4 results for tags
arch x
install_arch_total_chiffree.pdf
- archchiffrementlinux -
- Wed 17 Apr 2019 10:48:25 PM CEST - permalink -
- https://www.fgtools.fr/install_arch_total_chiffree.pdf -
LVM_on_LUKS · master · Eugenio Rossi / archlinux-fde-uefi · GitLab
+
#
###
#####
######
; #####; Arch Linux
+##.##### FDE LVM on LUKS install over a UEFI system
+##########
#############; iso: 2018.04.01
###############+ kernel: 4.15.15-1
####### #######
.######; ;###;`".
.#######; ;#####.
#########. .########`
######' '######
;#### ####;
##' '##
#' `#
# Make sure you've actually booted in UEFI mode by checking if efivars
# folder was populated. If not, stop now and setup your system to boot
# in UEFI mode, as you've probably booted in CSM (legacy) mode. Make
# sure that Secure Boot is DISABLED as well.
ls /sys/firmware/efi/efivars | wc -l
# Verify a connection to the web was actually established (dhcp daemon is
# enabled on boot for wired devices, use wifi-menu for wireless ones).
ping <whatever address you prefer>
# Use timedatectl to ensure the system clock is accurate, then check for the
# service status.
timedatectl set-ntp true
timedatectl status
# Use lsblk to list all your drives and chose the one you want to install
# onto: from further on, the whole guide will use drive sda as an example.
lsblk
# Now the idea is to replicate the following partition scheme, as we want to
# build LVM on LUKS (you can customize LVM partitions as you prefer later):
# +-------------+-------------+-----------+-----------+-----------+
# |ESP: |Boot: | LVM |
# | | +-----------+-----------+-----------+
# |/boot/efi |/boot |Volume 1: |Volume 2: |Volume 3: |
# | | |swap |root |home |
# |/dev/sda1 |/dev/sda2 +-----------+-----------+-----------+
# |unencrypted |encrypted |/dev/sda3 encrypted |
# +-------------+-------------+-----------------------------------+
# Setup a UEFI-compliant GPT partition scheme as follows (you can use whatever
# tool you prefer, just make sure it can handle GPT stuff). In order to prevent
# misalignment warnings when using parted, please use MiB instead of MB.
parted /dev/sda
|-- (parted) mklabel gpt # Create a GPT partition table.
|-- (parted) mkpart ESP fat32 1MiB 101MiB # Create the UEFI partition.
|-- (parted) set 1 boot on # Set UEFI parition as bootable.
|-- (parted) mkpart primary ext4 101MiB 301MiB # Create the boot partition.
|-- (parted) mkpart primary ext4 301MiB 100% # Create the LVM partition.
|-- (parted) set 3 lvm on # Set LVM partition as LVMable.
+-- (parted) quit # We're done.
