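# Install a fully encrypted ArchLinux on NVMe with detached LUKS
# headers and LUKS encrypted UEFI boot partition on a USB dongle.
#
# Full tutorial can be found here:
# https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/
#
# Written by Gerke Max Preussner
#
# NOTE: this file is a step-by-step walkthrough, not a script to run in one go.
# Several steps are interactive (cgdisk, nano, visudo), 'arch-chroot /mnt'
# switches shells midway and 'reboot' ends the first stage; everything from
# "Secure Boot" on is run as the new user on the installed system. Work through
# it section by section and adapt device names, user name and locale first.

# Overview ############################################################

# Fully encrypted system drive with Btrfs file system
# Encrypted kernel, ramdisk images and bootloader configuration
# Two-factor authentication via detached LUKS header on USB dongle
# Encrypted swap space
# Secure boot enabled

# Prerequisites #######################################################

# Two USB sticks: one for the installer, one that will become the boot dongle
# Download and install the ArchLinux ISO on a USB stick (https://wiki.archlinux.org/index.php/Category:Getting_and_installing_Arch)
# If you have only one stick available, consider Archboot (https://wiki.archlinux.org/index.php/archboot)
# On Windows you can use Rufus to install the ISO (https://rufus.akeo.ie/)
# You can also boot from external CD/DVD or via Netboot

# Booting the Installer from USB ######################################

# 1. Power off laptop
# 2. Push a pin into the small hole next to power button
# 3. Select "BIOS Setup"
# 4. Navigate to "Security" page
# 5. Toggle "Secure Boot" option to "Disabled"
# 6. Save changes and exit BIOS Setup
# 7. Hold power button for 5 sec to turn off laptop
# 8. Insert ArchLinux USB installer
# 9. Push a pin into the small hole next to power button
# 10. Select "Boot Menu"
# 11. Select USB device to boot from
# 12. Wait for ArchLinux installer to boot up
# 13. Insert second USB stick

# set a bigger font
setfont sun12x22

# verify that installer is /dev/sda and dongle is /dev/sdb
# (every /dev/sdb* and /dev/nvme0n1 reference below assumes this layout and
# the system drive gets wiped later, so double-check before going on)
lsblk

# Wireless Network Setup ##############################################

# make sure wireless adapter is detected (i.e. wlp107s0)
iw dev

# unblock and enable wireless interface
rfkill unblock all
ip link set wlp107s0 up

# optional: scan for wireless networks if needed
iw dev wlp107s0 scan | less

# connect to wireless network YourSSID with password YourKey
# (the passphrase is given on the command line, so it lands in the shell
# history of the live session; acceptable on a throw-away installer)
wpa_supplicant -i wlp107s0 -c <(wpa_passphrase "YourSSID" "YourKey") -B

# start DHCP client daemon to receive IP address
dhcpcd wlp107s0

# Verify Network Connectivity #########################################

# ping internet (Ctrl+C to exit)
ping archlinux.org

# synchronize clock
timedatectl set-ntp true

# Preparing the USB Dongle ############################################

# create three partitions on USB dongle
cgdisk /dev/sdb
#   Size: 100M, Hex Code: ef00, Name: ESP
#   Size: 512M, Hex Code: default (8300), Name: Boot
#   Size: default (remaining space), Hex Code: default (8300), Name: Storage
#
#   Select "Write" and "Quit" when done

# format ESP
mkfs.fat -F32 /dev/sdb1

# create encrypted container for /boot
# GRUB has to unlock this container by itself (GRUB_ENABLE_CRYPTODISK=y
# below) and its LUKS2 support is limited (no Argon2 in upstream GRUB), so
# LUKS1 is the safe format for a GRUB-unlocked /boot
cryptsetup luksFormat --type luks1 /dev/sdb2
cryptsetup open /dev/sdb2 cryptboot

# create and mount boot filesystem
mkfs.ext2 /dev/mapper/cryptboot
mount /dev/mapper/cryptboot /mnt

# optional: format storage partition
mkfs.fat -F32 /dev/sdb3

# Preparing the System Drive ##########################################

# Backup existing files or partitions if needed
# WARNING: the following command will discard all data on the SSD!
blkdiscard /dev/nvme0n1

# Encrypting the System Drive #########################################

# create and open encrypted container with detached LUKS header
# the header is stored on the dongle's encrypted boot partition (mounted at
# /mnt right now, /boot later), so the NVMe drive carries no LUKS metadata
# NOTE(review): 2M is sized for a LUKS1 header; a LUKS2 header is larger by
# default, so either grow the file or add --type luks1 — confirm against
# your cryptsetup version
truncate -s 2M /mnt/luksheader
cryptsetup luksFormat /dev/nvme0n1 --align-payload 4096 --header /mnt/luksheader
cryptsetup open --type luks --header /mnt/luksheader /dev/nvme0n1 cryptroot

# verify container was opened and mapped (/dev/mapper/cryptboot, /dev/mapper/cryptroot)
fdisk -l

# unmount boot partition
umount /mnt

# create LVM volume group on the encrypted container
pvcreate /dev/mapper/cryptroot
vgcreate System /dev/mapper/cryptroot

# create logical volumes
lvcreate -L 8G System -n swap
lvcreate -l 100%FREE System -n root

# format logical volumes
mkswap /dev/mapper/System-swap
swapon -d /dev/mapper/System-swap
mkfs.btrfs /dev/mapper/System-root
mount /dev/mapper/System-root /mnt

# Root File System Setup ##############################################

# create Btrfs subvolumes
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots

# unmount system partition
umount /mnt

# mount Btrfs subvolumes (same option set for every subvolume)
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@ /dev/mapper/System-root /mnt
mkdir /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@home /dev/mapper/System-root /mnt/home
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /mnt/.snapshots

# create nested subvolumes for special folders
mkdir -p /mnt/var/cache/pacman
btrfs subvolume create /mnt/var/cache/pacman/pkg
btrfs subvolume create /mnt/var/log
btrfs subvolume create /mnt/var/tmp

# mount /boot and ESP into root
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdb1 /mnt/boot/efi

# ArchLinux Installation ##############################################

# optional: select your preferred package server
nano /etc/pacman.d/mirrorlist

# install base packages
pacstrap /mnt base btrfs-progs efibootmgr grub-efi-x86_64 intel-ucode

# generate fstab
genfstab -Up /mnt >> /mnt/etc/fstab

# optional: add ramdisk tmp
#
#   add the line:
#   tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
#
#   Ctrl+X and 'y' and 'Enter' to save and exit nano
nano /mnt/etc/fstab

# verify fstab; it should look roughly like this
cat /mnt/etc/fstab
#   UUID=... / btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=257,subvol=/@,subvol=@ 0 0
#   UUID=... /home btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=258,subvol=/@home,subvol=@home 0 0
#   UUID=... /.snapshots btrfs rw,noatime,nodiratime,compress=lzo,ssd,discard,space_cache,subvolid=259,subvol=/@snapshots,subvol=@snapshots 0 0
#   UUID=... none swap defaults 0 0
#   UUID=... /boot ext2 noauto,rw,relatime,block_validity,barrier,user_xattr,acl 0 2
#   UUID=... /boot/efi vfat noauto,rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2
#   tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

# add boot partition to crypttab (replace with UUID from 'blkid /dev/sdb2')
# (/dev/sdb2 is the LUKS container holding /boot on the dongle, not the
# installer stick)
nano /mnt/etc/crypttab
#   cryptboot UUID= none noauto,luks

# change into installation root
arch-chroot /mnt

# Initial Ramdisk Configuration #######################################

# make copies of 'encrypt' hook files
# (/lib is a symlink to /usr/lib on Arch; the canonical path is used for both)
cp /usr/lib/initcpio/hooks/encrypt{,2}
cp /usr/lib/initcpio/install/encrypt{,2}

# add detached LUKS header support to 'encrypt2' hook
nano /usr/lib/initcpio/hooks/encrypt2
# make the following modifications (lines marked >>> are new):
#   ...
#   warn_deprecated() {
#       echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
#       echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
#   }
#
#>>> local headerFlag=false
#   for cryptopt in ${cryptoptions//,/ }; do
#       case ${cryptopt} in
#           allow-discards)
#               cryptargs="${cryptargs} --allow-discards"
#               ;;
#>>>         header)
#>>>             cryptargs="${cryptargs} --header /boot/luksheader"
#>>>             headerFlag=true
#>>>             ;;
#           *)
#               echo "Encryption option '${cryptopt}' not known, ignoring." >&2
#               ;;
#       esac
#   done
#
#   if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
#>>>     if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
#           [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
#           dopassphrase=1

# add modules, binaries, files and hooks to mkinitcpio.conf
# FILES= embeds the detached header into the initramfs (which itself lives on
# the encrypted /boot); that is the /boot/luksheader the 'encrypt2' hook opens
nano /etc/mkinitcpio.conf
#   ...
#   MODULES=(btrfs i915 loop)
#   ...
#   BINARIES=(/usr/bin/btrfs)
#   ...
#   FILES=(/boot/luksheader)
#   ...
#   HOOKS=(base ... keyboard keymap ... block ... encrypt2 lvm2 ... filesystems ...)

# generate initial ramdisk image
mkinitcpio -p linux

# Bootloader Installation #############################################

# get NVMe device identifier (remember as YourDiskId)
ls -l /dev/disk/by-id | grep nvme0n1

# change Grub defaults (replace YourDiskId)
# 'header' in cryptdevice= is the custom option parsed by the 'encrypt2' hook
nano /etc/default/grub
#   GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/YourDiskId:cryptroot:allow-discards,header"
#   GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"
#   GRUB_ENABLE_CRYPTODISK=y
#   GRUB_GFXMODE=1024x768x32

# configure and install Grub
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="grub"

# System Configuration ################################################

# set time zone and configure hardware clock
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc

# uncomment desired localizations
nano /etc/locale.gen

# generate localization settings
locale-gen
echo LANGUAGE=en_US >> /etc/locale.conf
echo LANG=en_US.UTF-8 >> /etc/locale.conf

# set host name
echo myyoga920 > /etc/hostname
nano /etc/hosts
#   add the following line:
#   ...
#   127.0.0.1 myyoga920.localdomain myyoga920
#   # End of file

# update packages, install wireless & bash completion
pacman -Syu iw wpa_supplicant bash-completion

# add new user account
useradd -m -g users -G wheel,storage,power -s /bin/bash your_new_user_name
passwd your_new_user_name

# install and enable sudo
pacman -S sudo
EDITOR=nano visudo
#   uncomment the following line:
#   %wheel ALL=(ALL) ALL

# disable root account
# (the wheel user above is the only way in from now on; check that sudo works
# for it before locking root)
passwd -l root

# reboot
exit
umount -R /mnt
swapoff -a
reboot

# Secure Boot #########################################################

# (from here on you are logged in as the new user on the installed system)

# 1. Enter a strong Administrator Password in BIOS Setup
# 2. Perform 'Reset to Setup Mode' in BIOS Setup

# install git client
sudo pacman -S base-devel git

# clone, build and install cryptboot
# --skipchecksums turns off makepkg's source integrity verification; this tool
# generates and enrolls your Secure Boot keys, so review the PKGBUILD and the
# checked-out sources before building
git clone https://github.com/xmikos/cryptboot
cd cryptboot
makepkg -si --skipchecksums

# mount boot partition, and create & enroll UEFI keys
sudo cryptboot mount
sudo cryptboot-efikeys create
sudo cryptboot-efikeys enroll
sudo cryptboot update-grub
sudo cryptboot umount
sudo shutdown -P now

# 3. Enable Secure Boot in BIOS Setup

# Post-install steps ##################################################

# install, configure and enable Snapper
sudo pacman -S snapper
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
# remount with the same options used for the other subvolumes above
# (the Btrfs option is 'compress=', not 'compression=')
sudo mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/System-root /.snapshots
sudo systemctl start snapper-timeline.timer

# install & configure Gnome
sudo pacman -S gnome
sudo localectl set-locale LANG=en_US.UTF-8
# the append has to happen as root as well: 'sudo echo ... >> file' opens the
# file as the unprivileged user and fails on /etc/locale.conf
echo LC_ALL= | sudo tee -a /etc/locale.conf >/dev/null

# install & enable NetworkManager
sudo pacman -S networkmanager
sudo systemctl enable --now NetworkManager.service
sudo nano /etc/NetworkManager/NetworkManager.conf
#   [ifupdown]
#   managed=true

# install & enable power management
sudo pacman -S tlp x86_energy_perf_policy
sudo systemctl enable tlp.service
sudo systemctl enable tlp-sleep.service
sudo pacman -S tlp-rdw
sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket

# fire up Gnome Desktop Manager
sudo systemctl enable --now gdm.service

# Yoga Specifics ######################################################

# blacklist ideapad_laptop module
sudo nano /etc/modprobe.d/blacklist.conf
#   install ideapad_laptop /bin/false

# enable bluetooth
sudo systemctl enable --now bluetooth.service

# End #################################################################

# For instructions on how to resume a previous installation, disable TRIM,
# auto-mount boot and auto-unlock root partitions, please see the full article at:
# https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/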