Differences

This shows you the differences between two versions of the page.

--- install_archlinux_with_lvm_on_luks_bios:gpt [2023/11/21 22:30] – created dougy147
+++ install_archlinux_with_lvm_on_luks_bios:gpt [2024/08/18 13:04] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
 <!DOCTYPE markdown>
-Installing ArchLinux with LVM on LUKS on a BIOS/GPT system.
+Installing ArchLinux with LVM on LUKS on a BIOS/GPT system with boot encryption.
 # Keyboard
@@ Line 7: / Line 7: @@
 loadkeys fr
 ```
-Available layouts are located in `/usr/share/kbd/keymaps/`.
-List them all with `ls /usr/share/kbd/keymaps/**/*.map.gz`.
+List available fonts with `ls /usr/share/kbd/keymaps/**/*.map.gz`.
 # Fonts
-Do yourself a favour: increase the terminal font during install for visual comfort ;-)
+Do yourself a favour: increase the terminal font for visual comfort ;-)
 ```
@@ Line 19: / Line 18: @@
 ```
-Available fonts are located here `/usr/share/kbd/consolefonts/`.
+List available fonts with `ls /usr/share/kbd/consolefonts/`.
-List them all with `ls /usr/share/kbd/consolefonts/`.
 # Boot mode
-Remember this tutorial is for BIOS boot firmware.
+Remember this guide is for BIOS boot firmware.
-Be sure to be in that mode as there are minor divergences with UEFI during partitioning and bootloader configuration.
+As there are minor divergences with UEFI during partitioning and bootloader configuration.
+Check whether this guide is suited for you:
 ```
 cat /sys/firmware/efi/fw_platform_size
-# No such file or directory => system booted with BIOS
+# BIOS => "No such file or directory"
-# 32 or 64 => system booted with UEFI
+# UEFI => "32" or "64"
 ```
-If the command returns nothing (No such file or directory): your system booted in BIOS (or CSM; Compatibility Support Mode).
+If the command returns an error ("No such file or directory"): your system booted in BIOS (or CSM; Compatibility Support Mode).
-Otherwise, if the command returns `64` (or `32`): your system booted in UEFI 64-bit x64 (or 32-bit IA32).
+Otherwise, if it returns `64` (or `32`): your system booted in UEFI 64-bit x64 (or 32-bit IA32), and you should not use that guide.
 # Connect to the network
-If your computer is not ethernet-plugged, connect using Wi-Fi:
+If the machine is not plugged to ethernet, connect using Wi-Fi:
 ```
+ip a # identify your wireless card (usually wlan0)
 iwctl
     station wlan0 scan
@@ Line 57: / Line 57: @@
 # Partitioning
-We want LVM on LUKS. That means a layer of encryption is going to reside between LVM and our physical hard drive.
+We want LVM on LUKS. That means a layer of encryption (LUKS) will reside between LVM and the physical drive.
-It is better to have LVM **inside** the LUKS encryption. (But it is more common to say LVM **on** LUKS.)
+It is better to have LVM **inside** the LUKS encryption<sup>[source](blank)</sup>. (But it is more common to say LVM **on** LUKS.)
 {{ :install_archlinux_with_lvm_on_luks_bios:layers.png?nolink&600 |}}
@@ Line 69: / Line 69: @@
     - LVM partitioning
-Identify the drive you want to install the OS on (usually `/dev/sda` if you have only one drive connected to the motherboard).
+Identify the drive you want to install the OS on. (Usually `/dev/sda` if you have only one drive connected to the motherboard.)
 ```
@@ Line 75: / Line 75: @@
 ```
-To avoid copy-pasting mistakes, we will assume the drive to be `/dev/sdXXX`. Change it accordingly.
+We will assume the drive to be `/dev/sdz`. Change it accordingly.
@@ Line 85: / Line 85: @@
 cryptsetup benchmark # if you want to chose the fastest algorithm (aes-xts for now)
 ALGO="aes-xts-plain64"
-cryptsetup open --type plain --cipher "$ALGO" -d /dev/urandom /dev/sdXXX to_be_wiped # hard drive points to 'to_be_wiped'
+cryptsetup open --type plain --cipher "$ALGO" -d /dev/urandom /dev/sdz to_be_wiped # hard drive points to 'to_be_wiped'
 lsblk # you should see the drive 'to_be_wiped'
 dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress # no need for /dev/urandom here, cryptsetup acts as a layer of randomness (see above command)
@@ Line 106: / Line 106: @@
 ```
-cfdisk /dev/sdXXX
+cfdisk /dev/sdz
 ```
@@ Line 115: / Line 115: @@
 It is going to be unencrypted (BIOS boot) and will be used to store the second stage of BIOS bootloader.
-## (almost) full disk encryption
-You should still be in `cfdisk` (else `cfdisk /dev/sdXXX` again).
 Use remaining `<Free Space>` as a `<New>` primary partition.
@@ Line 125: / Line 121: @@
 Then `<Quit>` to exit `cfdisk`.