# Format the ESP partition using fat32 filesystem.
mkfs.fat -F32 /dev/sda1
# Check if entropy is high enough (returned value has to be 1000 or higher for
# the safest results) then ecrypt the LVM partition using LUKS.
cat /proc/sys/kernel/random/entropy_avail
# Encrypt the LVM partition using LUKS. You can specify cipher, key size and
# hash to be used with the --cipher=<chosen cipher>, --key-size=<chosen key size>
# and --hash=<chosen hash> options. Again, please note that the cryptsetup
# defaults are ABSOLUTELY SANE, therefore using those options is not necessary
# unless you KNOW what you're doing. Recently LUKS2 format has been introduced
# since cryptsetp 2.0 onwards, from my own experience it's still not supported
# by many bootloaders. If you'd like give it a shot, do it at your own risk by
# passing --type=luks2 option to cryptsetup.
#
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode
#
# Suggested options (if you don't like defaults):
# --cipher=aes-xts-plain64
# --key-size=256
# --hash=sha512
# --iter-time=5000
# --use-random
cryptsetup luksFormat /dev/sda3
# Open the encrypted LVM partition.
cryptsetup open /dev/sda3 cryptlvm
# Create a physical volume on top of the opened LUKS container, then add it
# to a volume group (you can name the group as you prefer).
pvcreate /dev/mapper/cryptlvm
vgcreate <volume name> /dev/mapper/cryptlvm
# Create all the logical volumes on such group.
lvcreate -L <swap size>G <volume name> -n swap
lvcreate -L <root size>G <volume name> -n root
lvcreate -l 100%FREE <volume name> -n home
# Format logical volumes.
mkfs.ext4 /dev/mapper/<volume name>-root
mkfs.ext4 /dev/mapper/<volume name>-home
mkswap /dev/mapper/<volume name>-swap
# Mount filesystems. LVM part is done.
mount /dev/mapper/<volume name>-root /mnt
mkdir /mnt/home
mount /dev/mapper/<volume name>-home /mnt/home
swapon /dev/mapper/<volume name>-swap
# Encrypt the boot partition using LUKS. You can specify cipher, key size and
# hash to be used with the --cipher=<chosen cipher>, --key-size=<chosen key size>
# and --hash=<chosen hash> options. Again, please note that the cryptsetup
# defaults are ABSOLUTELY SANE, therefore using those options is not necessary
# unless you KNOW what you're doing. Recently LUKS2 format has been introduced
# since cryptsetp 2.0 onwards, from my own experience it's still not supported
# by many bootloaders. If you'd like give it a shot, do it at your own risk by
# passing --type=luks2 option to cryptsetup.
#
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode
#
# Suggested options (if you don't like defaults):
# --cipher=aes-xts-plain64
# --key-size=256
# --hash=sha512
# --iter-time=5000
# --use-random
cryptsetup luksFormat /dev/sda2
# Open the encrypted boot partition.
cryptsetup open /dev/sda2 cryptboot
# Format the partition using an eligible filesystem for the bootloader,
# then mount it.
mkfs.ext4 /dev/mapper/cryptboot
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
# Create a mount point for the EFI system partition at /mnt/boot/efi (for
# compatibility with grub-install), then mount it.
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
# Install base system using pacstrap.
pacstrap /mnt base base-devel
# Generate fstab using UUIDs then check its content for errors.
genfstab -U /mnt > /mnt/etc/fstab
cat /mnt/etc/fstab | less
# Chroot to current install.
arch-chroot /mnt
# Setup time zone and hardware clock.
ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
hwclock --systohc --utc
# Uncomment the locale you want to be generated from /etc/locale.gen, then
# generate locale and set the LANG variable in /etc/locale.conf accoringly.
# You can set the keymap for your current language as well as the hostname
# you prefer.
locale-gen
echo LANG=<chosen locale> > /etc/locale.conf
echo KEYMAP=<chosen keymap> > /etc/vconsole.conf
echo <chosen hostname> > /etc/hostname
# Add the encrypted partitions to crypttab file. Use blkid to list UUIDs.
--> /etc/crypttab
cryptboot UUID=</dev/sda2 UUID> none luks
cryptlvm UUID=</dev/sda3 UUID> none luks
# Configure mkinitcpio by adding encrypt and lvm2 hooks before filesystems.
# Then regenerate the ramfs. If you'd like to skip multiple password entries
# during the boot process, keyfiles to unlock encrypted partitions can be
# embedded in the initramfs. Please follow this section of the wiki to do so:
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs
--> /etc/mkinitcpio.conf
HOOKS="... block encrypt lvm2 ... filesystems ..."
mkinitcpio -p linux
# Update the root password.
passwd
# If you have an Intel CPU, it is recommended to install the intel-ucode
# package to enable microcode updates. Also, install GRUB bootloader and
# efibootmgr for UEFI compatibility.
pacman -S intel-ucode grub efibootmgr
# Configure GRUB to recognize the LUKS encrypted boot partition and unlock
# the root LVM one at boot.
--> /etc/default/grub
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=</dev/sda3 UUID>:cryptlvm ..."
GRUB_ENABLE_CRYPTODISK=y
# Install GRUB to the mounted ESP then generate a config file for it
# (BEWARE: the first command is a one liner). It may happen that a warning
# about lvmetad is thrown at you: don't panic, as this happens due to /run
# not being available in chroot environment. Just ignore it.
# https://wiki.archlinux.org/index.php/GRUB#Warning_when_installing_in_chroot
grub-install --target=x86_64-efi
--efi-directory=/boot/efi
--bootloader-id=<chosen entry name>
--recheck
grub-mkconfig -o /boot/grub/grub.cfg
# Installation is finished: exit chroot, unmount all drives then reboot.
exit
umount -R /mnt
#
###
#####
######
; #####; Arch Linux
+##.##### FDE LVM on LUKS install over a UEFI system
+##########
#############; iso: 2018.04.01
###############+ kernel: 4.15.15-1
####### #######
.######; ;###;`".
