Full Disk Encryption Installation on Arch Linux

A couple of years ago someone introduced me to Full Disk Encryption (FDE) with Pavel Kogan’s guide. A few things have changed since then. So, here I try to complement Pavel’s post.

This guide doesn’t support UEFI, if you prefer UEFI check out this page (written in spanish) instead.

Partitioning the device

We’ll be using LUKS + LVM. You can check the ArchWiki documentation for more information.

parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%
# Read the notes below #
cryptsetup luksFormat --type luks1 /dev/sda1
cryptsetup luksOpen /dev/sda1 lvmarch
pvcreate /dev/mapper/lvmarch
vgcreate varch /dev/mapper/lvmarch
lvcreate -L 1G varch -n swap
lvcreate -L 30G varch -n root
lvcreate -l +100%FREE varch -n home
mkswap -L swap /dev/mapper/varch-swap
swapon /dev/mapper/varch-swap
mkfs.ext4 /dev/mapper/varch-root
mkfs.ext4 /dev/mapper/varch-home
mount /dev/mapper/varch-root /mnt
mkdir /mnt/home
mount /dev/mapper/varch-home /mnt/home

GRUB recently added support for LUKS2 devices, (check 55093), I haven’t tested it yet, so, for the moment we’ll be sticking with LUKS1. Expect an update soon though.

Installing Arch

Some things have changed, now we need to manually install the lvm2 module, the firmware and a text editor of your choice. Here we install the linux-hardened kernel, check the ArchWiki kernel page for supported kernels.

pacstrap /mnt base base-devel linux-hardened linux-firmware lvm2 grub vim
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt

Avoid entering password twice

When we turn on the computer, we’ll be prompted for entering the disk’s password twice (once in GRUB startup and once more when initramfs mounts the partitions), in order to avoid this we need to create an alternative method for unlocking the LUKS device, in this case we will use a keyfile, first we create it and next we add this file as a valid key for our block device.

dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptseupt luksAddKey /dev/sda1 /crypto_keyfile.bin

chmod 000 /crypto_keyfile.bin, just to make sure. (:

Setting up mkinitcpio

The first step to generate a valid initramfs it’s to configure /etc/mkinitcpio.conf accordingly to our encryption scheme. We must add a couple of modules to the configuration file, so they will be included with initramfs and hence be used, also, we need to include the keyfile, so it will be used to open the LUKS device via encrypt hook.

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
FILES=/crypto_keyfile.bin

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck lvm2 encrypt)

Now make sure you re-generate the initramfs running mkinitcpio -p KERNEL, in this case:

mkinitcpio -p linux-hardened

Configuring GRUB

Since we have /boot encrypted we need to enable GRUB’s encryption feature in it’s configuration file (/etc/default/grub), and set the encrypt hook.

# GRUB boot loader configuration
...
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvmarch"

# Uncomment to enable booting from LUKS encrypted devices
GRUB_ENABLE_CRYPTODISK=y

Finally, just install and generate the configuration file of GRUB.

grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

That’s it. Exit the chroot and reboot. You should see a message asking for the passphrase of the LUKS device.

Note: The keyboard layout it’s set to English (US).

Considerations

Encrypting your device is not a complete attack-proof solution, remember, this will protect your information IF someone tries to access when the device it’s off. You’re still vulnerable to cool boot attacks, and to someone getting your information trough the internet or social engineering IF the device it’s on, so keep that in mind.

Resources

Extra bits: