stafwag Blog

staf wagemakers blog

Install Arch on an Encrypted Btrfs Partition

"Arch Linux Logo"

I’m preparing to move my workstation to arch linux Before I’ll install it on my physical workstation I did the installation on a virtual machine. I’ll use btrfs as the filesystem during the installation. btrfs is a nice filesystem but it had some serious dataloss issue with RAID5/RAID6 recently.

btrfs might not stable enough for a production environment but it has some nice features like snapshots, send/recieve, compression etc. I use zfs for my important date anyway.

To encrypt or not to encrypt…

It’s possible to encrypt your boot partition grub has support for luks volumes. This cause grub to ask for a password during the system startup you’ll need to type in your password a second time during the system startup when you Linux initrd image is booted. It’s possible to avoid this by adding a keyfile to your crypttab - which migh be considered as a security risk -.

In this howto we’ll setup a single root partition to have full disk encryption. I’m not sure I go with an encrypted boot partition during my final installation. I might just create an empty partition of 1G so I can move switch between an encrypted and an non-encrypted boot filesystem.

"00_boot.png"

Download the arch linux iso and boot it

After arch linux is booted verify that you have internet access if the network card is support and dchp is enabled on you network you should get a network address.

Network access

To setup the system remotely we first need to setup network to our system.

Verify the interface

1
2
3
4
5
6
7
8
9
10
11
12
13
14
root@archiso ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:69:d4:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.23/24 brd 192.168.122.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a7b:481f:2f70:e688/64 scope link 
       valid_lft forever preferred_lft forever
root@archiso ~ # 

Verify internet access

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
root@archiso ~ # ping -c 3 8.8.8.8                                                                                      :(
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=49.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=45.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=46.8 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 45.896/47.329/49.201/1.406 ms
root@archiso ~ # nslookup www.google.be
Server:         192.168.122.1
Address:        192.168.122.1#53

Non-authoritative answer:
Name:   www.google.be
Address: 64.233.167.94

root@archiso ~ # ping www.google.be
PING www.google.be (64.233.167.94) 56(84) bytes of data.
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=1 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=2 ttl=46 time=58.7 ms
64 bytes from wl-in-f94.1e100.net (64.233.167.94): icmp_seq=3 ttl=46 time=58.4 ms
^C
--- www.google.be ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 58.479/58.645/58.742/0.230 ms
root@archiso ~ #                   

ssh access

If you want to install arch linux over ssh you need to assign a root passwd and start the sshd service.

root password

1
2
3
4
5
root@archiso ~ # passwd root       
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@archiso ~ # 

start sshd

1
2
3
4
5
6
root@archiso ~ # systemctl list-unit-files -t service | grep ssh
sshd.service                               disabled
sshd@.service                              static  
sshdgenkeys.service                        static  
root@archiso ~ # systemctl start sshd                           
root@archiso ~ #

Logon remotely

1
2
3
4
[staf@vicky ~]$ ssh -l root 192.168.122.23
root@192.168.122.23's password: 
Last login: Tue Jun 30 09:06:00 2015 from 192.168.122.1
root@archiso ~ # 

Partition

Find your harddisk device name

1
2
3
4
5
6
7
root@archiso ~ # cat /proc/partitions
major minor  #blocks  name

   8        0  268435456 sda
  11        0     759808 sr0
   7        0     328616 loop0
root@archiso ~ # 

Overwrite it with random data

Because we are creating an ecrypted filesystem it’s a good idea to overwrite it with random data.

We’ll use badblocks for this another method is to use “dd if=/dev/random of=/dev/xxx” the “dd” method is probably the best method but is a lot slower.

