Quick notes on a fully encrypted ArchLinux installation on a MacBook Air.

6 March 2016

This article is a draft.

Disclaimer: The following document is a set of notes on how I installed ArchLinux on some of my computers. It’s basically a summary of selected bits of various resources. The usual warning goes with this as with anything related in any way to security: DO NOT USE IT.

These are notes, not a tutorial. If I’m to do this again, I’ll follow these notes. You probably shouldn’t.

The aim is:

  • To have a fully encrypted disk, except /boot, but including the swap partition so that hibernation works.

Start installation as usual.

Initial installation

Wiping existing data

If necessary, wipe the disks/partitions you’re about to encrypt.

cryptsetup open --type plain /dev/sdXY container --key-file /dev/random
dd if=/dev/zero of=/dev/mapper/container status=progress

/dev/zero is a perfectly good input: you are writing through an encrypted container, so the randomness comes from the key, which is read from /dev/random.

Repeat for each partition you need to wipe, changing the container’s name. I won’t wipe /boot, since an encrypted boot is possible only with GRUB, and I use rEFInd as the primary boot loader [1].

Partition the drive

You need two partitions.

  • A boot partition, of about 200M, type ef00 (EFI System)
  • A crypto container, of type 8E00 (Linux LVM), using all the remaining space.

As mentioned above, we’re not going to encrypt /boot, because Apple’s EFI firmware (at least) cannot boot from encrypted containers.

Encrypt all the things

Now we’re going to encrypt the container (our second partition), turn it into an LVM physical volume, and create the volume group and logical volumes.

# Create the encrypted container
cryptsetup luksFormat /dev/sdXY
# Open it; the plaintext device appears as /dev/mapper/lvm
cryptsetup open --type luks /dev/sdXY lvm
# Create the LVM Physical Volume
pvcreate /dev/mapper/lvm
# Create the initial LVM Volume Group
vgcreate VolGroup00 /dev/mapper/lvm
# Create logical volumes as needed (names must match the mkfs/mount steps below)
lvcreate -L 200G VolGroup00 -n lvolroot
lvcreate -l 100%FREE VolGroup00 -n lvolswap
# Format the logical volumes (LVM exposes them as /dev/<VG>/<LV>)
mkfs.ext4 /dev/VolGroup00/lvolroot
mkswap /dev/VolGroup00/lvolswap

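The partition, LUKS and LVM steps above, gathered into one script with a few safety checks. This is an added example, not code from the original notes: the disk path, the volume group name, the root size and the mapper name "lvm" are parameters or assumptions, and formatting the EFI partition as FAT32 (mkfs.fat) is a step the notes leave implicit. It defaults to a dry run that only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original notes): carry out the GPT + LUKS + LVM
# layout as one script. Partition type codes and LV names follow the notes;
# the EFI partition is formatted FAT32, which the notes do not mention.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # default to printing, not executing

run() {
    # Print every destructive command; execute it only when DRY_RUN=0.
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

refuse_if_mounted() {
    # Abort if any partition of $1 is currently mounted or used as swap.
    disk="$1"
    if grep -q "^$disk" /proc/mounts /proc/swaps 2>/dev/null; then
        echo "refusing: $disk is in use" >&2
        return 1
    fi
}

layout() {
    # $1 = whole disk (e.g. /dev/sda), $2 = root LV size, $3 = volume group name
    disk="$1"; root_size="$2"; vg="$3"
    case "$disk" in
        */nvme*|*/mmcblk*) p="${disk}p" ;;   # nvme0n1p1-style partition names
        *) p="$disk" ;;                       # sda1-style partition names
    esac
    refuse_if_mounted "$disk"

    # GPT: 200M EFI System (ef00) + the rest as Linux LVM (8e00), as in the notes.
    run sgdisk --zap-all "$disk"
    run sgdisk -n 1:0:+200M -t 1:ef00 -c 1:boot "$disk"
    run sgdisk -n 2:0:0 -t 2:8e00 -c 2:cryptlvm "$disk"

    # LUKS container on partition 2, opened as /dev/mapper/lvm
    run cryptsetup luksFormat "${p}2"
    run cryptsetup open --type luks "${p}2" lvm

    # LVM on top of the opened container
    run pvcreate /dev/mapper/lvm
    run vgcreate "$vg" /dev/mapper/lvm
    run lvcreate -L "$root_size" "$vg" -n lvolroot
    run lvcreate -l 100%FREE "$vg" -n lvolswap

    # Filesystems: FAT32 for the EFI partition, ext4 root, swap
    run mkfs.fat -F32 "${p}1"
    run mkfs.ext4 "/dev/$vg/lvolroot"
    run mkswap "/dev/$vg/lvolswap"
}
```

Usage: `DRY_RUN=1 sh layout.sh` style invocation is `layout /dev/sda 200G VolGroup00` after sourcing the file; review the printed command list, then rerun with `DRY_RUN=0`. The root and swap LV names are set in one place so the later mount and swapon steps cannot drift from them.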

Continue with standard installation

Mount your volumes and activate swap. Don’t forget to mount your unencrypted /boot.

mount /dev/VolGroup00/lvolroot /mnt
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
swapon /dev/VolGroup00/lvolswap


Then proceed with the standard installation up to the mkinitcpio step: generate the mirrorlist (preferably using rankmirrors), then pacstrap.

Configure mkinitcpio

lvm2 must be installed inside the arch-chroot jail before proceeding.

mkinitcpio.conf needs the lvm2, encrypt and keymap hooks; the first two seem to need to appear after filesystems.

keymap is only needed if a passphrase is required (hint: it really should be) and the keyboard uses a non-US QWERTY layout. It takes its mapping from /etc/vconsole.conf and must appear before encrypt in HOOKS.

Configure kernel boot options

Modify the kernel boot options (with rEFInd, in /boot/refind_linux.conf) and add cryptdevice=UUID=…:lvm before root=/dev/VolGroup00/…

Before you reboot

If you want to use wifi-menu on your fresh system, don’t forget to install dialog and wpa_supplicant before you reboot. Trying to run it in the arch-chroot jail will help find missing deps (the script itself is part of base, but its dependencies are not).
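Two things from the mkinitcpio and boot-option steps above are worth checking from inside the chroot before rebooting, because getting either wrong leaves you at an initramfs prompt: that the HOOKS line has the hooks the notes call for in a usable order, and that the UUID written into cryptdevice= really is the UUID of the LUKS partition. The script below is an added example, not part of the original notes. The file paths and the "lvm" mapper name are assumptions; the ordering rules it enforces are keymap before encrypt (as the notes say) plus block before encrypt, encrypt before lvm2 and lvm2 before filesystems, which is the order used in Arch’s documented HOOKS line for LVM on LUKS (the container has to be opened and mapped before the root filesystem can be mounted).

```shell
#!/bin/sh
# Added example, not part of the original notes: pre-reboot sanity checks
# for an LVM-on-LUKS mkinitcpio/rEFInd setup. Paths are assumptions.
set -eu

# Print the HOOKS list from a mkinitcpio.conf as space-separated words,
# accepting both HOOKS="a b c" and HOOKS=(a b c); commented lines are ignored
# and the last active definition wins.
hooks_from_conf() {
    sed -n 's/^HOOKS=[("]\{0,1\}\([^)"]*\)[)"]\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# 1-based index of hook $2 in list $1; returns 1 (prints nothing) if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    return 1
}

# before:after pairs that must hold in HOOKS (assumed order, see lead-in):
#   keymap before encrypt   - so a non-US passphrase can be typed
#   block before encrypt    - device nodes must exist before luksOpen
#   encrypt before lvm2     - the PV lives inside the LUKS container
#   lvm2 before filesystems - root must be mapped before it is mounted
ORDER_RULES="keymap:encrypt block:encrypt encrypt:lvm2 lvm2:filesystems"

check_hooks_order() {
    hooks="$(hooks_from_conf "$1")"
    rc=0
    for rule in $ORDER_RULES; do
        a="${rule%%:*}"; b="${rule#*:}"
        ia="$(hook_index "$hooks" "$a")" || { echo "missing hook: $a" >&2; rc=1; continue; }
        ib="$(hook_index "$hooks" "$b")" || { echo "missing hook: $b" >&2; rc=1; continue; }
        if [ "$ia" -ge "$ib" ]; then
            echo "hook order: $a must come before $b" >&2
            rc=1
        fi
    done
    return $rc
}

# Extract the UUID from the first cryptdevice=UUID=<uuid>:<name> option in a
# refind_linux.conf (or any file of kernel command lines).
cryptdevice_uuid() {
    sed -n 's/.*cryptdevice=UUID=\([0-9a-fA-F-]*\):[^ "]*.*/\1/p' "$1" | head -n 1
}

# Compare the UUID named in config $1 with what blkid reports for LUKS
# partition $2 (e.g. /dev/sda2); fails if either is missing or they differ.
check_cryptdevice_matches() {
    want="$(cryptdevice_uuid "$1")"
    have="$(blkid -s UUID -o value "$2")"
    [ -n "$want" ] && [ "$want" = "$have" ]
}
```

Typical use inside the chroot: `check_hooks_order /etc/mkinitcpio.conf && check_cryptdevice_matches /boot/refind_linux.conf /dev/sda2 && echo ok`. Note that blkid reports the UUID of the LUKS header on the raw partition, which is the one cryptdevice= needs; the UUID of the ext4 filesystem inside the volume group is a different value.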

Post-install

For Apple laptops

A few extra settings are required to have a decent mapping on Apple keyboards.

Create /etc/modprobe.d/hid_apple.conf with the following line:

options hid_apple fnmode=2

and add the path of this file to the FILES entry of mkinitcpio.conf.

A basic working system

That is, my basic working system.


Also install the xf86-video-x driver you need.

Footnotes

[1] Yet it is possible to a) boot from external media to a fully encrypted root; or b) boot from a plaintext EFI /boot to an encrypted GRUB. Since encrypting /boot is meant to protect against physical attacks on the boot program, b) does not really protect against anything.