
How to use cryptsetup while installing archlinux

Practical guide: how to use cryptsetup while installing archlinux.

The following walkthrough covers a full Arch Linux installation with LUKS disk encryption and BTRFS subvolumes. It starts from booting the Arch ISO and covers partitioning, encrypting partitions with cryptsetup, creating filesystems, installing the base system, configuring GRUB with cryptodisk support, and finalizing the setup.

# Interactive walkthrough, not a script to run unattended: several steps open
# an editor or prompt for a passphrase, and the luksFormat/mkfs steps destroy
# whatever is on the target partitions.

# boot arch iso and set root passwd
# The live ISO's root password is what protects the SSH session started below,
# so choose a strong temporary one and keep the installer on a trusted network.
passwd
systemctl start sshd
# Presumably run from a second machine to reach the installer;
# 192.168.1.225 is the author's address for it -- substitute your own.
ssh -l root 192.168.1.225
# Confirm network access, then enable NTP so the clock is correct.
ping archlinux.org
timedatectl set-ntp true
date
# Partition the disk interactively with this layout:
cfdisk /dev/sda
# sda1 450MB EFI
# sda2 450MB Linux
# sda3 rest  Linux
# sda1 (the EFI system partition) stays unencrypted; sda2 and sda3 each become
# their own LUKS container.
# /boot container: LUKS1 is forced here. GRUB must unlock this container itself
# before any kernel runs. NOTE(review): presumably LUKS1 was chosen because
# GRUB's LUKS2 support is limited -- check what your GRUB version can open.
cryptsetup luksFormat --type luks1 /dev/sda2
cryptsetup open /dev/sda2 boot
# System container: no --type given, so cryptsetup's default format is used.
cryptsetup luksFormat /dev/sda3
cryptsetup open /dev/sda3 system
# Filesystems: FAT32 on the raw ESP, BTRFS inside each opened mapping
# (/dev/mapper/*), never on the raw LUKS partitions.
mkfs.fat -F32 /dev/sda1
mkfs.btrfs -L boot /dev/mapper/boot
mkfs.btrfs -L system /dev/mapper/system
# Pick package mirrors before installing.
vim /etc/pacman.d/mirrorlist
# Mount the top level of the system filesystem once, only to create the
# "home" and "root" subvolumes.
mkdir /mnt/{subvolumes,arch-chroot}
mount /dev/mapper/system /mnt/subvolumes
btrfs subvolume create /mnt/subvolumes/home
btrfs subvolume create /mnt/subvolumes/root
# Assemble the target tree: root subvolume first, then home, the decrypted
# /boot, and the unencrypted ESP at /efi.
mount -o subvol=root /dev/mapper/system /mnt/arch-chroot
mkdir /mnt/arch-chroot/{home,boot,efi}
mount -o subvol=home /dev/mapper/system /mnt/arch-chroot/home
mount /dev/mapper/boot /mnt/arch-chroot/boot
mount /dev/sda1 /mnt/arch-chroot/efi
# Install the base system plus the boot, filesystem and network tooling used below.
pacstrap /mnt/arch-chroot base vim openssh btrfs-progs base-devel refind-efi intel-ucode grub grub-btrfs efibootmgr linux linux-firmware mkinitcpio dhcpcd dhclient wpa_supplicant netctl
# -U writes UUID-based fstab entries for everything currently mounted,
# including /boot, which lives inside the second LUKS container.
genfstab -U /mnt/arch-chroot >> /mnt/arch-chroot/etc/fstab
# Everything from here to "exit" runs inside the new system.
arch-chroot /mnt/arch-chroot
# Time zone and hardware clock.
ln -sf /usr/share/zoneinfo/Europe/Bratislava /etc/localtime
hwclock --systohc
date
# Append the locales to generate, then build them.
cat <<EOF >>/etc/locale.gen
en_US.UTF-8 UTF-8
en_US ISO-8859-1
sk_SK.UTF-8 UTF-8
sk_SK ISO-8859-2
EOF
locale-gen
# Personal vim preference (disables mouse mode); unrelated to encryption.
cat <<EOF >>~/.vimrc
set mouse-=a
EOF
# System language, hostname and local name resolution.
cat <<EOF >/etc/locale.conf
LANG=en_US.UTF-8
EOF
cat <<EOF >/etc/hostname
archvbox
EOF
cat <<EOF >>/etc/hosts
127.0.0.1       localhost
127.0.0.1       archvbox.localdomain archvbox
EOF
# Edit HOOKS so the initramfs can unlock the root container. In the line below,
# "encrypt" sits before "filesystems" (root must be unlocked before it can be
# mounted) and "keyboard keymap" sit before "encrypt" (so the passphrase can be
# typed at the prompt).
vim /etc/mkinitcpio.conf
# HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)
# Rebuild the initramfs so the edited HOOKS take effect.
mkinitcpio -p linux
# Root password of the installed system (separate from the live ISO's).
passwd
# The next two non-comment lines are text to put into /etc/default/grub,
# not commands to execute at the prompt.
# uncomment in /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
# add to GRUB_CMDLINE_LINUX_DEFAULT
# The UUID is that of the LUKS partition /dev/sda3 itself, not of the BTRFS
# filesystem inside it; ":system" is the mapper name the initramfs will create.
cryptdevice=UUID=</dev/sda3 UUID from /dev/disk/by-uuid>:system
# Install GRUB's EFI binary onto the unencrypted ESP and generate its config
# on the encrypted /boot.
# NOTE(review): the ESP contents are neither encrypted nor authenticated by
# this setup; encrypting /boot hides the kernel and initramfs but does not by
# itself detect tampering with the bootloader on sda1.
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
# NOTE(review): cryptdevice= only covers sda3. Nothing shown here reopens the
# sda2 container after the kernel starts, yet fstab lists /boot -- presumably
# an /etc/crypttab entry for it is still needed; verify on first boot.
exit
# Back in the live environment: unmount everything and close both mappings so
# pending writes reach the disk before rebooting.
umount -R /mnt/arch-chroot
umount -R /mnt/subvolumes
cryptsetup close boot
cryptsetup close system
sync
reboot