1
2
3
4
5
6
7
8
root@archiso ~ # badblocks -c 10240 -s -w -t random -v /dev/sda
Checking for bad blocks in read-write mode
From block 0 to 268435455
Testing with random pattern: done                                                 
Reading and comparing: done                                                 
Pass completed, 0 bad blocks found. (0/0/0 errors)
badblocks -c 10240 -s -w -t random -v /dev/sda  49.22s user 21.72s system 3% cpu 33:48.40 total
root@archiso ~ # 

Partition the harddisk

Create 3 partitions:

  • 1G /boot (we’ll not use this during the installation - see above - )
  • 32G swap
  • root btrfs partition
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
root@archiso ~ # fdisk /dev/sda                                

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x7ff944e5.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x7ff944e5

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): +1G
Value out of range.
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): 
Do you really want to quit? y
1 root@archiso ~ # fdisk /dev/sda                                                   :(

Welcome to fdisk (util-linux 2.28).                                                    
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xa806e281.

Command (m for help): p
Disk /dev/sda: 256 GiB, 274877906944 bytes, 536870912 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xa806e281

Command (m for help): n
Partition type
   p   primary (0 primary, 0 extended, 4 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-536870911, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-536870911, default 536870911): +1G

Created a new partition 1 of type 'Linux' and of size 1 GiB.

Command (m for help): n
Partition type
   p   primary (1 primary, 0 extended, 3 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (2-4, default 2): 
First sector (2099200-536870911, default 2099200): 
Last sector, +sectors or +size{K,M,G,T,P} (2099200-536870911, default 536870911): +32G

Created a new partition 2 of type 'Linux' and of size 32 GiB.

Command (m for help): n
Partition type
   p   primary (2 primary, 0 extended, 2 free)
   e   extended (container for logical partitions)
Select (default p): p
Partition number (3,4, default 3): 
First sector (69208064-536870911, default 69208064): 
Last sector, +sectors or +size{K,M,G,T,P} (69208064-536870911, default 536870911): 

Created a new partition 3 of type 'Linux' and of size 223 GiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

root@archiso ~ # 

Format the root partition

We’ll continue with the root filesystem - we’ll initialize the swapspace after the installation -

Create the root luks volume;

1
2
3
4
5
6
7
8
9
10
11
root@archiso ~ # cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 256 --hash sha256 --use-random /dev/sda3

WARNING!
========
This will overwrite data on /dev/sda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
5.01s user 0.04s system 21% cpu 23.750 total
root@archiso ~ # 

Open the root luks volume

1
2
3
root@archiso ~ # cryptsetup luksOpen /dev/sda3 cryptroot
Enter passphrase for /dev/sda3: 
root@archiso ~ # 

Format the root volume with btrfs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
root@archiso ~ # mkfs.btrfs /dev/mapper/cryptroot
btrfs-progs v4.6.1
See http://btrfs.wiki.kernel.org for more information.

Label:              (null)
UUID:               cbfcc8d6-0cf9-4656-bcda-2525faeadfe6
Node size:          16384
Sector size:        4096
Filesystem size:    217.00GiB
Block group profiles:
  Data:             single            8.00MiB
  Metadata:         DUP               1.01GiB
  System:           DUP              12.00MiB
SSD detected:       no
Incompat features:  extref, skinny-metadata
Number of devices:  1
Devices:
   ID        SIZE  PATH
    1   217.00GiB  /dev/mapper/cryptroot

root@archiso ~ # 

Mount the root filesystem

1
2
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults /dev/mapper/cryptroot /mnt
root@archiso ~ # 

Create the subvolumes

1
2
3
4
5
6
7
8
9
10
11
12
root@archiso ~ # cd /mnt
root@archiso /mnt # btrfs subvolume create __active
Create subvolume './__active'
root@archiso /mnt # btrfs subvolume create __active/rootvol
Create subvolume '__active/rootvol'
root@archiso /mnt # btrfs subvolume create __active/home
Create subvolume '__active/home'
root@archiso /mnt # btrfs subvolume create __active/var
Create subvolume '__active/var'
root@archiso /mnt # btrfs subvolume create __snapshots
Create subvolume './__snapshots'
root@archiso /mnt #

