Encrypted Install on Btrfs with Arch Linux on UEFI
Sat, May 1, 2021 01:00 CEST
Tags: Security, Encryption
So easy!
- Bootloader:
bootctl- Encryption:
LUKS - Filesystem:
Btrfs
- Encryption:
Check you are in EFI mode
ls /sys/firmware/efi
...
Update the system clock
timedatectl set-ntp true
List disks
lsblk
Partition the storage device
gdisk /dev/sda
o
y
n
<enter>
<enter>
+512MiB
ef00
n
<enter>
<enter>
<enter>
8309
w
y
Format boot partition
mkfs.fat -F32 /dev/sda1
Encrypt main partition
cryptsetup luksFormat /dev/sda2
YES
<passphrase>
<passphrase>
Open main partition
cryptsetup luksOpen /dev/sda2 main
<passphrase>
Format Btrfs volume
mkfs.btrfs -d single -m single /dev/mapper/main
Mount Btrfs volume
mount /dev/mapper/main /mnt
Create Btrfs subvolumes
cd /mnt
btrfs subvolume create @
btrfs subvolume create @home
btrfs subvolume create @snapshots
btrfs subvolume create @swap
Mount Btrfs main volume, boot partition, and Btrfs subvolumes
cd
umount /mnt
mount -o noatime,subvol=@ /dev/mapper/main /mnt
mkdir /mnt/boot
mount -o fmask=0077,dmask=0077 /dev/sda1 /mnt/boot
mkdir /mnt/home
mount -o noatime,subvol=@home /dev/mapper/main /mnt/home
mkdir /mnt/.snapshots
mount -o noatime,subvol=@snapshots /dev/mapper/main /mnt/.snapshots
mkdir /mnt/swap
mount -o noatime,subvol=@swap /dev/mapper/main /mnt/swap
Create swap file
btrfs filesystem mkswapfile --size 4g --uuid clear /mnt/swap/swapfile
swapon /mnt/swap/swapfile
Bootstrap installation (tweak /etc/pacman.d/mirrorlist if too slow)
pacstrap /mnt mkinitcpio linux linux-firmware btrfs-progs base base-devel dhcpcd vi gvim git firefox iwd
pacstrap /mnt mkinitcpio linux linux-firmware btrfs-progs base base-devel dhcpcd vi gvim git firefox # without WiFi
Generate /etc/fstab
genfstab -p /mnt >> /mnt/etc/fstab
Chroot
arch-chroot /mnt
Configure time
rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Brussels /etc/localtime
hwclock --systohc --utc
Create root password
passwd
<password>
<password>
Uncomment UTF8 and ISO-8859-1 en_US lines in /etc/locale.gen.
# /etc/locale.gen
en_US.UTF-8 UTF-8
en_US ISO-8859-1
Then
locale-gen
locale > /etc/locale.conf
Configure the hostname
echo "hostname" > /etc/hostname
Give keyboard access before mounting to type encryption password
# /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf kms keyboard block encrypt filesystems fsck)
Optionally throw in some consolefont and keymap hooks if you plan to
customize them.
# /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
Regenerate initramfs
mkinitcpio -p linux
Install the bootloader
bootctl --path=/boot install
Create boot loader
# /boot/loader/loader.conf
default arch.conf
timeout 3
editor 0
console-mode auto # see https://github.com/systemd/systemd/pull/8086/commits/68d4b8ac9b9673637fa198b735f6e64b78b35d3b
# console-mode max
Create boot loader entry
# /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:main:allow-discards root=/dev/mapper/main rootflags=subvol=@ rw
NOTE: :allow-discards should not be used if not SSD storage.
Replace <UUID> with the UUID found in :read !blkid /dev/sda2.
Unmount and reboot
exit
cd
sync
swapoff /mnt/swap/swapfile
umount -R /mnt
reboot
Create an admin user (uncomment the appropriate %wheel line via visudo)
useradd -m -G wheel theadminusername
passwd theadminusername
<password>
<password>
Note that the login shell can be changed with
chsh -s <shell> <username>
The list of available shells is available at less /etc/shells.