Installing Arch Linux on LUKS

From ArchWiki
Revision as of 09:04, 3 November 2012 by Alexfikl (talk | contribs)
Jump to: navigation, search

Merge-arrows-2.pngThis article or section is a candidate for merging with dm-crypt with LUKS.Merge-arrows-2.png

Notes: the two articles cover the same subject; this one also overlaps LVM to some extent. (Discuss in Talk:Installing Arch Linux on LUKS#)
Template:Article summary start

Template:Article summary text Template:Article summary heading Template:Article summary wiki Template:Article summary wiki Template:Article summary end

This tutorial will show you how to install your root partition (/) of Arch Linux on an LUKS encrypted drive, so you get full disk encryption.

To do this, follow the regular installation guide, until the partitioning step.


The first step that differs is the partitioning.

For an encrypted system, you want to store minimum amount of data on unencrypted partitions. In this tutorial, we will set up the following layout:

Partition layout
Device Size Mountpoint Description
/dev/sda1 128M /boot Kernel and GRUB go here
/dev/sda2 Rest - Extended partition
/dev/sda5 Whole /dev/sda2 (LUKS) Encrypted data partition for everything else, containing the following:
/dev/mapper/crypt Whole /dev/sda5 (LVM PV) Physical volume for LVM use
/dev/mapper/cryptvg-root 20G / Root file system
/dev/mapper/cryptvg-swap 4G (swap) Swap space
/dev/mapper/cryptvg-home Rest /home Home file system (for user data)

Creating the MBR partitions

We first need to create the required MBR partitions /dev/sda1, /dev/sda2 and /dev/sda5. This goes as follows:

# fdisk /dev/sda
Welcome to fdisk (util-linux 2.21.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0xe6258b8f

Command (m for help): n
Partition type:
   p   primary (0 primary, 0 extended, 4 free)
   e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-83886079, default 2048): 2048
Last sector, +sectors or +size{K,M,G} (2048-83886079, default 83886079): +128M
Partition 1 of type Linux and of size 128 MiB is set

Command (m for help): n
   p   primary (1 primary, 0 extended, 3 free)
   e   extended
Select (default p): e
Partition number (2-4, default 2): 2
First sector (264192-83886079, default 264192): 264192
Last sector, +sectors or +size{K,M,G} (264192-83886079, default 83886079): 83886079
Partition 2 of type Extended and of size 39.9 GiB is set

Command (m for help): n
   p   primary (2 primary, 1 extended, 2 free)
   l   logical (numbered from 5)
Select (default p): l
Adding logical partition 5
First sector (266240-83886079, default 264192): 264192
Last sector, +sectors or +size{K,M,G} (266240-83886079, default 83886079): 83886079
Partition 5 of type Linux and of size 39.9 GiB is set

Command (m for help): a
Partition number (1-5): 1

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table
Syncing disks.

Creating the LUKS volume

You should first read the manual page of cryptsetup to learn about the options LUKS provides:

# man cryptsetup

In this case, we will use a simple passphrase and no key files.

Generally, the first thing you should do before creating an encrypted volume, is to initialize it to random data. It will take a while, but it will make it harder to draw conclusions about the use of the encrypted partition without knowing the key:

# dd if=/dev/urandom of=/dev/sda5

We will now set the passphrase and open the LUKS volume:

# cryptsetup luksFormat /dev/sda5
This will overwrite data on /dev/sda5 irrecovably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
# cryptsetup luksOpen /dev/sda5 crypt
Enter passphrase for /dev/sda5:

Done! You now have an encrypted volume (device path: /dev/mapper/crypt)

Creating the LVM volumes

We want to use LVM on the encrypted volume, so we can have more than one partition encrypted by the same key.

The partition layout above is created as follows:

# pvcreate /dev/mapper/crypt
  Physical volume "/dev/mapper/crypt" successfully created.
# vgcreate cryptvg /dev/mapper/crypt
  Volume group "cryptvg" successfully created
# lvcreate -n root -L 20G cryptvg
  Logical volume "root" created
# lvcreate -n swap -L 4G cryptvg
  Logical volume "swap" created
# lvcreate -n home -l 100%FREE cryptvg
  Logical volume "home" created

The device paths of the encrypted logical volumes are now /dev/mapper/cryptvg-root, /dev/mapper/cryptvg-swap and /dev/mapper/cryptvg-home.

Continuing the installation

You can now continue the installation as usual. In particular, you may create and file systems by the following commands (output not included):

# mkswap /dev/mapper/cryptvg-swap
# swapon /dev/mapper/cryptvg-swap
# mkfs.ext4 /dev/sda1
# mkfs.ext4 /dev/mapper/cryptvg-root
# mkfs.ext4 /dev/mapper/cryptvg-home
# mount /dev/mapper/cryptvg-root /mnt
# mkdir /mnt/boot
# mount /dev/mapper/cryptvg-boot /mnt/boot
# mkdir /mnt/home
# mount /dev/mapper/cryptvg-home /mnt/home

Continue until the genfstab step.

Creating /etc/fstab

The standard genfstab command fails, it will pick a numbered /dev/dm-*-device instead of the proper /dev/mapper/cryptvg-swap for the swap partition. There are two workarounds:

1. use UUID mode

# genfstab -pU /mnt >> /mnt/etc/fstab

2. fix /etc/fstab manually, putting in the proper device name

Continue until you are at the step to edit mkinitcpio.conf.

Setting up mkinitcpio

While editing /etc/mkinitcpio.conf, make sure you add the keymap, encrypt and lvm2 hooks! The hooks must be placed right before the "filesystems" hooks, i.e. you change "filesystems" into "keymap encrypt lvm2 filesystems" in the HOOKS= line. Of course, if needed for something else, the keymap hook can also be placed earlier.

After that, you can do

# mkinitcpio -p linux

to finish the initrd for your system.

You also need to edit /etc/default/grub (or a configuration file of another boot loader, if you picked another) to pass the required parameters to the initcpio image at bootup.

In this case, you would add


to the contents of the GRUB_CMDLINE_LINUX variable. This tells the "encrypt" hook which partition contains the encrypted data.

After this, run

# grub-mkconfig -o /boot/grub/grub.cfg

and finish the installation!

Once finished, your system will greet you with:

A password is required to access the crypt volume:
Enter passphrase for /dev/sda5: 

at bootup.