Small rework

Maciej Lebiest 2022-02-16 21:10:29 +01:00 committed by GitHub
parent 97455800f4
commit f32097bc53
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

509
README.md

@ -1,186 +1,257 @@
# Install Arch Linux with encrypted filesystem(optional) and on btrfs partition (UEFI) # ArchLinux install encrypted btrfs
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
# Install Arch Linux on EFI system with full filesystem (including /boot) encrypted and on btrfs partition
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation\_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
it is always good to consult with official guide, cause arch config might change in time it is always good to consult with official guide, cause arch config might change in time
For setting up different locale, check official guide For setting up different locale, or better explanations check out Arch Wiki
# 1. Boot ISO ## 1. Boot ISO
### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
### Put on pedrive #### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
#### Put on pendrive
```bash ```bash
dd if=archlinux.img of=/dev/sdX bs=16M && sync dd if=archlinux.img of=/dev/sdX bs=16M && sync
``` ```
### Boot from the usb.
#### Boot from the USB.
### Set keymap
#### Optional (**experimental** approach to have desktop environment during install):
##### Extend writable space so you can install basic desktop in live environment and for example use gparted for partitioning or open this tutorial in web browser or whatever you want.
<p class="callout warning">Remember this area is saved in your RAM, so make sure you have enough of it</p>
```
mount -o remount,size=5G /run/archiso/cowspace
pacman -Syy plasma-desktop glibc konsole xorg
pacman -Scc
startplasma-wayland
```
#### Set key map
```bash ```bash
loadkeys pl loadkeys pl
``` ```
### Update clock
#### Update clock
```bash ```bash
timedatectl set-ntp true timedatectl set-ntp true
``` ```
### Optionally (recommended) update mirrorlist
#### Optionally (recommended) update mirrorlist
```bash ```bash
reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
``` ```
# 2. Prepare Disk
### Update btrfs-progs ## 2. Prepare Disk
#### Update btrfs-progs
```bash ```bash
pacman -Syy btrfs-progs pacman -Syy btrfs-progs
``` ```
### Display disks setup
#### Display disks and partitions
```bash ```bash
fdisk -l lsblk
``` ```
### Create partitions (if you have not already)
#### Create partitions (if you have not already)
```bash ```bash
fdisk /dev/sdX fdisk /dev/sdX
``` ```
1. 100MB EFI partition
2. 100% size partiton # ( encrypted optionally) for BTRFS, this partition will require formatting AFTER encryption if you do encryption 1. 100MB EFI partition
### Swap will be as file in its own subvolume 2. 100% size partiton # ( encrypted optionally) for BTRFS partition, this partition will require formatting AFTER encryption if you do encryption
```bash
mkfs.vfat -F32 /dev/sdX1 ##### Swap will bin in file with CoW disabled, which will be prepared later
#### Format EFI partition
```Bash
mkfs.vfat -F32 /dev/sdX1
``` ```
### ----------------- encryption (optional) ------------------ ##### ----------------- encryption (optional) ------------------
### Setup the encryption of the system, don't use letters outside en-us keyboard like ąęć etc. for password
### Grub have some kind of support for luks2 now but still cannot decrypt luks2, so specify luks1 for now #### Setup the encryption of the system,
<p class="callout info">Don't use regional letters (not in en-us keyboard) like ąęć etc. for password. This requires additional steps, which are not covered by this tutorial.</p>
#### Grub have some kind of support for luks2, but not entirely, so for more fail-safe setup use luks1
```bash ```bash
cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2 cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2
cryptsetup luksOpen /dev/sdX2 MainPart cryptsetup luksOpen /dev/sdX2 MainPart
``` ```
### Formatting as btrfs now when it is already encrypted
### Formatting as btrfs now when it is already encrypted
```bash ```bash
mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
``` ```
### ---------------- end of encryption ------------------------ ##### ---------------- end of encryption ------------------------
### Format the partition if not yet formatted: #### Format the partition if not yet formatted:
```bash ```bash
pacman -Syy btrfs-progs pacman -Syy btrfs-progs
mkfs.btrfs -L "Arch Linux" /dev/sdX2 mkfs.btrfs -L "Arch Linux" /dev/sdX2
``` ```
### Mount partition to be able to create btrfs subvolumes
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: #### Mount partition to be able to create btrfs subvolumes
##### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
```bash ```bash
mount /dev/sdX2 /mnt mount /dev/sdX2 /mnt
``` ```
## Create subvolumes
### Using more complicated sheme, (but there actually is only need for separate @swap subvolume , other files can be on default top subvolume) #### Create subvolumes
##### This scheme can be adjusted to your needs, I'd suggest at least one subvolume for root (@) and one for snapshots (@snapshots). varlog and tmp are created to easily disable Copy on Write on` /var/log` and `/tmp`.
```bash ```bash
btrfs su cr /mnt/@ btrfs su cr /mnt/@
btrfs su cr /mnt/@swap
btrfs su cr /mnt/@home btrfs su cr /mnt/@home
btrfs su cr /mnt/@var btrfs su cr /mnt/@varlog
btrfs su cr /mnt/@tmp btrfs su cr /mnt/@tmp
btrfs su cr /mnt/@snapshots btrfs su cr /mnt/@snapshots
```
#### disable copy on write on var, tmp and swap
```bash
chattr +C /mnt/@var
chattr +C /mnt/@tmp
chattr +C /mnt/@swap
umount /mnt
``` ```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
##### Disable copy on write on `/var/log` and `/tmp`
```bash
chattr +C /mnt/@varlog
chattr +C /mnt/@tmp
umount /mnt
```
#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
```bash ```bash
mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
mkdir /mnt/swap
mkdir /mnt/home mkdir /mnt/home
mkdir /mnt/var mkdir -p /mnt/var/log
mkdir /mnt/tmp mkdir /mnt/tmp
mkdir /mnt/snapshots mkdir /mnt/snapshots
mkdir /mnt/efi # for EFI partition /dev/sdX1 mkdir /mnt/efi # for EFI partition /dev/sdX1
```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart
### for swap subvolume add nodatacow option to disable CoW (works only if its separate partition)
### Discard ssd and noatime are for ssd disks only
```bash
mount -o defaults,noatime,nodatacow,discard,ssd,subvol=@swap /dev/sdX2 /mnt/swap
mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@var /dev/sdX2 /mnt/var
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi
``` ```
# 3. Install Arch Linux
### Select the mirror to be used if not updated with reflector on start
```bash
nano /etc/pacman.d/mirrorlist
```
### This command can be customized with additional packages
```bash
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
```
### Use genfstab with -U parameter if no encryption
```bash
genfstab /mnt >> /mnt/etc/fstab
```
### If using swapfile check if nodatacow is added for @swap
```bash
vim /mnt/etc/fstab
```
#### Discard and ssd options and are for ssd disks only
# 4. Configure the system
#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**
### Switch to installed system root user
```bash ```bash
arch-chroot /mnt /bin/bash mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@varlog /dev/sdX2 /mnt/var/log
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi
``` ```
### Nano can be usefull when editing config files # 3. Install Arch Linux
#### Select the mirror to be used if not updated with reflector on start
```bash ```bash
pacman -Syy nano vim /etc/pacman.d/mirrorlist
``` ```
### Setup system clock
#### Install base system:
##### This command can be customized with additional packages (**btrfs-progs is necessary to let the system boot up from btrfs partition !**)
```bash
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
```
#### Generate fstab:
##### Use genfstab with -U parameter if no encryption
```bash
genfstab /mnt >> /mnt/etc/fstab
```
####
# 4. Configure the system
#### Switch to installed system root user
```bash
arch-chroot /mnt /bin/bash
```
#### Nano can be usefull when editing config files
```bash
pacman -Syy nano
```
#### Setup system clock
```bash ```bash
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc --utc hwclock --systohc --utc
``` ```
### Set the hostname in `/etc/hostname` #### Set the hostname in `/etc/hostname`
```test ```test
myhostname myhostname
``` ```
### Edit vconsole in `/etc/vconsole.conf`
#### Edit vconsole in `/etc/vconsole.conf`
```text ```text
KEYMAP=pl KEYMAP=pl
FONT=Lat2-Terminus16.psfu.gz FONT=Lat2-Terminus16.psfu.gz
FONT_MAP=8859-2 FONT_MAP=8859-2
``` ```
### Setup locale
### Uncomment pl_PL.UTF-8 in /etc/locale.gen and then run: #### Setup locale
##### Uncomment pl\_PL.UTF-8 in /etc/locale.gen and then run:
```bash ```bash
locale-gen locale-gen
``` ```
### Update locale in `etc/locale.conf`
#### Update locale in `etc/locale.conf`
```text ```text
LANG=en_US.UTF-8 LANG=en_US.UTF-8
LC_COLLATE=pl_PL.UTF-8 LC_COLLATE=pl_PL.UTF-8
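Review bot: the "Download the ISO file" step in section 1 still goes straight from download to `dd` with no integrity or signature check, so a tampered or truncated image gets written to the pendrive unnoticed; add a verification line before the `dd`, for example `gpg --keyserver-options auto-key-retrieve --verify archlinux-*.iso.sig archlinux-*.iso` (or `sha256sum -c` against the checksum on the download page), and fix the input filename, which is `archlinux-*.iso` rather than `archlinux.img`. In the encryption block, "Grub have some kind of support for luks2, but not entirely" should name the actual limitation: GRUB can only unlock LUKS2 volumes whose key slot uses PBKDF2, not the LUKS2 default argon2id, which is exactly why the command pins `--pbkdf=pbkdf2` and `--type=luks1`; saying so tells the reader what they are giving up (a memory-hard KDF) in exchange for a bootable /boot.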
@ -188,136 +259,228 @@ LC_MEASUREMENT=pl_PL.UTF-8
LC_MONETARY=pl_PL.UTF-8 LC_MONETARY=pl_PL.UTF-8
LC_NUMERIC=pl_PL.UTF-8 LC_NUMERIC=pl_PL.UTF-8
LC_TIME=pl_PL.UTF-8 LC_TIME=pl_PL.UTF-8
```
### Hosts in `/etc/hosts` ```
#### Hosts in `/etc/hosts`
```text ```text
127.0.0.1 localhost 127.0.0.1 localhost
::1 localhost ::1 localhost
127.0.1.1 myhostname.localdomain myhostname 127.0.1.1 myhostname.localdomain myhostname
```
### Now create 4GiB swap file. nodatacow is already on @swap but if you follow exactly then @swap is on same partition as other subvolumes and nodatacow will not work for whole subvolume so you need to disavle CoW manualy : ```
#### Now create empty (with 0 size) swap file:
#### Create separate folder for swapfile. This folder is needed to let you make snapshot of `/`, which would not be possible with any file in it with CoW disabled!
```
mkdir /swap
chattr +C /swap
```
#### Copy on Write should always be disabled on swap file, so it will be done in the next step
```bash ```bash
touch /swap/swapfile touch /swap/swapfile
``` ```
### Check if C attribute is enabled with
#### Check if C attribute is enabled (should be already if created in folder with disabled CoW attribute)
```bash ```bash
lsattr /swap/swapfile' lsattr /swap/swapfile'
``` ```
### If not then disable COW for swapfile manually:
#### If not then disable CoW for swapfile manually:
```bash ```bash
chattr +C /swap/swapfile chattr +C /swap/swapfile
``` ```
### Expanding empty file to 4GiB swap file
#### Expanding empty file to 4GiB swap file
```bash ```bash
dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096 dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
chmod 600 /swap/swapfile chmod 600 /swap/swapfile
```
### Format the swap file. ```
#### Format the swap file.
```bash ```bash
mkswap /swap/swapfile mkswap /swap/swapfile
``` ```
### Turn swap file on.
#### Turn swap file on.
```bash ```bash
swapon /swap/swapfile swapon /swap/swapfile
``` ```
### You also need to update `/etc/fstab` to mount swapfile on boot:
#### You also need to update `/etc/fstab` to mount swapfile on boot:
```text ```text
/swap/swapfile none swap sw 0 0 /swap/swapfile none swap sw 0 0
``` ```
### Set password for root
#### Set password for root
```bash ```bash
passwd passwd
``` ```
### Add real user
#### Add real user an set password for him
```bash ```bash
useradd -m MYUSERNAME useradd -m MYUSERNAME
passwd MYUSERNAME passwd MYUSERNAME
``` ```
### Configure mkinitcpio with modules needed for the initrd image
### Configure mkinitcpio with modules needed for the initrd image
```bash ```bash
vim /etc/mkinitcpio.conf vim /etc/mkinitcpio.conf
``` ```
### Remove 'fsck' and add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems
### If no encryption then only remove fsck and add on that place btrfs #### Add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems:
```
HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)
```
#### Add btrfsck to binaries:
```
BINARIES=(btrfsck)
```
#### **With encryption:** also add encrypt before btrfs:
```text ```text
HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...) HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)
``` ```
###### optionally add BINARIES=(/usr/bin/btrfs) for rescue?
######
### Regenerate initrd images
#### Regenerate initrd images
```bash ```bash
mkinitcpio -P mkinitcpio -P
``` ```
# 5. Install bootloader
# 5. Install bootloader
### Setup grub (UEFI)
#### Setup grub (UEFI)
```bash ```bash
pacman -S grub efibootmgr os-prober dosfstools mtools pacman -S grub efibootmgr os-prober dosfstools mtools
```
### -------------encryption only---------------------
#### edit `/etc/default/grub`
```text
GRUB_ENABLE_CRYPTODISK=y
``` ```
### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
#### -------------encryption only---------------------
#### edit `/etc/default/grub`
```text
GRUB_ENABLE_CRYPTODISK=y
```
#### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
```bash ```bash
blkid blkid
``` ```
### Now set this line including proper UUID in place of "\<device-UUID>":
#### (temporarly you can use /dev/sdX2 in place of "UUID=\<device-UUID>" and change it later easy in gui mode) #### Now set this line including proper UUID in place of "&lt;device-UUID&gt;":
edit `/etc/default/grub`
#### (temporarly you can use /dev/sdX2 in place of "UUID=&lt;device-UUID&gt;" and change it later easy in gui mode)
##### edit `/etc/default/grub`
```text ```text
GRUB_CMDLINE_LINUX="cryptdevice=UUID=\<device-UUID>:MainPart:allow-discards" GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:MainPart:allow-discards"
``` ```
### allow-discards is only for ssd
##### allow-discards is only for ssd to let trim work with encryption enabled
### Generate key so grub don't ask twice for password on boot
#### Generate key so grub don't ask twice for password on boot
```bash ```bash
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin chmod 600 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux* chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
``` ```
### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Crypto_keyfile.bin is the default name that kernel will guess anyway #### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Now add this file to `/etc/mkinitcpio.conf`
#### Crypto\_keyfile.bin is the default name that kernel will guess anyway
#### Now add this file to `/etc/mkinitcpio.conf`
```text ```text
FILES=(/crypto_keyfile.bin) FILES=(/crypto_keyfile.bin)
``` ```
then run: then run:
```bash ```bash
mkinitcpio -P mkinitcpio -P
``` ```
### -------------encryption end---------------------
#### -------------encryption end---------------------
### Install
#### Install grub for
```bash ```bash
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg grub-mkconfig -o /boot/grub/grub.cfg
``` ```
### Exit new system
#### Exit new system
```bash ```bash
exit exit
``` ```
### Unmount all partitions
#### Unmount all partitions
```bash ```bash
swapoff -a swapoff -a
umount -R /mnt umount -R /mnt
``` ```
### Reboot into the new system, don't forget to remove the CD/pendrive #### Reboot into the new system, don't forget to remove the pendrive
```bash ```bash
reboot reboot
``` ```
### or
#### or
```bash ```bash
shutdown now shutdown now
```
## Addtitional tips
### To get proper locale and keymap, check:
```bash
localectl status
``` ```
### On KDE plasma , also set settings > ... > keyboard layout && regional settings
### 6. Addtitional tips:
#### Install AUR helper (git and base-devel packages needed to do so):
```
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
```
#### To get proper locale and keymap, check:
```bash
localectl status
```
#### On KDE plasma , also set settings &gt; ... &gt; keyboard layout &amp;&amp; regional settings
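Review bot: the "Generate key so grub don't ask twice for password on boot" block embeds a LUKS key slot (`/crypto_keyfile.bin`) into the initramfs via `FILES=(...)`, which is only acceptable because /boot lives on the encrypted root in this layout (the new title promises exactly that); state that precondition next to the block, since anyone who puts /boot on the unencrypted EFI partition instead would leave the disk key readable in plain text. Also, `chmod 600 /boot/initramfs-linux*` runs before the `mkinitcpio -P` that actually writes the key into the images, so add a check after the rebuild (`ls -l /boot/initramfs-linux*` showing `-rw-------`) rather than trusting the earlier chmod. Two smaller consistency problems in the same hunk: `lsattr /swap/swapfile'` has a stray trailing quote that leaves the shell waiting for a closing `'`, and the HOOKS example under "Add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS" lists `keyboard` twice, omits `encrypt` despite the heading, and keeps `fsck`, which the old text told the reader to remove; make the heading the no-encryption variant and show one clean line, e.g. `HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems)`, with the `encrypt`-before-`btrfs` variant below it as already done.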