-```
+Our drive is "physically" split in two:
-cryptsetup luksFormat --type luks1 /dev/sdXXX2 # this NON-boot partition we've just created
+  * `/dev/sdz1`: BIOS boot partition
-# BEFORE typing your secure passphrase READ BELOW
+  * `/dev/sdz2`: where LUKS, LVM and our system are going to stay
-```
+## (almost) full disk encryption
+Let's encrypt `/dev/sdz2`. As we want boot encryption, we will use LUKS1 instead of LUKS2. That is because GRUB knows how to proceed with decryption only with the former during bootload.
 | IMPORTANT NOTE             |
@@ Line 134: / Line 135: @@
 | You really should read this if you don't use a QWERTY layout. Indeed, the keyboard layout will by default be "us" (QWERTY) when GRUB will first ask us to decrypt our `/boot` partition at startup. There is little documentation on how to succeed and when it exists, it is either outdated or misleading. I really felt hit by a nerd snipper trying to solve that issue... A workaround is to type your passphrase as if it was typed on a QWERTY keyboard. If you have any info on how to solve this please tell me.|
+```
+cryptsetup luksFormat --type luks1 /dev/sdz2
+# BEFORE typing your secure passphrase READ ABOVE
+```
+After initializing the LUKS partition, let's open it and map it to a name (`cryptlvm` here):
 ```
-cryptsetup open /dev/sdXXX2 cryptlvm # open this partition at mountpoint "cryptlvm"
+cryptsetup open /dev/sdz2 cryptlvm # open LUKS partition and map it to "cryptlvm"
 # type secure passphrase to decrypt
 ```
@@ Line 166: / Line 173: @@
 ```
-## Install
+# Install
+Partitioning is finally done. Let's install basic programs and write the partition table to our future system `fstab`:
 ```
@@ Line 220: / Line 229: @@
 ```
-## Configure bootloader (GRUB)
+## Bootloader (GRUB)
 Configure GRUB to allow booting from `/boot` on a LUKS1 encrypted partition.
@@ Line 233: / Line 242: @@
 The first line sets the kernel parameters so the initramfs can unlock the encrypted root partition, using the `encrypt` hook.
-The `<device-UUID>` is the one of the LUKS superblock (the big partition) (in this example /dev/sdXXX2).
+The `<device-UUID>` is the one of the LUKS superblock (the big partition) (in this example /dev/sdz2).
 To find UUID : `blkid` for GPT (else `lsblk -f`).
-## Install bootloader (GRUB)
 ```
-grub-install --target=i386-pc --recheck /dev/sdXXXX # not a parition, it's the whole disk (e.g. /dev/sda)
+grub-install --target=i386-pc --recheck /dev/sdz
 ```
@@ Line 260: / Line 267: @@
 Everything should be fine.
-## Avoid having to enter your passphrase twice
+# Enter your passphrase once, not twice
-As boot and root are on the same partition you will be asked twice for your passphrase.
+As boot and root are on the same partition you will be asked twice for your passphrase at startup.
 The first time, GRUB asks for the passphrase to decrypt the boot partition.
 The second time, it is the encrypt hook which asks you for the root partition's passphrase.
-If you do not want to be asked for your root partition password again, you will have to embed the keyfile in the initramfs and configure it to be used on system boot to decrypt and mount the root partition.
+If you do not want to be asked for your root partition password again, you will have to embed a keyfile in the initramfs and configure it to be used on system boot to decrypt and mount the root partition <sup>[source](https://bbs.archlinux.org/viewtopic.php?id=243152)</sup>.
-[From this post](https://bbs.archlinux.org/viewtopic.php?id=243152).
+So, when booting your system, GRUB will ask you to decrypt your `/boot` partition (remember the keyboard will be in QWERTY layout), then, the encrypt hook will ask you to decrypt the `root` partition.
-So, when booting your system, GRUB will ask you to decrypt your `/boot` partition (remember the keyboard will be in QWERTY layout).
+We will indeed avoid that by creating a keyfile. It will be read after boot decryption and used to decrypt the `root` partition in the mean time.
-Once decrypted, it will ask you again to decrypt the `root` partition.
-We will avoid that by creating a keyfile that will be read after decrypting the boot, so GRUB knows how to decrypt the `root` partition in the mean time.
+Let's first create a keyfile and add it as LUKS key:
-First create a keyfile and add it as LUKS key:
 ```
 dd bs=512 count=4 if=/dev/random of=/root/cryptlvm.keyfile iflag=fullblock
 chmod 000 /root/cryptlvm.keyfile
-cryptsetup -v luksAddKey /dev/sdXXX2 /root/cryptlvm.keyfile
+cryptsetup -v luksAddKey /dev/sdz2 /root/cryptlvm.keyfile
 ```
@@ Line 289: / Line 293: @@
 Recreate the initramfs image and secure the embedded keyfile:
+```
+mkinitcpio -P
-`chmod 600 /boot/initramfs-linux*`
+chmod 600 /boot/initramfs-linux*
+```
 Set the following kernel parameters to unlock the LUKS partition with the keyfile. Using the encrypt hook:
-`GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/cryptlvm.keyfile"`
+```
+GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/cryptlvm.keyfile"
+```
+Recreate `grub.cfg`:
+```
+grub-mkconfig -o /boot/grub/grub.cfg
+```
 If for some reason the keyfile fails to unlock the boot partition, systemd will fallback to ask for a passphrase to unlock and, in case that is correct, continue booting.
+# Exit to your system
+Congratulations! You can leave the installation medium to dive into your new system:
+```
+exit
+umount -R /mnt
+cryptsetup close cryptlvm
+reboot
+# remove USB key
+```
+Enjoy