Mount the subvolumes

1
2
3
4
5
6
7
8
root@archiso /mnt # cd 
root@archiso ~ # umount /mnt
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/rootvol /dev/mapper/cryptroot /mnt
root@archiso ~ # mkdir /mnt/{home,var}
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/home /dev/mapper/cryptroot /mnt/home
root@archiso ~ # mount -o noatime,compress=lzo,discard,ssd,defaults,subvol=__active/var /dev/mapper/cryptroot /mnt/var
root@archiso ~ # sync
root@archiso ~ # 

System installation

bootstrap the system

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
root@archiso ~ # pacstrap /mnt base base-devel btrfs-progs
==> Creating install root at /mnt
==> Installing packages to /mnt
:: Synchronizing package databases...
 core                     119.9 KiB   652K/s 00:00 [######################] 100%
 extra                   1760.1 KiB   688K/s 00:03 [######################] 100%
 community                  3.6 MiB   906K/s 00:04 [######################] 100%
:: There are 50 members in group base:
:: Repository core
   1) bash  2) bzip2  3) coreutils  4) cryptsetup  5) device-mapper  6) dhcpcd
   7) diffutils  8) e2fsprogs  9) file  10) filesystem  11) findutils  12) gawk
   13) gcc-libs  14) gettext  15) glibc  16) grep  17) gzip  18) inetutils
   19) iproute2  20) iputils  21) jfsutils  22) less  23) licenses  24) linux
   25) logrotate  26) lvm2  27) man-db  28) man-pages  29) mdadm  30) nano
   31) netctl  32) pacman  33) pciutils  34) pcmciautils  35) perl
   36) procps-ng  37) psmisc  38) reiserfsprogs  39) s-nail  40) sed
   41) shadow  42) sysfsutils  43) systemd-sysvcompat  44) tar  45) texinfo
   46) usbutils  47) util-linux  48) vi  49) which  50) xfsprogs

Enter a selection (default=all): 
:: There are 25 members in group base-devel:
:: Repository core
   1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file
   7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep  13) groff
   14) gzip  15) libtool  16) m4  17) make  18) pacman  19) patch
   20) pkg-config  21) sed  22) sudo  23) texinfo  24) util-linux  25) which

Enter a selection (default=all): 
warning: skipping target: file
warning: skipping target: findutils
warning: skipping target: gawk
warning: skipping target: gettext
warning: skipping target: grep
warning: skipping target: gzip
warning: skipping target: pacman
warning: skipping target: sed
warning: skipping target: texinfo
warning: skipping target: util-linux
warning: skipping target: which
resolving dependencies...
looking for conflicting packages...

Packages (144) acl-2.2.52-2  archlinux-keyring-20160812-1  attr-2.4.47-1
               ca-certificates-20160507-1  ca-certificates-cacert-20140824-3
               ca-certificates-mozilla-3.26-1  ca-certificates-utils-20160507-1
               cracklib-2.9.6-1  curl-7.50.1-1  db-5.3.28-3  dbus-1.10.8-1
               expat-2.2.0-2  gc-7.4.2-4  gdbm-1.12-2  glib2-2.48.1-1
<snip>
               procps-ng-3.3.12-1  psmisc-22.21-3  reiserfsprogs-3.6.25-1
               s-nail-14.8.10-1  sed-4.2.2-4  shadow-4.2.1-3  sudo-1.8.17.p1-1
               sysfsutils-2.1.0-9  systemd-sysvcompat-231-1  tar-1.29-1
               texinfo-6.1-4  usbutils-008-1  util-linux-2.28.1-1
               vi-1:070224-2  which-2.21-2  xfsprogs-4.7.0-1

