIC
-</sxh>+</code>
  
 ===== tmpfs (Paranoia) ===== ===== tmpfs (Paranoia) =====
  
-<sxh>+<code>
 ~$ fdisk -l | grep Disk ~$ fdisk -l | grep Disk
 ~$ mkdir ./mytmpfs ~$ mkdir ./mytmpfs
Line 40: Line 40:
 ~$ dd if=/dev/urandom of=secretkey bs=1024 count=4 ~$ dd if=/dev/urandom of=secretkey bs=1024 count=4
 ~$ mkdir /mnt/boot && mkdir /mnt/home ~$ mkdir /mnt/boot && mkdir /mnt/home
-</sxh>+</code>
  
 ===== Partitioning ===== ===== Partitioning =====
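Review bot: the key written by `dd if=/dev/urandom of=secretkey bs=1024 count=4` is named `secretkey`, but the Encryption block later passes `keyfile` to `luksFormat` and `luksOpen -d`; use one name in both places. The file is also created with default permissions, so a `chmod 600 secretkey` (or `umask 077` beforehand) next to the `dd` line would be worth adding.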
Line 52: Line 52:
 Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph. Basically there exist two "formats" of partitioning a disk: MBR and GPT. As MBR is from the last century and has many disadvantages in comparison with [[https://wiki.archlinux.org/index.php/Partitioning#Using_GPT_-_modern_method|GTP]], we are going to use the latter one. For more detailed information about MBR and other possibility, please refer to the [[https://wiki.archlinux.org/index.php/Partitioning#Partition_table|Partion table]] paragraph.
  
-<sxh>+<code>
 # gdisk disk-device # gdisk disk-device
-</sxh>+</code>
  
 You will be thrown in a own commandline of the gdisk program, so proceed as follows: You will be thrown in a own commandline of the gdisk program, so proceed as follows:
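Review bot: since this revision is a formatting pass, the context paragraph above the `gdisk` block still has `GTP` as the link text for GPT, `Partion table`, and "thrown in a own commandline"; fix those in the same edit. The block also uses a `#` prompt with the literal `disk-device`, where the other blocks use `~$` and a `/dev/$DEVICE` variable.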
Line 66: Line 66:
 ===== Encryption ===== ===== Encryption =====
  
-<sxh bash; title: with keyfile>+=== with keyfile === 
 +<code>
 ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile
 ~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root ~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root
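Review bot: the new `=== with keyfile ===` heading sits directly under `===== Encryption =====` and skips the `====` level, while the Troubleshooting section uses `==== cryptsetup failed ====` for its subsections; use `====` here and for the other titles converted from `sxh`. In the block itself, `luksFormat <device> keyfile` and `luksOpen -d keyfile /dev/$DEVICE root` name the same device two different ways; use `/dev/$DEVICE` in both.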
Line 74: Line 75:
 ~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice ~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice
 ~$ cfdisk /dev/$DEVICE1 # make it bootable ~$ cfdisk /dev/$DEVICE1 # make it bootable
-</sxh>+</code>
  
-<sxh bash; title: with password>+=== with password === 
 +<code>
 ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>  ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device> 
 ~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME ~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME
 ~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME ~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME
 ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
-</sxh>+</code>
  
 ===== /boot partition ===== ===== /boot partition =====
  
-<sxh bash; title: on disk boot device>+=== on disk boot device === 
 +<code>
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 # DOS; primary partition + bootable # DOS; primary partition + bootable
 ~$ cfdisk /dev/$BOOTDEVICE ~$ cfdisk /dev/$BOOTDEVICE
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
-<sxh bash; title: external boot device>+=== external boot device === 
 +<code>
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 ~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable ~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable
 ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE ~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
 ===== Mounting ===== ===== Mounting =====
  
-<sxh bash; title: mounting>+<code>
 ~$ mkdir /mnt/boot ~$ mkdir /mnt/boot
 ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt ~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
 ~$ mount /dev/$BOOTDEVICE /mnt/boot ~$ mount /dev/$BOOTDEVICE /mnt/boot
-</sxh>+</code>
  
 ===== Bootstrapping ===== ===== Bootstrapping =====
  
-<sxh bash;>+<code>
 ~$ pacstrap -i /mnt base base-devel ~$ pacstrap -i /mnt base base-devel
 ~$ genfstab -U /mnt > /mnt/etc/fstab ~$ genfstab -U /mnt > /mnt/etc/fstab
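Review bot: in the "external boot device" block `mkfs.ext3 -L boot /dev/$BOOTDEVICE` appears twice, once before and once after `cfdisk`; keep a single format step, after partitioning. In the Mounting block, `mkdir /mnt/boot` runs before `mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt`, so the directory is created on the live system and then hidden by the root mount; move the `mkdir` to after the root mount so that `mount /dev/$BOOTDEVICE /mnt/boot` has a target on the new filesystem.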
Line 124: Line 128:
 ~$ mkinitcpio -p linux ~$ mkinitcpio -p linux
 ~$ passwd root ~$ passwd root
-</sxh>+</code>
  
 ===== syslinux ===== ===== syslinux =====
  
-<sxh bash;>+<code>
 ~$ pacman -S syslinux gptfdisk ~$ pacman -S syslinux gptfdisk
 ~$ syslinux-install_update -iam ~$ syslinux-install_update -iam
 ~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw ~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
-</sxh>+</code>
  
 ===== Unmount & Reboot ===== ===== Unmount & Reboot =====
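Review bot: the kernel command line is only given as a trailing comment on the `nano` line, and its names do not line up: `root=/dev/mapper/group-name` and `cryptdevice=/dev/sda2:name` refer to different mapper names, and neither matches the `root` or `$CRYPTSETUP_DEVICE_NAME` mappings opened in the Encryption section. The name after the colon in `cryptdevice=` is the mapper name created at boot, so `root=` should point at that same name; put the APPEND line in its own block and replace the hard-coded `/dev/sda2` with the `$DEVICE` variable used elsewhere.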
Line 138: Line 142:
 Good luck! Good luck!
  
-<sxh bash;>+<code>
 ~$ exit ~$ exit
 ~$ umount -R /mnt ~$ umount -R /mnt
-</sxh>+</code>
 ===== Troubleshooting ===== ===== Troubleshooting =====
  
Line 147: Line 151:
 ==== cryptsetup failed ==== ==== cryptsetup failed ====
  
-  Command failed with code 22: Invalid argument+<code> 
 +Command failed with code 22: Invalid argument 
 +</code>
      
 Enter the 'yes' in capslock: YES and hit Enter? Enter the 'yes' in capslock: YES and hit Enter?
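Review bot: the fix line under the new `<code>` block, "Enter the 'yes' in capslock: YES and hit Enter?", ends in a question mark and does not say which prompt it answers; state it as an instruction and name the command that asks for the confirmation. The whitespace-only line left between `</code>` and that sentence is a remnant of the old indented block and can be removed.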
Line 153: Line 159:
 ==== syslinux ==== ==== syslinux ====
  
-  Error: /boot/syslinux is empty! +<code> 
-  Is /boot mounted?+Error: /boot/syslinux is empty! 
 +Is /boot mounted? 
 +</code>
      
 Reinstall syslinux package. Reinstall syslinux package.
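Review bot: the only remedy offered after the converted error block is "Reinstall syslinux package.", although the message itself asks `Is /boot mounted?`; add a step that checks the boot partition is mounted at `/boot` before reinstalling.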
Line 160: Line 168:
 ==== Write-Protected ==== ==== Write-Protected ====
  
-If mount /dev/bootdevice /mnt gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.+If ''mount /dev/bootdevice /mnt'' gives you an error about write protection; ask yourself if you have formatted the relative partition in the first place.
  
 ==== Repairing boot partition ==== ==== Repairing boot partition ====
  
-<sxh bash;>+<code>
 ~$ cryptsetup luksOpen /dev/$ROOTPARTITION root ~$ cryptsetup luksOpen /dev/$ROOTPARTITION root
 ~$ mount /dev/mapper/root /mnt ~$ mount /dev/mapper/root /mnt
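Review bot: the newly marked-up `''mount /dev/bootdevice /mnt''` does not match the commands on the rest of the page, which mount `/dev/$BOOTDEVICE` on `/mnt/boot`; align the device name and the mount point. The sentence would also read better with a comma instead of the semicolon and "relevant partition" instead of "relative partition".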
Line 178: Line 186:
 ~$ exit ~$ exit
 ~$ umount -R /mnt ~$ umount -R /mnt
-</sxh>+</code>
  
 ===== References ===== ===== References =====
  • projects/howtos/archlinux-full-disk-encryption.txt
  • Last modified: 2021/07/19 23:58
  • by xbr