Background
I recently received my new work computer, and the guys from the IT department asked me to perform encryption, at least of my home partition. This was the first time I tried to encrypt partitions during an Arch Linux install. I remember some of my friends trying to encrypt their home without encrypting their whole partition, and I remembered that they had had some problems, so I thought I might as well encrypt the whole partition.
Another thing I remember from a long time ago is that it was considered good practice to have your / and your /home on two separate partitions in case of crashes. I did that a couple of times, and when crashes occurred, I never managed to fix them without wiping the whole disk, so eventually I stopped doing that.
This install caused me some problems, and this is why I write this post: if anyone other than me reads it and finds help in it, I'm glad, but I mostly write it in case I need to do this once again.
So here I am, with my brand new machine, with an Ubuntu distribution that I obviously won't keep. I have my Arch Linux iso on my USB stick, and I'm ready to install.
The mistakes
When encrypting, if you have your / and /home on the same partition and you want to encrypt your home, well, you'll be encrypting your /, and since /boot is in /, it will also be encrypted. Maybe you want to encrypt your /boot for security reasons, but that wasn't especially my case. The thing is, encrypting your /boot leads to extra complexity, since you'll need to decrypt it before booting.
This is why I decided to finally go back to putting / and /home on two separate partitions. That way, I encrypt my home, and that's all.
Another thing that a lot of people who encrypt disks use is LVM. Honestly, I don't know much about LVM; I just know that it adds a layer of complexity to the setup, and if I can avoid that, I might as well.
The process
Booting the USB drive
As it always begins, I plug my USB drive into my computer, boot it and rapidly press F12, and make my computer boot on the USB drive. From there, I get a prompt, and as a French guy with an azerty keyboard, I start by running loadkeys fr (which I need to type as loqdkeys fr since the default keyboard layout is the qwerty one).
Partitioning the disk
Then comes the part where we format the disk. As said previously, I'll have my / and /home on two separate partitions, and since I don't believe in swap, I made three partitions:
- /dev/nvme0n1p1, which corresponds to /boot/efi, 100MB;
- /dev/nvme0n1p2, which corresponds to /, 15GB at first (I wanted to keep it small because my laptop only has 512GB of SSD), now 50GB: even if you have a small disk, be generous on this one or you'll be f**ked later (happened to me on August 24th);
- /dev/nvme0n1p3, which corresponds to /home, fills the rest of my disk and will be encrypted.
Then, we need to format those partitions. So it starts as usual:
mkfs.vfat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
mkfs.ext4 /dev/nvme0n1p3 # Useless in practice: luksFormat below overwrites it, and the unlocked device gets its own filesystem later
Then we need to set up the encryption of our /dev/nvme0n1p3:
cryptsetup --type luks1 luksFormat /dev/nvme0n1p3
I'm not super sure the --type luks1 is required, but I use Grub as bootloader and I'm not sure it supports luks2. Note that in this layout Grub never has to read the encrypted partition itself (only /home is encrypted, and the initramfs unlocks it), so the default LUKS2 format, whose Argon2 key derivation makes passphrase guessing costlier than LUKS1's PBKDF2, would work just as well.
Anyway, this will ask you for a passphrase. Finding a good passphrase is hard, but advice can be found online. I used diceware as a source of inspiration.
When this is done, you need to mount your partitions to continue the install. The following command opens the encrypted partition and exposes its decrypted contents as a new block device:
cryptsetup luksOpen /dev/nvme0n1p3 luks
It creates a virtual disk at /dev/mapper/luks that you then need to format as well:
mkfs.ext4 /dev/mapper/luks
Then you can start mounting everything everywhere:
mount /dev/nvme0n1p2 /mnt
mkdir -p /mnt/boot/efi && mount /dev/nvme0n1p1 /mnt/boot/efi
mkdir /mnt/home && mount /dev/mapper/luks /mnt/home
Install all the things
Now is the moment to pacstrap all the things. Make sure you have an internet connection, edit your /etc/pacman.d/mirrorlist to put the servers close to you at the top of the file, and here we go:
pacstrap /mnt base base-devel linux linux-firmware netctl dhclient dhcpcd wireless_tools wpa_supplicant dialog
Those should let you connect to the internet once the install is finished. Make sure to also install your favorite text editor.
You should also generate your fstab file:
genfstab -Up /mnt >> /mnt/etc/fstab
This file describes which partitions should be mounted and where when the computer boots.
The chroot
Now comes the time to chroot.
arch-chroot /mnt
Welcome to your new computer. You can configure things such as the machine name, the timezone, the keyboard layout, etc. Don't hesitate to check the official guide for these parts; encryption doesn't change anything until the initramfs (mkinitcpio).
Don't forget to set the root password with the passwd command.
Initramfs
To be honest, I have no idea what this does, but I know that it's very important.
Start by running mkinitcpio -p linux. This should generate a file named /etc/mkinitcpio.conf. In this file you should add ext4 in the modules line; my line looks like this:
MODULES=(ext4)
and add encrypt just before filesystems in the hooks line; my line looks like this:
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
Since the passphrase prompt now happens inside the initramfs, anything it needs must already be there: put keyboard before encrypt if you type on a USB keyboard, and add the keymap hook (with KEYMAP=fr in /etc/vconsole.conf) before encrypt if you want the prompt to use the azerty layout rather than qwerty.
Then, run mkinitcpio -p linux once again, and you're done with that part.
Grub
Ok, there surely are alternatives to Grub, but Grub is the only thing I know, so that's what I use. To install grub, you need to install two other packages:
pacman -S grub efibootmgr
Normally, you should still have your internet connection active from before the chroot.
Once grub is installed, you need to edit its default configuration to make it understand that some partitions are encrypted. Edit the /etc/default/grub file. The line GRUB_ENABLE_CRYPTODISK=y should be uncommented, and I also changed the GRUB_CMDLINE_LINUX line:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks"
The part after the colon is the mapper name the encrypt hook will create at boot (/dev/mapper/luks), the same one used with luksOpen above.
Once those modifications are done, you need to install grub:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub
grub-mkconfig -o /boot/grub/grub.cfg
and normally you should be all set.
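Before leaving the chroot, a few checks catch the most common slips in the steps above; this is an added example, not the post's own script. It runs against constructed copies of the post's config lines (feed it the contents of the real files to use it for real), and it goes one step beyond the post by also checking that keyboard precedes encrypt.

```shell
#!/bin/bash
# Added example, not from the original post: sanity checks to run inside the chroot
# before rebooting, while the live USB can still fix a typo. The config text below is
# constructed to mirror the post; pass e.g. "$(cat /etc/mkinitcpio.conf)" for real use.
set -u

# Return 0 if hook $2 appears before hook $3 in a HOOKS=(...) line.
hooks_order_ok() {
    local line=$1 first=$2 second=$3 hooks h i=0 i_first=-1 i_second=-1
    hooks=${line#*\(}; hooks=${hooks%%\)*}
    for h in $hooks; do
        [ "$h" = "$first" ] && i_first=$i
        [ "$h" = "$second" ] && i_second=$i
        i=$((i + 1))
    done
    [ "$i_first" -ge 0 ] && [ "$i_second" -ge 0 ] && [ "$i_first" -lt "$i_second" ]
}
# Print the mapper name from cryptdevice=<device>:<name> in GRUB_CMDLINE_LINUX, or fail.
cryptdevice_name() {
    local param
    param=$(printf '%s\n' "$1" | grep -o 'cryptdevice=[^ "]*') || return 1
    printf '%s\n' "${param#*:}"
}
# Return 0 if GRUB_ENABLE_CRYPTODISK=y is present and not commented out.
grub_cryptodisk_enabled() { printf '%s\n' "$1" | grep -q '^GRUB_ENABLE_CRYPTODISK=y'; }
# Return 0 if the fstab text mounts something on mount point $2.
fstab_mounts() { printf '%s\n' "$1" | grep -Eq "^[^#[:space:]]+[[:space:]]+$2[[:space:]]"; }

# Constructed samples mirroring the post's configuration.
HOOKS_LINE='HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)'
DEFAULT_GRUB='GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks"'
FSTAB='/dev/nvme0n1p2 / ext4 rw,relatime 0 1
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0022,dmask=0022 0 2
/dev/mapper/luks /home ext4 rw,relatime 0 2'

report() {
    hooks_order_ok "$HOOKS_LINE" encrypt filesystems && echo "ok: encrypt precedes filesystems" \
        || echo "FAIL: encrypt must come before filesystems"
    hooks_order_ok "$HOOKS_LINE" keyboard encrypt && echo "ok: keyboard precedes encrypt" \
        || echo "warn: keyboard after encrypt; a USB keyboard may be dead at the passphrase prompt"
    grub_cryptodisk_enabled "$DEFAULT_GRUB" && echo "ok: GRUB_ENABLE_CRYPTODISK=y" || echo "FAIL: cryptodisk off"
    name=$(cryptdevice_name "$DEFAULT_GRUB") && echo "ok: cmdline unlocks /dev/mapper/$name" \
        || echo "FAIL: no cryptdevice= in GRUB_CMDLINE_LINUX"
    fstab_mounts "$FSTAB" /home && echo "ok: fstab mounts /home" || echo "FAIL: /home missing from fstab"
}
report
```

With the post's own HOOKS line the script prints the keyboard warning, which is exactly the ordering caveat above.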
Reboot
You can now exit the chroot (Ctrl+D or exit), unmount the disks (umount -R /mnt) and reboot your computer.
When booting again, grub should start and run Arch Linux, and then it will prompt you for your passphrase. When the passphrase is entered, it will prompt for your login and password, and you can then continue your configuration.