Differences
This shows you the differences between two versions of the page.
projects:howtos:archlinux-full-disk-encryption [2017/02/05 23:53] – [Repairing boot partition] prometheus | projects:howtos:archlinux-full-disk-encryption [2021/07/19 23:58] (current) – fix formatting xbr | ||
---|---|---|---|
Line 3: | Line 3: | ||
Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn' | Full Disk Encryption is probable one of the most important things to do first, when setting up a new system in a world in which #BigBrother is always watching you. The issue we had was, having a keyfile which is needed to decrypt your system is nice, but if its [the keyfile] unencrypted on a USB device it doesn' | ||
- | < | + | < |
===== Requirements ===== | ===== Requirements ===== | ||
Line 14: | Line 14: | ||
Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. | Write the ISO to a removable flash drive. You can also use the traditional way and simply burn the ISO on a CD/DVD. | ||
- | <sxh bash;> | + | <code> |
~$: shasum archlinux-$VERSION-dual.iso | ~$: shasum archlinux-$VERSION-dual.iso | ||
~$: dd if=archlinux-$VERSION-dual.iso of=/ | ~$: dd if=archlinux-$VERSION-dual.iso of=/ | ||
- | </sxh> | + | </code> |
===== Booting ===== | ===== Booting ===== | ||
- | <sxh bash;> | + | <code> |
# if necessary reconfigure your keyboard layout | # if necessary reconfigure your keyboard layout | ||
- | root@archiso | + | ~$ loadkeys fr |
# check for network connectivity | # check for network connectivity | ||
- | root@archiso | + | ~$ ping 8.8.8.8 |
# request IP address | # request IP address | ||
- | root@archiso | + | ~$ ifconfig -a |
- | root@archiso | + | ~$ dhclient $NIC |
- | </sxh> | + | </code> |
===== tmpfs (Paranoia) ===== | ===== tmpfs (Paranoia) ===== | ||
- | <sxh> | + | <code> |
- | root@archiso | + | ~$ fdisk -l | grep Disk |
- | root@archiso | + | ~$ mkdir ./mytmpfs |
- | root@archiso | + | ~$ mount tmpfs ./mytmpfs -t tmpfs -o size=32m |
- | root@archiso | + | ~$ cd ./mytmpfs |
- | root@archiso | + | ~$ dd if=/ |
- | root@archiso | + | ~$ mkdir /mnt/boot && mkdir /mnt/home |
- | </sxh> | + | </code> |
===== Partitioning ===== | ===== Partitioning ===== | ||
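Review bot: The new `~$` prompt in the Booting and tmpfs blocks reads as an unprivileged shell, but the commands it now prefixes (`mount tmpfs ./mytmpfs -t tmpfs -o size=32m`, `dhclient $NIC`, `mkdir /mnt/boot`) need root on the live ISO, which the removed `root@archiso` prompt made clear. Use a `#` prompt, as the `# gdisk disk-device` line further down does, and bring the unchanged `~$:` lines in the ISO block into the same form. Replacing `<sxh bash;>` with a bare `<code>` also drops the language hint; `<code bash>` keeps the highlighting.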
Line 52: | Line 52: | ||
Basically there exist two " | Basically there exist two " | ||
- | <sxh> | + | <code> |
# gdisk disk-device | # gdisk disk-device | ||
- | </sxh> | + | </code> |
You will be thrown in a own commandline of the gdisk program, so proceed as follows: | You will be thrown in a own commandline of the gdisk program, so proceed as follows: | ||
Line 66: | Line 66: | ||
===== Encryption ===== | ===== Encryption ===== | ||
- | <sxh bash; title: | + | === with keyfile |
- | root@archiso | + | <code> |
- | root@archiso | + | ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat < |
- | root@archiso | + | ~$ cryptsetup luksOpen -d keyfile / |
- | root@archiso | + | ~$ cryptsetup luksOpen -d keyfile / |
- | root@archiso | + | ~$ cfdisk / |
- | root@archiso | + | ~$ cryptsetup -c aes-xts-plain -y -s 512 luksFormat / |
- | root@archiso | + | ~$ mkfs.vfat -F 32 -I / |
- | </sxh> | + | ~$ cfdisk / |
+ | </code> | ||
- | <sxh bash; title: | + | === with password |
- | root@archiso | + | <code> |
- | root@archiso | + | ~$ cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom --verify-passphrase luksFormat < |
- | root@archiso | + | ~$ cryptsetup luksOpen / |
- | root@archiso | + | ~$ mkfs.btrfs / |
- | </sxh> | + | ~$ mount / |
+ | </code> | ||
===== /boot partition ===== | ===== /boot partition ===== | ||
- | <sxh bash; title: | + | === on disk boot device |
+ | <code> | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
# DOS; primary partition + bootable | # DOS; primary partition + bootable | ||
~$ cfdisk / | ~$ cfdisk / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
- | <sxh bash; title: | + | === external boot device |
+ | <code> | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
~$ cfdisk / | ~$ cfdisk / | ||
~$ mkfs.ext3 -L boot / | ~$ mkfs.ext3 -L boot / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
===== Mounting ===== | ===== Mounting ===== | ||
- | <sxh bash; title: mounting> | + | <code> |
~$ mkdir /mnt/boot | ~$ mkdir /mnt/boot | ||
~$ mount / | ~$ mount / | ||
~$ mount / | ~$ mount / | ||
- | </sxh> | + | </code> |
===== Bootstrapping ===== | ===== Bootstrapping ===== | ||
- | <sxh bash;> | + | <code> |
~$ pacstrap -i /mnt base base-devel | ~$ pacstrap -i /mnt base base-devel | ||
~$ genfstab -U /mnt > / | ~$ genfstab -U /mnt > / | ||
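Review bot: In the keyfile block the second added `luksFormat` line passes `-c aes-xts-plain`, while the first passes `--cipher aes-xts-plain64`. The `plain` IV generator uses only a 32-bit sector number, so IVs repeat on devices larger than 2 TiB; use `aes-xts-plain64` on both lines. The second line also omits the `--hash sha512 --iter-time 5000` options given on the first, so either pass them again or say why this device is formatted differently.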
Line 124: | Line 128: | ||
~$ mkinitcpio -p linux | ~$ mkinitcpio -p linux | ||
~$ passwd root | ~$ passwd root | ||
- | </sxh> | + | </code> |
===== syslinux ===== | ===== syslinux ===== | ||
- | <sxh bash;> | + | <code> |
~$ pacman -S syslinux gptfdisk | ~$ pacman -S syslinux gptfdisk | ||
~$ syslinux-install_update -iam | ~$ syslinux-install_update -iam | ||
~$ nano / | ~$ nano / | ||
- | </sxh> | + | </code> |
- | <sxh bash;> | + | ===== Unmount & Reboot ===== |
+ | |||
+ | Good luck! | ||
+ | |||
+ | <code> | ||
~$ exit | ~$ exit | ||
~$ umount -R /mnt | ~$ umount -R /mnt | ||
- | </sxh> | + | </code> |
===== Troubleshooting ===== | ===== Troubleshooting ===== | ||
+ | |||
+ | Tiny troubles might pup up. The few below have a tendency to occur due to human interaction failure. ;) | ||
+ | ==== cryptsetup failed ==== | ||
+ | |||
+ | < | ||
+ | Command failed with code 22: Invalid argument | ||
+ | </ | ||
+ | | ||
+ | Enter the ' | ||
==== syslinux ==== | ==== syslinux ==== | ||
- | | + | < |
- | Is /boot mounted? | + | Error: / |
+ | Is /boot mounted? | ||
+ | </ | ||
| | ||
- | Reinstall syslinux package. | + | Reinstall syslinux package. |
==== Write-Protected ==== | ==== Write-Protected ==== | ||
- | If mount / | + | If '' |
==== Repairing boot partition ==== | ==== Repairing boot partition ==== | ||
- | <sxh bash;> | + | <code> |
~$ cryptsetup luksOpen / | ~$ cryptsetup luksOpen / | ||
~$ mount / | ~$ mount / | ||
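Review bot: The added "Unmount & Reboot" heading sits over a block that contains only `exit` and `umount -R /mnt`, so the reboot step the heading announces is missing; add it or rename the section. In the new Troubleshooting intro, "pup up" should read "pop up".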
Line 164: | Line 183: | ||
~$ syslinux-install_update -iam | ~$ syslinux-install_update -iam | ||
~$ nano / | ~$ nano / | ||
+ | ~$ pacman -S linux | ||
~$ exit | ~$ exit | ||
~$ umount -R /mnt | ~$ umount -R /mnt | ||
- | </sxh> | + | </code> |
===== References ===== | ===== References ===== |
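Review bot: The added `pacman -S linux` in the repair sequence has no explanation, and it sits after the syslinux reinstall and config edit without saying why the kernel package is reinstalled. A one-line comment above it, in the style of the `# DOS; primary partition + bootable` note used earlier, saying that this puts the kernel image and initramfs back on the repaired /boot, would tell the reader when the step is needed.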