ArchLinux install encrypted btrfs
Install Arch Linux on a UEFI system with the whole filesystem (including /boot) encrypted with LUKS and laid out on btrfs subvolumes
Official guide for the basic install: https://wiki.archlinux.org/index.php/Installation_Guide
Always cross-check with the official guide, because Arch's defaults change over time
For a different locale, or for better explanations, check the Arch Wiki
1. Boot ISO
Download the ISO file from https://www.archlinux.org and verify its PGP signature (published next to the image) before writing it
Write it to a pendrive (this overwrites the whole device, so double-check which device /dev/sdX is with lsblk first)
dd if=archlinux-x86_64.iso of=/dev/sdX bs=16M status=progress && sync
Boot from the USB.
Optional (an experimental way to have a desktop environment during the install):
Extend the writable space of the live system so you can install a basic desktop in it, for example to use gparted for partitioning or to open this tutorial in a web browser.
Remember this area lives in RAM, so make sure you have enough of it
mount -o remount,size=5G /run/archiso/cowspace
pacman -Syy plasma-desktop glibc konsole xorg
pacman -Scc
startplasma-wayland
Set key map
loadkeys pl
Update clock
timedatectl set-ntp true
Optionally (recommended) update the mirrorlist
reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
2. Prepare Disk
Update btrfs-progs
pacman -Syy btrfs-progs
Display disks and partitions
lsblk
Create partitions (if you have not already), using a GPT partition table
fdisk /dev/sdX
- 100MB EFI partition (type "EFI System"); it only holds the GRUB EFI binary, because /boot itself stays on the encrypted btrfs volume
- a partition taking the rest of the disk (optionally encrypted) for btrfs; if you encrypt it, format it AFTER setting up the encryption, not before
Swap will be a file with CoW disabled, which will be prepared later
Format EFI partition
mkfs.vfat -F32 /dev/sdX1
----------------- encryption (optional) ------------------
Set up the encryption of the system.
Don't use regional letters (not on the en-US keyboard) like ąęć in the passphrase. GRUB reads the passphrase with a US layout, which would require additional steps not covered by this tutorial.
Upstream GRUB (2.06 and later) can open LUKS2 only when the key derivation is PBKDF2 rather than the Argon2id default, so for a more fail-safe setup use LUKS1.
Note that GRUB's PBKDF2 implementation is much slower than the kernel's, so a large --iter-time also means a long wait at the GRUB passphrase prompt.
cryptsetup luksFormat --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 /dev/sdX2
cryptsetup open /dev/sdX2 MainPart
Format as btrfs now that it is encrypted
mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
---------------- end of encryption ------------------------
Without encryption, format the partition now:
mkfs.btrfs -L "Arch Linux" /dev/sdX2
Mount partition to be able to create btrfs subvolumes
If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
mount /dev/sdX2 /mnt
Create subvolumes
This scheme can be adjusted to your needs; I'd suggest at least one subvolume for root (@) and one for snapshots (@snapshots). @varlog and @tmp exist so that Copy on Write can be disabled on /var/log and /tmp without affecting the rest of /.
btrfs su cr /mnt/@
btrfs su cr /mnt/@home
btrfs su cr /mnt/@varlog
btrfs su cr /mnt/@tmp
btrfs su cr /mnt/@snapshots
Disable copy on write on /var/log and /tmp (on the still-empty subvolumes, so every file created in them inherits the attribute)
chattr +C /mnt/@varlog
chattr +C /mnt/@tmp
umount /mnt
Mount the root subvolume. If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
Create the mount points for the other subvolumes and for the EFI partition
mkdir /mnt/home
mkdir -p /mnt/var/log
mkdir /mnt/tmp
mkdir /mnt/snapshots
mkdir /mnt/efi # for EFI partition /dev/sdX1
The discard and ssd options are for SSDs only; drop them on spinning disks. With encryption, discard only reaches the disk if the mapping is opened with allow-discards (set on the kernel command line later); a periodic fstrim.timer is an alternative to continuous discard.
Mount the remaining subvolumes. If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@varlog /dev/sdX2 /mnt/var/log
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi
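The subvolume creation and mount steps above, written as one table-driven script. This is an added example, not part of the original tutorial; it assumes the same names as the tutorial (@, @home, @varlog, @tmp, @snapshots, the MainPart mapping, /mnt) and that mkfs.btrfs has already been run on the device. With DRY_RUN=1 it prints every command instead of executing it, so the mount lines can be reviewed before anything touches the disk; the SSD options are opt-in through SSD_OPTS so they are not applied to a spinning disk by accident.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): create the btrfs subvolume
# layout from one table and mount it in the right order.
# Assumed environment: DEV is the formatted btrfs device (/dev/sdX2, or
# /dev/mapper/MainPart when encrypted), EFI the EFI partition, MNT the install
# root. DRY_RUN=1 prints every command instead of running it.
set -eu

DEV="${DEV:-/dev/mapper/MainPart}"
EFI="${EFI:-/dev/sdX1}"
MNT="${MNT:-/mnt}"
SSD_OPTS="${SSD_OPTS:-}"   # set to ",ssd,discard" on an SSD, leave empty on a spinning disk

# subvolume  mountpoint  nocow   (@ must stay first so it is mounted first)
LAYOUT='
@           /           no
@home       /home       no
@varlog     /var/log    yes
@tmp        /tmp        yes
@snapshots  /snapshots  no
'

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Call "$1 name mountpoint nocow" for every row of LAYOUT.
each_subvol() {
    printf '%s\n' "$LAYOUT" | while read -r name mp nocow; do
        [ -n "$name" ] || continue
        "$1" "$name" "$mp" "$nocow"
    done
}

# Create one subvolume; set +C while it is empty so new files inherit NoCoW.
create_subvol() {
    run btrfs subvolume create "$MNT/$1"
    if [ "$3" = yes ]; then run chattr +C "$MNT/$1"; fi
}

# Mount one subvolume; a mountpoint of "/" maps to $MNT itself.
mount_subvol() {
    target="$MNT${2%/}"
    run mkdir -p "$target"
    run mount -o "defaults,noatime${SSD_OPTS},subvol=$1" "$DEV" "$target"
}

# Phase 1: mount the top-level volume, create all subvolumes, unmount again.
create_layout() {
    run mount "$DEV" "$MNT"
    each_subvol create_subvol
    run umount "$MNT"
}

# Phase 2: mount every subvolume under $MNT, then the EFI partition on $MNT/efi.
mount_layout() {
    each_subvol mount_subvol
    run mkdir -p "$MNT/efi"
    run mount "$EFI" "$MNT/efi"
}

# Usage:  DRY_RUN=1 sh layout.sh all                              (preview)
#         DEV=/dev/mapper/MainPart EFI=/dev/sda1 sh layout.sh all (as root)
case "${1:-}" in
    create) create_layout ;;
    mount)  mount_layout ;;
    all)    create_layout && mount_layout ;;
esac
```

Run it with "create" after mkfs.btrfs, or with "all" to create and mount in one go; without encryption pass DEV=/dev/sdX2. Adding a subvolume later is a one-line change to LAYOUT instead of a new mkdir/mount pair.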
3. Install Arch Linux
Select the mirrors to use, if the list was not updated with reflector at the start
vim /etc/pacman.d/mirrorlist
Install the base system:
This command can be customized with additional packages (btrfs-progs is required, or the system will not boot from the btrfs partition!)
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
Generate fstab:
genfstab -U records the UUID of the btrfs filesystem (the one inside the mapping, not the LUKS container), so -U works the same with or without encryption; review /mnt/etc/fstab afterwards
genfstab -U /mnt >> /mnt/etc/fstab
4. Configure the system
Switch to installed system root user
arch-chroot /mnt /bin/bash
Set the time zone and sync the hardware clock
ln -sf /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc --utc
Set the hostname in /etc/hostname
myhostname
Edit vconsole in /etc/vconsole.conf
KEYMAP=pl
FONT=Lat2-Terminus16.psfu.gz
FONT_MAP=8859-2
Setup locale
Uncomment en_US.UTF-8 and pl_PL.UTF-8 in /etc/locale.gen (both are used in locale.conf below) and then run:
locale-gen
Set the locale in /etc/locale.conf (LANG is the default for every category not listed)
LANG=en_US.UTF-8
LC_COLLATE=pl_PL.UTF-8
LC_MEASUREMENT=pl_PL.UTF-8
LC_MONETARY=pl_PL.UTF-8
LC_NUMERIC=pl_PL.UTF-8
LC_TIME=pl_PL.UTF-8
Hosts in /etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
Now create the swap file.
Create a separate subvolume for it: the kernel refuses to snapshot a subvolume that contains an active swap file, so a nested /swap subvolume (which is excluded from snapshots of its parent) keeps snapshots of / possible.
btrfs su create /swap
chattr +C /swap
Copy on Write must always be disabled on a swap file; files created in the directory above inherit the attribute:
touch /swap/swapfile
Check that the C attribute is set (it should be already, since the file was created in a directory with CoW disabled):
lsattr /swap/swapfile
If not, disable CoW for the swap file manually (only possible while the file is still empty):
chattr +C /swap/swapfile
Expand the empty file to a 4 GiB swap file
dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
chmod 600 /swap/swapfile
Format the swap file.
mkswap /swap/swapfile
Turn the swap file on.
swapon /swap/swapfile
You also need to update /etc/fstab so the swap file is activated on boot:
/swap/swapfile none swap sw 0 0
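The same swap-file steps as a script that stops if the NoCoW attribute did not take effect, since a swap file with CoW enabled is the failure mode the check above is guarding against. This is an added example, not from the original tutorial; it assumes the /swap subvolume already exists with chattr +C applied, that it runs as root inside the chroot, and GNU dd plus the e2fsprogs lsattr/chattr tools.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): create the swap file on
# the /swap subvolume and refuse to continue unless NoCoW really took effect.
# Assumes the /swap subvolume exists (btrfs su create /swap; chattr +C /swap)
# and that dd, lsattr, chattr, mkswap and swapon are available.
set -eu

# lsattr prints the flag field first, e.g. "---------------C------ /swap/swapfile".
# Returns 0 when the NoCoW flag (C) is present in that field.
has_nocow() {
    case "${1%% *}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# The fstab entry for a swap file (the tutorial's "sw" and "defaults" are both accepted).
swap_fstab_line() {
    printf '%s none swap defaults 0 0\n' "$1"
}

# make_swapfile <path> [size-MiB]: create, pin NoCoW, fill, format, activate.
make_swapfile() {
    f=$1
    size=${2:-4096}
    touch "$f"
    chattr +C "$f"                   # only effective while the file is still empty
    has_nocow "$(lsattr "$f")" || { echo "NoCoW not set on $f; aborting" >&2; return 1; }
    dd if=/dev/zero of="$f" bs=1M count="$size" status=none
    chmod 600 "$f"                   # swap holds memory contents; keep it private
    mkswap "$f"
    swapon "$f"
    swap_fstab_line "$f" >> /etc/fstab
}

# Usage (inside arch-chroot, as root):  sh mkswapfile.sh /swap/swapfile 4096
if [ -n "${1:-}" ]; then
    make_swapfile "$1" "${2:-4096}"
fi
```

The check on lsattr output is what distinguishes this from running the commands by hand: if the attribute is missing, the file is left empty and nothing is formatted, so the mistake is caught before a CoW swap file ends up in fstab.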
Set password for root
passwd
Add a real user and set a password (sudo is installed above; put the user in wheel and uncomment the %wheel line with visudo to let them use it)
useradd -m -G wheel MYUSERNAME
passwd MYUSERNAME
Configure mkinitcpio with the hooks needed for the initramfs image
vim /etc/mkinitcpio.conf
Add 'keyboard', 'keymap' and 'btrfs' to HOOKS before filesystems (keyboard before keymap, so the passphrase is read with the right layout):
HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems fsck)
Add btrfsck to BINARIES so the btrfs tools are available for repair from inside the initramfs:
BINARIES=(btrfsck)
With encryption: also add encrypt after block and before btrfs:
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt btrfs filesystems fsck)
Regenerate initrd images
mkinitcpio -P
5. Install bootloader
Setup grub (UEFI)
pacman -S grub efibootmgr os-prober dosfstools mtools
-------------encryption only---------------------
edit /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
Find the UUID of the LUKS partition (/dev/sdX2 itself, not the mapping) so it can be added to the grub config
blkid
Now set this line with the proper UUID in place of "<device-UUID>":
(temporarily you can use /dev/sdX2 in place of "UUID=<device-UUID>" and change it later from the installed system)
edit /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:MainPart:allow-discards"
allow-discards is only for SSDs, to let TRIM work through the encryption layer. It trades a little confidentiality for that: which blocks are unused becomes visible in the ciphertext.
GRUB unlocks the volume once to read /boot, and the initramfs then has to unlock it again for the root filesystem. Generate a key file and add it as a second key slot so the initramfs can do that without asking for the passphrase a second time:
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
The key file ends up embedded in the initramfs. That is acceptable here only because /boot is on the encrypted volume itself, so the image is never stored in the clear.
If you change the name of the key file you need to add a kernel parameter like cryptkey=rootfs:path
/crypto_keyfile.bin is the path the encrypt hook looks for when cryptkey is not given
Now add the file to /etc/mkinitcpio.conf
FILES=(/crypto_keyfile.bin)
then run:
mkinitcpio -P
and make the freshly written images (which now contain the key) unreadable for other users:
chmod 600 /boot/initramfs-linux*
-------------encryption end---------------------
Install GRUB into the EFI partition and generate its configuration (on GRUB 2.06 and later, os-prober is only run if GRUB_DISABLE_OS_PROBER=false is set in /etc/default/grub)
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
Exit new system
exit
Unmount all partitions
swapoff -a
umount -R /mnt
Reboot into the new system; don't forget to remove the pendrive
reboot
or
shutdown now
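A post-install check for the properties this setup is meant to provide (LUKS1 header that GRUB can open, a second key slot for the key file, allow-discards on the mapping, /boot served from the encrypted volume, key file and initramfs not world-readable, swap active). This is an added example, not part of the original tutorial; it assumes the mapping name MainPart and the key file /crypto_keyfile.bin from the steps above, GNU stat, and the cryptsetup, dmsetup, findmnt and swapon (util-linux) tools of the installed system. The parsing functions take the tool output as a string, so they can be tried on saved output without root; run_checks collects the live output and needs root.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): sanity checks for the
# encrypted-/boot layout, to run as root after the first reboot.
# Assumptions: the mapping is named MainPart and the key file is
# /crypto_keyfile.bin, as in the tutorial; GNU stat, cryptsetup, dmsetup,
# findmnt and swapon are installed.
set -eu

# Returns 0 when the file mode is exactly 0600; the key file and the initramfs
# that embeds it must not be readable by other users.
mode_is_0600() {
    [ "$(stat -c '%a' "$1")" = 600 ]
}

# Print the "Version:" field of `cryptsetup luksDump` text passed as $1
# (1 = LUKS1, which GRUB opens; 2 = LUKS2, which GRUB only handles with PBKDF2).
luks_version() {
    printf '%s\n' "$1" | sed -n 's/^Version:[[:space:]]*//p' | head -n 1
}

# Count enabled key slots in a LUKS1 dump; after luksAddKey there must be at
# least two (passphrase + key file). LUKS2 dumps use a different layout.
enabled_keyslots() {
    printf '%s\n' "$1" | grep -c '^Key Slot [0-7]:[[:space:]]*ENABLED' || true
}

# The dm-crypt table (dmsetup table MainPart) carries "allow_discards" only
# when the mapping was opened with the :allow-discards flag from cryptdevice=.
discards_enabled() {
    printf '%s\n' "$1" | grep -q 'allow_discards'
}

# /boot must be served from the encrypted mapping; findmnt reports the
# subvolume as /dev/mapper/MainPart[/@], never the plain EFI partition.
boot_is_encrypted() {
    case "$1" in
        /dev/mapper/MainPart*) return 0 ;;
        *) return 1 ;;
    esac
}

# report <label> <command...>: print ok/FAIL for the command and record failures.
report() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; rc=1; fi
}

run_checks() {
    rc=0
    dev=$(cryptsetup status MainPart | sed -n 's/^[[:space:]]*device:[[:space:]]*//p')
    dump=$(cryptsetup luksDump "$dev")
    table=$(dmsetup table MainPart)
    bootsrc=$(findmnt -n -o SOURCE /boot)

    report "LUKS1 header on $dev"           test "$(luks_version "$dump")" = 1
    report "passphrase and key file slots"  test "$(enabled_keyslots "$dump")" -ge 2
    report "allow_discards on mapping"      discards_enabled "$table"
    report "/boot inside encrypted volume"  boot_is_encrypted "$bootsrc"
    report "key file mode 0600"             mode_is_0600 /crypto_keyfile.bin
    for img in /boot/initramfs-linux*.img; do
        report "initramfs mode 0600: $img"  mode_is_0600 "$img"
    done
    report "swap file active"               test -n "$(swapon --noheadings --show)"
    return "$rc"
}

# Usage (as root):  sh postcheck.sh check
if [ "${1:-}" = check ]; then
    run_checks
fi
```

A FAIL on the key slot count means the initramfs will prompt for the passphrase a second time; a FAIL on the initramfs mode means mkinitcpio rewrote the images after the chmod and it needs to be repeated.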
6. Additional tips:
Install an AUR helper (the git and base-devel packages installed above are needed for makepkg):
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
To check the locale and keymap in effect:
localectl status