Forked from HardenedArray/Efficient Encrypted UEFI-Booting Arch Installation
Created
March 21, 2017 16:49
-
-
Save marceloperini/cab0b7f96e749c24f4ba7f9c79df5629 to your computer and use it in GitHub Desktop.
Revisions
-
HardenedArray revised this gist
Feb 3, 2017 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -117,7 +117,7 @@ echo MyHostName > /etc/hostname # If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings: a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8 b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8 # Now run: -
Feb 3, 2017 . 1 changed file with 9 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -221,11 +221,19 @@ mount /dev/sda17 /mnt/boot mkdir /mnt/boot/efi mount /dev/sda2 /mnt/boot/efi In this example, the user is likely to be using /dev/sda18 as the physical drive partition where their encrpyted Arch root and swap filesystems will reside. Note the user's re-use of their existing EFI partition which resides at /dev/sda2. Adapt, as necessary, for your drive's partition structure. Following successful Arch system installation, the path to your Arch-EFI boot file should be: /boot/efi/EFI/ArchLinux/grubx64.efi When you are multi-OS booting correctly, you should have one directory per operating system, each residing at: /boot/efi/EFI/ __________________________ BitLocker Users on Windows Notes: -
Feb 2, 2017 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -212,7 +212,7 @@ If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2. In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation. As an example, an EFI-addicted, multi-OS booter might be doing something like: mount /dev/mapper/Arch-root /mnt swapon /dev/mapper/Arch-swap -
Feb 1, 2017 . 1 changed file with 5 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -88,6 +88,7 @@ mkdir /mnt/boot/efi mount /dev/sdXX /mnt/boot/efi # Install your Arch system # This command provides a decent set of basic system programs which will also support WiFi when initially booting # into your Arch system. @@ -221,6 +222,10 @@ mkdir /mnt/boot/efi mount /dev/sda2 /mnt/boot/efi Adapt, as necessary, for your drive's partition layout. Following successful Arch system installation, the path to your Arch-EFI boot file should be: /boot/efi/EFI/ArchLinux/grubx64.efi __________________________ BitLocker Users on Windows Notes: -
Feb 1, 2017 . 1 changed file with 20 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -23,6 +23,7 @@ Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC dd if=archlinux-*.iso of=/dev/sdX bs=16M && sync # If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode. # Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding. # UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration. @@ -174,8 +175,9 @@ swapoff -a # Reboot and Enjoy Your Encrypted Arch Linux System! reboot __________________________ One Post-Install Recommendation To Optimize the Speed of All Your Future Installs - Rank Your Mirrors, First! It's a very simple procedure, and will save you a lot of downloading time over your Arch lifetime, particulary if you are planning on doing any mass-installs, like gnome, gnome-extra, or similar. @@ -188,9 +190,9 @@ rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist That will test all the mirrors and grab the six fastest from your location. It takes a while to complete, so go grab a cup of java. Upon your return, you'll be ready to put pacman to serious work, as it was intended: Crazy Fast! Cheers, and now it's time to Go Rock Your Arch! HardenedArray @@ -207,7 +209,19 @@ My Arch Linux install is just another encrypted Linux OS installation that happe If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition. If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2. In all cases, /boot, /boot/efi, and '/' partitions, at a minimum, are required to be mounted during Arch installation. As an example, an EFI-addicted, multi-OS booter might be doing somthing like: mount /dev/mapper/Arch-root /mnt swapon /dev/mapper/Arch-swap mkdir /mnt/boot mount /dev/sda17 /mnt/boot mkdir /mnt/boot/efi mount /dev/sda2 /mnt/boot/efi Adapt, as necessary, for your drive's partition layout. __________________________ BitLocker Users on Windows Notes: @@ -224,3 +238,5 @@ Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2 Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds. You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly. __________________________ -
Feb 1, 2017 . 1 changed file with 10 additions and 6 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -43,8 +43,10 @@ gdisk /dev/sdX Partition X = 100 MiB EFI partition # Hex code EF00 Partition Y = 250 MiB Boot partition # Hex code 8300 Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the last sector of your drive. # Hex code 8300. # Review your partitions with 'p'. # Write your gdisk changes with 'w'. # Reboot, if necessary, so the kernel reads your new partition structure. @@ -85,7 +87,8 @@ mkdir /mnt/boot/efi mount /dev/sdXX /mnt/boot/efi # Install your Arch system # This command provides a decent set of basic system programs which will also support WiFi when initially booting # into your Arch system. pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant @@ -142,7 +145,8 @@ mkinitcpio -p linux # Install and configure Grub-EFI # The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are # installing dedicated Arch, or multi-OS booting, is: grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux @@ -173,8 +177,8 @@ reboot One Post-Install Recommendation To Speed Up All Your Future Installs - Rank Your Mirrors, First! It's a very simple procedure, and will save you a lot of downloading time over your Arch lifetime, particulary if you are planning on doing any mass-installs, like gnome, gnome-extra, or similar. As root, run: @@ -184,7 +188,7 @@ rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist That will test all the mirrors and grab the six fastest from your location. It takes a while to complete, so go grab a cup of java. Upon your return, you'll be ready to put pacman to work as it was intended: Crazy Fast! Cheers, -
Feb 1, 2017 . No changes.There are no files selected for viewing
-
