Years back, I was using Arch Linux on my notebook but gave up at some point after upgrading Arch Linux made my notebook unbootable. After some distro hoppings, I settled down with Debian Linux and it has been my friend since then. But now, out of a whim, I decided to give another try on Arch.
I'll be installing Arch Linux on the same notebook and I wanted the encryption on a disk/partition like before. I looked around some options from the Arch Linux Wiki. I read up on LVM on LUKS, LUKS on LVM, and Plain dm-crypt and decided to go with LVM on LUKS again. One of benefits for LUKS on LVM is that it can have encrypted volumes span multiple disks. It's nice but I don't need it since there is only one disk for the notebook. Plain dm-crypt can encrypt an entire disk and this is nice and ideal but having a USB flash memory around is a bit overkill for me. So, I'll stick with LVM on LUKS again.
I then followed my old post, Installing Arch Linux: LVM on top of an encrypted partition. What do you know? The information on that page was not wrong but was a bit confusing or hard to follow (not to mention about the number of typos. Sheesh!). So, I decided to re-do the whole steps, including the base installation of Arch Linux on LVM. Most of the information here will be duplicates from old one but please bare with me.
Information below is gathered mostly from the Arch Linux Wiki page and changed here and there for my liking. This information below is solely used for my purpose and may not be suitable for others.
Erasure of the Hard Disk:
Information (data) on a Hard Drive is written in chunk here and there. Re-partitioning or reformatting a disk does not really removes (erase) the data. It merely remove the system structure that used to identify where the original data was located. This leaves the actual data on a disk.
To securely erase a disk, you could either:
- Fill with zeros
- Fill with random bits
Both methods overwrite data on a disk but the first one fill with zero's leaving easily (to some extent) identify where the encrypted data ends. So, I follow the second method.
# dd if=/dev/urandom of=/dev/<drive> bs=1M
Just to be warned, this takes a long, long time.
Partitioning a Disk:
There is a way to encrypt the /boot partition with GRUB (for details, see Pavel Kogan's blog), but for simplicity, I'll stick with having the /boot partition separated from the encryption and LVM.
# fdisk /dev/sda
/dev/sda1 -> /boot (bootable) - 300MB should be enough.
/dev/sda2 -> LVM (8e) - the rest of the disk
cryptsetup is used to interface with LUKS for formatting, mounting and unmounting encrypted partition.
First make sure the device mapper kernel module is installed:
# modprobe dm-mod
Then format it as an encrypted LUKS partition:
# cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/sda2
- --cipher: defines the cipher type
- --key-size: defines the key size
- --hash sha512: hash algorithm used for key derivation.
It looks like AES cipher in XTS mode (XTS-AES) is most popular these days.
Unlocking/Mapping LUKS partition with the Device Mapper:
To access the encrypted volume, It needs to be unlocked.
# cryptsetup open --type luks /dev/sda2 lvm
Create a physical volume (encrypted volume) and a group volume.
# lvm pvcreate /dev/mapper/lvm
# lvm vgcreate lvmvg /dev/mapper/lvm
Create logical volumes on this new volume group.
# lvm lvcreate -L 10G -n root lvmvg
# lvm lvcreate -L 500M -n swap lvmvg
# lvm lvcreate -l 100%FREE -n home lvmvg
Format the filesystems on each logical volume.
# mkfs.ext4 /dev/mapper/lvmvg-root
# mkfs.ext4 /dev/mapper/lvmvg-home
# mkswap /dev/mapper/lvmvg-swap
Mount the filesystems.
# mount /dev/mapper/lvmvg-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/lvmvg-home /mnt/home
# swapon /dev/mapper/lvmvg-swap
Prepare the boot partition.
# mkfs.ext2 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot
Configure Wireless Network:
Network connection needs to be configured before the installation can take a place. Since my notebook uses WiFi, I need to configure wireless network.
Check for the network interface and whether udev has loaded the driver.
eth0 no wireless extensions.
lo no wireless extensions.
wlan0 IEE 802.11bgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=14 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
It looks like wlan0 is available.