.#######; ;#####.
#########. .########`
######' '######
;#### ####;
##' '##
#' `#
# Make sure you've actually booted in UEFI mode by checking if efivars
# folder was populated. If not, stop now and setup your system to boot
# in UEFI mode, as you've probably booted in CSM (legacy) mode. Make
# sure that Secure Boot is DISABLED as well.
ls /sys/firmware/efi/efivars | wc -l
# Verify a connection to the web was actually established (dhcp daemon is
# enabled on boot for wired devices, use wifi-menu for wireless ones).
ping <whatever address you prefer>
# Use timedatectl to ensure the system clock is accurate, then check for the
# service status.
timedatectl set-ntp true
timedatectl status
# Use lsblk to list all your drives and chose the one you want to install
# onto: from further on, the whole guide will use drive sda as an example.
lsblk
# Now the idea is to replicate the following partition scheme, as we want to
# build LVM on LUKS (you can customize LVM partitions as you prefer later):
# +-------------+-------------+-----------+-----------+-----------+
# |ESP: |Boot: | LVM |
# | | +-----------+-----------+-----------+
# |/boot/efi |/boot |Volume 1: |Volume 2: |Volume 3: |
# | | |swap |root |home |
# |/dev/sda1 |/dev/sda2 +-----------+-----------+-----------+
# |unencrypted |encrypted |/dev/sda3 encrypted |
# +-------------+-------------+-----------------------------------+
# Setup a UEFI-compliant GPT partition scheme as follows (you can use whatever
# tool you prefer, just make sure it can handle GPT stuff). In order to prevent
# misalignment warnings when using parted, please use MiB instead of MB.
parted /dev/sda
|-- (parted) mklabel gpt # Create a GPT partition table.
|-- (parted) mkpart ESP fat32 1MiB 101MiB # Create the UEFI partition.
|-- (parted) set 1 boot on # Set UEFI parition as bootable.
|-- (parted) mkpart primary ext4 101MiB 301MiB # Create the boot partition.
|-- (parted) mkpart primary ext4 301MiB 100% # Create the LVM partition.
|-- (parted) set 3 lvm on # Set LVM partition as LVMable.
+-- (parted) quit # We're done.
