We all love archlinux, or if we don’t, we’re using Fedora or Debian, and trolling is (almost) out of the scope of this article.
But let’s be honest, even if the wiki is great, it can be intimidating sometimes. That’s what happened to me yesterday. Here at AlloMedia, for security reasons, we’re encrypting every laptop disk by default. As I’m using archlinux, I went to the wiki to follow how to “just” encrypt my disk. And well, the page is a little bit overcrowded, at the very least.
You have first to read about 10 pages of documentation, to learn that you now have to choose between 6 methods (Loop-AES, dm-crypt +/- LUKS, Truecrypt, eCryptfs, EncFS) and read every *#! page to understand which one you may want to choose. I’ve choosen for you.
This is shipped with the kernel and seems to be the “default” on other distributions. It totally fits my needs: encrypt the whole system, swap included, and decrypt the system on boot using a passphrase.
If that’s what you want to do too, follow the white rabbit, Neo.
Following the rabbit
We will assume that you can erase your disk and start with a fresh install, if it’s not the case, this article may not be for you. For the sake of this article, we will use
/dev/nvme0n1 as the main disk of the laptop. You may have something different like
/dev/sda, that’s fine, just replace
/dev/sda in the rest of the article.
First, follow the Archlinux installation guide to the point just before Format the partitions, where they are telling you to modify the partition tables using fdisk or parted. Here, you will need to erase all your partitions and create what’s needed for the encryption.
Clean and safely erase your disk
gdisk (if you’re using UEFI) to wipe out what’s on your disk, i.e. removing all existing partitions (of course, this will delete all the data on your disk…).
For example, for
gdisk /dev/nvme0n1 GPT fdisk (gdisk) version 1.0.3 Partition table scan: MBR: protective BSD: not present APM: not present GPT: present Found valid GPT with protective MBR; using GPT. Command (? for help):
p to print your partition schema, and
d to delete partitions. Once it’s done, use
w to write your changes to the disk (that is to say, again, deleting all the data on your disk) and quit
Every page on the archlinux wiki says you should first be sure that no previous data will still be readable on your disk (if you have a new computer with nothing on it, this doesn’t apply to you).
So we will put random stuff on our disk to be sure to overwrite everything that may still be on it. You can read the wiki page or just run the following command:
dd if=/dev/urandom > /dev/nvme0n1
We now have a clean disk, let’s create what’s needed for our encrypted system, that is to say 2 partitions: a partition for
/boot (that will not be encrypted) and another one for our encrypted volumes (where we will later put
/ and our
Here is what we want to have (output of my
gdisk with the
Number Start (sector) End (sector) Size Code Name 1 2048 1050623 512.0 MiB EF00 EFI System 2 1050624 1000215182 476.4 GiB 8E00 Linux LVM
First, create the partition where
/boot will be mounted of type
8300 (512Mo is a good size) following the archlinux wiki. I’m assuming you’re using a system compatible with UEFI, if it’s not the case, you may want to document yourself a little bit more using the wiki. Format the partition using FAT32.
mkfs.fat -F32 /dev/nvme0n1p1
Create the other partition of code
8E00 using the remaining space.
You should now have only 2 partitions, one for
/boot that will not be encrypted, and another one that you will first encrypt, and then put your volumes on it (
swap). In my case, the first partition that will be used for
/boot is named
/dev/nvme0n1p1, and the other one
/dev/nvme0n1p2. You may have something like
/dev/sda2 if your partition naming scheme is not the same than mine.
You can then follow the (LVM on LUKS section)[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS] section.
I don’t like having separate partitions for
/home. Every time I’ve done that, I always regretted the amount of space I allocated for each. So now, I’m only creating one
/ partition with everything inside.
In short, below are the commands you should be running for your encrypted volumes (I’m creating a 8Go swap partition).
Crypt the partition and open it with your key:
cryptsetup luksFormat --type luks2 /dev/nvme0n1p2 cryptsetup open /dev/nvme0n1p2 cryptolvm
Create the LVM volumes on it (swap and root):
pvcreate /dev/mapper/cryptolvm vgcreate MyVol /dev/mapper/cryptolvm lvcreate -L 8G MyVol -n swap lvcreate -l 100%FREE MyVol -n root
Format the root and swap volumes:
mkfs.ext4 /dev/mapper/MyVol-root mkswap /dev/mapper/MyVol-swap
Mount the file systems:
mount /dev/mapper/MyVol-root /mnt swapon /dev/mapper/MyVol-swap
The arch wiki tells you to format you boot partition using
ext2, but for me this was a bad idea, as I want the UEFI manager of my Dell XPS 9550 to be able to boot on my
/boot partition. So, as I said above, I formatted this partition using
mkdir /mnt/boot mount /dev/nvme0n1p2 /mnt/boot
You can then follow the (
mkinitcpio part of the archlinux wiki)[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Configuring_mkinitcpio_2].
Be sure to have something like that in your
HOOKS=(... keyboard keymap block encrypt lvm2 ... filesystems ...)
Then continue to install you system normally. Of course, be sure to configure your grub accordingly to your encrypted setup by following the wiki.
For the record, here is my
/etc/defaults/grub file (it’s used to generate the
/boot/grub/grub.cfg file by using
grub-mkconfig -o /boot/grub/grub.cfg):
# GRUB boot loader configuration GRUB_DEFAULT=0 GRUB_TIMEOUT=1 GRUB_DISTRIBUTOR="Arch" GRUB_CMDLINE_LINUX_DEFAULT="resume=/dev/mapper/MyVol-swap nouveau.modeset=0 i915.preliminary_hw_support=1 acpi_backlight=vendor acpi_osi=Linux" #GRUB_CMDLINE_LINUX_DEFAULT="" #GRUB_CMDLINE_LINUX="" GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:cryptolvm" GRUB_ENABLE_CRYPTODISK=y # Preload both GPT and MBR modules so that they are not missed GRUB_PRELOAD_MODULES="part_gpt part_msdos" # Uncomment to enable booting from LUKS encrypted devices #GRUB_ENABLE_CRYPTODISK=y # Uncomment to enable Hidden Menu, and optionally hide the timeout count #GRUB_HIDDEN_TIMEOUT=5 #GRUB_HIDDEN_TIMEOUT_QUIET=true # Uncomment to use basic console GRUB_TERMINAL_INPUT=console # Uncomment to disable graphical terminal #GRUB_TERMINAL_OUTPUT=console # The resolution used on graphical terminal # note that you can use only modes which your graphic card supports via VBE # you can see them in real GRUB with the command `vbeinfo' GRUB_GFXMODE=auto # Uncomment to allow the kernel use the same resolution used by grub GRUB_GFXPAYLOAD_LINUX=keep # Uncomment if you want GRUB to pass to the Linux kernel the old parameter # format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx" #GRUB_DISABLE_LINUX_UUID=true # Uncomment to disable generation of recovery mode menu entries GRUB_DISABLE_RECOVERY=true # Uncomment and set to the desired menu colors. Used by normal and wallpaper # modes only. Entries specified as foreground/background. #GRUB_COLOR_NORMAL="light-blue/black" #GRUB_COLOR_HIGHLIGHT="light-cyan/blue" # Uncomment one of them for the gfx desired, a image background or a gfxtheme #GRUB_BACKGROUND="/path/to/wallpaper" #GRUB_THEME="/path/to/gfxtheme" # Uncomment to get a beep at GRUB start #GRUB_INIT_TUNE="480 440 1" # Uncomment to make GRUB remember the last selection. This requires to # set 'GRUB_DEFAULT=saved' above. #GRUB_SAVEDEFAULT="true"
Enjoy your encrypted archlinux!