Installing Arch Linux: LVM on top of an encrypted partition [[UPDATED]]

Years back, I was using Arch Linux on my notebook but gave up at some point after upgrading Arch Linux made my notebook unbootable. After some distro hoppings, I settled down with Debian Linux and it has been my friend since then. But now, out of a whim, I decided to give another try on Arch.

I'll be installing Arch Linux on the same notebook and I wanted the encryption on a disk/partition like before. I looked around some options from the Arch Linux Wiki. I read up on LVM on LUKS, LUKS on LVM, and Plain dm-crypt and decided to go with LVM on LUKS again. One of benefits for LUKS on LVM is that it can have encrypted volumes span multiple disks. It's nice but I don't need it since there is only one disk for the notebook. Plain dm-crypt can encrypt an entire disk and this is nice and ideal but having a USB flash memory around is a bit overkill for me. So, I'll stick with LVM on LUKS again.

I then followed my old post, Installing Arch Linux: LVM on top of an encrypted partition. What do you know? The information on that page was not wrong but was a bit confusing or hard to follow (not to mention about the number of typos. Sheesh!). So, I decided to re-do the whole steps, including the base installation of Arch Linux on LVM. Most of the information here will be duplicates from old one but please bare with me.

Information below is gathered mostly from the Arch Linux Wiki page and changed here and there for my liking. This information below is solely used for my purpose and may not be suitable for others.

Erasure of the Hard Disk:

Information (data) on a Hard Drive is written in chunk here and there. Re-partitioning or reformatting a disk does not really removes (erase) the data. It merely remove the system structure that used to identify where the original data was located. This leaves the actual data on a disk.

To securely erase a disk, you could either:

  • Fill with zeros
  • Fill with random bits

Both methods overwrite data on a disk but the first one fill with zero's leaving easily (to some extent) identify where the encrypted data ends. So, I follow the second method. # dd if=/dev/urandom of=/dev/<drive> bs=1M Just to be warned, this takes a long, long time.

Partitioning a Disk:

There is a way to encrypt the /boot partition with GRUB (for details, see Pavel Kogan's blog), but for simplicity, I'll stick with having the /boot partition separated from the encryption and LVM. # fdisk /dev/sda

Partition Layout:
/dev/sda1 -> /boot (bootable) - 300MB should be enough.
/dev/sda2 -> LVM (8e) - the rest of the disk

Configuring LUKS:

cryptsetup is used to interface with LUKS for formatting, mounting and unmounting encrypted partition.

First make sure the device mapper kernel module is installed: # modprobe dm-mod

Then format it as an encrypted LUKS partition: # cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/sda2

  • --cipher: defines the cipher type
  • --key-size: defines the key size
  • --hash sha512: hash algorithm used for key derivation.

It looks like AES cipher in XTS mode (XTS-AES) is most popular these days.

Unlocking/Mapping LUKS partition with the Device Mapper:

To access the encrypted volume, It needs to be unlocked. # cryptsetup open --type luks /dev/sda2 lvm


Create a physical volume (encrypted volume) and a group volume. # lvm pvcreate /dev/mapper/lvm # lvm vgcreate lvmvg /dev/mapper/lvm

Create logical volumes on this new volume group. # lvm lvcreate -L 10G -n root lvmvg # lvm lvcreate -L 500M -n swap lvmvg # lvm lvcreate -l 100%FREE -n home lvmvg

Format the filesystems on each logical volume. # mkfs.ext4 /dev/mapper/lvmvg-root # mkfs.ext4 /dev/mapper/lvmvg-home # mkswap /dev/mapper/lvmvg-swap

Mount the filesystems. # mount /dev/mapper/lvmvg-root /mnt # mkdir /mnt/home # mount /dev/mapper/lvmvg-home /mnt/home # swapon /dev/mapper/lvmvg-swap

Prepare the boot partition. # mkfs.ext2 /dev/sda1 # mkdir /mnt/boot # mount /dev/sda1 /mnt/boot

Configure Wireless Network:

Network connection needs to be configured before the installation can take a place. Since my notebook uses WiFi, I need to configure wireless network.

Check for the network interface and whether udev has loaded the driver. # iwconfig -------------------- eth0 no wireless extensions. lo no wireless extensions. wlan0 IEE 802.11bgn ESSID:off/any Mode:Managed Access Point: Not-Associated Tx-Power=14 dBm Retry long limit:7 RTS thr:off Fragment thr:off Encryption key:off Power Management:on

It looks like wlan0 is available.