These additional commands demonstrate common cryptsetup operations on an NVMe drive, including benchmarking encryption performance, formatting and opening LUKS partitions, inspecting raw device data, and removing encryption from a partition.

# Stand-alone cryptsetup examples on an NVMe disk. luksFormat, mkfs and the
# final decrypt step rewrite the target partition; double-check device names.
# NOTE(review): the listing switches between nvme0n1p5 and nvme0n1p2 --
# presumably two separate experiments; confirm which partition you mean.

# Create or inspect partitions interactively.
sudo cfdisk /dev/nvme0n1
# Measure KDF and cipher throughput on this machine; takes no device argument.
sudo cryptsetup benchmark
# Initialise a LUKS container on p5 (asks for confirmation and a passphrase;
# existing data on the partition is lost). -v prints extra status output.
sudo cryptsetup -v luksFormat /dev/nvme0n1p5
# Print the LUKS header metadata of p5.
sudo cryptsetup -v luksDump /dev/nvme0n1p5

# Hex-dump the raw partition. The first form streams the whole device to the
# terminal; the second pages it through less.
sudo xxd /dev/nvme0n1p2
sudo xxd /dev/nvme0n1p2 | less
# Unlock p2 as /dev/mapper/archlinux, then dump the mapping: comparing this
# with the raw dump above shows on-disk data versus the decrypted view.
sudo cryptsetup open /dev/nvme0n1p2 archlinux
sudo xxd /dev/mapper/archlinux | less

# Create the filesystem inside the opened mapping (not on the raw partition)
# and mount it; mkfs overwrites whatever the container held before.
sudo mkfs.ext4 /dev/mapper/archlinux
sudo mount /dev/mapper/archlinux /mnt

# Remove LUKS encryption from p5 (the crypto_LUKS signature goes away).
# Afterwards the data sits on disk in plaintext, so take a backup first and
# run this only on an unmounted, closed device. Shown without sudo, but it
# needs root like the commands above.
# NOTE(review): newer cryptsetup releases dropped the stand-alone
# cryptsetup-reencrypt tool in favour of "cryptsetup reencrypt --decrypt";
# check the man page for the version you have installed.
cryptsetup-reencrypt --decrypt /dev/nvme0n1p5
This post is licensed under CC BY 4.0 by the author.