[LINUX] Arch on lvm on luks build and initialization
Overview
In this article, we will create a logical volume with lvm on a partition encrypted with luks (dm-crypt) and build an Arch Linux desktop environment on it.
+--------------+--------------+-----------------+-----------------+
| | | Logical volume1 | Logical volume2 |
| Grub | Boot | lv_root | lv_home |
| partition | pattition |_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|
| | | LUKS encrypted partition |
| /dev/sda1 | /dev/sda2 | /dev/sda3 |
+--------------+--------------+-----------------------------------+
| /dev/sda |
+-----------------------------------------------------------------+
With this method, all systems except the boot loader and / boot can be put in one large volume and encrypted, so the partition structure can be hidden or the entire lock can be unlocked with one key. I can I will also write a memorandum of what I investigated and the procedure I built when encrypting my mobile laptop.
dm-crypt ... Transparent disk encryption subsystem used on linux luks ... Open source encryption specifications [lvm](https://ja.wikipedia.org/wiki/%E8%AB%96%E7%90%86%E3%83%9C%E3%83%AA%E3%83%A5%E3%83 % BC% E3% 83% A0% E3% 83% 9E% E3% 83% 8D% E3% 83% BC% E3% 82% B8% E3% 83% A3) ・ ・ Bundle storage into a logical volume System to use
environment
・ Uefi-gpt ・ Cpu: intel i5 x86_64 ・ Memory: 8G ・ Disk: 64G
Caution
-Encryption always incurs overhead regardless of the method. With this method, both RW and RW are about 30% slower in my environment, so please verify in advance whether it is acceptable for virtual machines etc.
-Data cannot be retrieved if the disk fails or the password is lost.
· Disk encryption can only prevent physical attacks
・ There are many places where I skipped the explanation, so I think it's tough if you haven't touched Arch.
Click here for the basic installation procedure-> [ArchWiki Installation Guide](https://wiki.archlinux.jp/index.php/%E3%82%A4%E3%83%B3%E3%82%B9%E3% 83% 88% E3% 83% BC% E3% 83% AB% E3% 82% AC% E3% 82% A4% E3% 83% 89)
・ If you don't like vim or don't know, please use nano.
-The disk name may not be / dev / sda, so check with lsblk and rewrite as appropriate.
Example:/dev/For nvme0n1/dev/sda/dev/nvme0n1、/dev/sda1/dev/nvme0n1p1
Build
1. Preparation
First, burn the downloaded iso to USB with Balena Etcher or rufus, and boot from the EFI of the PC to install.
・ Confirm that you are connected to the Internet with ʻip a ・ If you are not connected by wire, follow the instructions with ʻiwctl and connect to wifi.
-Add the Japanese server to the top with /etc/pacman.d/mirrorlist and update with pacman -Syy
-Added a Japanese keyboard with loadkeys jp106
-Set the time with timedatectl set-ntp true
2. Erase the disc
First, use the shred command to completely erase the data on the disk.
I don't think multiple overwrites are necessary because it will be encrypted and the life will be shortened.
Check the disk configuration with lsblk -l and check the installation destination
If you make a mistake here, the necessary data will be lost, so be careful.
In this case, / dev / sda is the installation destination.
shred -n 0 -v -z /dev/sda
3. Create physical partition
Click here for the completed form
Partition 1 is Grub (boot loader)
Partition 2 is / boot
Partition 3 is /
parted /dev/sda
Command (): g
Command (): n
Partition number(): 1
First sector(----): Enter
Last sector(----) : +500M
Command (): n
Partition number(): 2
First sector(----): Enter
Last sector(----) : +500M
Command (): n
Partition number(): 3
First sector(----): Enter
Last sector(----) : Enter
Command (): t
Partition number(): 1
Partition type () : 1
Command (): t
Partition number(): 3
Partition type () : 30
4. Partition formatting and encryption
Format grub partition to fat32 and / boot to ext4
mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
Encrypt root partition Enter YES in uppercase and then set password Reopen it with the name lvm and make it readable and writable
cryptsetup -v luksFormat /dev/sda3
cryptsetup open --type luks /dev/sda3 lvm
5. Split the encrypted block by lvm
Initialize the physical volume (pv) and create a volume group (vg) on it Generate a logical volume (lv) from the volume group with 20GB as root and the remaining 100% as home This value will change depending on the size and preference of the disk used Recommended is about 2: 3
pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate vol /dev/mapper/lvm
lvcreate -L 20G vol -n lv_root
lvcreate -l 100%FREE vol -n lv_home
Format logical volume to xfs
ext4 and btrfs are fine
mkfs.xfs /dev/vol/lv_root
mkfs.xfs /dev/vol/lv_home
6. Mount drive and generate fstab
Generate and mount the required directories
mount /dev/vol/lv_root /mnt
mkdir /mnt/home
mount /dev/vol/lv_home /mnt/home
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
mkdir /mnt/etc
fstab generation
genfstab -U -p /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab
7. Base system installation
pacstrap -i /mnt base
Change root directory
arch-chroot /mnt
Install base system, network manager, required packages Rewrite headers when using linux-lts or linux-zen intel-ucode is installed only when using intel cpu
pacman -S base-devel linux linux-headers linux-firmware \
networkmanager wpa_supplicant wireless_tools wireless_tools netctl \
lvm2 xfsprogs zsh vim openssh intel-ucode;
Start ssh and NetworkManager automatically when you start your PC
systemctl enable sshd
systemctl enable NetworkManager
8. Add hook
Added hooks to load kernel modules and tools needed for decryption and activation of lvm volumes at boot time
vim /etc/mkinitcpio.conf
Added between block and filesystems in HOOK in mkinitcpio.conf Keyboard is required for usb connection, and keymap is required for Japanese keyboard. It will be read in order from the front, so make sure it is in the correct order.
mkinitcpio.conf
keyboard keymap encrypt lvm2
Regeneration of initramfs image
mkinitcpio -p linux
9. Locale, time and language settings
Delete the leading # in ja_JP.UTF-8 and ʻen_US.UTF-8 in /etc/locale.gen`
vim /etc/locale.gen
Apply with locale-gen
locale-gen
Set the time to Tokyo
ln -fs /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
hwclock --systohc --utc
export LANG=ja_JP.UTF-8
10. Add user and set password
Rewrite user name Here, zsh is the default shell, but it can be changed to bash, fish, etc.
passwd
useradd -m -G wheel -s /bin/zsh username
passwd username
Enable sudo
EDITOR=vim visudo
# wheel ALL = (ALL) Delete the leading # of ALL
11. Install the GRUB bootloader
Install grub related Edit / etc / default / grub
Remove the # at the beginning of GRUB_ENABLE_CRYPTODISK = "~" Added between loglevel = 3 and quiet in GRUB_CMDLINE_LINUX_DEFAULT ↓
cryptdevice=/dev/Encrypted partition:lvm volume name:allow-discards
Typoing here would be annoying
pacman -S grub efibootmgr dosfstools os-prober mtools vim /etc/default/grub
#### **`/etc/default/grub`**
```sh
-# GRUB_ENABLE_CRYPTODISK=
cryptdevice=/dev/sda3:vol:allow-discards
Mount and load grub partitions
mkdir /boot/EFI
mount /dev/sda1 /boot/EFI
grub-install --target=x86_64-efi --bootloader-id=grub_uefi --recheck
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
grub-mkconfig -o /boot/grub/grub.cfg
12. Reboot
exit
umount -a
reboot -h now
Log in again as a general user after restarting
13. Installation of AUR helper (yay)
sudo pacman -S go git
git clone https://aur.archlinux.org/yay.git
cd yay; makepkg -si; cd ..; rm -rf yay
After that, use yay instead of pacman
14. Installing the deepin desktop environment (DDE)
I'm using DDE here, but of course you can replace or add to another environment
Installing the X Window System and graphics drivers
For nvidia grabbo 1000 series or later, install nvidia nvidia-settings nvidia-utils additionally
If you are using AMD or Gravo older than 1000 Check and install the required packages
yay -S xorg-server xorg-apps xorg-xinit xorg-twm xorg-xclock xterm mesa
DDE and login manager installation As of 10/16, there is a problem that the deepin-extra group cannot be installed normally due to a conflict, so the deepin-extra group should select the package to be installed numerically.
yay -S lightdm deepin deepin-extra
lightdm login manager settings
Remove the # at the beginning of greeter-session in /etc/lightdm/lightdm.conf = and rewrite after = to lightdm-deepin-greeter
sudo vim /etc/lightdm/lightdm.conf
greeter-session=lightdm-deepin-greeter
sudo systemctl enable lightdm
sudo systemctl start lightdm
If DDE starts up with this, the construction is completed
14. Initial settings
Install zsh theme
touch ~/.zshrc
yay -S --noconfirm zsh-theme-powerlevel10k-git
echo 'source /usr/share/zsh-theme-powerlevel10k/powerlevel10k.zsh-theme' >>! ~/.zshrc
Download Japanese font
Download Source Han Sans and Hakugen / HackGen By the way, all the console screens in this article are Hackgen35Nerd Console.
yay -S adobe-source-han-sans-jp-fonts ttf-hackgen
Japanese input settings
Japanese input using fcitx and mozc
yay -S fcitx-im fcitx-configtool fcitx-mozc
vim ~/.xprofile
Create ~ / .xprofile and add the 3 lines below After rebooting open fcitx Configration and add mozc to the top
.xprofile
export GTK_IM_MODULE=fcitx
export QT_IM_MODULE=fcitx
export XMODIFIERS=”@im=fcitx”
Installation of other packages
Put software such as google-chrome, vscode, virtualbox with yay
End
That is all If you have any mistakes or questions, please leave them in the comments
reference
[Installation Guide](https://wiki.archlinux.jp/index.php/%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC% E3% 83% AB% E3% 82% AC% E3% 82% A4% E3% 83% 89) [dm-crypt / system-wide encryption](https://wiki.archlinux.jp/index.php/Dm-crypt/%E3%82%B7%E3%82%B9%E3%83%86%E3 % 83% A0% E5% 85% A8% E4% BD% 93% E3% 81% AE% E6% 9A% 97% E5% 8F% B7% E5% 8C% 96) How to install Arch linux on encrypted lvm
Recommended Posts