Interface activation:

Not required for mine but here is how to activate # ip link set wlan0 up

Access point discovery:

I know my network information like ESSID, Encryption key, etc..., but here is how to list available access points # iwlist wlan0 scan | less

Or, for the new netlink interface # iw dev wlan0 scan | less

Association to the access point

Now a configuration file, /etc/wpa_supplicant.conf, needs to be created for my access point. # vi /etc/wpa_supplicant.conf -------------------- ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel eapol_version=1 ap_scan=1 fast_reauth=1

These options are explained in /etc/wpa_supplicant/wpa_supplicant.conf

Append the passphrase and PSK to the file # wpa_passphrase SSID_NAME "PASSPHRASE" >> /etc/wpa_supplicant.conf

Manual connection:

The WiFi interface should be up by the earlier command ip link set wlan0 up, so now tell wpa_supplicant the driver (wext - Linux Wireless EXTensions), the SSID specified in /etc/wpa_supplicant.conf and the wireless interface. # wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf

  • -B : Run in the background
  • -D : Driver information. Default is WEXT
  • -i : Wireless interface
  • -c : Configuration file

Request an IP address to DHCP server. # dhcpcd wlan0

Check assigned IP address. # ip addr show wlan0 wlan0: mtu 1500 qdisc mq state UP qlen 1000 link/ether 00:00:00:00:00:00: brb ff:ff:ff:ff:ff:ff inet brb scope global wlan0 inet6 fe80::ffff:ffff:ffff:ffff/64 scope link valid_lft forever preferred_lft forever

Select installation mirror:

Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it's worth getting it right.

Install the base system and other package groups:

The base system is installed using the pacstrap script. pacstrap is a script that installs packages to the specified new root directory. If no packages are given, pacstrap defaults to the "base" group.

Required X Window Systems packages for openbox will be installed in post-installation configuration.

The system uses wireless network, so install the required wireless network packages. # pacstrap /mnt base base-devel wireless_tools wpa_supplicant wpa_actiond


Let's configure the primary configuration files.

Generate an fstab file:

The fstab file contains static filesystem information. It defines how storage devices and partitions are to be mounted and integrated into the overall system. It is read by the mount command to determine which options to use when mounting a specific device or partition.

Check the resulting file afterwards, especially watch for the swap entry. # genfstab -p /mnt >> /mnt/etc/fstab # vi /mnt/etc/fstab -------------------- ... /dev/mapper/lvm-swap none swap defaults 0 0

Chroot into the system (Change root into the new system):

# arch-chroot /mnt

Editing /etc/rc.conf:

/etc/rc.conf is the configuration file for Arch's initscripts. Some of options in this file has been obsolete and they now have own configuration files (ex: hostname, etc...). /etc/rc.conf still configures daemons to start during boot-up and some networking and storage information.

Since LVM is used on this system, I need to enable it so that the kernel knows about it.

# vi /etc/rc.conf -------------------- USELVM="yes"


Configuring hostname requires updating two files, /etc/hostname and /etc/hosts

Add hostname in /etc/hostname # cat > /etc/hostname archy64 ^D

Add hostname in /etc/hosts # vi /etc/hosts -------------------- localhost.localdomain localhost archy64 ::1 localhost.localdomain localhost archy64

Console fonts and keymap:

The console, meaning a terminal running with no X Window System, uses the ASCII character set as the default.

A console font is limited to either 256 or 512 characters. The fonts are found in /usr/share/kbd/consolefonts/.

Keymaps, the connection between the key pressed and the character used by the computer, are found in the subdirectories of /usr/share/kbd/keymaps/ # cat > /etc/vconsole.conf KEYMAP=us FONT= FONT_MAP= ^D

  • KEYMAP - the default (us) is ok
  • FONT - the default (blank) is ok
  • FONT_MAP - the default (blank) is ok


Available time zones and subzones can be found in the /usr/share/zoneinfo/<Zone>/<SubZone> directories.

Create a symlink /etc/localtime to zone file. # ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime


Choose the locale(s) from /etc/locale.gen and uncomment them. # vi /etc/locale.gen -------------------- en_US.UTF-8 UTF-8 -------------------- # locale-gen

Setting up system-wide locale:

# cat > /etc/locale.conf LANG=en_US.UTF-8 LC_TIME=en_US.UTF-8 ^D

Set the LANG variable for the ramdisk creation # export LANG=en_US.UTF-8

Hardware clock time:

It's recommended to use UTC. # hwclock --systohc --utc

Create an initial ramdisk environment:

Configure /etc/mkinitcpio.conf for encryption and LVM by adding encrypt lvm2 (in this order) in the HOOKS section before filesystems so that the kernel will find LVM volumes at boot time. # vi /etc/mkinitcpio.conf -------------------- HOOKS="...encrypt lvm2 filesystems..."

