Quick notes on a fully encrypted ArchLinux installation on a MacBook Air.
This article is a draft.
Disclaimer: The following document is a set of notes on how I installed ArchLinux on some of my computers. It’s basically a summary of selected bits of various resources. The usual warning goes with this as with anything related in any way to security: DO NOT USE IT.
These are notes, not a tutorial. If I’m to do this again, I’ll follow these notes. You probably shouldn’t.
The aim is:
- To have a fully encrypted disk, except /boot, but including the swap partition to enable hibernation.
Start installation as usual.
Wiping existing data
If necessary, wipe the disks/partitions you’re about to encrypt.
```bash
# Map the partition as a plain (non-LUKS) container keyed with throwaway random bytes
cryptsetup open --type plain /dev/sdXY container --key-file /dev/random
# Fill it with zeros: they reach the disk as ciphertext under that key
dd if=/dev/zero of=/dev/mapper/container bs=1M status=progress
# Drop the mapping, and with it the key
cryptsetup close container
```
/dev/zero is a perfectly good input here: you are writing through an encrypted mapping, so what lands on disk is ciphertext under a random key that is read from /dev/random and never stored. The result is indistinguishable from random data, which is the point: an attacker cannot later tell which blocks hold your LUKS container and which are filler.
Repeat for each partition you need to wipe, changing the container's name. I won't wipe /boot, since an encrypted boot is possible only with GRUB, and I use Refind as the primary boot loader [1].
Partition the drive
You need two partitions.
- A boot partition, of about 200M, type ef00 (EFI System)
- A crypto container, of type 8E00 (Linux LVM), using all the remaining space.
As mentioned above, we are not encrypting /boot: EFI firmware (Apple's or any other) cannot read an encrypted file system, so the kernel and initramfs must sit in the clear unless a boot loader such as GRUB is used to unlock them.
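As an added example, not part of the original notes, here is the two-partition layout above written out as sgdisk commands, followed by a small check that parses `sgdisk -p` output to confirm the type codes before anything is encrypted. The device name, the function names and the sample `sgdisk -p` output are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes.
# Lay out the two partitions described above with sgdisk, then verify the
# type codes from `sgdisk -p` output before the second one is encrypted.
# Assumptions: GPT disk, partition 1 = EFI System (ef00, 200M),
# partition 2 = the future LUKS container (8e00, rest of the disk).

# Create the layout on $1 (e.g. /dev/sdX). Destroys existing partitions.
partition_disk() {
    local disk="$1"
    sgdisk --zap-all "$disk"                                  # wipe old GPT/MBR structures
    sgdisk -n 1:0:+200M -t 1:ef00 -c 1:"EFI System" "$disk"   # /boot, left unencrypted
    sgdisk -n 2:0:0     -t 2:8e00 -c 2:"Linux LVM"  "$disk"   # LUKS container, all remaining space
}

# Read `sgdisk -p` output on stdin and confirm partition 1 is EF00 and
# partition 2 is 8E00. Returns 0 on success, 1 otherwise.
check_layout() {
    awk '
        # Partition rows start with the partition number; the Size column is
        # two fields ("200.0 MiB"), so the type code is field 6.
        $1 ~ /^[0-9]+$/ { code[$1] = toupper($6) }
        END { exit !(code[1] == "EF00" && code[2] == "8E00") }
    '
}

# Constructed sample of `sgdisk -p` output for a 128 GB disk (not captured
# from a real machine), used to exercise check_layout offline.
SAMPLE_SGDISK_P='Disk /dev/sdX: 250069680 sectors, 119.2 GiB
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): 00000000-0000-0000-0000-000000000000
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 2048-sector boundaries
Total free space is 2014 sectors (1007.0 KiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048          411647   200.0 MiB   EF00  EFI System
   2          411648       250069646   119.0 GiB   8E00  Linux LVM'

# Typical use on a real disk:
#   partition_disk /dev/sdX && sgdisk -p /dev/sdX | check_layout
```

The type code of partition 2 is informational only: the partition will hold a LUKS header, and LVM lives inside the container, so what matters is that you point luksFormat at the right device, which is exactly what the check is for.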
Encrypt all the things
Now we encrypt the container (our second partition), put LVM on top of it, and initialize the LVM physical volume, volume group and logical volumes.
```bash
# Create the encrypted container
cryptsetup luksFormat /dev/sdXY
# Open it; the plaintext device appears as /dev/mapper/lvm
cryptsetup open --type luks /dev/sdXY lvm
# Create the LVM physical volume on the opened container
pvcreate /dev/mapper/lvm
# Create the initial volume group
vgcreate VolGroup00 /dev/mapper/lvm
# Create logical volumes as needed (swap must be at least RAM-sized for hibernation)
lvcreate -L 200G VolGroup00 -n lvolroot
lvcreate -l 100%FREE VolGroup00 -n lvolswap
# Format them; LVM exposes them as /dev/VolGroup00/<lv> (alias /dev/mapper/VolGroup00-<lv>)
mkfs.ext4 /dev/VolGroup00/lvolroot
mkswap /dev/VolGroup00/lvolswap
```
Continue with standard installation
Mount your volumes and activate swap. Don't forget to mount your unencrypted boot partition:
```bash
mount /dev/VolGroup00/lvolroot /mnt
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
swapon /dev/VolGroup00/lvolswap
```
Then proceed with the standard installation until the mkinitcpio step. That is, generate the mirrorlist (preferably using
lvm2 must be installed inside the arch-chroot jail before proceeding.
mkinitcpio.conf will require the encrypt, lvm2 and keymap hooks. The first two must appear before filesystems, not after it: the root file system only exists once encrypt has unlocked the container and lvm2 has activated the volume group, and block must precede encrypt so the partition is visible at all. Hibernating to the encrypted swap additionally needs the resume hook, placed after lvm2. keymap is only needed if a passphrase is used (hint: it really should be) and the keyboard uses a non-US QWERTY layout. It takes its mapping from /etc/vconsole.conf and must appear before encrypt in the HOOKS line, with keyboard ahead of it so the keyboard driver is loaded before the passphrase prompt.
Configure kernel boot options
Modify the kernel boot options (with Refind, in /boot/refind_linux.conf) and add
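The notes stop short of listing the parameters. As an added example that is not from the original page, the following script generates the two pieces of configuration this layout needs, the HOOKS line for /etc/mkinitcpio.conf and the kernel command line for /boot/refind_linux.conf, and checks that the swap volume is large enough to hold a hibernation image. The function names, the `--apply` flag and the assumption that the container is opened as /dev/mapper/lvm with volume group VolGroup00 (lvolroot, lvolswap) are mine, matching the commands above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: the configuration the
# installation above needs but the notes cut off.
#   1. the HOOKS line of /etc/mkinitcpio.conf
#   2. the kernel command line for /boot/refind_linux.conf
# plus a sanity check that the swap LV can hold a hibernation image.
# Assumptions (mine, matching the commands above): the LUKS partition is
# opened as /dev/mapper/lvm, the volume group is VolGroup00 with logical
# volumes lvolroot and lvolswap, and Refind is the boot loader.

# Hook order matters: keyboard and keymap before encrypt (the passphrase is
# typed on the internal keyboard with the right layout), block before encrypt,
# encrypt before lvm2 (the PV lives inside the container), resume after lvm2
# (swap is a logical volume), and all of them before filesystems.
hooks_line() {
    printf 'HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 resume filesystems fsck)\n'
}

# Kernel command line for this layout. $1 is the LUKS partition UUID (from
# `cryptsetup luksUUID /dev/sdXY`); ":lvm" is the mapper name chosen when the
# container was opened; root and resume are the LVs inside it.
build_cmdline() {
    local uuid="$1"
    printf 'cryptdevice=UUID=%s:lvm root=/dev/VolGroup00/lvolroot resume=/dev/VolGroup00/lvolswap rw' "$uuid"
}

# refind_linux.conf stanzas: each line is "menu title" "kernel options".
refind_stanzas() {
    local cmdline
    cmdline="$(build_cmdline "$1")"
    printf '"Boot with standard options"  "%s"\n' "$cmdline"
    printf '"Boot to single-user mode"    "%s single"\n' "$cmdline"
}

# Hibernation writes RAM into swap, so the swap LV must be at least RAM-sized.
# $1 = swap size in bytes, $2 = RAM size in bytes. Returns 0 if it fits.
swap_fits_ram() {
    [ "$1" -ge "$2" ]
}

# Apply everything inside the arch-chroot. $1 = LUKS partition, e.g. /dev/sda2.
apply_config() {
    local dev="$1" uuid swap_bytes ram_bytes
    uuid="$(cryptsetup luksUUID "$dev")"
    swap_bytes="$(lvs --noheadings --nosuffix --units b -o lv_size VolGroup00/lvolswap | tr -d ' ')"
    ram_bytes="$(awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo)"
    swap_fits_ram "$swap_bytes" "$ram_bytes" || {
        echo "swap ($swap_bytes B) is smaller than RAM ($ram_bytes B): hibernation would fail" >&2
        return 1
    }
    sed -i "s|^HOOKS=.*|$(hooks_line)|" /etc/mkinitcpio.conf
    refind_stanzas "$uuid" > /boot/refind_linux.conf
    mkinitcpio -P
}

# Only touch the system when explicitly asked: ./script --apply /dev/sdXY
if [ "${1:-}" = "--apply" ]; then
    apply_config "$2"
fi
```

Refind finds the initramfs next to the kernel on its own, so the stanza carries no initrd= parameter; the UUID is the one of the LUKS partition itself, not of the file system inside it.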
Before you reboot
If you want to use wifi-menu on your fresh system, don't forget to install wpa_supplicant (and dialog, which wifi-menu also needs) before you reboot. Trying to run it in the arch-chroot jail will help find missing dependencies (the script itself is part of base, but its dependencies are not).
For Apple laptops
A few extra settings are required to get a decent mapping on Apple keyboards. Create /etc/modprobe.d/hid_apple.conf with the following line:
```
options hid_apple fnmode=2
```
and add the path of this file to the FILES entry of /etc/mkinitcpio.conf, so the option also applies inside the initramfs, where the keyboard hook loads hid_apple for the passphrase prompt.
A basic working system
That is, my basic working system.
Also install the xf86-video-x driver you need.
[1] Yet it is possible to a) boot from external media to a fully encrypted root; or b) boot from a plaintext EFI /boot to a GRUB that unlocks an encrypted /boot. Since encrypting /boot is meant to protect against physical attacks on the boot program, b) does not really protect against anything: the plaintext GRUB EFI binary that does the unlocking is just as exposed to tampering as an unencrypted /boot would be.