Arch Linux with LVM on LUKS (dm-crypt) Disk Encryption Installation Guide (Legacy/BIOS System)

#1

Hello 0x00’ers.
Today I will be writing a guide on an encrypted Arch install via LUKS, then installing the lightweight XFCE desktop environment. The way we will be going about this is we will create a non-encrypted boot partition, and then we will create a LUKS encrypted partition with 2 logical volumes (home and root). Think of the LUKS partition as a container for our root and home partitions. Let’s get started.

Pre-install + Setting Up Your Hard Drive and Partitions

You will need a bootable flash drive with Arch on it. If you choose to erase your hard drive, now would be the time to do it. I use dban on a dvd. Boot up Arch and you should see
Arch Linux <Version of Arch> (tty1)
archiso login: root (automatic login)
root@archiso ~ #

First let’s connect to the interwebz and set up the clock.

If you are connected to Ethernet it should have automatically connected to your network via dhcp, but if it didn’t you can run
root@archiso ~ # dhcpcd <your interface here ex: enp0s25>

You can get a list of your interfaces by typing
root@archiso ~ # ip link

If you are using wifi you can use the included tool, “wifi-menu”
root@archiso ~ # wifi-menu -o (the “o” shows asterisks when you type in the wifi password and stores it as a hexadecimal string.)

A dialog menu will pop up with a list of essid’s. Choose yours via arrow keys and hit enter. Next, it should say “Enter a name for the new profile”. It should be already filled out, but if it isn’t, type something in here like “home-wifi”. Hit enter. Next, type in your wifi password. Hit enter. If it asks you if you would like to save this profile, select yes and hit enter again. Finally, ping a website to see if the internet is working.
root@archiso ~ # ping www.google.com

To set the system clock via ntp type
root@archiso ~ # timedatectl set-ntp true

Now let’s partition the disks, and be aware that this will erase your hard drive.
Identify your hard drive via fdisk.
root@archiso ~ # fdisk -l

For me it is /dev/sda

Now enter the disk tool “parted”
root@archiso ~ # parted

Notice how instead of root@archiso ~ # it shows (parted). Now select your hard drive
(parted) select /dev/sdX where X is your hard drive label. For me it was (parted) select /dev/sda
Next, create a msdos disk label
(parted) mklabel msdos
Then create the boot partition
(parted) mkpart primary ext2 1MB 512MB
Then create a partition for the lvm using the rest of the disk space.
(parted) mkpart primary ext4 512MB 100%
(parted) print should list all of your partitions; you should have 2.
Now set the boot flag on your boot partition
(parted) set 1 boot on (1 should be the number of your boot partition)
Now type
(parted) quit
and verify that the changes have been made.
root@archiso ~ # fdisk -l
You should see two partitions with one having an asterisk under “boot”. For my hard drive /dev/sda1 is my boot partition, and /dev/sda2 is the partition I will be using for the lvm, so that is what I will be going off of for this part of the tutorial.

Now let’s set up luks
Type
root@archiso ~ # cryptsetup luksFormat /dev/sda2
(2 being the bigger partition…the one you will be using for the lvm)
Type YES and your password for the encrypted partition. Be sure to have a strong password.

Now open the luks container
root@archiso ~ # cryptsetup open /dev/sda2 name
name can be anything. The container will now be at /dev/mapper/name

Next let’s create the physical volume.
root@archiso ~ # pvcreate /dev/mapper/name
Now create a volume group; it can be whatever name you want.
root@archiso ~ # vgcreate x /dev/mapper/name (where x is anything you want)
Now let’s create the logical volumes.
root@archiso ~ # lvcreate -L 8GB x -n swap (where x is the name of your volume group)
root@archiso ~ # lvcreate -L 30G x -n root
root@archiso ~ # lvcreate -l 100%FREE x -n home

Now let’s create the file systems on each volume + boot partition.
root@archiso ~ # mkfs.ext4 /dev/mapper/x-home
root@archiso ~ # mkfs.ext4 /dev/mapper/x-root
root@archiso ~ # mkswap /dev/mapper/x-swap
root@archiso ~ # mkfs.ext2 /dev/sda1 (where /dev/sda1 is your boot partition, the one where we set the boot flag on)

Now we mount
root@archiso ~ # mount /dev/mapper/x-root /mnt
root@archiso ~ # mkdir /mnt/home
root@archiso ~ # mount /dev/mapper/x-home /mnt/home
root@archiso ~ # mkdir /mnt/boot
root@archiso ~ # mount /dev/sda1 /mnt/boot
root@archiso ~ # swapon /dev/mapper/x-swap

Installation

Now let us install Arch
root@archiso ~ # pacstrap /mnt base base-devel
Let’s generate the fstab file
root@archiso ~ # genfstab -U /mnt >> /mnt/etc/fstab
Then let’s chroot into the system.
root@archiso ~ # arch-chroot /mnt
Notice how the prompt changes to [root@archiso /] #

Setting the timezone and locales
To set the time zone type
[root@archiso /] # ln -s /usr/share/zoneinfo/YourRegionHere/YourCityHere /etc/localtime
Run the hardware clock
[root@archiso /] # hwclock --systohc
Next, type
[root@archiso /] # nano /etc/locale.gen
and uncomment (delete the #) on the line with “en_US.UTF-8 UTF-8” (or your localization)
then run
[root@archiso /] # locale-gen
Now type
[root@archiso /] # nano /etc/locale.conf
and type LANG=en_US.UTF-8 or what you need for your locale.
Type
[root@archiso /] # echo myhostname > /etc/hostname (where myhostname is what you want your hostname to be)
Now let’s install wpa_supplicant, iw, dialog, and netctl
[root@archiso /] # pacman -S wpa_supplicant iw dialog netctl
Now type
[root@archiso /] # nano /etc/mkinitcpio.conf
and where it says HOOKS="bla bla bla" make sure “keyboard”, “encrypt”, and “lvm2” are in that list.

Now we install and configure Grub
[root@archiso /] # pacman -S grub
[root@archiso /] # grub-install /dev/sda (where /dev/sda is the hard drive you are installing Arch onto)
[root@archiso /] # nano /etc/default/grub
and where it says GRUB_CMDLINE_LINUX="" make it say
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:x root=/dev/mapper/x-root"
where x is the name of your volume group, and /dev/sda2 should be your partition with the volume group.
Now type
[root@archiso /] # grub-mkconfig -o /boot/grub/grub.cfg
and type
[root@archiso /] # mkinitcpio -p linux
To set the root password type
[root@archiso /] # passwd
Now let’s add a user account and give it sudo privileges.
[root@archiso /] # useradd -m -G wheel yourusername
where yourusername is…of course…the username you want…duh.
Set the password with
[root@archiso /] # passwd yourusername
Now type
[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(it’s like vi, so navigate so that the cursor is over the #, hit del, and type ":wq")
Now you should be able to reboot into your new system. You can log into root or your newly created account to install a couple more packages.

Installing XFCE and more things.

First let’s install the sound manager
[root@myhostname ~] # pacman -S alsa-utils
Now install the Xorg display server and other goodies.
[root@myhostname ~] # pacman -S xorg-server xorg-server-utils xorg-xinit
[root@myhostname ~] # pacman -S xfce4 xfce4-goodies
[root@myhostname ~] # pacman -S lxdm
[root@myhostname ~] # systemctl enable lxdm
This will install xfce, lxdm, and bring the “login screen” up on boot.

More packages
To install firefox type
[root@myhostname ~] # pacman -S firefox

To install wicd network manager type
[root@myhostname ~] # pacman -S wicd wicd-gtk
[root@myhostname ~] # systemctl start wicd.service && systemctl enable wicd.service

If you have a Thinkpad like me and would like to use the dedicated volume control keys do this:
Main Menu > Settings -> Keyboard -> Application Shortcuts. Add a shortcut and type amixer set Master 1+; click ok; then press the volume up key when it prompts you to. Add another; amixer set Master 1-; ok; press volume down key. Then add one and type “amixer set Master toggle”; ok; press mute key.

Final Words

Thank you for reading this guide. I really hope it helps. In a time like now everyone should be using disk encryption to protect themselves from thieves and nosy governments. Arch may turn you off because it’s complicated but don’t let it. It has a great community. I advise you to read about the AUR (Arch User Repository). If you do not like XFCE you can stop at the part where I say you should be able to reboot your computer. I chose XFCE because it is simple, lightweight and runs great on older laptops like my Thinkpad. Last but not least…I wrote this at 1:00 AM so please give me suggestions and recommendations on how I can make this article easier to understand and better.

#Other things you may need (special thanks to @kowalski)

Graphic Drivers: pacman -Ss xf86-video and then pick the one for your card.
Input Devices: search with pacman -Ss xf86-input. evdev and synaptics/libinput should be enough.

Including additional LUKS encryption options is a good idea, even better if you have decent hardware. Here is a link to the wiki article with good explanation about what each option means: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

If you don’t want lxdm or any display manager, add startxfce4 to your .xinitrc in the home directory and just startx. You can also set startx to be executed automatically when you log into tty1 by putting this in /etc/profile.

# autostart systemd default session on tty1
if [[ "$(tty)" == '/dev/tty1' ]]; then
    exec startx
fi

Install pulseaudio-alsa so that when you play youtube and mpd together, youtube doesn’t stop. -_-

For nice compositing in XFCE, use compiz or compton. (I used compiz with mate and xfce before.)

[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(it’s like vi, so navigate so that the cursor is over the #, hit del, and type ":wq")
EDITOR=nano visudo, no need to use vi.

And as always,
Stay Frosty :snowman2:

Elliot Approved :thumbsup:
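
The HOOKS line and GRUB_CMDLINE_LINUX are the two hand edits in the guide above where a mistake leaves the machine unable to unlock its root volume at boot. The script below is an added example, not part of the original post: it checks that the hooks appear in a working order (keyboard before encrypt, encrypt before lvm2, both before filesystems) and that the kernel command line names the crypt device and the root logical volume. The function names `hooks_ok` and `cmdline_ok` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint the two files the guide
# edits by hand, before rebooting. All sample file contents are constructed.

# hooks_ok FILE: HOOKS must list keyboard, encrypt, lvm2, filesystems in that order.
hooks_ok() {
    hooks=$(grep -E '^HOOKS=' "$1" | tail -n 1 | sed 's/^HOOKS=//' | tr -d '"()')
    i=0; kb=0; enc=0; lvm=0; fs=0
    for h in $hooks; do
        i=$((i + 1))
        case $h in
            keyboard)    kb=$i ;;
            encrypt)     enc=$i ;;
            lvm2)        lvm=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    [ "$kb" -gt 0 ] && [ "$enc" -gt "$kb" ] && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]
}

# cmdline_ok FILE VG: needs cryptdevice=<device>:<name> and root= on VG's root LV.
# Assumes the volume group name has no hyphen (LVM doubles hyphens in /dev/mapper).
cmdline_ok() {
    cmd=$(grep -E '^GRUB_CMDLINE_LINUX=' "$1" | tail -n 1)
    printf '%s\n' "$cmd" | grep -Eq 'cryptdevice=[^ :"]+:[^ :"]+' || return 1
    printf '%s\n' "$cmd" | grep -Eq "root=/dev/mapper/$2-root([ \"]|\$)"
}

# Constructed demo: a HOOKS line with keyboard after filesystems and no
# encrypt/lvm2 fails; the reordered line passes. On a real install, run the
# functions on /etc/mkinitcpio.conf and /etc/default/grub inside the chroot.
demo=$(mktemp -d)
echo 'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"' > "$demo/before.conf"
echo 'HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"' > "$demo/after.conf"
echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:x root=/dev/mapper/x-root"' > "$demo/grub"

for f in before.conf after.conf; do
    if hooks_ok "$demo/$f"; then echo "$f: hook order OK"; else echo "$f: hooks missing or misordered"; fi
done
if cmdline_ok "$demo/grub" x; then echo "grub: cmdline OK"; else echo "grub: cmdline wrong"; fi
rm -rf "$demo"
```

After changing HOOKS, `mkinitcpio -p linux` has to be run again for the new order to reach the initramfs.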


#2

Great article, I have a similar cheatsheet for myself! Few things I’d like to point out:

  1. You haven’t listed out the step where graphics drivers are installed. It’s easy to do that, pacman -Ss xf86-video and then pick the one for your card. Also, xorg-twm, xorg-xclock and xterm aren’t needed.
    For your input devices, search with pacman -Ss xf86-input. evdev and synaptics/libinput should be enough. keyboard and mouse are for old devices that don’t really play well with udev iirc.

  2. Including additional LUKS encryption options is a good idea, even better if you have decent hardware. Here is a link to the wiki article with good explanation about what each option means: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

  3. If you don’t want lxdm or any display manager, add startxfce4 to your .xinitrc in the home directory and just startx. You can also set startx to be executed automatically when you log into tty1 by putting this in /etc/profile.

     # autostart systemd default session on tty1
     if [[ "$(tty)" == '/dev/tty1' ]]; then
         exec startx
     fi
    
  4. Install pulseaudio-alsa so that when you play youtube and mpd together, youtube doesn’t stop. -_-

  5. For nice compositing in XFCE, use compiz or compton. (I used compiz with mate and xfce before.)

[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(its like vi so navigate so that the cursor is over the #, hit del, and type “:wq”)

EDITOR=nano visudo, no need to use vi.

Good Job though! :wink:
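
For the LUKS encryption options raised in point 2 above, the following is an added example, not written by anyone in this thread: it reads the text that `cryptsetup luksDump` prints for a LUKS1 header and checks which cipher, mode and master-key size the container ended up with. The function names, the sample header and the pass threshold (AES in XTS mode with a 512-bit master key, i.e. AES-256, as set with `--key-size 512`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect LUKS1 `cryptsetup luksDump` text.

# luks_field DUMP_FILE LABEL: print the header value that follows "LABEL:".
luks_field() {
    awk -F':[ \t]*' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# luks_enabled_slots DUMP_FILE: number of key slots that hold a passphrase/key.
luks_enabled_slots() {
    grep -Ec '^Key Slot [0-7]: ENABLED' "$1" || true
}

# luks_meets_policy DUMP_FILE: AES-XTS with at least a 512-bit master key.
# XTS splits the key in two, so 512 bits means AES-256. Threshold is an assumption.
luks_meets_policy() {
    [ "$(luks_field "$1" 'Cipher name')" = aes ] || return 1
    [ "$(luks_field "$1" 'Cipher mode')" = xts-plain64 ] || return 1
    [ "$(luks_field "$1" 'MK bits')" -ge 512 ] 2>/dev/null
}

# Constructed sample in luksDump's LUKS1 layout (digest, salt and UUID lines omitted).
sample_dump() {
    printf 'LUKS header information for /dev/sda2\n\n'
    printf 'Version:       \t1\nCipher name:   \taes\nCipher mode:   \txts-plain64\n'
    printf 'Hash spec:     \tsha512\nPayload offset:\t4096\nMK bits:       \t%s\n\n' "$1"
    printf 'Key Slot 0: ENABLED\nKey Slot 1: DISABLED\n'
}

# Demo on constructed headers; on a real system feed it
#   cryptsetup luksDump /dev/sda2 > dump.txt
dump=$(mktemp)
for bits in 256 512; do
    sample_dump "$bits" > "$dump"
    if luks_meets_policy "$dump"; then verdict=pass; else verdict=fail; fi
    echo "MK bits $bits, hash $(luks_field "$dump" 'Hash spec'), slots in use $(luks_enabled_slots "$dump"): $verdict"
done
rm -f "$dump"
```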


#3

Thank you, I will add your suggestions. I never had a problem with the keyboard thing and I was using integrated graphics so that’s why I didn’t install any drivers.