Now generate the kernel image. # cd /boot # mkinitcpio -p linux

Install and configure a bootloader:

# pacman -S grub-bios os-prober # grub-install --recheck /dev/sda

Create a grub configuration file. # grub-mkconfig --output /boot/grub/grub.cfg


Add cryptdevice=/dev/sda2:lvmvg between root=... and ro in the line starts with linx. This needs to be done for "Arch Linux" and "Arch Linux Fallback". # vi /boot/grub/grub.cfg -------------------- linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet

Root password:

Set the root password now. # passwd


Exit from chroot, unmount the partitions, close the device and reboot. # exit # umount -R /mnt/boot # umount -R /mnt # cryptsetup close lvm # reboot

After rebooting, it should ask you for a passphrase like below:


Updating the system:

Sync, refresh, and upgrade the entire new system. # pacman -Syu (or pacman --sync --refresh --sysupgrade)

Pacman will now download a fresh copy of the master package list from the server(s) defined in /etc/pacman.conf and perform all available upgrades.

Note: If you get following errors after executing above statement, it most likely you don't have dhcpcd is not running or your network setting is not correct.

error: failed retrieving file '...' from ... : Could not resolve host: ...

Pacman output is saved in /var/log/pacman.log

Adding a user:

Now add a normal user account for daily tasks # useradd -m -g users -G audio,games,log,lp,optical,power,scanner,storage,video,wheel -s /bin/bash ubyt3m3

Set a password for ubyt3m3 # passwd ubyt3m3

X Window System:

The X Window System (commonly X11, or X) is a networking and display protocol which provides windowing on bitmap displays. It provides the standard toolkit and protocol to build graphical user interfaces (GUIs).

Before installing the X11, try to see what kind of video card you have # lspci | grep -e VGA -e 3D

Then install the base Xorg packages using pacman. # pacman -S xorg-server xorg-xinit xorg-server-utils

During the installation, it'll ask you for the type of libgl. Use below information based on the type of video card you have (returned value from the lspci command above), choose a proper driver.

xf86-video-amdgpu ... mesa-libgl
xf86-video-ati ... mesa-libgl
catalyst ... catalyst-libgl

xf86-video-intel ... mesa-libgl

xf86-video-nouveau ... mesa-libgl
nvidia ... nvidia-libgl
nvidia-340xx ... nvidia-340xx-libgl
nvidia-304xx ... nvidia-304xx-libgl

Install video driver:

My system came with ATI Graphics Card, so install the open source raden driver. # pacman -S xf86-video-ati

Install input driver:

Since this install is for notebook, following package is needed for touchpad. # pacman -S xf86-input-synaptics

Are you installing Arch Linux as VirtualBox Guest?

If you are like me, you'd test the installation of OS or software on a virtual system before actually installing on main systems. I use VirtualBox for that. In order for Arch Linux to run X11 within the VirtualBox guest environment, VirtualBox Guest Additions need to be installed. # pacman -S virtualbox-guest-utils

After executing above command, it'll ask you for guest modules. Choose virtualbox-guest-modules-arch if you used linux kernel when you ran mkinitcpio -p linux during the configuration period. For other modules, use virtualbox-guest-dkms

Loading the VirtualBox kernel modules:

Before getting X11 work on the guest environment, VirtualBox kernel modules must be loaded. To do this automatically, enable the vboxservice service. # systemctl enable vboxservice

Load the modules # modprobe -a vboxguest vboxsf vboxvideo

Testing X:

Install the default environment. # pacman -S xorg-twm xorg-xclock xterm


Install a set of TrueType fonts, as only unscalable bitmap fonts are included by default. DejaVu is a set of high quality. # pacman -S ttf-dejavu

Now, that's a very base system. If you are interested in installing Openbox, you can follow steps in my post, Openbox (w/ Arch Linux).

That's all!

/usr/lib/ could not read symbols: File in wrong format collect2: error: ld returned 1 exist status

I was in need of installing software on my Slackware64 14.1 on the other day and got a following error message: ... /bin/sh ../libtool --tag=CC --mode=link gcc -Wall -Wstrict-prototypes -Wmissing-prototypes -O2 -fPIC -module -avoid-version -o -rpath /usr/lib64/transcode export_jpg_la-export_jpg.lo -L/usr/lib -ljpeg -lm -lm -lz -ldl libtool: link: gcc -shared -fPIC -DPIC .libs/export_jpg_la-export_jpg.o -L/usr/lib /usr/lib/ -lm -lz -ldl -O2 -Wl,-soname -Wl, -o .libs/ /usr/lib/ could not read symbols: File in wrong format collect2: error: ld returned 1 exit status make[2]: *** [] Error 1 make[2]: Leaving directory `/tmp/SBo/transcode-1.1.7/export' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/tmp/SBo/transcode-1.1.7' make: *** [all] Error 2

From the error message, I can tell that it has something to do with linker and libraries, perhaps using 32-bit library on my 64-bit Slackware. I checked the LDFLAGS variable in its MakeFile and it was empty.

Ok, is there a way to force the compiler to use 64-bit libraries with SlackBuild scripts?

