User:Rdeckard/Sandbox

From ArchWiki
Note: These are just some potential ideas. Not sure if and when they will go anywhere official.
Warning: If you follow this right now, you will probably mess up your computer! Work in progress.

Btrfs RAID with swap

The following example sets up full system encryption on multiple disks using btrfs's RAID 1 capabilities. /boot and / are encrypted with dm-crypt + LUKS, and btrfs subvolumes are used to simulate other partitions.

This is for a non-UEFI setup. It is possible to set up RAID with an ESP, but there are several considerations to take into account.

Warning: If you desire swap, you must use a partition for it and not a swapfile. Using a swapfile with btrfs may result in data loss.
+--------------------------+--------------------------+
|System partition          |Swap partition            |
|LUKS-encrypted            |plain-encrypted           |
|/                         |                          |
|/dev/sdaX                 |/dev/sdaZ                 |
+--------------------------+--------------------------+
+--------------------------+--------------------------+
|System partition          |Swap partition            |
|LUKS-encrypted            |plain-encrypted           |
|/                         |                          |
|/dev/sdbX                 |/dev/sdbZ                 |
+--------------------------+--------------------------+

The first steps can be performed directly after booting the Arch Linux install image.

Preparing the disk

Note: It is not possible to use btrfs partitioning as described in Btrfs#Partitioning when using LUKS. Traditional partitioning must be used, even if it is just to create one partition.

Before creating any partitions, read Dm-crypt/Drive preparation, which explains why and how to securely erase the disk. If you are going to create an encrypted swap partition, create the partition for it, but do not mark it as swap, since plain dm-crypt will be used with the partition.

Create the needed partitions, at least one for / on each device to be used in the btrfs RAID pool (e.g. /dev/sdaX, /dev/sdbX, /dev/sdcX). See Partitioning.

Preparing the system and boot partitions

The following commands create a pool of devices to be used for /. Each partition will use LUKS, and each decrypted device will be part of the btrfs pool. If you want to use particular non-default encryption options (e.g. cipher, key length), see the encryption options before executing the first command.

# cryptsetup -y -v luksFormat /dev/sdaX
# cryptsetup -y -v luksFormat /dev/sdbX
# cryptsetup open /dev/sdaX sda_cryptroot
# cryptsetup open /dev/sdbX sdb_cryptroot
# mkfs -t btrfs -d raid1 -m raid1 -L LABEL /dev/mapper/sd[ab]_cryptroot
Note: You can use the name of any device in a btrfs multi-device filesystem to mount the entire file system.
# mount -t btrfs -o compress=lzo /dev/mapper/sda_cryptroot /mnt

Check the mapping works as intended:

# umount /mnt
# cryptsetup close sda_cryptroot
# cryptsetup close sdb_cryptroot
# cryptsetup open /dev/sdaX sda_cryptroot
# cryptsetup open /dev/sdbX sdb_cryptroot
# mount -t btrfs -o compress=lzo /dev/mapper/sda_cryptroot /mnt
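
Once the pool is mounted, it is worth confirming that data and metadata really use the RAID1 profile requested with -d raid1 -m raid1. The following check is an added example, not part of the original page: it parses the output of btrfs filesystem df, and the function names and the sample output embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag block groups of a btrfs pool that are not RAID1.
# The sample `btrfs filesystem df` output below is constructed.

# Read `btrfs filesystem df` output on stdin. Print one NAME=PROFILE line for
# every Data, Metadata or System block group that is not RAID1, and report
# Data or Metadata as absent if no line for them was seen at all.
non_raid1_groups() {
    awk -F'[,:] *' '
        $1 == "Data" || $1 == "Metadata" || $1 == "System" {
            seen[$1] = 1
            if ($2 != "RAID1") print $1 "=" $2
        }
        END {
            if (!("Data" in seen)) print "Data=absent"
            if (!("Metadata" in seen)) print "Metadata=absent"
        }'
}

# Succeed only if stdin describes a pool whose block groups are all RAID1.
pool_is_raid1() {
    [ -z "$(non_raid1_groups)" ]
}

# Constructed output for a pool created with -d raid1 -m raid1.
sample_raid1() {
    cat <<'EOF'
Data, RAID1: total=1.00GiB, used=512.00KiB
System, RAID1: total=8.00MiB, used=16.00KiB
Metadata, RAID1: total=1.00GiB, used=112.00KiB
GlobalReserve, single: total=3.25MiB, used=0.00B
EOF
}

# Constructed output where the data block groups are not mirrored.
sample_mixed() {
    cat <<'EOF'
Data, single: total=1.00GiB, used=512.00KiB
System, RAID1: total=8.00MiB, used=16.00KiB
Metadata, RAID1: total=1.00GiB, used=112.00KiB
GlobalReserve, single: total=3.25MiB, used=0.00B
EOF
}

sample_raid1 | pool_is_raid1 && echo "sample_raid1: all RAID1"
sample_mixed | non_raid1_groups
```

On the installed system, pipe the real output into the check instead of the samples: btrfs filesystem df /mnt | non_raid1_groups.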

Creating btrfs subvolumes

Follow the directions in #Creating btrfs subvolumes.

Configuring mkinitcpio

Follow #Configuring mkinitcpio 6, with the exception that at the key generation step, you must add the generated keyfile to every LUKS-encrypted partition with cryptsetup luksAddKey.

Configuring the boot loader

Add the following lines to /etc/default/grub:

/etc/default/grub
GRUB_CMDLINE_LINUX="...cryptdevice=/dev/disk/by-uuid/UUID:sda_cryptboot..."
GRUB_ENABLE_CRYPTODISK=y

where UUID is the UUID of one of the partitions containing / (the UUID of /dev/sdaX, not the UUID of /dev/mapper/sda_cryptroot).

See Grub#Encryption for more details and options.
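
Putting the UUID of the btrfs filesystem inside the mapping into cryptdevice=, instead of the UUID of the LUKS partition, is an easy mistake to make here. The following check is an added example, not part of the original page: it compares the cryptdevice= UUID in a grub defaults file against saved blkid output, and the function names, UUIDs and device names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that cryptdevice= in /etc/default/grub names a LUKS
# partition. All UUIDs and device names below are constructed sample data.

# Print the UUID used by cryptdevice=/dev/disk/by-uuid/... in grub file $1.
grub_cryptdevice_uuid() {
    sed -n 's|^GRUB_CMDLINE_LINUX=.*cryptdevice=/dev/disk/by-uuid/\([^:" ]*\):.*|\1|p' "$1" |
        head -n 1
}

# Look that UUID up in saved `blkid` output ($2) and print one of:
#   luks      the UUID belongs to a crypto_LUKS partition (what GRUB needs)
#   not-luks  the UUID belongs to something else, e.g. the btrfs filesystem
#   missing   no cryptdevice= parameter, or the UUID is not in the blkid output
check_cryptdevice() {
    uuid=$(grub_cryptdevice_uuid "$1")
    [ -n "$uuid" ] || { echo missing; return 0; }
    # The leading space keeps UUID_SUB= and PARTUUID= fields from matching.
    line=$(grep -F " UUID=\"$uuid\"" "$2" | head -n 1) || true
    case $line in
        '')                     echo missing ;;
        *'TYPE="crypto_LUKS"'*) echo luks ;;
        *)                      echo not-luks ;;
    esac
}

# Constructed blkid output: two LUKS partitions and the btrfs pool inside them.
write_sample_blkid() {
    cat > "$1" <<'EOF'
/dev/sda2: UUID="11111111-aaaa-4aaa-8aaa-111111111111" TYPE="crypto_LUKS" PARTUUID="0a0a0a0a-02"
/dev/sdb2: UUID="22222222-bbbb-4bbb-8bbb-222222222222" TYPE="crypto_LUKS" PARTUUID="0b0b0b0b-02"
/dev/mapper/sda_cryptroot: UUID="33333333-cccc-4ccc-8ccc-333333333333" UUID_SUB="44444444-dddd-4ddd-8ddd-444444444444" TYPE="btrfs"
/dev/mapper/sdb_cryptroot: UUID="33333333-cccc-4ccc-8ccc-333333333333" UUID_SUB="55555555-eeee-4eee-8eee-555555555555" TYPE="btrfs"
EOF
}

# Write a grub defaults file ($1) whose cryptdevice= parameter uses UUID $2.
write_sample_grub() {
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/%s:sda_cryptboot"\n' "$2" > "$1"
    printf 'GRUB_ENABLE_CRYPTODISK=y\n' >> "$1"
}

tmp=$(mktemp -d)
write_sample_blkid "$tmp/blkid"
write_sample_grub "$tmp/good" 11111111-aaaa-4aaa-8aaa-111111111111
write_sample_grub "$tmp/bad" 33333333-cccc-4ccc-8ccc-333333333333
echo "LUKS partition UUID:   $(check_cryptdevice "$tmp/good" "$tmp/blkid")"
echo "btrfs filesystem UUID: $(check_cryptdevice "$tmp/bad" "$tmp/blkid")"
rm -rf "$tmp"
```

On a real system, save the output of blkid (run as root) to a file and pass it as the second argument, with /etc/default/grub as the first.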

Do the following to install GRUB:

# grub-install --target=i386-pc --debug /dev/sda
# grub-install --target=i386-pc --debug /dev/sdb
# grub-mkconfig -o /boot/grub/grub.cfg

Configuring swap

If you created partitions to be used for encrypted swap, now is the time to configure them. Follow the instructions at Dm-crypt/Swap encryption for each partition.

There is no need to set up RAID for the swap partitions, because the kernel knows how to stripe swapping on multiple devices. See Swap#RAID.

After completing this step, continue configuring your system as normal according to the installation guide.

Network managers

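+------------------+-----+-------------+------------------+--------+-------+---+--------+-----------+-----------------+---------------------------------------------------------------+
|Connection manager|Wired|Automatically|Wireless          |Profiles|Roaming|PPP|Official|Archiso [1]|Console tools    |Systemd units                                                  |
|                  |     |handles wired|                  |        |       |   |GUI     |           |                 |                                                               |
|                  |     |connection   |                  |        |       |   |        |           |                 |                                                               |
+------------------+-----+-------------+------------------+--------+-------+---+--------+-----------+-----------------+---------------------------------------------------------------+
|Connman           |Yes  |Yes          |Yes               |Yes     |Yes    |Yes|No      |No         |connmanctl       |connman.service                                                |
|dhcpcd            |Yes  |Yes          |via WPA supplicant|No      |No     |No |No      |Yes (base)*|dhcpcd           |dhcpcd.service, dhcpcd@interface.service                       |
|netctl            |Yes  |Yes          |Yes               |Yes     |Yes    |Yes|No      |Yes (base) |netctl, wifi-menu|netctl-ifplugd@interface.service, netctl-auto@interface.service|
|NetworkManager    |Yes  |Yes          |Yes               |Yes     |Yes    |Yes|Yes     |No         |nmcli, nmtui     |NetworkManager.service                                         |
|systemd-networkd  |Yes  |No           |via WPA supplicant|No      |No     |No |No      |Yes (base) |                 |systemd-networkd.service, systemd-resolved.service             |
|Wicd              |Yes  |Yes          |Yes               |Yes     |Yes    |No |Yes     |No         |wicd-curses      |wicd.service                                                   |
|Wifi Radar        |No   |N/A          |Yes               |Yes     |Yes    |No |Yes     |No         |wifi-radar       |                                                               |
+------------------+-----+-------------+------------------+--------+-------+---+--------+-----------+-----------------+---------------------------------------------------------------+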