Created
October 22, 2015 19:26
Arch Linux Installation Notes - GPT LUKS on LVM (multiple drives)
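#
# installation
#
# boot the install medium to the arch linux prompt first
# (interactive notes: run the commands one at a time, this is not a runnable script)

# set up networking
ping -c 3 www.google.ca
# wired connections just work for me, so the ping above is enough on ethernet;
# on wifi, select the network and log in, then test again
wifi-menu
ping -c 3 www.google.ca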
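# now to set up LUKS on LVM (for multiple HD)
# LUKS sits on top of each logical volume, so the LVM metadata (volume group and
# volume names, sizes) stays readable on disk; only the volume contents are encrypted
modprobe dm-mod

# partition the disk
# check the device names first: everything below is destructive for /dev/sda and /dev/sdb
lsblk
# I created the following partitions on 2 devices, modify as required
#   /dev/sda1  1007KB  BIOS boot partition
#   /dev/sda2  500MB   linux filesystem (boot)
#   /dev/sda3          Linux LVM (root)
#   /dev/sdb1          Linux LVM (swap home var)
# set the partition table to GUID (GPT) on both disks
gdisk /dev/sda
gdisk /dev/sdb

# idea is to create the root encrypted system, then use a password file to mount the others
# so for the initial install ONLY create root
lvm pvcreate /dev/sda3
lvm vgcreate lvm /dev/sda3
lvm lvcreate -L 25G -n lvroot lvm

# encrypt root; luksFormat asks for the passphrase that unlocks the system at boot
# -s 512 with an XTS cipher is split into two 256-bit halves, i.e. AES-256
# the key files for the other volumes will be stored on this root volume, so
# this one passphrase ends up protecting everything: choose it accordingly
cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/lvm/lvroot
cryptsetup open --type luks /dev/lvm/lvroot root

# NOTE: /boot on /dev/sda2 is NOT encrypted -- kernel, initramfs and grub config
# can be read and modified by anyone with physical access to the disk
mkfs.ext4 /dev/mapper/root
mkfs.ext4 /dev/sda2
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
# confirm the resulting layout
lsblk -f /dev/sda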
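# now pacstrap the system
# select a close mirror and move it to the top of the file, save and close
vim /etc/pacman.d/mirrorlist
pacstrap -i /mnt base base-devel

# generate fstab
# '>>' appends: running this twice duplicates the entries, hence the check below
genfstab -U -p /mnt/ >> /mnt/etc/fstab
# confirm content
vim /mnt/etc/fstab

# chroot to the new filesystem
arch-chroot /mnt /bin/bash
# mark the prompt so it is obvious which commands run inside the chroot
export PS1="(CHROOT) $PS1"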
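# setup locales
# uncomment your locale and save
vi /etc/locale.gen
locale-gen
echo LANG=en_CA.UTF-8 > /etc/locale.conf
export LANG=en_CA.UTF-8

# set the tz and clock
ln -fs /usr/share/zoneinfo/Canada/Pacific /etc/localtime
# long options take two plain ASCII hyphens
hwclock --systohc --utc

# hostname
echo arod > /etc/hostname
# add 'arod' to the beginning of both localhost row aliases
vi /etc/hosts

# setup networking for next boot
pacman -S networkmanager
systemctl enable NetworkManager.service
# disable network services not needed
systemctl disable netctl.service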
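# create ramdisk
# on the HOOKS="" line, add 'lvm2 encrypt' between 'block' and 'filesystems'
# (lvm2 first: the logical volume has to exist before the encrypt hook can open it)
# on the MODULES="" line, add 'dm-mod'
vi /etc/mkinitcpio.conf
mkinitcpio -p linux

# set root password
passwd

# make sure vim is installed
pacman -S vim

# set up the boot loader
pacman -S grub
# long options take two plain ASCII hyphens
grub-install --target=i386-pc --recheck /dev/sda
# edit /etc/default/grub (type plain ASCII double quotes, not typographic ones)
# add to GRUB_CMDLINE_LINUX="cryptdevice=/dev/lvm/lvroot:root root=/dev/mapper/root"
# add to GRUB_PRELOAD_MODULES="" at the end, add 'lvm'
vim /etc/default/grub
# ignore any connection warnings
grub-mkconfig -o /boot/grub/grub.cfg

# exit the chroot, unmount and reboot
exit
umount -R /mnt
reboot
# remove your USB or CD
# fingers crossed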
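# once you log in to the newly installed machine, you have more work to do!
#
# post installation
#
# once you reboot, lets create the new encrypted /home, /var and swap volumes

# lets make the key files for home and var
# they live on the encrypted root, so they are only as safe as the root passphrase;
# /boot is not encrypted in this layout, so never copy them into the initramfs
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256
dd if=/dev/random of=/etc/luks-keys/var bs=1 count=256
# dd creates the files with the default umask; restrict them to root explicitly
chmod 600 /etc/luks-keys/home /etc/luks-keys/var
#
# now create the remaining volumes
lvm pvcreate /dev/sdb1
lvm vgextend lvm /dev/sdb1
lvm lvcreate -L 16G -n swap lvm
lvm lvcreate -L 25G -n var lvm
lvm lvcreate -l 100%FREE -n home lvm
#
# now encrypt home and var with their key files
# cipher given explicitly so these match root instead of depending on the cryptsetup default
cryptsetup luksFormat -v -c aes-xts-plain64 -s 512 /dev/lvm/home /etc/luks-keys/home
cryptsetup luksFormat -v -c aes-xts-plain64 -s 512 /dev/lvm/var /etc/luks-keys/var
# the key file is the only way into each volume; to keep a fallback, add a
# passphrase to a second key slot, e.g.:
#   cryptsetup luksAddKey -d /etc/luks-keys/home /dev/lvm/home
#
# open the new encrypted volumes
cryptsetup -d /etc/luks-keys/home open --type luks /dev/lvm/home home
cryptsetup -d /etc/luks-keys/var open --type luks /dev/lvm/var var
#
mkfs.ext4 /dev/mapper/home
mkfs.ext4 /dev/mapper/var
mount /dev/mapper/home /home
# we have to mount /var later
#
# about the swap entry below: /dev/urandom gives swap a new random key on every boot,
# so nothing in it survives a reboot (no hibernation), and size=256 with an XTS
# cipher is AES-128, where the other volumes use 512
# now add "home /dev/lvm/home /etc/luks-keys/home"
# and "swap /dev/lvm/swap /dev/urandom swap,cipher=aes-xts-plain64,size=256" to
vim /etc/crypttab
# finally, add the home and swap mapped volumes to fstab
#   "/dev/mapper/home /home ext4 defaults 0 2"
#   "/dev/mapper/swap none swap sw 0 0"
vim /etc/fstab
#
reboot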
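#
# separate /var partition? you'll need to do this
#
# boot to your installation USB or CDROM
# so we can copy /var to the new encrypted LVM
#
# first mount /
cryptsetup open --type luks /dev/lvm/lvroot root
mount /dev/mapper/root /mnt
# now mount the new var, using the key file stored on the root volume
cryptsetup -d /mnt/etc/luks-keys/var open --type luks /dev/lvm/var var
mkdir /tmp/tmpvar
mount /dev/mapper/var /tmp/tmpvar
# finally copy the old folder to the new
# ('/mnt/var/.' rather than '/mnt/var/*' so dotfiles at the top level are copied too)
cp -av /mnt/var/. /tmp/tmpvar/
# create the new empty folder to mount to
mv /mnt/var /mnt/var.old
mkdir -m 755 /mnt/var
# now add "var /dev/lvm/var /etc/luks-keys/var" to
vim /mnt/etc/crypttab
# finally add "/dev/mapper/var /var ext4 defaults 0 2" to
vim /mnt/etc/fstab
# thats it, now reboot and remove your USB or CDROM
umount -R /tmp/tmpvar
umount -R /mnt
reboot
# once the system boots cleanly from the new /var, delete the leftover /var.old
# /whew - done! (wasn't that hard, come on!)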