I recently bought a new laptop for travelling and, security-minded as I am, I wanted to set it up with full disk encryption. I remembered that years ago this was straightforward: just follow the steps in the Arch wiki and you're pretty much done. But I had the great misfortune to discover that the installation guide has turned into a jungle of loosely connected pages. Especially for more complex setups like this one, it is easy to forget a step or miss an important detail. So, this post provides a linear and coherent guide on how to set up full disk encryption.
Our setup will be as follows: an unencrypted EFI system partition, and a single LUKS container that holds /boot and the data partitions.
Before you continue with this guide, make sure that you start with the normal installation instructions first [1]. When you get to step "1.9 Partition the disks", hop over to this page.
We will create a GPT partition table with two partitions, an EFI system partition and a "Linux LUKS" partition. For that, we use gdisk. Replace <device> with your hard disk, like /dev/sda.
$ gdisk <device>
Create a new partition table:
o
Create an EFI system partition (partition number, first sector, size, type code):
n
1
(default)
+1G
ef00
Create a Linux LUKS partition (partition number, first sector, last sector, type code):
n
2
(default)
(default)
8309
And save the table to disk:
w
Make the EFI system partition FAT32, where <device>1 stands for e.g. /dev/sda1 depending on your hard disk:
$ mkfs.fat -F32 <device>1
Make the second partition a LUKS container. GRUB can only unlock LUKS2 keyslots that use PBKDF2, so we select it explicitly instead of cryptsetup's Argon2id default; -i sets the PBKDF iteration time in milliseconds:
$ cryptsetup luksFormat --pbkdf pbkdf2 -i 10000 <device>2
Start by opening the encrypted partition as cryptlvm:
$ cryptsetup open <device>2 cryptlvm
Create the volume group MyVolGroup:
$ pvcreate /dev/mapper/cryptlvm
$ vgcreate MyVolGroup /dev/mapper/cryptlvm
Create your logical volume layout inside the container. I decided to go with two volumes: swap and root (the lvreduce leaves a bit of free space in the volume group):
$ lvcreate -L 16G -n swap MyVolGroup
$ lvcreate -l 100%FREE -n root MyVolGroup
$ lvreduce -L -256M MyVolGroup/root
Turn the logical volumes into your desired filesystems:
$ mkswap /dev/MyVolGroup/swap
$ mkfs.ext4 /dev/MyVolGroup/root
Then, mount everything and continue with the installation instructions [1] in chapter "2 Installation":
$ mount /dev/MyVolGroup/root /mnt
$ swapon /dev/MyVolGroup/swap
$ mount --mkdir <device>1 /mnt/efi
Once you have gotten to "3.6 Initramfs", change back again to this page.
Add the following hooks to /etc/mkinitcpio.conf, keeping this order (encrypt before lvm2, both before filesystems):
HOOKS=(... encrypt lvm2 filesystems fsck)
and run
$ mkinitcpio -P
In /etc/default/grub uncomment
GRUB_ENABLE_CRYPTODISK=y
and add the kernel parameters
GRUB_CMDLINE_LINUX_DEFAULT="... cryptdevice=UUID=<device-uuid>:cryptlvm root=/dev/MyVolGroup/root"
<device-uuid> is the UUID of the LUKS container partition <device>2. You can get it via lsblk -f. Then, run
$ grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
$ grub-mkconfig -o /boot/grub/grub.cfg
The encrypt hook ships with mkinitcpio, but the lvm2 hook and the tools that activate the volume group inside the LUKS container at boot come from the lvm2 package, which is not installed by default. Install it if you did not include it in your pacstrap (and rerun mkinitcpio -P afterwards if the hook was reported missing):
$ pacman -S lvm2
Then everything should be good to go. Don't forget to set your root password and reboot into the new environment.
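Before rebooting, it is worth verifying that the three pieces the initramfs and GRUB depend on actually agree with each other: the hook order, the PBKDF the LUKS keyslots use, and the cryptdevice UUID in the kernel command line. The script below is an added example, not part of the original post; it assumes the names used in this guide (cryptlvm, MyVolGroup) and parses only text, so it runs on the constructed samples at the bottom as well as on the real files from inside the chroot.

```shell
#!/bin/sh
# Assumes the names used above: mapper name cryptlvm, volume group MyVolGroup.
# Only text is parsed, so the checks run on the real files inside the chroot
# as well as on the constructed samples at the bottom.

# HOOKS line from mkinitcpio.conf: encrypt must precede lvm2, lvm2 must precede filesystems.
hooks_ok() {
    e=0; l=0; f=0; i=0
    for h in $(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))/\1/p'); do
        i=$((i + 1))
        case "$h" in
            encrypt) e=$i ;;
            lvm2) l=$i ;;
            filesystems) f=$i ;;
        esac
    done
    [ "$e" -gt 0 ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ]
}

# cryptsetup luksDump output: every keyslot must use pbkdf2, the only PBKDF GRUB can unlock.
luks_pbkdf_ok() {
    n=$(printf '%s\n' "$1" | grep -c '^[[:space:]]*PBKDF:') || true
    bad=$(printf '%s\n' "$1" | grep '^[[:space:]]*PBKDF:' | grep -vc 'pbkdf2$') || true
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# /etc/default/grub text and the LUKS partition UUID: cryptodisk must be enabled (not
# commented out), cryptdevice must name that UUID and cryptlvm, root must be the LVM volume.
grub_ok() {
    printf '%s\n' "$1" | grep -qx 'GRUB_ENABLE_CRYPTODISK=y' || return 1
    cmdline=$(printf '%s\n' "$1" | sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p')
    case " $cmdline " in *" cryptdevice=UUID=$2:cryptlvm "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" root=/dev/MyVolGroup/root "*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples; the UUID is made up for illustration.
SAMPLE_UUID="12345678-abcd-4ef0-9876-0123456789ab"
GOOD_HOOKS="HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems fsck)"
GOOD_GRUB="GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet cryptdevice=UUID=$SAMPLE_UUID:cryptlvm root=/dev/MyVolGroup/root\""
GOOD_DUMP="Keyslots:
  0: luks2
        PBKDF:      pbkdf2
        Hash:       sha256"

hooks_ok "$GOOD_HOOKS" && grub_ok "$GOOD_GRUB" "$SAMPLE_UUID" && luks_pbkdf_ok "$GOOD_DUMP" \
    && echo "sample config: ok"
# Inside the chroot, feed the real data instead of the samples:
#   hooks_ok "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"
#   grub_ok "$(cat /etc/default/grub)" "$(lsblk -no UUID <device>2)"
#   luks_pbkdf_ok "$(cryptsetup luksDump <device>2)"
```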
[1] Installation guide - Arch Wiki, https://wiki.archlinux.org/title/Installation_guide