Total Download Size:   231.85 MiB
Total Installed Size:  801.27 MiB

:: Proceed with installation? [Y/n] 
:: Retrieving packages...
 linux-api-headers-4...   810.7 KiB   891K/s 00:01 [######################] 100%
 tzdata-2016f-1-any       215.4 KiB   909K/s 00:00 [######################] 100%
 iana-etc-20160513-1-any  352.2 KiB   723K/s 00:00 [######################] 100%
 filesystem-2015.09-...     8.8 KiB   875K/s 00:00 [######################] 100%
 glibc-2.24-2-x86_64        8.1 MiB   918K/s 00:09 [######################] 100%
 gcc-libs-6.1.1-5-x86_64   14.9 MiB   899K/s 00:17 [######################] 100%
<snip>
(144/144) installing btrfs-progs                   [######################] 100%
:: Running post-transaction hooks...
(1/4) Updating manpage index...
mandb: can't set the locale; make sure $LC_* and $LANG are correct
(2/4) Updating the info directory file...
(3/4) Updating udev Hardware Database...
(4/4) Rebuilding certificate stores...
pacstrap /mnt base base-devel btrfs-progs  27.81s user 10.20s system 10% cpu 5:50.56 total
root@archiso ~ # 

Generate /etc/fstab

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@archiso ~ # genfstab -p /mnt >> /mnt/etc/fstab
root@archiso ~ # vi /mnt/etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /               btrfs           rw,noatime,compress=lzo,ssd,dis
card,space_cache,subvolid=258,subvol=/__active/rootvol,subvol=__active/rootvol  0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /home           btrfs           rw,noatime,compress=lzo,ssd,dis
card,space_cache,subvolid=259,subvol=/__active/home,subvol=__active/home        0 0

# UUID=c8ca38de-4e58-4c7c-8f5b-c9c3f92f6a24
/dev/mapper/cryptroot   /var            btrfs           rw,noatime,compress=lzo,ssd,dis
card,space_cache,subvolid=260,subvol=/__active/var,subvol=__active/var  0 0

chroot

1
2
root@archiso ~ # arch-chroot /mnt
[root@archiso /]# 

Set the timezone

Link for timezone to /etc/localtime

1
2
[root@archiso /]# ln -s /usr/share/zoneinfo/Europe/Brussels /etc/localtime
[root@archiso /]# 

Set the hardwareclock to UTC

1
hwclock --systohc --utc

Generate the required locales

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@archiso /]# vi /etc/locale.gen 
[root@archiso /]# locale-gen
Generating locales...
  en_IE.UTF-8... done
  en_IE.ISO-8859-1... done
  en_IE.ISO-8859-15@euro... done
  en_US.UTF-8... done
  en_US.ISO-8859-1... done
  nl_BE.UTF-8... done
  nl_BE.ISO-8859-1... done
  nl_BE.ISO-8859-15@euro... done
Generation complete.
[root@archiso /]# 

Hostname

1
2
[root@archiso /]# vi /etc/hostname
[root@archiso /]# 
1
[root@archiso /]# vi /etc/hosts

mkinitcpio

HOOKS

Add encrypt to HOOKS before filesystems in /etc/mkinitcpio.conf

1
[root@archiso /]# vi /etc/mkinitcpio.conf 
1
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"

Create boot image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
[root@archiso /]# mkinitcpio -p linux
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 4.7.1-1-ARCH
  -> Running build hook: [base]
  -> Running build hook: [udev]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
==> WARNING: Possibly missing firmware for module: aic94xx
  -> Running build hook: [encrypt]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful
[root@archiso /]#

set the root password

1
2
3
4
5
[root@archiso /]# passwd root
New password: 
Retype new password: 
passwd: password updated successfully
[root@archiso /]# 

GRUB

install Grub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[root@archiso /]# pacman -Sy grub
:: Synchronizing package databases...
 core is up to date
 extra                   1760.1 KiB   917K/s 00:02 [######################] 100%
 community                  3.6 MiB   896K/s 00:04 [######################] 100%
resolving dependencies...
looking for conflicting packages...

