Differences

This shows you the differences between two versions of the page.

--- projects:howtos:archlinux-full-disk-encryption [2017/02/05 22:42] – prometheus
+++ projects:howtos:archlinux-full-disk-encryption [2021/07/19 23:47] – update warning xbr
@@ Line 3: / Line 3: @@
 Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn't satisfy our paranoia. So the solution is to encrypt to USB device as well; with a passphrase. And that's what we're going to show here.
-<note tip>The **Paranoia** paragraphs haven't been finished just yet.</note>
+<note warning>This HowTo was initially written in 2015, and was updated in 2017.</note>
 ===== Requirements =====
@@ Line 23: / Line 23: @@
 <sxh bash;>
 # if necessary reconfigure your keyboard layout
-root@archiso ~ # loadkeys fr
+~$ loadkeys fr
 # check for network connectivity
-root@archiso ~ # ping 8.8.8.8
+~$ ping 8.8.8.8
 # request IP address
-root@archiso ~ # ifconfig -a
+~$ ifconfig -a
-root@archiso ~ # dhclient $NIC
+~$ dhclient $NIC
 </sxh>
@@ Line 34: / Line 34: @@
 <sxh>
-root@archiso ~ # fdisk -l | grep Disk
+~$ fdisk -l | grep Disk
-root@archiso ~ # mkdir ./mytmpfs
+~$ mkdir ./mytmpfs
-root@archiso ~ # mount tmpfs ./mytmpfs -t tmpfs -o size=32m
+~$ mount tmpfs ./mytmpfs -t tmpfs -o size=32m
-root@archiso ~ # cd ./mytmpfs
+~$ cd ./mytmpfs
-root@archiso ~ # dd if=/dev/urandom of=secretkey bs=1024 count=4
+~$ dd if=/dev/urandom of=secretkey bs=1024 count=4
-root@archiso ~ # mkdir /mnt/boot && mkdir /mnt/home
+~$ mkdir /mnt/boot && mkdir /mnt/home
 </sxh>
@@ Line 67: / Line 67: @@
 <sxh bash; title: with keyfile>
-root@archiso ~ # cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile
+~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat <device> keyfile
-root@archiso ~ # cryptsetup luksOpen -d keyfile /dev/$DEVICE root
+~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE root
-root@archiso ~ # cryptsetup luksOpen -d keyfile /dev/$DEVICE home
+~$ cryptsetup luksOpen -d keyfile /dev/$DEVICE home
-root@archiso ~ # cfdisk /dev/$DEVICE
+~$ cfdisk /dev/$DEVICE
-root@archiso ~ # cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/$DEVICE # USB storage device
+~$ cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/$DEVICE # USB storage device
-root@archiso ~ # mkfs.vfat -F 32 -I /dev/mapper/bootdevice
+~$ mkfs.vfat -F 32 -I /dev/mapper/bootdevice
-root@archiso ~ # cfdisk /dev/$DEVICE1 # make it bootable
+~$ cfdisk /dev/$DEVICE1 # make it bootable
 </sxh>
 <sxh bash; title: with password>
-root@archiso ~ # cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
+~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat <device>
-root@archiso ~ # cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME
+~$ cryptsetup luksOpen /dev/$DEVICE $CRYPTSETUP_DEVICE_NAME
-root@archiso ~ # mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME
+~$ mkfs.btrfs /dev/mapper/$CRYPTSETUP_DEVICE_NAME
-root@archiso ~ # mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
+~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
 </sxh>
@@ Line 86: / Line 86: @@
 <sxh bash; title: on disk boot device>
-root@archiso ~ # mkfs.ext3 -L boot /dev/$BOOTDEVICE
+~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
 # DOS; primary partition + bootable
-root@archiso ~ # cfdisk /dev/$BOOTDEVICE
+~$ cfdisk /dev/$BOOTDEVICE
-root@archiso ~ # mount /dev/$BOOTDEVICE /mnt/boot
+~$ mount /dev/$BOOTDEVICE /mnt/boot
 </sxh>
 <sxh bash; title: external boot device>
-root@archiso ~ # mkfs.ext3 -L boot /dev/$BOOTDEVICE
+~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
-root@archiso ~ # cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable
