Linux Full Disk Encryption

Submitted by jabrown on Thu, 03/15/2018 - 01:09

Once booted into the Arch Linux installation environment, we will start by preparing the disk for encryption.

We prepare the disk by filling it with random data, so that once it is encrypted, used and unused space cannot be told apart.

This can be accomplished with dcfldd, dd, or dc3dd. I will use dcfldd.


dcfldd if=/dev/urandom of=/dev/sda bs=4096;


Next we will create the boot and lvm partitions: a 1G primary partition (sda1) for /boot, marked bootable, and a second primary partition (sda2) taking the rest of the disk for the encrypted LVM container. The keystrokes after the command are the answers to the fdisk prompts, in order.


fdisk /dev/sda; then answer the prompts: n, p, 1, default, +1G, n, p, 2, default, default, a, 1, w


Now create the boot filesystem and encrypt the lvm partition.


mkfs.ext2 /dev/sda1;

cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat /dev/sda2;


Next we set up LVM inside the opened LUKS container: a 1G swap volume and a root volume taking the remaining space.


cryptsetup open --type luks /dev/sda2 cryptlvm;

pvcreate /dev/mapper/cryptlvm;

vgcreate volgrp /dev/mapper/cryptlvm;

lvcreate -L 1G -n lv_swap volgrp;

lvcreate -l 100%FREE -n lv_root volgrp;



mkfs.ext4 /dev/mapper/volgrp-lv_root;

mkswap /dev/mapper/volgrp-lv_swap;

Now we mount the filesystems for package installation.

mount /dev/mapper/volgrp-lv_root /mnt;

mkdir /mnt/boot;

mount /dev/sda1 /mnt/boot;

swapon /dev/mapper/volgrp-lv_swap;

We use pacstrap to create the file structure and install necessary packages on the mounted filesystem.

pacstrap /mnt base base-devel openssh grub;


Before we start configuring the new installation we need to get the UUID of the encrypted partition.

We can do this by using lsblk.

lsblk -o name,uuid;

Take note of the uuid for sda2.

If you don't want to write it down or memorize it, you can use this one-liner to save it into the new installation (it will be /root/uuid.txt once inside the chroot).

lsblk -o name,uuid | grep sda2 | tr -s ' ' | cut -d ' ' -f 2 > /mnt/root/uuid.txt;


We will need to generate a fstab for the installation.

genfstab /mnt >> /mnt/etc/fstab;


Now we will chroot into the new installation's filesystem to edit mkinitcpio.conf, configure grub and set the root password.

You may also want to set the locale, localtime, and keymap at this point.

arch-chroot /mnt bash;


We will edit the HOOKS line in mkinitcpio.conf so that the keyboard hook is loaded before block (the passphrase prompt needs a working keyboard) and the encrypt and lvm2 hooks are loaded before filesystems, which is where the root filesystem gets mounted. Note that the hook is named filesystems, plural.

vi /etc/mkinitcpio.conf; HOOKS=(base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck)


mkinitcpio -p linux;


Next, we will need to tell grub to unlock the LUKS container and activate the lvm so the root filesystem can be mounted. This is where we need the UUID of sda2 (the value saved in /root/uuid.txt if you used the one-liner earlier).

vi /etc/default/grub; add "cryptdevice=UUID={sda2 UUID}:volgrp root=/dev/mapper/volgrp-lv_root" to GRUB_CMDLINE_LINUX_DEFAULT, before quiet.


grub-install --target=i386-pc /dev/sda;

grub-mkconfig -o /boot/grub/grub.cfg;



We run passwd to set the root password.



Once we exit the chroot and unmount /mnt/boot and /mnt, we can reboot into the encrypted system.
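The shell helpers below are an added example and not part of the original post. They derive the cryptdevice parameter from the UUID saved earlier, check that the HOOKS order in mkinitcpio.conf is the one described above, and confirm the parameter landed in /etc/default/grub, so the configuration can be verified inside the chroot before rebooting. The function and variable names (cryptdevice_param, uuid_from_lsblk, hooks_from_conf, hooks_order_ok, check_chroot_config, SAMPLE_LSBLK) are my own, the sample lsblk output is constructed, and the volume group and logical volume names are the post's volgrp and lv_root.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that derive and check the
# values the manual steps need. Assumed layout (as in the post): LUKS on
# /dev/sda2, volume group "volgrp", root logical volume "lv_root".

# Kernel parameter that goes into GRUB_CMDLINE_LINUX_DEFAULT.
# Usage: cryptdevice_param <uuid> <vg> <root lv>
cryptdevice_param() {
  printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s-%s' "$1" "$2" "$2" "$3"
}

# Read "lsblk -o name,uuid" output from stdin and print the UUID of one
# partition. Matches the end of the NAME column, so the tree glyphs lsblk
# draws ("├─sda2") do not get in the way and "sda" does not match "sda2".
uuid_from_lsblk() {
  awk -v p="$1" '$1 ~ (p "$") { print $2; exit }'
}

# Read a mkinitcpio.conf from stdin and print the HOOKS value with the
# surrounding quotes or parentheses stripped (both syntaxes are accepted).
hooks_from_conf() {
  sed -n 's/^HOOKS=[("]*\([^")]*\)[")]*$/\1/p'
}

# Succeed only if the hook order is the one the post asks for:
# keyboard before block, and block, encrypt, lvm2 (in that order) before
# filesystems. Fails if any of the five hooks is missing.
hooks_order_ok() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++) pos[$i] = i
    ok = ("keyboard" in pos) && ("block" in pos) && ("encrypt" in pos) &&
         ("lvm2" in pos) && ("filesystems" in pos)
    if (ok) ok = pos["keyboard"] < pos["block"] && pos["block"] < pos["encrypt"] &&
         pos["encrypt"] < pos["lvm2"] && pos["lvm2"] < pos["filesystems"]
    if (ok) exit 0
    exit 1
  }'
}

# Constructed sample of "lsblk -o name,uuid" output (not real disk data).
SAMPLE_LSBLK='NAME         UUID
sda
├─sda1       1111aaaa-0000-0000-0000-000000000001
├─sda2       2222bbbb-0000-0000-0000-000000000002
  └─cryptlvm 3333cccc-0000-0000-0000-000000000003'

# Run inside the chroot after the edits. Checks the two files the post edits.
# Usage: check_chroot_config [mkinitcpio.conf] [grub default file] [uuid]
# Defaults: /etc/mkinitcpio.conf, /etc/default/grub and the UUID saved in
# /root/uuid.txt by the one-liner in the post.
check_chroot_config() {
  conf=${1:-/etc/mkinitcpio.conf}
  grubdef=${2:-/etc/default/grub}
  uuid=${3:-}
  [ -n "$uuid" ] || uuid=$(cat /root/uuid.txt)
  rc=0
  hooks=$(hooks_from_conf < "$conf")
  if hooks_order_ok "$hooks"; then
    echo "ok: HOOKS order ($hooks)"
  else
    echo "FAIL: HOOKS order is wrong or a hook is missing ($hooks)"; rc=1
  fi
  if grep -qF "$(cryptdevice_param "$uuid" volgrp lv_root)" "$grubdef"; then
    echo "ok: cryptdevice parameter for $uuid present in $grubdef"
  else
    echo "FAIL: cryptdevice parameter for $uuid missing from $grubdef"; rc=1
  fi
  return $rc
}

# Derive the grub parameter from the constructed sample; touches no disks.
demo() {
  uuid=$(printf '%s\n' "$SAMPLE_LSBLK" | uuid_from_lsblk sda2)
  cryptdevice_param "$uuid" volgrp lv_root
  echo
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run check_chroot_config with no arguments inside the chroot after the mkinitcpio.conf and grub edits; it reads /etc/mkinitcpio.conf, /etc/default/grub and /root/uuid.txt. Pass the two file paths and a UUID explicitly to exercise it anywhere else, and run the script with --demo to see the parameter built from the sample output.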