Not required for mine but here is how to activate
# ip link set wlan0 up
Access point discovery:
I know my network information like ESSID, Encryption key, etc..., but here is how to list available access points
# iwlist wlan0 scan | less
Or, for the new netlink interface
# iw dev wlan0 scan | less
Association to the access point
Now a configuration file, /etc/wpa_supplicant.conf, needs to be created for my access point.
# vi /etc/wpa_supplicant.conf
These options are explained in /etc/wpa_supplicant/wpa_supplicant.conf
Append the passphrase and PSK to the file
# wpa_passphrase SSID_NAME "PASSPHRASE" >> /etc/wpa_supplicant.conf
The WiFi interface should be up by the earlier command ip link set wlan0 up, so now tell wpa_supplicant the driver (wext - Linux Wireless EXTensions), the SSID specified in /etc/wpa_supplicant.conf and the wireless interface.
# wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf
- -B : Run in the background
- -D : Driver information. Default is WEXT
- -i : Wireless interface
- -c : Configuration file
Request an IP address to DHCP server.
# dhcpcd wlan0
Check assigned IP address.
# ip addr show wlan0
Select installation mirror:
Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it's worth getting it right.
Install the base system and other package groups:
The base system is installed using the pacstrap script. pacstrap is a script that installs packages to the specified new root directory. If no packages are given, pacstrap defaults to the "base" group.
Required X Window Systems packages for openbox will be installed in post-installation configuration.
The system uses wireless network, so install the required wireless network packages.
# pacstrap /mnt base base-devel wireless_tools wpa_supplicant wpa_actiond
Let's configure the primary configuration files.
Generate an fstab file:
The fstab file contains static filesystem information. It defines how storage devices and partitions are to be mounted and integrated into the overall system. It is read by the mount command to determine which options to use when mounting a specific device or partition.
Check the resulting file afterwards, especially watch for the swap entry.
# genfstab -p /mnt >> /mnt/etc/fstab
# vi /mnt/etc/fstab
/dev/mapper/lvm-swap none swap defaults 0 0
Chroot into the system (Change root into the new system):
# arch-chroot /mnt
/etc/rc.conf is the configuration file for Arch's initscripts. Some of options in this file has been obsolete and they now have own configuration files (ex: hostname, etc...). /etc/rc.conf still configures daemons to start during boot-up and some networking and storage information.
Since LVM is used on this system, I need to enable it so that the kernel knows about it.
# vi /etc/rc.conf -------------------- USELVM="yes"
Configuring hostname requires updating two files, /etc/hostname and /etc/hosts
Add hostname in /etc/hostname
# cat > /etc/hostname
Add hostname in /etc/hosts
# vi /etc/hosts
127.0.0.1 localhost.localdomain localhost archy64
::1 localhost.localdomain localhost archy64
Console fonts and keymap:
The console, meaning a terminal running with no X Window System, uses the ASCII character set as the default.
A console font is limited to either 256 or 512 characters. The fonts are found in /usr/share/kbd/consolefonts/.
Keymaps, the connection between the key pressed and the character used by the computer, are found in the subdirectories of /usr/share/kbd/keymaps/
# cat > /etc/vconsole.conf
- KEYMAP - the default (us) is ok
- FONT - the default (blank) is ok
- FONT_MAP - the default (blank) is ok
Available time zones and subzones can be found in the /usr/share/zoneinfo/<Zone>/<SubZone> directories.
Create a symlink /etc/localtime to zone file.
# ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime
Choose the locale(s) from /etc/locale.gen and uncomment them.
# vi /etc/locale.gen
Setting up system-wide locale:
# cat > /etc/locale.conf LANG=en_US.UTF-8 LC_TIME=en_US.UTF-8 ^D
Set the LANG variable for the ramdisk creation
# export LANG=en_US.UTF-8
Hardware clock time:
It's recommended to use UTC.
