Installing Arch Linux with an encrypted home

This post is a summary of how I installed my Arch Linux with an encrypted home.

Background

I recently received my new work computer, and the guys from the IT department asked me to perform encryption, at least of my home partition. This was the first time I tried to encrypt partitions during the Arch Linux install. I remember some of my friends trying to encrypt their home without encrypting their whole partition, and I remembered that they had had some problems, so I thought I might as well encrypt the whole partition.

Another thing I remember from a long time ago is that it was considered a good practice to have your / and your /home on two separate partitions in case of crashes. I did that a couple of times, and when crashes occurred, I had never managed to fix them without wiping the whole disk, so eventually I stopped doing that.

This install caused me some problems, and this is why I write this post: if anyone other than myself reads it and finds help in it, I'm glad, but I mostly write it in case I need to do this once again.

So here I am, with my brand new machine, with an Ubuntu distribution that I obviously won't keep. I have my Arch Linux iso on my USB stick, and I'm ready to install.

The mistakes

When encrypting, if you have your / and /home on the same partition, and you want to encrypt your home, well, you'll be encrypting your /, and since /boot is in /, it will also be encrypted. Maybe you want to encrypt your /boot for security reasons, but it wasn't especially my case. The thing is, encrypting your /boot leads to extra complexity, since you'll need to decrypt it before booting.

This is why I decided to finally go back to putting / and /home on two separate partitions. That way, I encrypt my home, and that's all.

Another thing that a lot of people that encrypt disks use is LVM. Honestly, I don't know much about LVM, I just know that it adds a layer of complexity to the setup, and if I can avoid that, I might as well.

The process

Booting the USB drive

As it always begins, I plug my USB drive into my computer, boot it and rapidly press F12, and make my computer boot on the USB drive. From there, I get a prompt, and as a French guy with an AZERTY keyboard, I start by running

loadkeys fr

(which I need to type as loqdkeys fr since the default keyboard layout is the QWERTY one).

Partitioning the disk

Then comes the part where we partition the disk. As said previously, I'll have my / and /home on two separate partitions, and since I don't believe in swap, I made three partitions:

  • /dev/nvme0n1p1 that corresponds to /boot/efi, 100MB;
  • /dev/nvme0n1p2 that corresponds to /, 50GB (originally 15GB, because I wanted to keep it small since my laptop only has 512GB of SSD): even if you have a small disk, be large on this one or you'll be f**ked later (happened to me on August 24th);
  • /dev/nvme0n1p3 that corresponds to /home, that fills the rest of my disk and that will be encrypted.

Then, we need to format those partitions. So it starts as usual:

mkfs.vfat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
mkfs.ext4 /dev/nvme0n1p3 # This may be useless but I'm not sure

Then we need to set up the encryption of our /dev/nvme0n1p3:

cryptsetup --type luks1 luksFormat /dev/nvme0n1p3

I'm not super sure the --type luks1 is required, but I use Grub as bootloader and I'm not sure it supports luks2.

Anyway, this will ask you for a passphrase. Finding a good passphrase is hard, but advice can be found online. I used diceware as a source of inspiration.

When this is done, you need to mount your partitions to continue the install.

The following command unlocks the encrypted partition and maps it to a decrypted device:

cryptsetup luksOpen /dev/nvme0n1p3 luks

It creates a virtual disk at /dev/mapper/luks that you then need to format as well:

mkfs.ext4 /dev/mapper/luks

Then you can start mounting everything everywhere:

mount /dev/nvme0n1p2 /mnt
mkdir -p /mnt/boot/efi && mount /dev/nvme0n1p1 /mnt/boot/efi
mkdir /mnt/home && mount /dev/mapper/luks /mnt/home

Install all the things

Now is the moment to pacstrap all the things. Make sure you have an internet connection, edit your /etc/pacman.d/mirrorlist to put the servers close to you at the top of the file, and here we go:

pacstrap /mnt base base-devel linux linux-firmware netctl dhclient dhcpcd wireless_tools wpa_supplicant dialog

Those should let you connect to the internet once the install is finished. Make sure to also install your favorite text editor.

You should also generate your fstab file:

genfstab -Up /mnt >> /mnt/etc/fstab

This file describes which partitions should be mounted and where when the computer boots.

The chroot

Now comes the time to chroot.

arch-chroot /mnt

Welcome to your new computer. You can configure things such as the machine name, the timezone, the keyboard layout, etc. Don't hesitate to check the official guide for these parts: encryption doesn't change anything until the Initramfs (mkinitcpio).

Don't forget to set the root password with the passwd command.

Initramfs

To be honest, I have no idea what this does, but I know that it's very important. Start by running mkinitcpio -p linux. This should generate a file named /etc/mkinitcpio.conf. In this file you should add ext4 in the modules line, my line looks like this:

MODULES=(ext4)

and add encrypt just before filesystems in the hooks line, my line looks like this:

HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)

Then, run mkinitcpio -p linux once again, and you're done with that part.

Grub

Ok, there surely are alternatives to Grub, but Grub is the only thing I know so that's what I use. To install grub, you need to install two other packages:

pacman -S grub efibootmgr

Normally, you should still have your internet connection active from before the chroot.

Once grub is installed, you need to edit its default configuration to make it understand that some partitions are encrypted. Edit the /etc/default/grub file. The line GRUB_ENABLE_CRYPTODISK=y should be uncommented, and I also changed the GRUB_CMDLINE_LINUX line:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:luks"

Once those modifications are done, you need to install grub:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub
grub-mkconfig -o /boot/grub/grub.cfg

and normally you should be all set.
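
A pre-reboot check for the three files edited above, as an added example that is not part of the original post: it verifies that encrypt comes before filesystems in HOOKS, that GRUB_CMDLINE_LINUX carries a cryptdevice mapping, and that /etc/fstab mounts /home from that mapping. The function names and the script name check.sh are made up for illustration, and the fstab check assumes that genfstab wrote the source device as a comment above each entry.

```bash
#!/bin/sh
# Pre-reboot check of the three files edited in this post (added example).

# Succeeds if HOOKS lists "encrypt" before "filesystems".
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1" | tail -n 1)
    seen_encrypt=no
    for h in $hooks; do
        case "$h" in
            encrypt) seen_encrypt=yes ;;
            filesystems) [ "$seen_encrypt" = yes ] && return 0; return 1 ;;
        esac
    done
    return 1
}

# Prints <name> from cryptdevice=<device>:<name> in GRUB_CMDLINE_LINUX.
grub_mapper_name() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=[^: "]*:\([^: "]*\).*/\1/p' "$1" | tail -n 1
}

# Succeeds if fstab mounts /home from /dev/mapper/<name>, either directly or
# as a UUID= entry under the "# /dev/mapper/<name>" comment genfstab writes.
fstab_home_ok() {
    awk -v dev="/dev/mapper/$2" '
        $1 == "#"     { last = $2; next }
        $2 == "/home" { if ($1 == dev || last == dev) found = 1 }
                      { last = "" }
        END           { exit !found }' "$1"
}

# Prints one line per problem; returns non-zero if any check fails.
check_encrypted_home() {
    rc=0
    hooks_ok "$1" || { echo "mkinitcpio: encrypt missing or after filesystems"; rc=1; }
    name=$(grub_mapper_name "$2")
    if [ -z "$name" ]; then
        echo "grub: no cryptdevice=<device>:<name> in GRUB_CMDLINE_LINUX"; rc=1
    elif ! fstab_home_ok "$3" "$name"; then
        echo "fstab: /home is not mounted from /dev/mapper/$name"; rc=1
    fi
    return $rc
}

# Usage in the chroot: sh check.sh /etc/mkinitcpio.conf /etc/default/grub /etc/fstab
if [ "$#" -eq 3 ]; then check_encrypted_home "$@"; fi
```

If the script prints nothing and exits with status 0, the initramfs, the kernel command line and fstab agree on the mapping name.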

Reboot

You can now exit the chroot (Ctrl+D or exit), umount the disks (umount -R /mnt) and reboot your computer.

When booting again, grub should start and run Arch Linux, and then it will prompt you for your passphrase. When the passphrase is entered, it will prompt for your login and password and you can then continue your configuration.