# Format the ESP partition using fat32 filesystem.
mkfs.fat -F32 /dev/sda1
# Check if entropy is high enough (returned value has to be 1000 or higher for
# the safest results) then ecrypt the LVM partition using LUKS.
cat /proc/sys/kernel/random/entropy_avail
# Encrypt the LVM partition using LUKS. You can specify cipher, key size and
# hash to be used with the --cipher=<chosen cipher>, --key-size=<chosen key size>
# and --hash=<chosen hash> options. Again, please note that the cryptsetup
# defaults are ABSOLUTELY SANE, therefore using those options is not necessary
# unless you KNOW what you're doing. Recently LUKS2 format has been introduced
# since cryptsetp 2.0 onwards, from my own experience it's still not supported
# by many bootloaders. If you'd like give it a shot, do it at your own risk by
# passing --type=luks2 option to cryptsetup.
#
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode
#
# Suggested options (if you don't like defaults):
# --cipher=aes-xts-plain64
# --key-size=256
# --hash=sha512
# --iter-time=5000
# --use-random
cryptsetup luksFormat /dev/sda3
# Open the encrypted LVM partition.
cryptsetup open /dev/sda3 cryptlvm
# Create a physical volume on top of the opened LUKS container, then add it
# to a volume group (you can name the group as you prefer).
pvcreate /dev/mapper/cryptlvm
vgcreate <volume name> /dev/mapper/cryptlvm
# Create all the logical volumes on such group.
lvcreate -L <swap size>G <volume name> -n swap
lvcreate -L <root size>G <volume name> -n root
lvcreate -l 100%FREE <volume name> -n home
# Format logical volumes.
mkfs.ext4 /dev/mapper/<volume name>-root
mkfs.ext4 /dev/mapper/<volume name>-home
mkswap /dev/mapper/<volume name>-swap
# Mount filesystems. LVM part is done.
mount /dev/mapper/<volume name>-root /mnt
mkdir /mnt/home
mount /dev/mapper/<volume name>-home /mnt/home
swapon /dev/mapper/<volume name>-swap
# Encrypt the boot partition using LUKS. You can specify cipher, key size and
# hash to be used with the --cipher=<chosen cipher>, --key-size=<chosen key size>
# and --hash=<chosen hash> options. Again, please note that the cryptsetup
# defaults are ABSOLUTELY SANE, therefore using those options is not necessary
# unless you KNOW what you're doing. Recently LUKS2 format has been introduced
# since cryptsetp 2.0 onwards, from my own experience it's still not supported
# by many bootloaders. If you'd like give it a shot, do it at your own risk by
# passing --type=luks2 option to cryptsetup.
#
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode
#
# Suggested options (if you don't like defaults):
# --cipher=aes-xts-plain64
# --key-size=256
# --hash=sha512
# --iter-time=5000
# --use-random
cryptsetup luksFormat /dev/sda2
# Open the encrypted boot partition.
cryptsetup open /dev/sda2 cryptboot
# Format the partition using an eligible filesystem for the bootloader,
# then mount it.
mkfs.ext4 /dev/mapper/cryptboot
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
# Create a mount point for the EFI system partition at /mnt/boot/efi (for
# compatibility with grub-install), then mount it.
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
# Install base system using pacstrap.
pacstrap /mnt base base-devel
# Generate fstab using UUIDs then check its content for errors.
genfstab -U /mnt > /mnt/etc/fstab
cat /mnt/etc/fstab | less
# Chroot to current install.
arch-chroot /mnt
# Setup time zone and hardware clock.
ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime
hwclock --systohc --utc
# Uncomment the locale you want to be generated from /etc/locale.gen, then
# generate locale and set the LANG variable in /etc/locale.conf accoringly.
# You can set the keymap for your current language as well as the hostname
# you prefer.
locale-gen
echo LANG=<chosen locale> > /etc/locale.conf
echo KEYMAP=<chosen keymap> > /etc/vconsole.conf
echo <chosen hostname> > /etc/hostname
# Add the encrypted partitions to crypttab file. Use blkid to list UUIDs.
--> /etc/crypttab
cryptboot UUID=</dev/sda2 UUID> none luks
cryptlvm UUID=</dev/sda3 UUID> none luks
# Configure mkinitcpio by adding encrypt and lvm2 hooks before filesystems.
# Then regenerate the ramfs. If you'd like to skip multiple password entries
# during the boot process, keyfiles to unlock encrypted partitions can be
# embedded in the initramfs. Please follow this section of the wiki to do so:
# https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs
--> /etc/mkinitcpio.conf
HOOKS="... block encrypt lvm2 ... filesystems ..."
mkinitcpio -p linux
# Update the root password.
passwd
# If you have an Intel CPU, it is recommended to install the intel-ucode
# package to enable microcode updates. Also, install GRUB bootloader and
# efibootmgr for UEFI compatibility.
pacman -S intel-ucode grub efibootmgr
# Configure GRUB to recognize the LUKS encrypted boot partition and unlock
# the root LVM one at boot.
--> /etc/default/grub
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=</dev/sda3 UUID>:cryptlvm ..."
GRUB_ENABLE_CRYPTODISK=y
# Install GRUB to the mounted ESP then generate a config file for it
# (BEWARE: the first command is a one liner). It may happen that a warning
# about lvmetad is thrown at you: don't panic, as this happens due to /run
# not being available in chroot environment. Just ignore it.
# https://wiki.archlinux.org/index.php/GRUB#Warning_when_installing_in_chroot
grub-install --target=x86_64-efi
--efi-directory=/boot/efi
--bootloader-id=<chosen entry name>
--recheck
grub-mkconfig -o /boot/grub/grub.cfg
# Installation is finished: exit chroot, unmount all drives then reboot.
exit
umount -R /mnt
- archlukslvm -
- Fri 08 Jun 2018 10:58:12 AM CEST - permalink -
- https://gitlab.com/archmirak/archlinux-fde-uefi/blob/master/LVM_on_LUKS -
Wyzko/Archlinux-setup: Différentes commandes pour installer Archlinux
- archarchlinuxinstall -
- Thu 31 May 2018 09:01:14 PM CEST - permalink -
- https://github.com/Wyzko/Archlinux-setup -
Improving performance - ArchWiki
- archperf -
- Thu 31 May 2018 08:41:37 PM CEST - permalink -
- https://wiki.archlinux.org/index.php/improving_performance -