+~$ cfdisk /dev/$BOOTDEVICE # DOS; primary partition + bootable
-root@archiso ~ # mkfs.ext3 -L boot /dev/$BOOTDEVICE
+~$ mkfs.ext3 -L boot /dev/$BOOTDEVICE
-root@archiso ~ # mount /dev/$BOOTDEVICE /mnt/boot
+~$ mount /dev/$BOOTDEVICE /mnt/boot
 </sxh>
 ===== Mounting =====
-<sxh bash; title: external boot device>
+<sxh bash; title: mounting>
+~$ mkdir /mnt/boot
+~$ mount /dev/mapper/$CRYPTSETUP_DEVICE_NAME /mnt
+~$ mount /dev/$BOOTDEVICE /mnt/boot
 </sxh>
@@ Line 107: / Line 110: @@
 <sxh bash;>
-root@archiso ~ # pacstrap -i /mnt base base-devel
+~$ pacstrap -i /mnt base base-devel
-root@archiso ~ # genfstab -U /mnt > /mnt/etc/fstab
+~$ genfstab -U /mnt > /mnt/etc/fstab
-root@archiso ~ # arch-chroot /mnt /bin/bash
+~$ arch-chroot /mnt /bin/bash
-root@archiso ~ # nano /etc/locale.gen
+~$ nano /etc/locale.gen
-root@archiso ~ # locale-gen
+~$ locale-gen
-root@archiso ~ # echo LANG=en_IE.UTF-8 > /etc/locale.conf
+~$ echo LANG=en_IE.UTF-8 > /etc/locale.conf
-root@archiso ~ # nano /etc/vconsole.conf # KEYMAP=fr
+~$ nano /etc/vconsole.conf # KEYMAP=fr
-root@archiso ~ # ln -sf /usr/share/zoneinfo/$CONTINENT/$COUNTRY /etc/localtime
+~$ ln -sf /usr/share/zoneinfo/$CONTINENT/$COUNTRY /etc/localtime
-root@archiso ~ # hwclock --systohc --utc
+~$ hwclock --systohc --utc
-root@archiso ~ # echo $HOSTNAME > /etc/hostname
+~$ echo $HOSTNAME > /etc/hostname
-root@archiso ~ # nano /etc/mkinitcpio.conf # add: keymap keyboard encrypt **before** filesystem in the HOOKS variable
+~$ nano /etc/mkinitcpio.conf
-root@archiso ~ # mkinitcpio -p linux
+# add: keymap keyboard encrypt **before** filesystem in the HOOKS variable
-root@archiso ~ # passwd root
+~$ mkinitcpio -p linux
-root@archiso ~ # pacman -S syslinux
+~$ passwd root
-root@archiso ~ # syslinux-install_update -iam
+</sxh>
-root@archiso ~ # nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
-root@archiso ~ # exit
-root@archiso ~ # umount -R /mnt
+===== syslinux =====
+<sxh bash;>
+~$ pacman -S syslinux gptfdisk
+~$ syslinux-install_update -iam
+~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
 </sxh>
+===== Unmount & Reboot =====
+Good luck!
+<sxh bash;>
+~$ exit
+~$ umount -R /mnt
+</sxh>
 ===== Troubleshooting =====
+Tiny troubles might pup up. The few below have a tendency to occur due to human interaction failure. ;)
+==== cryptsetup failed ====
+  Command failed with code 22: Invalid argument
+Enter the 'yes' in capslock: YES and hit Enter?
 ==== syslinux ====
@@ Line 135: / Line 156: @@
   Is /boot mounted?
- Reinstall syslinux package.
+Reinstall syslinux package.
 ==== Write-Protected ====
@@ Line 144: / Line 165: @@
 <sxh bash;>
-root@archiso ~ # cryptsetup luksOpen /dev/$ROOTPARTITION root
+~$ cryptsetup luksOpen /dev/$ROOTPARTITION root
-root@archiso ~ # mount /dev/mapper/root /mnt
+~$ mount /dev/mapper/root /mnt
-root@archiso ~ # mkfs.ext2 /dev/$BOOTPARTITION
+~$ mkfs.ext2 /dev/$BOOTPARTITION
-root@archiso ~ # mount /dev/$BOOTPARTITION /mnt/boot
+~$ mount /dev/$BOOTPARTITION /mnt/boot
-root@archiso ~ # genfstab -U /mnt > /mnt/etc/fstab
+~$ genfstab -U /mnt > /mnt/etc/fstab
-root@archiso ~ # arch-chroot /mnt /bin/bash
+~$ arch-chroot /mnt /bin/bash
-root@archiso ~ # pacman -R syslinux
+~$ pacman -R syslinux
-root@archiso ~ # pacman -Syy syslinux
+~$ pacman -Syy syslinux
-root@archiso ~ # syslinux-install_update -iam
+~$ syslinux-install_update -iam
-root@archiso ~ # nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
+~$ nano /boot/syslinux/syslinux.cfg # APPEND root=/dev/mapper/group-name cryptdevice=/dev/sda2:name rw
-root@archiso ~ # exit
+~$ pacman -S linux
-root@archiso ~ # umount -R /mnt
+~$ exit
+~$ umount -R /mnt
 </sxh>