Feb 1, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,222 @@ # OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI. # Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system. # The official Arch installation guide contains details that you should refer to during this installation process. # That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide # Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature. # Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example: $ gpg --verify archlinux-2017.01.01-dual.iso.sig gpg: assuming signed data in 'archlinux-2017.01.01-dual.iso' gpg: Signature made Sun 01 Jan 2017 04:06:24 PM UTC gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC gpg: Good signature from "Pierre Schmitz <[email protected]>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC # Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like: dd if=archlinux-*.iso of=/dev/sdX bs=16M && sync # If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode. # UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration. # Set your keymap only if not you are not using the default English language. # It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs. # Connect to WiFi using: wifi-menu # Create and size partitions appropriate to your goals using gdisk # Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a new EFI partition. # Instead, we will append Arch as another OS to your existing EFI partition. See my Multi-OS-Booting Notes, below. gdisk /dev/sdX # Create the partitions you need: Partition X = 100 MiB EFI partition # Hex code EF00 Partition Y = 250 MiB Boot partition # Hex code 8300 Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the last sector of your drive. # Hex code 8300. # Write your gdisk changes with 'w'. # Reboot, if necessary, so the kernel reads your new partition structure. # Create filesystems for /boot/efi and /boot mkfs.vfat -F 32 /dev/sdXX mkfs.ext2 /dev/sdXY # Encrypt and open your system partition cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ cryptsetup luksOpen /dev/sdXZ 2016-Global-OpSec-Champion-LyingHillary # (or use any word or phrase you're fond of) # Create encrypted LVM partitions # These steps create a required root partition and an optional partition for swap. # Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions. # The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below! pvcreate /dev/mapper/2016-Global-OpSec-Champion-LyingHillary vgcreate Arch /dev/mapper/2016-Global-OpSec-Champion-LyingHillary lvcreate -L +512M Arch -n swap lvcreate -l +100%FREE Arch -n root # Create filesystems on your encrypted partitions mkfs.ext4 /dev/mapper/Arch-root mkswap /dev/mapper/Arch-swap # Mount the new system mount /dev/mapper/Arch-root /mnt swapon /dev/mapper/Arch-swap mkdir /mnt/boot mount /dev/sdXY /mnt/boot mkdir /mnt/boot/efi mount /dev/sdXX /mnt/boot/efi # Install your Arch system # This command provides a decent set of basic system programs which will also support WiFi when initially booting into your Arch system. pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant # Create and review FSTAB genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems. nano /mnt/etc/fstab # Check your fstab carefully, and modify it, if required. # Enter the new system arch-chroot /mnt /bin/bash # Set the system clock ln -s /usr/share/zoneinfo/UTC /etc/localtime hwclock --systohc --utc # Assign your hostname echo MyHostName > /etc/hostname # Set or update your locale # If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings: a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8 b. In /etc/locale.conf, you should **only** have this line: **LANG=en_US.UTF-8** # Now run: locale-gen # Set your root password passwd # Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group. useradd -m -G wheel -s /bin/bash MyUserName passwd MyUserName # Configure mkinitcpio with the correct HOOKS required for your initrd image nano /etc/mkinitcpio.conf # Use this HOOKS statement: HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck" # Generate your initrd image mkinitcpio -p linux # Install and configure Grub-EFI # The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are installing dedicated # Arch, or multi-OS booting, is: grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux # Edit /etc/default/grub so it includes a statement like this: # GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName" # Maintaining consistency with the examples provided above, you would use something like: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap" # Generate Your Final Grub Configuration: grub-mkconfig -o /boot/grub/grub.cfg # Exit Your New Arch System exit # Unmount all partitions umount -R /mnt swapoff -a # Reboot and Enjoy Your Encrypted Arch Linux System! reboot One Post-Install Recommendation To Speed Up All Your Future Installs - Rank Your Mirrors, First! It's a simple procedure, and will save you a lot of downloading time, particulary if you are planning on doing any mass-installs, like gnome, gnome-extra, or similar. As root, run: cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist That will test all the mirrors and grab the six fastest from your location. It takes a while to complete, so go grab a cup of java. Upon your return, you'll be ready to use pacman as it was intended, crazy-fast! Cheers, HardenedArray __________________________ Multi-OS-Booting Notes: I UEFI boot and run more than five operating systems from my SSD. All of my OSes UEFI boot from my single, 100 MiB, EFI partition. All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest. My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD. If you multi-boot, ensure you mount Arch's /boot/efi at your existing ESP partition. If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2. In all cases, /boot, /boot/efi, and '/' partitions are required to be mounted during Arch installation. BitLocker Users on Windows Notes: If you are running hardware-based BitLocker encryption on Windows, I recommend you Turn Off BitLocker encryption prior to installing Arch, or any other operating system. As I don't use software-based BitLocker, I cannot say whether leaving it enabled during Arch installation will cause problems. Obviously, if you experience issues, you could turn BitLocker off temporarily. You can tell if you are using AES-256 bit hardware-based BitLocker encryption when you run: PS C:\WINDOWS\system32> manage-bde -status You see this line: Encryption Method: Hardware Encryption - 1.3.111.2.1619.0.1.2 Also note that hardware-based BitLocker can either encrypt, or decrypt, a multi-hundred GiB drive in less than 3 seconds. You can re-enable BitLocker after your new encrypted Arch system is UEFI booting correctly and running smoothly.