# hwclock --systohc --utc
Create an initial ramdisk environment:
Configure /etc/mkinitcpio.conf for encryption and LVM by adding encrypt lvm2 (in this order) in the HOOKS section before filesystems so that the kernel will find LVM volumes at boot time.
# vi /etc/mkinitcpio.conf
HOOKS="...encrypt lvm2 filesystems..."
Now generate the kernel image.
# cd /boot
# mkinitcpio -p linux
Install and configure a bootloader:
# pacman -S grub-bios os-prober # grub-install --recheck /dev/sda
Create a grub configuration file.
# grub-mkconfig --output /boot/grub/grub.cfg
Add cryptdevice=/dev/sda2:lvmvg between root=... and ro in the line starts with linx. This needs to be done for "Arch Linux" and "Arch Linux Fallback".
# vi /boot/grub/grub.cfg
linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet
Set the root password now.
Exit from chroot, unmount the partitions, close the device and reboot.
# umount -R /mnt/boot
# umount -R /mnt
# cryptsetup close lvm
After rebooting, it should ask you for a passphrase like below:
Updating the system:
Sync, refresh, and upgrade the entire new system.
# pacman -Syu (or pacman --sync --refresh --sysupgrade)
Pacman will now download a fresh copy of the master package list from the server(s) defined in /etc/pacman.conf and perform all available upgrades.
Note: If you get following errors after executing above statement, it most likely you don't have dhcpcd is not running or your network setting is not correct.
error: failed retrieving file '...' from ... : Could not resolve host: ...
Pacman output is saved in /var/log/pacman.log
Adding a user:
Now add a normal user account for daily tasks
# useradd -m -g users -G audio,games,log,lp,optical,power,scanner,storage,video,wheel -s /bin/bash ubyt3m3
Set a password for ubyt3m3
# passwd ubyt3m3
X Window System:
The X Window System (commonly X11, or X) is a networking and display protocol which provides windowing on bitmap displays. It provides the standard toolkit and protocol to build graphical user interfaces (GUIs).
Before installing the X11, try to see what kind of video card you have
# lspci | grep -e VGA -e 3D
Then install the base Xorg packages using pacman.
# pacman -S xorg-server xorg-xinit xorg-server-utils
During the installation, it'll ask you for the type of libgl. Use below information based on the type of video card you have (returned value from the lspci command above), choose a proper driver.
xf86-video-amdgpu ... mesa-libgl
xf86-video-ati ... mesa-libgl
catalyst ... catalyst-libgl
xf86-video-intel ... mesa-libgl
xf86-video-nouveau ... mesa-libgl
nvidia ... nvidia-libgl
nvidia-340xx ... nvidia-340xx-libgl
nvidia-304xx ... nvidia-304xx-libgl
Install video driver:
My system came with ATI Graphics Card, so install the open source raden driver.
# pacman -S xf86-video-ati
Install input driver:
Since this install is for notebook, following package is needed for touchpad.
# pacman -S xf86-input-synaptics
Are you installing Arch Linux as VirtualBox Guest?
If you are like me, you'd test the installation of OS or software on a virtual system before actually installing on main systems. I use VirtualBox for that. In order for Arch Linux to run X11 within the VirtualBox guest environment, VirtualBox Guest Additions need to be installed.
# pacman -S virtualbox-guest-utils
After executing above command, it'll ask you for guest modules. Choose virtualbox-guest-modules-arch if you used linux kernel when you ran mkinitcpio -p linux during the configuration period. For other modules, use virtualbox-guest-dkms
Loading the VirtualBox kernel modules:
Before getting X11 work on the guest environment, VirtualBox kernel modules must be loaded. To do this automatically, enable the vboxservice service.
# systemctl enable vboxservice
Load the modules
# modprobe -a vboxguest vboxsf vboxvideo
Install the default environment.
# pacman -S xorg-twm xorg-xclock xterm
Install a set of TrueType fonts, as only unscalable bitmap fonts are included by default. DejaVu is a set of high quality.
# pacman -S ttf-dejavu