Linux Full Disk Encryption

Submitted by jabrown on Thu, 03/15/2018 - 01:09

Once booted into the Arch Linux installation environment, we will start by preparing the disk for encryption.

We prepare the disk by filling it with random data.

This can be accomplished by using dcfldd, dd, or dc3dd. I will use dcfldd.

dcfldd if=/dev/urandom of=/dev/sda bs=4096;

Next we will create the boot and lvm partitions.

fdisk /dev/sda
n, p, 1, default, +1G        (partition 1: the 1G boot partition)
n, p, 2, default, default    (partition 2: the rest of the disk, which will hold the encrypted lvm)
a, 1                         (mark partition 1 bootable)
w                            (write the partition table and exit)

Now create the boot filesystem and encrypt the lvm partition.

mkfs.ext2 /dev/sda1;

cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat /dev/sda2;

Next we setup the lvm.

cryptsetup open --type luks /dev/sda2 cryptlvm;

pvcreate /dev/mapper/cryptlvm;

vgcreate volgrp /dev/mapper/cryptlvm;

lvcreate -L 1G -n lv_swap volgrp;

lvcreate -l 100%FREE -n lv_root volgrp;

mkfs.ext4 /dev/mapper/volgrp-lv_root;

mkswap /dev/mapper/volgrp-lv_swap;

Now we mount the filesystems for package installation.

mount /dev/mapper/volgrp-lv_root /mnt;

mkdir /mnt/boot;

mount /dev/sda1 /mnt/boot;

swapon /dev/mapper/volgrp-lv_swap;

We use pacstrap to create the file structure and install necessary packages on the mounted filesystem.

pacstrap /mnt base base-devel openssh grub;

Before we start configuring the new installation we need to get the UUID of the encrypted partition.

We can do this by using lsblk.

lsblk -o name,uuid;

Take note of the uuid for sda2.

If you don't want to write it down or memorize it you could use this one liner.

lsblk -o name,uuid | grep sda2 | tr -s ' ' | cut -d ' ' -f 2 > /mnt/root/uuid.txt;

We will need to generate a fstab for the installation.

genfstab /mnt >> /mnt/etc/fstab;

Now we will access the installation's filesystem and make configuration changes to mkinitcpio.conf and grub and set the root password.

You may want to set the locale, localtime, and keymap.

arch-chroot /mnt bash;

We will edit the HOOKS line in mkinitcpio.conf so that the keyboard hook is loaded before the block hook (the passphrase prompt needs a working keyboard once the encrypted disk appears) and the encrypt and lvm2 hooks are loaded before the filesystems hook.

vi /etc/mkinitcpio.conf; HOOKS=(base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck)
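As an added example (not from the original post), here is a small POSIX shell check that reads the HOOKS line of a mkinitcpio.conf and confirms the ordering above before mkinitcpio is run: keyboard and block before encrypt, encrypt before lvm2, lvm2 before filesystems. The hooks_in_order and hook_pos functions and the three sample config files are constructed for illustration; on a real system you would point it at /etc/mkinitcpio.conf. A wrong order here is the classic cause of a boot that drops to a rescue shell without ever asking for the passphrase.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the HOOKS line in a
# mkinitcpio.conf has the ordering the encrypted LVM root needs before you run
# mkinitcpio. The sample config files are constructed here; on a real system
# call hooks_in_order /etc/mkinitcpio.conf.

# hook_pos NAME LIST: print the 1-based position of NAME in the
# space-separated LIST, or exit 1 when it is absent.
hook_pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        [ "$h" = "$1" ] && { echo "$i"; return 0; }
    done
    return 1
}

# hooks_in_order FILE: exit 0 if keyboard and block come before encrypt,
# encrypt before lvm2, and lvm2 before filesystems; otherwise say why and exit 1.
hooks_in_order() {
    conf="$1"
    # Take the value of HOOKS=(...) or the older HOOKS="..." form.
    hooks=$(sed -n 's/^HOOKS=[("]*\([^)"]*\)[)"]*.*/\1/p' "$conf")
    [ -n "$hooks" ] || { echo "$conf: no HOOKS line" >&2; return 1; }

    for required in keyboard block encrypt lvm2 filesystems; do
        hook_pos "$required" "$hooks" >/dev/null \
            || { echo "$conf: missing hook '$required'" >&2; return 1; }
    done

    check_before() { # check_before A B: hook A must appear before hook B
        [ "$(hook_pos "$1" "$hooks")" -lt "$(hook_pos "$2" "$hooks")" ] \
            || { echo "$conf: '$1' must come before '$2'" >&2; return 1; }
    }
    check_before keyboard encrypt || return 1   # passphrase must be typable
    check_before block encrypt    || return 1   # LUKS device must exist first
    check_before encrypt lvm2     || return 1   # PV is visible only after unlock
    check_before lvm2 filesystems || return 1   # root LV must exist before mounting
    return 0
}

# Constructed sample configs: the stock Arch HOOKS line (no encrypt/lvm2),
# the corrected line used above, and one with keyboard after encrypt.
STOCK_CONF=$(mktemp); GOOD_CONF=$(mktemp); LATE_KBD_CONF=$(mktemp)
trap 'rm -f "$STOCK_CONF" "$GOOD_CONF" "$LATE_KBD_CONF"' EXIT
echo 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)' > "$STOCK_CONF"
echo 'HOOKS=(base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck)' > "$GOOD_CONF"
echo 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)' > "$LATE_KBD_CONF"

for f in "$STOCK_CONF" "$GOOD_CONF" "$LATE_KBD_CONF"; do
    if hooks_in_order "$f"; then echo "$f: ok"; fi
done
```

Only the corrected line passes; the stock line fails on the missing encrypt hook, and the third fails because keyboard sits after encrypt.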

mkinitcpio -p linux;

Next, we will need to update grub to decrypt the lvm to access the root filesystem. This is where we will need the UUID of sda2.

vi /etc/default/grub; in GRUB_CMDLINE_LINUX_DEFAULT, append "cryptdevice=UUID={sda2 UUID}:volgrp root=/dev/mapper/volgrp-lv_root" before quiet.
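The UUID lookup and the grub edit are the two steps most likely to go wrong by hand: a mistyped UUID leaves the initramfs waiting for a device that never appears. The shell script below is an added example, not from the original post. uuid_for pulls the UUID column for a named partition out of lsblk -o name,uuid output, is_uuid checks that it has the 8-4-4-4-12 form, cryptdevice_param builds the kernel parameter in the form used above, and patch_grub_cmdline writes it into GRUB_CMDLINE_LINUX_DEFAULT in front of quiet. The lsblk text and the grub file are constructed samples with made-up UUIDs, and all function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the cryptdevice= kernel
# parameter for the LUKS + LVM layout above and writes it into a copy of
# /etc/default/grub. Input is constructed so it runs anywhere; on a real
# system LSBLK_SAMPLE would be $(lsblk -o name,uuid) and GRUB_SAMPLE the real file.

# Constructed 'lsblk -o name,uuid' output (made-up UUIDs), including the tree
# glyphs lsblk prints and a device with no UUID.
LSBLK_SAMPLE='NAME          UUID
sda
├─sda1        1c2d3e4f-5a6b-7c8d-9e0f-a1b2c3d4e5f6
└─sda2        0f1e2d3c-4b5a-6978-8a9b-c0d1e2f3a4b5
  └─cryptlvm  7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d'

# uuid_for NAME TEXT: print the UUID column of device NAME from lsblk text;
# exit 1 if the device is missing or has no UUID.
uuid_for() {
    printf '%s\n' "$2" | awk -v part="$1" '
        { name = $1; sub(/^[^A-Za-z0-9]+/, "", name) }   # drop tree glyphs
        name == part && NF >= 2 { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# is_uuid STRING: accept only the 8-4-4-4-12 hex form, so a shifted column or
# an empty match cannot silently produce a bad kernel line.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# cryptdevice_param UUID VG LV: the parameter string in the form used above,
# naming the opened container and pointing root at the logical volume.
cryptdevice_param() {
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s-%s' "$1" "$2" "$2" "$3"
}

# patch_grub_cmdline FILE PARAM: insert PARAM before "quiet" in
# GRUB_CMDLINE_LINUX_DEFAULT (or at the end of the value if there is no
# "quiet"). Refuses to run twice so the line never carries two cryptdevice=
# entries. Writes through a temp file rather than sed -i for portability.
patch_grub_cmdline() {
    file="$1"; param="$2"
    if grep -q 'cryptdevice=' "$file"; then
        echo "cryptdevice already present in $file" >&2
        return 1
    fi
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=".*quiet' "$file"; then
        sed "s|^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)quiet|\1$param quiet|" "$file" > "$file.tmp"
    else
        sed "s|^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]*\)\"|\1 $param\"|" "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Constructed stand-in for /etc/default/grub with Arch's stock default line.
GRUB_SAMPLE=$(mktemp)
trap 'rm -f "$GRUB_SAMPLE" "$GRUB_SAMPLE.tmp"' EXIT
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_TIMEOUT=5' \
    'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' 'GRUB_CMDLINE_LINUX=""' > "$GRUB_SAMPLE"

SDA2_UUID=$(uuid_for sda2 "$LSBLK_SAMPLE") || { echo "sda2 not found" >&2; exit 1; }
is_uuid "$SDA2_UUID" || { echo "not a UUID: $SDA2_UUID" >&2; exit 1; }
PARAM=$(cryptdevice_param "$SDA2_UUID" volgrp lv_root)
patch_grub_cmdline "$GRUB_SAMPLE" "$PARAM"
grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$GRUB_SAMPLE"
```

On a live system blkid -s UUID -o value /dev/sda2 returns the same value without any parsing; the lsblk parser is here because that is what the one liner above uses. Either way, validate the value before it goes into grub, since grub-mkconfig will happily bake a typo into grub.cfg.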

grub-install --target=i386-pc /dev/sda;

grub-mkconfig -o /boot/grub/grub.cfg;

We run passwd to set the root password.

passwd;

We can reboot once we exit and unmount /mnt/boot and /mnt.
