
@NickMcSweeney
Last active December 13, 2023 01:53
Arch linux system install with encryption and external key files

Encrypted Arch Linux that might still be usable: A Guide

GPT format, with UEFI boot and encrypted root

Goal:

  • install Arch Linux on a single partition, with LVM logical volumes for boot, root, home, swap and hibernation
  • encrypt the entire system
  • unlock the encryption with a USB key
  • set up a lightweight i3 desktop environment

Other Resources

Download arch to usb & boot

  • use rufus for writing iso to usb with windows
  • use balenaEtcher for writing iso to usb with mac

Connect to wifi

  • wifi-menu

SSH to the machine for the installation

This guide will refer to the machine having Linux installed on it as the installation machine, and to the computer not having Linux installed on it as the primary machine.

Silence the terminal bell (setterm -blength sets the bell duration to 0)

  • setterm -blength 0

Set root password

  • passwd

Allow root login

  • make sure that this line is uncommented in /etc/ssh/sshd_config
  • PermitRootLogin yes

Get IP address

  • ifconfig

SSH to machine

  • from primary machine
  • ssh root@IP_ADDRESS

Create the usb key

clear usb drive
  • shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdY
  • this takes forever and you might prefer doing 1 iteration if it's a large disk
partition usb for key file
  • cfdisk /dev/sdY

Partition   Size    Type                   Use
/dev/sdY1   256MB   EFI System Partition   /boot/efi
/dev/sdY2   512MB   Linux filesystem       /boot
/dev/sdY3   256MB   EFI System Partition   key file partition
/dev/sdY4   -       Linux filesystem       the rest of the drive, free to use for other stuff

Prepare Disk

clear hard disk
  • shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdX

Partition Disk

  • list all disk partitions: fdisk -l
  • make sure to check that the disk label type is gpt
  • edit the disk partition of choice: cfdisk /dev/sdX

Partition   Size    Type               Use
/dev/sdX1   +32GB   Linux filesystem   lvm partition (root/home/swap)

Configuring LUKS Encryption

  • load dm-crypt modprobe dm-crypt
  • load dm-mod modprobe dm-mod

Encrypt partitions

Setup partitions:
Setup vault (the key file partition)
  • mkfs.ext4 /dev/mmcblk0p1
  • mkdir /mnt/vault
  • mount /dev/mmcblk0p1 /mnt/vault
  • mkdir /mnt/vault/syskeys
  • give ownership of the key directory to root.
  • make it read only after the keys are created.
Create encrypted root
  • add keyfile to vault
    • dd bs=512 count=4 if=/dev/urandom of=/mnt/vault/syskeys/rootKeyfile
  • cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda1
  • ... enter password x2
  • cryptsetup luksAddKey /dev/sda1 /mnt/vault/syskeys/rootKeyfile
  • ... enter password x1
Create encrypted home
  • add keyfile to vault
    • dd bs=512 count=4 if=/dev/urandom of=/mnt/vault/syskeys/homeKeyfile
  • cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda2
  • ... enter password x2
  • cryptsetup luksAddKey /dev/sda2 /mnt/vault/syskeys/homeKeyfile
  • ... enter password x1
set permissions of key dir to root
  • chmod 600 /mnt/vault/syskeys
Unlock encrypted sections
  • open root as alias luks_root
    • cryptsetup open /dev/sda1 luks_root --key-file /mnt/vault/syskeys/rootKeyfile
    • root is now at /dev/mapper/luks_root
  • open home as alias luks_home
    • cryptsetup open /dev/sda2 luks_home --key-file /mnt/vault/syskeys/homeKeyfile
    • home is now at /dev/mapper/luks_home
Unmount & clear /mnt
  • umount -R /mnt
  • rm -rf /mnt/vault (removes the now-empty mount point under /mnt, not a /vault directory on the live system)

Format partitions

  • format /boot/efi mkfs.vfat -n "EFI System Partition" /dev/sda3
  • format /boot mkfs.ext4 -L boot /dev/sda4
  • format / mkfs.ext4 -L root /dev/mapper/luks_root
  • format /home mkfs.ext4 /dev/mapper/luks_home
  • format /home/share mkfs.exfat /dev/mmcblk0p2

Mount partitions

  • create and mount root
    • mount /dev/mapper/luks_root /mnt/
  • create /boot and mount
    • mkdir /mnt/boot
    • mount /dev/sda4 /mnt/boot
  • create and mount efi partition in /boot
    • mkdir /mnt/boot/efi
    • mount /dev/sda3 /mnt/boot/efi
  • create and mount home
    • mkdir /mnt/home
    • mount /dev/mapper/luks_home /mnt/home
  • create and mount share
    • mkdir /mnt/home/share
    • mount /dev/mmcblk0p2 /mnt/home/share
  • create and mount vault
    • mkdir /mnt/boot/vault
    • mount /dev/mmcblk0p1 /mnt/boot/vault

Install Arch Linux

  • install to /mnt pacstrap -i /mnt/ base base-devel efibootmgr grub

Generate fstab file

  • genfstab -U /mnt/ > /mnt/etc/fstab

Configure Arch Linux

System info
  • chroot in arch-chroot /mnt/
  • set password passwd
  • add real user
    • useradd -m -g users -G wheel MYUSERNAME
    • passwd MYUSERNAME
  • add sudo privileges to group wheel
    • nano /etc/sudoers
    • uncomment %wheel ALL=(ALL) ALL
  • edit locale nano /etc/locale.gen
  • remove # from your language (en_US.UTF-8)
    • ...save
  • set locale, run:
    • locale-gen
    • echo LANG=YOUR_LOCALE > /etc/locale.conf --> echo LANG=en_US.UTF-8 > /etc/locale.conf
    • export LANG=YOUR_LOCALE --> export LANG=en_US.UTF-8
  • set timezone ln -sf /usr/share/zoneinfo/YOUR_REGION/YOUR_CITY /etc/localtime --> ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
  • set clock hwclock --systohc --utc
  • set hostname echo YOUR_HOSTNAME > /etc/hostname
  • edit hosts nano /etc/hosts
  • add to file:
127.0.0.1   localhost your_hostname
::1         localhost your_hostname
  • ...save

System Configuration

  • update Pacman pacman -Syu
  • install dialog so you can access wifi-menu after booting into OS pacman -S dialog
  • install os-prober and ntfs-3g so GRUB will automatically identify other OSes on your system when generating a boot menu
    • pacman -S os-prober ntfs-3g
Configure GRUB
  • edit grub nano /etc/default/grub
    • set GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:luks_root cryptkey=/dev/mmcblk0p1:ext4:/syskeys/rootKeyfile" (the encrypt hook's cryptkey takes device:fstype:path, where the path is relative to the root of the key partition, i.e. the vault formatted and populated above; note the closing quote)
    • uncomment (#) GRUB_ENABLE_CRYPTODISK=y
    • ..save
Configure mkinitcpio
  • Now edit /etc/mkinitcpio.conf nano /etc/mkinitcpio.conf
    • add ext4 vfat mmc_core mmc_block sdhci sdhci-pci ata_generic ata_piix nls_cp437 to MODULES
    • In the HOOKS section, add encrypt and [lvm2] after block
    • ...save
  • generate initramfs mkinitcpio -p linux
Configure crypttab:
  • edit /etc/crypttab so that /home is unlocked and mounted at boot
    • nano /etc/crypttab
    • add the line:

    # <name>   <device>     <password>                          <options>
    home       /dev/sda2    /boot/vault/syskeys/homeKeyfile     luks,timeout=15

  • install GRUB grub-install --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=ArchLinux

  • check for other OSes: os-prober

  • generate GRUB configuration

    • grub-mkconfig -o /boot/grub/grub.cfg
    • grub-mkconfig -o /boot/efi/EFI/ArchLinux/grub.cfg
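As an added example (not from the gist), a small POSIX shell script that ties the keyfile steps above to the crypttab step: make_keyfile creates a keyfile exactly the way the guide does (dd bs=512 count=4 from /dev/urandom) and locks it down, and check_crypttab, a hypothetical helper, validates every keyfile referenced by a crypttab file before the first reboot, so a mistyped key path or a group/world-readable key is caught in the chroot rather than as a boot failure. It assumes GNU stat (as on Arch) and an optional prefix argument for checking a vault mounted under /mnt from the live ISO.

```shell
#!/bin/sh
# Added example (not part of the gist): create a LUKS keyfile the way the
# guide does (dd bs=512 count=4 from /dev/urandom) and lock it down, then
# sanity-check /etc/crypttab before the first reboot: every keyfile it
# references must exist, be non-empty and be readable by its owner only.

# make_keyfile PATH : write 2048 random bytes to PATH and make it mode 0400.
make_keyfile() {
    dd bs=512 count=4 if=/dev/urandom of="$1" 2>/dev/null || return 1
    chmod 400 "$1"
}

# check_crypttab FILE [PREFIX] : PREFIX is prepended to each key path, so the
# check can run from the live ISO against a vault mounted under /mnt/boot
# instead of /boot (the test uses a temporary directory as prefix).
# Prints one line per problem and returns 1 if any problem was found.
check_crypttab() {
    file=$1; prefix=${2:-}; bad=0
    while read -r name device key options; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        # 'none' or '-' means "ask for a passphrase", nothing to check
        case "$key" in ''|none|-) continue ;; esac
        path="$prefix$key"
        if [ ! -f "$path" ]; then
            echo "$name: keyfile $key is missing"; bad=1; continue
        fi
        if [ ! -s "$path" ]; then
            echo "$name: keyfile $key is empty"; bad=1
        fi
        mode=$(stat -c %a "$path")
        case "$mode" in
            [4-7]00) ;;                   # owner-only: 400, 600 or 700
            *) echo "$name: keyfile $key has mode $mode (group/world readable)"; bad=1 ;;
        esac
        # ownership can only be verified meaningfully when running as root
        if [ "$(id -u)" = 0 ] && [ "$(stat -c %u "$path")" != 0 ]; then
            echo "$name: keyfile $key is not owned by root"; bad=1
        fi
    done < "$file"
    return $bad
}
```

Run `check_crypttab /etc/crypttab` inside the chroot (where /boot/vault is mounted) and fix anything it reports before the final reboot.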

Close and reboot

  • exit the chroot: exit
  • unmount all umount -R /mnt
  • and reboot reboot

Setup basic OS features

  • log back in as root user
  • connect to internet with wifi-menu
  • Install GUI
    • I like GNOME, so: pacman -S gnome

Optional
  • update repo database & install Pakku
    • get git pacman -S git
    • cd to Downloads (or anywhere really)
    • run git clone https://aur.archlinux.org/pakku.git
    • open the pakku folder cd pakku
    • install pakku makepkg -si
    • you can delete the pakku repo now cd .. and then rm -rf pakku
  • Optional gnome install
    • gnome-extra has a bunch of packages I don't like
    • these are individual packages from gnome-extra I do like
    • pacman -S gnome-nettool gnome-tweaks gnome-usage gnome-weather nautilus-sendto pacman-contrib
  • Applications I like to have
    • pacman -S atom gimp vlc libreoffice-fresh firefox thunderbird pidgin

  • Start/enable system applications
    • systemctl enable NetworkManager.service
    • systemctl enable paccache.timer
    • systemctl enable gdm.service
  • restart system with reboot