Arch Linux with full Disk Encryption

glitchlist

Full Disk Encryption using LVM on LUKS with separate Home, Root and swap

Encrypted boot with GRUB/EFI

First step : Preparing partition

Ensure the live system has booted in UEFI mode by verifying that the following directory exists: ls /sys/firmware/efi/efivars

/efi - EFI System Partition 512Mb
/boot - Encrypted boot partition
/ - Encrypted system partition

Verify the disk layout : fdisk -l /dev/nvme0n1

Create the 3 partitions with fdisk: type ef for EFI, 83 for /boot and 8e for LVM.

Second step : Prepare the Disk

cryptsetup luksFormat --type luks1 /dev/nvme0n1p1 (type 2 is not supported by GRUB)
cryptsetup open /dev/nvme0n1p1 cryptlvm (creates /dev/mapper/cryptlvm)

Prepare the Logical Volume :


1. pvcreate /dev/mapper/cryptlvm
2. vgcreate VG /dev/mapper/cryptlvm
3. lvcreate -L 16G VG -n swap
4. lvcreate -L 40G VG -n root
5. lvcreate -l 100%FREE VG -n home

Third Step : Format the FileSystems


mkfs.ext4 /dev/VG/...
mkswap /dev/VG/swap

Mount fileSystems :


mount /dev/VG/root /mnt
mkdir /mnt/home
mount /dev/VG/home /mnt/home
swapon /dev/VG/swap

Prepare the boot partition :


mkfs.vfat -F32 /dev/nvme0n1p2
mkdir /mnt/efi
mount /dev/nvme0n1p2 /mnt/efi

Configuring mkinitcpio

Add keyboard, encrypt and lvm2 to HOOKS in /etc/mkinitcpio.conf --> HOOKS=(… keyboard … encrypt lvm2 …)

Configure Boot Loader

In /etc/default/grub :

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p1:VG:allow-discards"

GRUB_PRELOAD_MODULES="… lvm"

GRUB_ENABLE_CRYPTODISK=y

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
grub-mkconfig -o /boot/grub/grub.cfg
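
A mistake in the mkinitcpio or GRUB settings above only shows up as an unbootable system, so it is worth checking both files before rebooting. The script below is an added example, not part of the original post: the function names hooks_ok, grub_ok and demo are hypothetical, the sample files are constructed, and it assumes the LUKS partition is the one passed to cryptsetup luksFormat (/dev/nvme0n1p1).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any tool.

# hooks_ok FILE: true if HOOKS lists keyboard, encrypt, lvm2 in that order
# (hooks run left to right: keyboard for the passphrase prompt, encrypt to
# open the LUKS container, lvm2 to find the volumes inside it).
hooks_ok() {
    line=$(grep -E '^[[:space:]]*HOOKS=\(' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    pos=0 kb=0 enc=0 lvm=0
    for h in $(printf '%s\n' "$line" | sed -e 's/^[^(]*(//' -e 's/).*$//'); do
        pos=$((pos + 1))
        case $h in
            keyboard) kb=$pos ;;
            encrypt)  enc=$pos ;;
            lvm2)     lvm=$pos ;;
        esac
    done
    [ "$kb" -gt 0 ] && [ "$enc" -gt "$kb" ] && [ "$lvm" -gt "$enc" ]
}

# grub_ok FILE LUKS_DEV: true if GRUB is allowed to unlock LUKS, the kernel
# command line names LUKS_DEV in cryptdevice=, and no typographic quotes
# (which the shell does not treat as quotes) were pasted into the file.
grub_ok() {
    grep -Fq -e '“' -e '”' "$1" && return 1
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1" || return 1
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$1" |
        grep -Eq "cryptdevice=$2:[^: \"]+"
}

# Constructed sample files, so the script runs anywhere; on a real install
# pass /mnt/etc/mkinitcpio.conf and /mnt/etc/default/grub instead.
demo() {
    d=$(mktemp -d) || return 1
    printf 'HOOKS=(base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck)\n' > "$d/mkinitcpio.conf"
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' \
        'GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p1:VG:allow-discards"' > "$d/grub"
    hooks_ok "$d/mkinitcpio.conf" && grub_ok "$d/grub" /dev/nvme0n1p1
    rc=$?
    rm -rf "$d"
    return "$rc"
}

if demo; then echo "sample config OK"; else echo "sample config has problems"; fi
```
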

Final Step

Exit from arch-chroot, unmount all partitions and reboot.

That’s all, enjoy!