Packages (1) grub-1:2.02.beta3-3

Total Download Size:    5.83 MiB
Total Installed Size:  28.70 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages...
 grub-1:2.02.beta3-3...     5.8 MiB   917K/s 00:07 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%
(1/1) checking for file conflicts                  [######################] 100%
(1/1) checking available disk space                [######################] 100%
:: Processing package changes...
(1/1) installing grub                              [######################] 100%
Generating grub.cfg.example config file...
This may fail on some machines running a custom kernel.
done.
Optional dependencies for grub
    freetype2: For grub-mkfont usage
    fuse: For grub-mount usage
    dosfstools: For grub-mkrescue FAT FS and EFI support
    efibootmgr: For grub-install EFI support
    libisoburn: Provides xorriso for generating grub rescue iso using
    grub-mkrescue
    os-prober: To detect other OSes when generating grub.cfg in BIOS systems
    mtools: For grub-mkrescue FAT FS support
:: Running post-transaction hooks...
(1/2) Updating manpage index...
(2/2) Updating the info directory file...
[root@archiso /]# 

Install grub to your boot disk

1
2
3
4
[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
grub-install: error: attempt to install to encrypted disk without cryptodisk enabled. Set `GRUB_ENABLE_CRYPTODISK=y' in file `/etc/default/grub'.
[root@archiso /]# 

Enable cryptodisk

Because we use an encrypted boot disk we need to enable cryptdisk support.

Add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub

1
2
[root@archiso /]# vi /etc/default/grub
[root@archiso /]# 
1
2
3
4
5
6
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
GRUB_ENABLE_CRYPTODISK=y

And run grub-install again

1
2
3
4
[root@archiso /]# grub-install --target=i386-pc /dev/sda
Installing for i386-pc platform.
Installation finished. No error reported.
[root@archiso /]# 

Create grub.cfg

Add your encrypted root partition to GRUB_CMDLINE_LINUX= in /etc/default/grub

1
2
3
4
5
6
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""cryptdevice=/dev/sda3:cryptroot""
ENABLE_CRYPTODISK=y 

And generate grub.cfg

1
2
3
4
5
6
7
[root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-linux
Found initrd image(s) in /boot: initramfs-linux.img
Found fallback initrd image(s) in /boot: initramfs-linux-fallback.img
done
[root@archiso /]# 

Reboot

1
2
3
4
5
6
7
[root@archiso /]# vi /boot/grub/grub.cfg
[root@archiso /]# sync
[root@archiso /]# reboot
Running in chroot, ignoring request.
[root@archiso /]# exit
arch-chroot /mnt  9.76s user 1.37s system 0% cpu 23:13.29 total
root@archiso ~ # reboot

Finish the installation

1st boot

As mentioned before the GRUB will as for a passphrase to decrypt the boot partition.

"01_1st_boot.png" "01_1st_boot.png"

You’ll need to type it the password a secod time during the loading of initrd.

"01_1st_boot.png"

Setup swap space

Update /etc/crypttab

1
2
swap         /dev/sda2                                    /dev/urandom            swap,
cipher=aes-cbc-essiv:sha256,size=256

reboot the system to verify that the encrypted swap partition is mapper correctly during the system startup

1
2
3
4
5
6
[root@vicky ~]# ls -l /dev/mapper/
total 0
crw------- 1 root root 10, 236 Aug 29 15:43 control
lrwxrwxrwx 1 root root       7 Aug 29 15:43 cryptroot -> ../dm-0
lrwxrwxrwx 1 root root       7 Aug 29 15:43 swap -> ../dm-1
[root@vicky ~]# 

Create swap

1
2
3
4
[root@vicky ~]# mkswap /dev/mapper/swap 
Setting up swapspace version 1, size = 32 GiB (34359734272 bytes)
no label, UUID=66ea5a08-0833-4e84-8b95-f1a9c2d772b2
[root@vicky ~]# 

Activate swap

1
2
3
4
5
6
[root@vicky ~]# swapon /dev/mapper/swap
[root@vicky ~]# free
              total        used        free      shared  buff/cache   available
Mem:        4051236       85932     3890708         440       74596     3807084
Swap:      33554428           0    33554428
[root@vicky ~]# 

Update /etc/fstab

1
/dev/mapper/swap swap                    swap    defaults,discard,pri=3        0 0 

Have fun

Links

Comments