Create a new Oracle Linux VM. You can disable in-transit encryption, as encryption will be implemented at the OS level with dm-crypt. Connect to the VM with SSH (you can't connect from the Cloud Shell as the opc
user has no password). Then, run the following to reboot the VM into Alpine Linux:
sudo su
wget https://dl-cdn.alpinelinux.org/alpine/v3.15/releases/aarch64/alpine-virt-3.15.0-aarch64.iso
dd if=alpine-virt-3.15.0-aarch64.iso of=/dev/sda; sync # overwrite the boot disk with the Alpine ISO
reboot
(We need to use Alpine Linux because Arch Linux ARM is not distributed as a bootable disk image.)
Now, launch a Cloud Shell connection to the VM console. Log in to Alpine as root with no password, and run:
echo auto eth0 > /etc/network/interfaces
echo iface eth0 inet dhcp >> /etc/network/interfaces
ifup eth0
Install the tools you need from the Alpine community repo:
setup-apkrepos
vi /etc/apk/repositories # uncomment community repo
apk update
apk add dosfstools e2fsprogs libarchive-tools pacman arch-install-scripts btrfs-progs cryptsetup
modprobe btrfs
Run fdisk /dev/sda, then enter the following commands:
g # create a new empty GPT partition table
n 1 2048 +512M # create EFI partition
t 1 1 # set partition 1 to EFI System type
n 2 # create root partition (to be encrypted)
p # check partition table
w # write partition table and exit
Then run the following to get the boot volume ready for encryption (see the Alpine wiki page Replacing non-Alpine Linux with Alpine remotely):
partprobe /dev/sda # detect new partitions
/etc/init.d/modloop stop
umount /dev/sda
Follow the instructions on the Arch wiki for encrypting an entire system with LUKS on a partition:
cryptsetup -y -v luksFormat /dev/sda2 # create LUKS partition
cryptsetup open /dev/sda2 root # open LUKS partition
mkfs.btrfs -L root /dev/mapper/root # create rootfs
mount /dev/mapper/root /mnt # mount rootfs
mkfs.vfat /dev/sda1 # create bootfs
mkdir /mnt/boot; mount /dev/sda1 /mnt/boot # mount bootfs
Download and unpack Arch Linux ARM:
cd /mnt
wget http://os.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz
bsdtar -xpf /mnt/ArchLinuxARM-aarch64-latest.tar.gz -C /mnt
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt/
pacman-key --init
pacman-key --populate archlinuxarm
Configure mkinitcpio with the following hooks in /etc/mkinitcpio.conf (the encrypt hook must come before filesystems so the initramfs can unlock the root partition):
HOOKS=(base udev autodetect keyboard consolefont modconf block encrypt filesystems fsck)
Then install the kernel (which builds the initramfs) and create the EFISTUB boot entry:
pacman -S linux-aarch64 efibootmgr # should run mkinitcpio -P
for i in {0..5}; do efibootmgr -B -b $i; done # delete the existing boot entries Boot0000 to Boot0005
efibootmgr --create --disk /dev/sda --part 1 \
--label arch-oracle --loader Image \
--unicode "cryptdevice=/dev/sda2:root root=/dev/mapper/root initrd=initramfs-linux.img console=ttyS0"
Since port 22 is exposed by default, and Arch Linux ARM enables sshd with password authentication on the default alarm account, disable sshd before rebooting:
systemctl disable sshd
The machine should now boot into the serial console. Access it using the Cloud Shell to enter the LUKS passphrase whenever the machine reboots.
You can now log in to Arch from the serial console with username root and password root. Run passwd to set a new root password and secure the serial console.
The Arch Linux ARM sshd allows password authentication by default, so add the following to /etc/ssh/sshd_config:
PasswordAuthentication no
PermitRootLogin no
Then enable and start the sshd:
systemctl enable sshd
systemctl start sshd
Finally, create ~/.ssh/authorized_keys for the default alarm user or a new user of your choice, and log in remotely via SSH. You don't need the serial console again until the machine reboots.
Continue following the Arch Wiki installation guide from the heading Configure the system.
Create the block volume in the Oracle console and attach it using paravirtualisation; it will appear as /dev/sdb. Then:
openssl genrsa -out /root/block.key 4096 # key file for unattended unlocking; keep it readable by root only
cryptsetup luksFormat /dev/sdb # create the LUKS volume; prompts for a passphrase
cryptsetup luksAddKey /dev/sdb /root/block.key # add the key file as a second unlock key
echo "block /dev/sdb /root/block.key luks" >> /etc/crypttab # unlock the volume as "block" at boot
cryptsetup luksOpen /dev/sdb block --key-file /root/block.key
mkfs.btrfs /dev/mapper/block
mkdir /mnt/block
echo "/dev/mapper/block /mnt/block btrfs defaults 0 0" >> /etc/fstab # mount point must match the directory created above
mount -a
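Before rebooting a machine that relies on crypttab and fstab to bring up the encrypted volume, it is worth checking that the two files agree. The following is an added example, not code from the original post: a shell function (the name check_crypt_fstab and the constructed demo paths are assumptions) that, for every /dev/mapper entry in an fstab, verifies the matching crypttab name exists, the key file exists and is mode 0600, and the mount point is a real directory.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check an fstab against a
# crypttab. For each /dev/mapper/<name> in fstab it verifies that crypttab
# defines <name>, that the key file exists and is mode 0600 (a readable key
# file defeats the encryption), and that the mount point is a directory.
# Function name and demo paths are assumptions made for this example.
#
# usage: check_crypt_fstab CRYPTTAB FSTAB  (prints each problem, returns 1 if any)
check_crypt_fstab() {
    crypttab=$1; fstab=$2; rc=0
    while read -r dev mnt fstype opts; do
        case "$dev" in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) continue ;;   # blank lines, comments, plain devices and UUIDs
        esac
        # crypttab fields: <name> <device> <keyfile|none> [options]
        keyfile=$(awk -v n="$name" '$1 == n { print $3; exit }' "$crypttab")
        if [ -z "$keyfile" ]; then
            echo "fstab: $dev has no crypttab entry named '$name'"; rc=1
        elif [ "$keyfile" != none ]; then
            if [ ! -f "$keyfile" ]; then
                echo "crypttab: key file $keyfile for '$name' does not exist"; rc=1
            elif [ "$(stat -c %a "$keyfile")" != 600 ]; then
                echo "crypttab: key file $keyfile for '$name' must be mode 0600"; rc=1
            fi
        fi
        if [ ! -d "$mnt" ]; then
            echo "fstab: mount point $mnt for $dev is not a directory"; rc=1
        fi
    done < "$fstab"
    return $rc
}

# Demo on constructed files mirroring the /dev/sdb setup above.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/mnt/block"
: > "$demo_dir/block.key"; chmod 600 "$demo_dir/block.key"
printf 'block /dev/sdb %s luks\n' "$demo_dir/block.key" > "$demo_dir/crypttab"
printf '/dev/mapper/block %s/mnt/block btrfs defaults 0 0\n' "$demo_dir" > "$demo_dir/fstab"
if check_crypt_fstab "$demo_dir/crypttab" "$demo_dir/fstab"; then
    echo "fstab and crypttab are consistent"
fi
rm -rf "$demo_dir"
```

Run it against the real /etc/crypttab and /etc/fstab as root; any line it prints is a reason not to reboot yet.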