YES! A variable can be passed to SlackBuild script. To force the SlackBuild script to use 64-bit library, simply add variable with its value before executing a SlackBuild script.

$ LDFLAGS="-L/usr/lib64" ./[SlackBuildScript_name]

VoilĂ . The compilation went through without any more errors!

Disclaimer: The information in this site is the result of my researches in the Internet and of my experiences. It is solely used for my purpose and may not be suitable for others. I will NOT take any responsibility of end result after following these steps (although I will try to help if you send me your questions/problems).

That's all!

A Happy New Year, 2016!

This is the first blog entry in 2016.

Year 2015 was eventful year for me in many ways. They kept me busy (too busy time to time) but they also kept me going forward and got me through another year. Can't complain.

One regret that I have would be there were only a few posts I made last year despite the fact that I said I would keep up with posting entries at the beginning of the year. Hmm... I hope I'll do better job this year.

Well, thank you for those who visited my blog and those who took your precious time to leave me comments! You are the best!

I wish everyone a happy, peaceful, prosperous and productive new year!

That's all!

Termux is the ONE for Android!

Ever since I learned Terminal IDE was not supported for Android 5.0 Lollipop, I was heartbroken because there weren't any git client programs as good as git on Terminal IDE. I was using SGit but wasn't really happy because of lack of flexibility, features, and ease of use.

However, I finally found the one that works today! It's called Termux. Termux is a terminal emulator, just like Terminal IDE, but it comes with an extensive Linux package collections you can install and manage packages you want. Of course, it has git in its collection. So, I can say "bye, bye" to SGit now.

IMHO, Termux is for Android 5.0 Lollipop and above, and Terminal IDE is for Android 4.4 Kitkat and below.

The information in this site is the result of my researches in the Internet and of my experiences. It is solely used for my purpose and may not be suitable for others. I will NOT take any responsibility of end result after following these steps (although I will try to help if you send me your questions/problems).

Ok, the installation and configuration of Termux and git were easier than those of Terminal IDE in my opinion. Termux comes with a minimum base system. At this point, it doesn't do much so you'd need to install some packages. After getting Termux installed on my Galaxy Note 4, I opened it and typed below to update packages: $ apt update

With a bunch of messages, packages are updated. Then ran the following command to install git: $ apt install git

No problem here. I then installed ssh. As you may know, offers two ways to access a git repository, https and ssh. I could go either way, but ssh is such a useful utility. So, I installed it at this time: $ apt install openssh

Now, the fun part starts - configuration. I've set up my web server Bit Web Server to look into /sdcard/www/ for source codes, so I tried to clone codes from my git repo, but it failed with "Permission Denied" error. Hmm... is this because Termux doesn't have write permissions for security? Well, no problem. I can seem to clone into /data/data/com.termux/home/ and copy the source codes into /sdcard/www/: $ git clone https://[user_name][repo_name]/[repo_name].git $ cp -r [repo_name] /sdcard/www/

After copying into the www directory, I learned that I can still run git commands like git push, git pull, etc... without any errors. Fantastic!! This means I don't need to copy back and forth between /data/data/com.termux/home/ and /sdcard/www/ every time I make updates.

Now, it's time to finish up by configuring git and Termux's user home environments.

For git, ran the following commands to set up user information: $ git config "[username]" $ git config "[username]@[server]"

Then edited the .bashrc file for some aliases. I created ~/.bashrc with some start up configurations for the shell, but it didn't seem to be taking it after restarting Termux. After poking around, I found a bashrc file that seems to be globally used for Termux in /data/data/com.termux/files/usr/etc/: $ cd /data/data/com.termux/files/usr/etc/ $ vim bash.bashrc --------------------------------- export GIT_AUTHOR_NAME="[username]" export GIT_AUTHOR_EMAIL="[username]@[server]" export GIT_COMMITTER_NAME=$GIT_AUTHOR_NAME export GIT_COMMITTER_EMAIL=$GIT_AUTHOR_EMAIL PS1='\[\e[00;32m\]\A \[\e[00;91m\]\u\[\e[01;93m\]@\h\[\e[00;37m\][\[\e[01;34m\]\w\[\e[00;37m\]]\n\[\e[47m\]\[\e[1;30m\]$\[\e[00m\] ' set -o vi

With all of these, git is ready for Android 5.0 Lollipop!

That's all!

Happy New Year to You!

Happy New Year, 2015!

I can't believe yet another year passed by and my blog is still up and running ;P Put some jokes aside, I didn't expect myself posting new articles consistently (well almost consistently). This is all because encouraging comments some visitors leave for me. Honestly, if no one reads my blog, even though I said at the beginning this blog was only meant as some notes for myself, I wouldn't have been able to continue this long. So let me say this again... Thank you!

For my New Year's resolutions, I'd like to keep my blog up and running for another year with more notes to myself that would be informative/helpful to others.

That's all!