Full Disk Encryption using LVM on LUKS with separate Home, Root and swap
Encrypted boot with GRUB/EFI
First step : Preparing partitions
Ensure the live system has booted in UEFI mode by verifying that the following directory exists --> ls /sys/firmware/efi/efivars
/efi - EFI System Partition 512Mb
/boot - Encrypted boot partition
/ - Encrypted system partition
Verify disk schema : fdisk -l /dev/nvme0n1
Create the 3 partitions with fdisk: type ef for EFI, 83 for /boot and 8e for LVM
Second step : Prepare the Disk
cryptsetup luksFormat --type luks1 /dev/nvme0n1p1 (LUKS type 2 is not supported by GRUB)
cryptsetup open /dev/nvme0n1p1 cryptlvm --> /dev/mapper/cryptlvm
Prepare the Logical Volume :
1. pvcreate /dev/mapper/cryptlvm
2. vgcreate VG /dev/mapper/cryptlvm
3. lvcreate -L 16G VG -n swap
4. lvcreate -L 40G VG -n root
5. lvcreate -l 100%FREE VG -n home
Third Step : Format the Filesystems
mkfs.ext4 /dev/VG/...
mkswap /dev/VG/swap
Mount filesystems :
mount /dev/VG/root /mnt
mkdir /mnt/home
mount /dev/VG/home /mnt/home
swapon /dev/VG/swap
Prepare the boot partition :
mkfs.vfat -F32 /dev/nvme0n1p2
mkdir /mnt/efi
mount /dev/nvme0n1p2 /mnt/efi
Configuring mkinitcpio
Add keyboard, encrypt and lvm2 to HOOKS in /etc/mkinitcpio.conf --> HOOKS=(… keyboard … encrypt lvm2 …)
Configure Boot Loader
In /etc/default/grub
-------------------------
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p1:VG:allow-discards"
GRUB_PRELOAD_MODULES="… lvm"
GRUB_ENABLE_CRYPTODISK=y
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux
grub-mkconfig -o /boot/grub/grub.cfg
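A pre-reboot check for the settings above, as an added example that is not part of the original notes: it confirms that HOOKS lists keyboard, encrypt and lvm2 in that order, that GRUB_ENABLE_CRYPTODISK=y is set, and that cryptdevice= names the partition that was passed to luksFormat. The function names are made up for this example.

```sh
#!/bin/sh
# Added example: sanity checks for the files edited above. Function names are
# hypothetical; file paths are arguments so the checks also work on copies.

# check_hooks FILE: succeed if HOOKS has keyboard, encrypt, lvm2 in that order.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1" | tail -n 1)
    [ -n "$hooks" ] || { echo "no HOOKS=(...) line in $1" >&2; return 1; }
    pos=0 kb=0 enc=0 lvm=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            keyboard) kb=$pos ;;
            encrypt)  enc=$pos ;;
            lvm2)     lvm=$pos ;;
        esac
    done
    # A missing hook keeps position 0 and fails one of the comparisons.
    [ "$kb" -gt 0 ] && [ "$enc" -gt "$kb" ] && [ "$lvm" -gt "$enc" ]
}

# cryptdevice_of FILE: print the device part of cryptdevice=device:name:options.
cryptdevice_of() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=\([^: "]*\).*/\1/p' "$1" | tail -n 1
}

# check_grub FILE LUKS_PARTITION: cryptodisk enabled and cryptdevice= pointing
# at the partition that was given to luksFormat.
check_grub() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y is not set in $1" >&2; return 1; }
    dev=$(cryptdevice_of "$1")
    [ "$dev" = "$2" ] ||
        { echo "cryptdevice=$dev, expected $2" >&2; return 1; }
}

# is_luks1 DEVICE: succeed only for a LUKS1 header (needs root and the device).
is_luks1() {
    cryptsetup isLuks --type luks1 "$1"
}
```

Inside the chroot, before exiting: check_hooks /etc/mkinitcpio.conf && check_grub /etc/default/grub /dev/nvme0n1p1 && is_luks1 /dev/nvme0n1p1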
Final Step
Exit from arch-chroot, unmount all partitions and reboot
That’s all, enjoy!