{"id":1341,"date":"2019-05-28T08:58:23","date_gmt":"2019-05-28T13:58:23","guid":{"rendered":"http:\/\/russellstinnett.com\/?p=1341"},"modified":"2019-05-28T08:58:23","modified_gmt":"2019-05-28T13:58:23","slug":"installing-archlinux-with-encrypted-lvm-uefi-and-gpt","status":"publish","type":"post","link":"https:\/\/russellstinnett.com\/?p=1341","title":{"rendered":"Installing ArchLinux with Encrypted LVM, UEFI and GPT"},"content":{"rendered":"\n

This is not a definitive guide. This is just what I learned installing and booting to a command prompt with \/boot, \/home and root defined as logical volumes inside of an encrypted partition. As I’ve said, this is by no means an exhaustive guide. It’s more like a list of specific steps and resources for more information.<\/p>\n\n\n\n

I got a new laptop from System76 and wanted to install Debian. The Debian installer, for whatever reason, wouldn’t load the graphics, making it unusable. Bummer. So I decided to take this opportunity to finally wrap my head around ArchLinux. I see it mentioned everywhere, they have incredible documentation that I often use for help even with other distros, and I like the level of control it allows. However, I don’t know enough about it to just go formatting my new laptop and installing it willy nilly. So I decided to muddle through a test install on a virtual machine using VirtualBox. This presented a couple of unique challenges since it’s not a perfect emulator (but it’s still the best one around).<\/p>\n\n\n\n

I wanted to emulate the setup that came on the laptop as far as the encrypted disk and Logical Volume Management, so that’s where I started. It took several tries for me to get it right since these things are new to me, but I eventually got it. Start by following the instructions from the Archlinux Installation Guide<\/a> up to partitioning.<\/p>\n\n\n\n

On a 20G virtual drive, using gdisk, my partitioning goes like this: <\/p>\n

\/dev\/sda1    Sectors 34-2047    BIOS Partition (EF02)\n\/dev\/sda2    512M  EFI Partition (EF00)\n\/dev\/sda3    512M  EXT4 Partition (8300)\n\/dev\/sda4    4G    Swap (8200)\n\/dev\/sda5    whatever is left for LVM (8E00)\n<\/pre>
\nSetup the \/dev\/sda5 as the encrypted volume with:
\n# cryptsetup -v --type luks1 luksFormat \/dev\/sda5<\/code>
\nI use luks1 because luks2 doesn’t seem to be fully supported yet and is definitely not supported by GRUB. The above command will encrypt \/dev\/sda5 and ask you for the password you’d like to use.
\nOpen the encrypted volume with :
\n# cryptsetup open \/dev\/sda5 cryptdata<\/code>
\nThis will open the encrypted volume and map it to \/dev\/mapper\/cryptdata. Now create the logical volumes for \/var \/home and root.\n
# pvcreate \/dev\/mapper\/cryptdata\n# vgcreate data \/dev\/mapper\/cryptdata\n# lvcreate -L 2G data -n var\n# lvcreate -L 5G data -n home\n# lvcreate -l 100%FREE data -n root\n<\/pre>\nNow the disk is partitioned. Time to format.\n
# mkfs.fat -F32 \/dev\/sda2\n# mkfs.ext4 \/dev\/sda3\n# mkswap \/dev\/sda4\n# swapon \/dev\/sda4\n# mkfs.ext4 \/dev\/data\/var\n# mkfs.ext4 \/dev\/data\/home\n# mkfs.ext4 \/dev\/data\/root\n<\/pre>\nNow that we’re all partitioned and formatting, let’s get everything mounted.\n
# mount \/dev\/data\/root \/mnt\n# cd \/mnt\n# mkdir efi boot home var\n# mount \/dev\/sda2 efi\n# mount \/dev\/sda3 boot\n# mount \/dev\/data\/var var\n# mount \/dev\/data\/home home\n<\/pre>\nSo now my target filesystem should be all set and it’s time to pick our mirrors. You can go through the steps to sort the list by the fastest mirrors, but I just selected all of the servers in the US. Go to \/etc\/pacman.d to find the mirrorlist and copy it to mirrorlist.orig.\n
# cp mirrorlist mirrorlist.orig\n# grep -A 1 'United States' mirrorlist|sed -e 's\/--\/\/g'|sed 's\/#Server\/Server\/g' >> mirrorlist.us\n# cp mirrorlist.us mirrorlist\n<\/pre>\nInstall the base system with :
\n
# pacstrap \/mnt base<\/pre>\nWrap it up with :
\n
# genfstab -U \/mnt >> \/mnt\/etc\/fstab\n# arch-root \/mnt\n# pacman -S --noconfirm vim\n# ln -sf \/usr\/share\/zoneinfo\/Americas\/Chicago \/etc\/localtime\n# hwclock --systohc\n<\/pre>\nUncomment your locale in \/etc\/locale.gen (en_US.UTF-8 UTF-8) and run # locale-gen<\/code>
\n
# echo 'LANG=en_US.UTF-8' >> \/etc\/locale.conf\n# echo 'workstation' >> \/etc\/hostname\n# echo '127.0.0.1 localhost' >> \/etc\/hosts\n# echo '::1 localhost' >> \/etc\/hosts\n<\/pre>\nWith both dm_crypt (luks1) and lvm, you’ll need to make \/etc\/mkinitcpio.conf HOOKS= look like:\n
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)<\/pre>\nAnd run : mkinitcpio -P<\/code>\nSet the root password with passwd<\/code>\nInstall grub and efibootmgr :\n
# pacman -S --noconfirm grub efibootmgr\n# grub-install --target=x86_64-efi --efi-directory=\/efi --bootloader-id=GRUB\n<\/pre>\nUse the command lsblk -f<\/code> to get the UUID for the encrypted partition. In my case this was \/dev\/sda5. Edit \/etc\/default\/grub so that GRUB_CMDLINE_LINUX looks like:
\n
GRU_CMDLINE_LINUX=\"cryptdevice=UUID=2f8fdc54-e985-4f8e-8b0a-b256a5c0332f:cryptdata\"<\/pre>
\nNow generate grub.cfg with :
\n
# grub-mkconfig -o \/boot\/grub\/grub.cfg<\/pre>\nExit from chroot, unmount with umount -R \/mnt<\/code> and reboot. That should get you to a prompt.\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
This is not a definitive guide. This is just what I learned installing and booting to a command prompt with \/boot, \/home and root defined as logical volumes inside of an encrypted partition. As I’ve said, this is by no means an exhaustive guide. It’s more like a list of specific steps and resources for…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[30,36,51,54],"class_list":["post-1341","post","type-post","status-publish","format-standard","hentry","category-linux","tag-arch","tag-crypt","tag-install","tag-lvm"],"yoast_head":"\nInstalling ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/russellstinnett.com\/?p=1341\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Installing ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog\" \/>\n<meta property=\"og:description\" content=\"This is not a definitive guide. This is just what I learned installing and booting to a command prompt with \/boot, \/home and root defined as logical volumes inside of an encrypted partition. As I’ve said, this is by no means an exhaustive guide. It’s more like a list of specific steps and resources for...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/russellstinnett.com\/?p=1341\" \/>\n<meta property=\"og:site_name\" content=\"A Commonplace Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-05-28T13:58:23+00:00\" \/>\n<meta name=\"author\" content=\"russell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"russell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341\"},\"author\":{\"name\":\"russell\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\"},\"headline\":\"Installing ArchLinux with Encrypted LVM, UEFI and GPT\",\"datePublished\":\"2019-05-28T13:58:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341\"},\"wordCount\":519,\"keywords\":[\"arch\",\"crypt\",\"install\",\"lvm\"],\"articleSection\":[\"Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341\",\"url\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341\",\"name\":\"Installing ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#website\"},\"datePublished\":\"2019-05-28T13:58:23+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/russellstinnett.com\\\/?p=1341\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/?p=1341#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/russellstinnett.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Installing ArchLinux with Encrypted LVM, UEFI and GPT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#website\",\"url\":\"https:\\\/\\\/russellstinnett.com\\\/\",\"name\":\"A Commonplace Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/russellstinnett.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/russellstinnett.com\\\/#\\\/schema\\\/person\\\/056f15a8cb83837a561f105dc1475ce8\",\"name\":\"russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g\",\"caption\":\"russell\"},\"sameAs\":[\"https:\\\/\\\/russellstinnett.com\"],\"url\":\"https:\\\/\\\/russellstinnett.com\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Installing ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/russellstinnett.com\/?p=1341","og_locale":"en_US","og_type":"article","og_title":"Installing ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog","og_description":"This is not a definitive guide. This is just what I learned installing and booting to a command prompt with \/boot, \/home and root defined as logical volumes inside of an encrypted partition. As I’ve said, this is by no means an exhaustive guide. It’s more like a list of specific steps and resources for...","og_url":"https:\/\/russellstinnett.com\/?p=1341","og_site_name":"A Commonplace Blog","article_published_time":"2019-05-28T13:58:23+00:00","author":"russell","twitter_card":"summary_large_image","twitter_misc":{"Written by":"russell","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/russellstinnett.com\/?p=1341#article","isPartOf":{"@id":"https:\/\/russellstinnett.com\/?p=1341"},"author":{"name":"russell","@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8"},"headline":"Installing ArchLinux with Encrypted LVM, UEFI and GPT","datePublished":"2019-05-28T13:58:23+00:00","mainEntityOfPage":{"@id":"https:\/\/russellstinnett.com\/?p=1341"},"wordCount":519,"keywords":["arch","crypt","install","lvm"],"articleSection":["Linux"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/russellstinnett.com\/?p=1341","url":"https:\/\/russellstinnett.com\/?p=1341","name":"Installing ArchLinux with Encrypted LVM, UEFI and GPT - A Commonplace Blog","isPartOf":{"@id":"https:\/\/russellstinnett.com\/#website"},"datePublished":"2019-05-28T13:58:23+00:00","author":{"@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8"},"breadcrumb":{"@id":"https:\/\/russellstinnett.com\/?p=1341#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/russellstinnett.com\/?p=1341"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/russellstinnett.com\/?p=1341#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/russellstinnett.com\/"},{"@type":"ListItem","position":2,"name":"Installing ArchLinux with Encrypted LVM, UEFI and GPT"}]},{"@type":"WebSite","@id":"https:\/\/russellstinnett.com\/#website","url":"https:\/\/russellstinnett.com\/","name":"A Commonplace Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/russellstinnett.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/russellstinnett.com\/#\/schema\/person\/056f15a8cb83837a561f105dc1475ce8","name":"russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/b1fb12238c00e45c4820005d8619303e4635df76f75ef14a958d79ef08e2ce00?s=96&d=mm&r=g","caption":"russell"},"sameAs":["https:\/\/russellstinnett.com"],"url":"https:\/\/russellstinnett.com\/?author=1"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts\/1341","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1341"}],"version-history":[{"count":0,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=\/wp\/v2\/posts\/1341\/revisions"}],"wp:attachment":[{"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/russellstinnett.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}