Arch Luks Installation
system with full hard drive encryption using LUKS (Linux Unified Key
Setup). LUKS is a disk encryption specification that gives you file,
disk and data encryption in one bundle.
LUKS helps you secure your drive against things like theft, but it doesn't
protect your data from access once the volume is unlocked. It can be combined
with other encryption software to achieve bullet-proof data security.
Previously I had written an article on how to install Arch Linux on LVM, but
it was lacking the LUKS encryption feature.
This blog post aims at filling that gap of disk encryption, so definitely
expect less theory.
parted /dev/sda
mklabel gpt
set 1 boot on
name 1 efi
set 3 lvm on
name 3 lvm
Configure LUKS
modprobe dm-crypt
modprobe dm-mod
$ cryptsetup --help
Options used:
<name> is the device to create under /dev/mapper
<device> is the encrypted device
When you execute the command above, you'll get a warning message. Just
type YES to continue, then enter and verify the passphrase to use.
Now that we have created the LUKS encrypted device, we need to open it
as the mapping <name>. The syntax is:
LVM Configuration
For those new to LVM, the basic building blocks of LVM are:
pvcreate /dev/mapper/luks_lvm
Mount Partitions:
swapon /dev/mapper/arch-swap
swapon -a ; swapon -s
mount /dev/mapper/arch-root /mnt
mkdir -p /mnt/{home,boot}
mount /dev/sda2 /mnt/boot
mount /dev/mapper/arch-home /mnt/home
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
Confirm that everything is mounted properly:
lsblk -f
Configuring mkinitcpio
vim /etc/mkinitcpio.conf
Scroll down until you find the HOOKS line, then add these hooks before
filesystems:
encrypt lvm2
Hooks are referred to by their name, and executed in the order they exist
in the HOOKS setting in the config file. The HOOKS line will look
something like this:
mkinitcpio -v -p linux
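As an added check that is not part of the original post, the script below verifies the ordering of the HOOKS line in a mkinitcpio.conf before you regenerate the initramfs: block must precede encrypt (the LUKS partition has to be visible first), encrypt must precede lvm2 (the physical volume lives inside the LUKS mapping), and lvm2 must precede filesystems (the root logical volume must exist before it can be mounted). The two sample config files and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): validate the HOOKS ordering in
# a mkinitcpio.conf before running "mkinitcpio -p linux".
# hooks_order_ok FILE returns 0 when the order is usable, 1 otherwise.

hooks_in() {
    # Print the space-separated hook list from a mkinitcpio.conf file.
    # Accepts both HOOKS=(a b c) and the older HOOKS="a b c" spelling.
    sed -n 's/^HOOKS=[("]\(.*\)[)"]$/\1/p' "$1"
}

hook_index() {
    # Print the 1-based position of hook $2 in the list $1, or 0 if absent.
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

hooks_order_ok() {
    hooks=$(hooks_in "$1")
    b=$(hook_index "$hooks" block)
    e=$(hook_index "$hooks" encrypt)
    l=$(hook_index "$hooks" lvm2)
    f=$(hook_index "$hooks" filesystems)
    # every required hook must be present ...
    [ "$b" -gt 0 ] && [ "$e" -gt 0 ] && [ "$l" -gt 0 ] && [ "$f" -gt 0 ] || return 1
    # ... and chained in the order the boot process needs them
    [ "$b" -lt "$e" ] && [ "$e" -lt "$l" ] && [ "$l" -lt "$f" ]
}

# Constructed sample configs (not the author's file) for a stand-alone run.
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
MODULES=()
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
EOF
cat > "$tmp/bad.conf" <<'EOF'
MODULES=()
HOOKS=(base udev autodetect keyboard keymap modconf block filesystems encrypt lvm2 fsck)
EOF

if hooks_order_ok "$tmp/good.conf"; then
    echo "good.conf: HOOKS order ok"
fi
if ! hooks_order_ok "$tmp/bad.conf"; then
    echo "bad.conf: encrypt and lvm2 must come before filesystems"
fi
```

Run it against /etc/mkinitcpio.conf inside the chroot (hooks_order_ok /etc/mkinitcpio.conf) and only call mkinitcpio once it returns 0; a wrong order is the usual cause of an initramfs that cannot find the root volume.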
cryptdevice=/dev/<partition>:devicemapper_name cryptkey=<path>
For example:
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=/dev/mapper/arch-swap cryptdevice=/dev/sda3:luks_lvm"
To unlock the root filesystem at boot using a keyfile, you'll have to generate
the keyfile, give it suitable permissions and add it as a LUKS key:
The default Linux kernel parameter line should contain the cryptkey directive.
For a keyfile stored on a device the format is:
cryptkey=device:fstype:path
device is the raw block device where the key exists.
fstype is the filesystem type of device (or auto).
path is the absolute path of the keyfile within the device.
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=/dev/mapper/arch-swap cryptdevice=/dev/sda3:luks_lvm cryptkey=/dev/sdb1:vfat:/crypto_keyfile.bin"
grub-mkconfig -o /boot/grub/grub.cfg
grub-mkconfig -o /boot/efi/EFI/arch/grub.cfg
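The keyfile generation and the cryptkey= syntax described above, as an added example that is not the post's own code: make_keyfile creates a 2048-byte random keyfile with mode 000 (the permission scheme the Arch wiki uses for keyfiles; root ignores mode bits, so it stays readable at boot), keyfile_ok checks its size and that group and others have no access, and cryptkey_ok validates a device:fstype:path value before it goes into GRUB_CMDLINE_LINUX_DEFAULT. The function names, the temporary directory and the luksAddKey wrapper (shown but not executed here, since it needs the real LUKS partition and the existing passphrase) are assumptions. Two caveats a practitioner should keep in mind: the keyfile sits in clear on the key device, so anyone holding that device can unlock the disk, and a name like /dev/sdb1 can change between boots, whereas /dev/disk/by-uuid/<UUID> stays stable.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the keyfile-unlock
# setup. Device and path values below are placeholders for your own.

# Validate a cryptkey= value of the form device:fstype:path as consumed by
# the "encrypt" hook. Returns 0 when all three fields are present, the
# device is an absolute /dev path, fstype is non-empty (e.g. vfat or auto)
# and the keyfile path is absolute within that device.
cryptkey_ok() {
    spec=$1
    dev=${spec%%:*}; rest=${spec#*:}
    [ "$rest" != "$spec" ] || return 1        # no colon at all
    fstype=${rest%%:*}; path=${rest#*:}
    [ "$path" != "$rest" ] || return 1        # only one colon
    case $dev in /dev/*) ;; *) return 1 ;; esac
    [ -n "$fstype" ] || return 1
    case $path in /*) ;; *) return 1 ;; esac
}

# Create a 2048-byte random keyfile (4 blocks of 512 bytes) and strip all
# permission bits; root still reads it during early boot.
make_keyfile() {
    dd if=/dev/urandom of="$1" bs=512 count=4 2>/dev/null
    chmod 000 "$1"
}

# Check that a keyfile exists, has the expected size and grants nothing to
# group or others. Prints the reason on failure. Uses ls rather than
# reading the file, so it works on a mode-000 file without root.
keyfile_ok() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    size=$(ls -ln "$1" | awk '{print $5}')
    [ "$size" -eq 2048 ] || { echo "unexpected size $size"; return 1; }
    mode=$(ls -ld "$1" | cut -c5-10)        # group+other permission bits
    [ "$mode" = "------" ] || { echo "too permissive: $mode"; return 1; }
}

# Enroll the keyfile as an additional LUKS key. Not run in this demo:
# it needs the real encrypted partition (e.g. /dev/sda3) and prompts for
# an existing passphrase.
add_keyfile_to_luks() {
    cryptsetup luksAddKey "$1" "$2"       # $1 = LUKS partition, $2 = keyfile
}

# Stand-alone demo on a constructed path (a temp dir, not a real key device).
tmp=$(mktemp -d)
make_keyfile "$tmp/crypto_keyfile.bin"
if keyfile_ok "$tmp/crypto_keyfile.bin"; then
    echo "keyfile ok"
fi
if cryptkey_ok /dev/sdb1:vfat:/crypto_keyfile.bin; then
    echo "cryptkey spec ok"
fi
```

On the real system you would run make_keyfile against the mounted key device, add_keyfile_to_luks /dev/sda3 /path/to/crypto_keyfile.bin, then regenerate grub.cfg with the cryptkey= value that cryptkey_ok accepted.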
You can modify the live-setup script to change the timezone settings and system
hostname. After a successful setup, exit the chroot environment, unmount the
partitions and reboot your system.
exit
umount -R /mnt
reboot