today, i finally got around to trying arch linux with xfce4 on my laptop. and considering how it looks, i will also install it on my desktop computer on the next reinstall. (currently, it still has ubuntu with xfce4 installed. and in case you wonder why i decided to try out a new system on my laptop: i’ve been using linux mint 14 for the last couple of months, and was pretty unhappy both during the install – setting up full disk encryption was somewhat annoying – and finally when i recently tried to install wine, which simply didn’t work.)
i followed the beginner’s guide, which essentially told me what to enter on the console to set up arch linux. (note that arch linux does not come with a graphical installer; you have to type a lot of commands in yourself. apart from that, it actually works like a charm, so if you’re not scared of using the command line, it’s worth a try.)
there’s also an arch wiki entry about encrypting an lvm setup, which is what i was doing and wanted to continue doing – for example, to not start over by copying all my data to the machine again, but to simply re-use the encrypted partition layout set up before. for the way i (and ubuntu) was doing it, that wiki entry pointed to a blog post by simon dittlmann, which explains how to set up one huge encrypted partition containing an lvm (logical volume manager) volume group, including a swap volume. unfortunately, that blog post is somewhat older, and the whole installation procedure of arch linux has changed since, so i had to improvise.
this post is my attempt at up-to-date documentation on how to install arch linux with full disk encryption, covering both how to create such a setup from scratch and how to install arch linux into an already existing one.
beginning installation: creating the encrypted partition.
(in case you already have a working set-up, skip the next steps until the mark.)
follow the steps described in the beginner’s guide and create a small boot partition; this one will not be encrypted. i assume that it will be /dev/sda1. it should be a simple ext3/ext4 partition. (i usually give it 256 or 512 megabytes.) keep in mind what this means: the kernel and the initramfs on /dev/sda1 are stored in the clear, so the full disk encryption set up here protects the confidentiality of your data while the machine is off, but it does not protect the boot chain against someone with physical access modifying it.
then, create another partition (i assume it will be /dev/sda2), which consumes all the left-over space on the hard disk. first, you should clear everything on that partition, preferably with random bits, so that afterwards it is not visible how much of the disk actually holds data. you can for example do:
dd if=/dev/urandom of=/dev/sda2
this will take quite some time, though. alternatively, you can skip this step and instead, after encrypting and unlocking the partition (see below), overwrite the unlocked device /dev/mapper/lvm with zeros from /dev/zero: the zeros are encrypted on their way to the disk, so what ends up on /dev/sda2 looks just as random, and /dev/zero is much faster than /dev/urandom. afterwards, set up encryption on /dev/sda2:
modprobe dm-crypt
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --verify-passphrase luksFormat /dev/sda2
(the modprobe is usually not necessary on the install medium, but it does no harm. the key size of 512 bits is the right one for aes-xts: xts uses two 256-bit keys, so this is aes-256.)
you will have to enter a passphrase (twice), which you will need later on every boot to unlock the disk. (note that you can change the passphrase later as you like; look at the section on passphrase management in an older blog post of mine.)
(mark: skip until here if you already have a working set-up.)
now you can unlock the encrypted disk:
cryptsetup luksOpen /dev/sda2 lvm
the last argument is the name under which the decrypted contents appear, here as /dev/mapper/lvm. you can pick any name; it does not have to match the name used in the boot loader configuration later on. you can check the header you just created with cryptsetup luksDump /dev/sda2, which lists the cipher, the key size and the key slots in use.
setting up the logical volumes.
(skip almost everything of this section if you already have a working set-up. the only things you should not skip are the mounting below and enabling swap with swapon.)
after unlocking the encrypted volume, you have to create a volume group and logical volumes inside it. first, create a physical volume, which will hold the volume group. for that, we use the encrypted partition /dev/sda2, whose decrypted contents can be accessed via /dev/mapper/lvm. do the following:
lvm pvcreate /dev/mapper/lvm
lvm vgcreate vgroup /dev/mapper/lvm
you can replace vgroup with any name you want. i replaced it with the (future) hostname of my laptop. now you can use the following commands to create logical volumes. there should be at least one volume for root (/) and one for swap. i recommend also creating a volume for /home, so that your personal files are separated from the operating system and you can simply wipe out the operating system when you want to install a new one by formatting root, but not home. for such a setting, the commands are as follows:
lvm lvcreate -L 16G -n root vgroup
lvm lvcreate -L 16G -n swap vgroup
lvm lvcreate -l 100%FREE -n home vgroup
(my machine has 16 gigabytes of ram, which is why i created a 16 gigabyte swap volume; that size only matters if you want to hibernate, because the whole memory image is then written to swap. since swap lives inside the encrypted volume group, that image is encrypted as well, which is exactly what you want. also note the lvm size format: a number followed by a single unit letter, such as 16G.)
don’t forget to replace vgroup if you used a different name above. you can also choose different names after -n. the next step is to format the data volumes as in the beginner’s guide:
mkfs.ext4 /dev/mapper/vgroup-root
mkfs.ext4 /dev/mapper/vgroup-home
to set up the swap, proceed as follows:
mkswap /dev/mapper/vgroup-swap
swapon /dev/mapper/vgroup-swap
finally, let us mount the volumes to install arch linux on them:
mount /dev/mapper/vgroup-root /mnt
mkdir -p /mnt/home /mnt/boot
mount /dev/mapper/vgroup-home /mnt/home
mount /dev/sda1 /mnt/boot
(you only need the mkdir if you created a new set-up. if you are re-using an existing set-up and the volumes do not show up under /dev/mapper after luksOpen, activate the volume group first with lvm vgchange -ay vgroup. also, in case you created more logical volumes, you have to adjust the commands above.)
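the whole procedure from wiping the partition to mounting the volumes, as an added example script that is not part of the original post. the device names (/dev/sda1, /dev/sda2), the mapper name lvm, the volume group name vgroup and the sizes are the assumptions from the text and can be overridden through the environment; the file name fde-layout.sh is made up. with DRY_RUN=1, the default, it only prints what it would run, so you can compare the plan with lsblk before doing it for real as root with DRY_RUN=0 ./fde-layout.sh fresh (or existing, for a disk that was encrypted earlier).

```shell
#!/bin/sh
# Added example (not from the original post): the LUKS + LVM layout described
# in the text as one script. All device names, sizes and the volume group name
# are assumptions taken from the post; override them via the environment.
# DRY_RUN=1 (default) prints every command instead of executing it.
set -u

CRYPT_DEV="${CRYPT_DEV:-/dev/sda2}"   # partition that becomes the LUKS container
BOOT_DEV="${BOOT_DEV:-/dev/sda1}"     # unencrypted /boot partition
MAPPER="${MAPPER:-lvm}"               # luksOpen name -> /dev/mapper/$MAPPER
VG="${VG:-vgroup}"                    # LVM volume group name
ROOT_SIZE="${ROOT_SIZE:-16G}"
SWAP_SIZE="${SWAP_SIZE:-16G}"         # only needs to be >= RAM if you hibernate
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Fresh setup only: fill the partition with random data (dd exits non-zero when
# it reaches the end of the device, which is expected), then create the LUKS
# header. cryptsetup prompts for the passphrase twice (--verify-passphrase).
fresh_container() {
    run dd if=/dev/urandom of="$CRYPT_DEV" bs=1M || :
    run cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 \
        --verify-passphrase luksFormat "$CRYPT_DEV"
}

# Unlock the container; the decrypted device appears as /dev/mapper/$MAPPER.
open_container() {
    run cryptsetup luksOpen "$CRYPT_DEV" "$MAPPER"
}

# Faster alternative to the urandom wipe: zeros written through the mapper are
# encrypted on their way to disk. Use this instead of the dd in fresh_container,
# after open_container and before create_volumes.
wipe_via_mapper() {
    run dd if=/dev/zero of="/dev/mapper/$MAPPER" bs=1M || :
}

# Fresh setup only: physical volume, volume group, three logical volumes.
create_volumes() {
    run lvm pvcreate "/dev/mapper/$MAPPER"
    run lvm vgcreate "$VG" "/dev/mapper/$MAPPER"
    run lvm lvcreate -L "$ROOT_SIZE" -n root "$VG"
    run lvm lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    run lvm lvcreate -l 100%FREE -n home "$VG"
    run mkfs.ext4 "/dev/mapper/$VG-root"
    run mkfs.ext4 "/dev/mapper/$VG-home"
    run mkswap "/dev/mapper/$VG-swap"
}

# Existing setup: make sure the volume group inside the container is active.
activate_volumes() {
    run lvm vgchange -ay "$VG"
}

# Both cases: enable swap and mount everything under /mnt for the installer.
mount_volumes() {
    run swapon "/dev/mapper/$VG-swap"
    run mount "/dev/mapper/$VG-root" /mnt
    run mkdir -p /mnt/home /mnt/boot
    run mount "/dev/mapper/$VG-home" /mnt/home
    run mount "$BOOT_DEV" /mnt/boot
}

# Sanity check of the result: lsblk should show sda2 -> crypt -> lvm volumes,
# and luksDump shows cipher, key size and the key slots in use.
show_layout() {
    run lsblk -o NAME,TYPE,FSTYPE,SIZE,MOUNTPOINT
    run cryptsetup luksDump "$CRYPT_DEV"
}

case "${1:-}" in
    fresh)    fresh_container; open_container; create_volumes; mount_volumes; show_layout ;;
    existing) open_container; activate_volumes; mount_volumes; show_layout ;;
    "")       ;;   # no mode given: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 fresh|existing" >&2; exit 2 ;;
esac
```

the run wrapper is the whole point of the script: every destructive command goes through it, so the dry run shows exactly the command lines that would hit the disk, with the variables already substituted.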
continue arch linux installation.
from this point on, you can follow the beginner’s guide to install arch linux. continue until the point of creating an initial ramdisk environment. there, you must edit /etc/mkinitcpio.conf and modify the HOOKS statement from
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
(or something similar) to
HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"
note that you must insert encrypt lvm2 in precisely this order somewhere before filesystems: encrypt unlocks the luks partition, and lvm2 then finds the volume group inside it, both of which must happen before the root file system can be mounted. if you use a usb keyboard, move the keyboard hook in front of encrypt (and put the keymap hook before encrypt as well if you use a non-us keymap); otherwise the keyboard may not be initialized yet when the passphrase prompt appears, and you cannot type anything. afterwards, continue with running mkinitcpio -p linux (or continue editing the config file if necessary).
now you can continue with setting the root password.
the next step where you have to pay attention is the step where you set up the boot loader. i chose grub here. set it (or syslinux) up as described in the beginner’s guide. in the case of syslinux, you have to modify /boot/syslinux/syslinux.cfg, and in the case of grub, you have to modify /boot/grub/grub.cfg. in the case of syslinux, you should have two entries (regular system and fallback) with lines like
APPEND root=/dev/mapper/vgroup-root ro
for syslinux and
linux /vmlinuz-linux root=/dev/mapper/vgroup-root ro quiet
for grub, or something similar. for all such entries, insert cryptdevice=/dev/sda2:vgroup before ro; that is, the entries should look like
APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
for syslinux and
linux /vmlinuz-linux root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro quiet
for grub. the part after the colon is the name the encrypt hook gives the unlocked device (here /dev/mapper/vgroup); the lvm2 hook then activates the volume group inside it, which is why root=/dev/mapper/vgroup-root can be found at all. since device names like /dev/sda2 can change when another disk is attached, it is more robust to refer to the partition by its luks uuid, which blkid /dev/sda2 prints: the encrypt hook accepts cryptdevice=UUID=<that uuid>:vgroup as well.
change (2014/04/13): in case you want to use grub, it is better to proceed as follows. instead of editing grub.cfg by hand (it is overwritten every time grub-mkconfig runs), edit the line GRUB_CMDLINE_LINUX="" in /etc/default/grub and add cryptdevice=/dev/sda2:vgroup between the quotes (use that variable, not GRUB_CMDLINE_LINUX_DEFAULT, which is not applied to the recovery entries). then, run grub-mkconfig -o /boot/grub/grub.cfg as described in the beginner’s guide. this automatically adds the parameter to all entries in grub.cfg. end of change.
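the two configuration edits from this section (the HOOKS line in /etc/mkinitcpio.conf and GRUB_CMDLINE_LINUX in /etc/default/grub), as an added example script that is not part of the original post. the functions are filters on stdin/stdout so you can try them on copies first; the cryptdevice value, the file paths and the usage commands in the comment at the end are assumptions taken from the text. fix_hooks inserts encrypt lvm2 before filesystems and moves keyboard (and keymap, if present) in front of encrypt, check_hooks verifies that order, and add_cryptdevice puts the parameter into GRUB_CMDLINE_LINUX exactly once, so running it twice does no harm.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the HOOKS line of a
# mkinitcpio.conf and the GRUB_CMDLINE_LINUX line of /etc/default/grub so the
# initramfs unlocks the LUKS container and activates LVM before mounting root.
# All functions are filters (stdin -> stdout); the paths below are assumptions.

# Insert "encrypt lvm2" directly before "filesystems" and move "keyboard" (and
# "keymap", if it was there) in front of "encrypt", so that a USB keyboard is
# usable at the passphrase prompt. Other hooks keep their relative order.
fix_hooks() {
    awk '
    /^HOOKS=/ {
        line = $0
        sub(/^HOOKS=/, "", line)
        gsub(/["()]/, "", line)          # accept HOOKS="..." and HOOKS=(...)
        n = split(line, h, /[ \t]+/)
        has_keymap = 0
        for (i = 1; i <= n; i++) if (h[i] == "keymap") has_keymap = 1
        out = ""
        for (i = 1; i <= n; i++) {
            if (h[i] == "" || h[i] == "keyboard" || h[i] == "keymap" ||
                h[i] == "encrypt" || h[i] == "lvm2") continue
            if (h[i] == "filesystems")
                out = out " keyboard" (has_keymap ? " keymap" : "") " encrypt lvm2"
            out = out " " h[i]
        }
        sub(/^ /, "", out)
        print "HOOKS=\"" out "\""
        next
    }
    { print }'
}

# Exit 0 only if HOOKS lists keyboard, encrypt, lvm2, filesystems in that order.
check_hooks() {
    awk '
    /^HOOKS=/ {
        line = $0
        sub(/^HOOKS=/, "", line)
        gsub(/["()]/, "", line)
        n = split(line, h, /[ \t]+/)
        for (i = 1; i <= n; i++) pos[h[i]] = i
        ok = ("keyboard" in pos) && ("encrypt" in pos) &&
             ("lvm2" in pos) && ("filesystems" in pos) &&
             pos["keyboard"] < pos["encrypt"] &&
             pos["encrypt"] < pos["lvm2"] &&
             pos["lvm2"] < pos["filesystems"]
        found = 1
        exit
    }
    END { exit ((found && ok) ? 0 : 1) }'
}

# Add the cryptdevice= parameter ($1) to GRUB_CMDLINE_LINUX, which grub-mkconfig
# applies to every generated entry, unless one is already present.
add_cryptdevice() {
    awk -v cd="$1" '
    /^GRUB_CMDLINE_LINUX=/ {
        if ($0 ~ /cryptdevice=/) { print; next }
        val = $0
        sub(/^GRUB_CMDLINE_LINUX="?/, "", val)
        sub(/"$/, "", val)
        print "GRUB_CMDLINE_LINUX=\"" (val == "" ? cd : val " " cd) "\""
        next
    }
    { print }'
}

# Usage (as root inside the installed system, paths as assumed in the post):
#   fix_hooks < /etc/mkinitcpio.conf > /tmp/mkinitcpio.conf
#   check_hooks < /tmp/mkinitcpio.conf && cp /tmp/mkinitcpio.conf /etc/mkinitcpio.conf
#   mkinitcpio -p linux
#   uuid=$(blkid -s UUID -o value /dev/sda2)
#   add_cryptdevice "cryptdevice=UUID=$uuid:vgroup" < /etc/default/grub > /tmp/grub
#   cp /tmp/grub /etc/default/grub && grub-mkconfig -o /boot/grub/grub.cfg
```

check_hooks is the part worth keeping around: a HOOKS line that merely contains the right words in the wrong order still builds an initramfs without complaint, and you only find out at the next boot when the root device cannot be found.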
afterwards, continue with the beginner’s guide. after the next reboot, you should be asked for a passphrase to unlock the volumes. after entering it correctly, the system should boot up as normal. to convince yourself that everything really lives on the encrypted volume, run lsblk on the booted system: /dev/sda2 should show a crypt device below it, and root, home and swap should all be lvm volumes below that crypt device, with /dev/sda1 mounted at /boot as the only plaintext partition.