[LINUX] Arch on lvm on luks build and initialization

Overview

In this article, we will create a logical volume with lvm on a partition encrypted with luks (dm-crypt) and build an Arch Linux desktop environment on it.

+--------------+--------------+-----------------+-----------------+
|              |              | Logical volume1 | Logical volume2 |
|     Grub     |     Boot     |     lv_root     |     lv_home     |
|   partition  |   partition  |_ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _|
|              |              |    LUKS encrypted partition       |
|   /dev/sda1  |   /dev/sda2  |           /dev/sda3               |
+--------------+--------------+-----------------------------------+
|                           /dev/sda                              |
+-----------------------------------------------------------------+

With this method, everything except the boot loader and /boot is placed in one large encrypted volume, so the partition layout inside it is hidden and the whole thing is unlocked with a single passphrase. This article is also a memorandum of what I looked into and the procedure I followed when encrypting my laptop.

- dm-crypt: the transparent disk encryption subsystem used on Linux
- LUKS: an open specification for on-disk encryption
- [LVM](https://ja.wikipedia.org/wiki/%E8%AB%96%E7%90%86%E3%83%9C%E3%83%AA%E3%83%A5%E3%83%BC%E3%83%A0%E3%83%9E%E3%83%8D%E3%83%BC%E3%82%B8%E3%83%A3): a system that bundles storage into logical volumes

environment

- UEFI-GPT
- CPU: Intel i5 x86_64
- Memory: 8G
- Disk: 64G

Caution

- Encryption always incurs overhead regardless of the method. With this method both reads and writes are about 30% slower in my environment, so verify in advance whether that is acceptable for virtual machines and the like.
- Data cannot be recovered if the disk fails or the passphrase is lost.
- Disk encryption only protects against physical attacks (someone with access to the disk itself).
- I skipped the explanation in many places, so it will be tough if you have never touched Arch. The basic installation procedure is here: [ArchWiki Installation Guide](https://wiki.archlinux.jp/index.php/%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%82%AC%E3%82%A4%E3%83%89)
- If you don't like or don't know vim, use nano.
- The disk name may not be /dev/sda, so check with lsblk and substitute as appropriate.

Example: on an NVMe disk, /dev/sda becomes /dev/nvme0n1 and /dev/sda1 becomes /dev/nvme0n1p1.

Build

1. Preparation

First, burn the downloaded ISO to a USB stick with Balena Etcher or Rufus and boot it from the PC's EFI to start the installation.
- Confirm that you are connected to the Internet with `ip a`.
- If you are not on a wired connection, follow the prompts of `iwctl` to connect to Wi-Fi.
- Add a Japanese mirror to the top of /etc/pacman.d/mirrorlist and refresh with `pacman -Syy`.
- Load the Japanese keyboard layout with `loadkeys jp106`.
- Set the time with `timedatectl set-ntp true`.

2. Erase the disc

First, use shred to wipe the existing data on the disk. A single pass is enough: the disk is about to be encrypted anyway, and multiple overwrites only shorten its life. Check the disk layout with `lsblk -l` and identify the installation target. A mistake here destroys data you still need, so be careful. In this case /dev/sda is the installation target.

shred -n 0 -v -z /dev/sda


3. Create physical partition

The finished layout: partition 1 is for GRUB (the EFI boot loader), partition 2 is /boot, and partition 3 is /. The prompts below are fdisk's: g creates a new GPT label, n adds a partition, and t sets the partition type (1 = EFI System; 30 = Linux LVM in the author's fdisk version, type L at the prompt to list the codes if yours differ).

fdisk /dev/sda

Command (): g

Command (): n
Partition number(): 1
First sector(----): Enter
Last sector(----) : +500M 

Command (): n
Partition number(): 2
First sector(----): Enter
Last sector(----) : +500M 

Command (): n
Partition number(): 3
First sector(----): Enter
Last sector(----) : Enter

Command (): t
Partition number(): 1
Partition type () : 1

Command (): t
Partition number(): 3
Partition type () : 30

4. Partition formatting and encryption

Format the GRUB partition as fat32 and /boot as ext4

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2

Encrypt the root partition (type YES in uppercase, then set the passphrase), then open it under the name lvm so that it can be read and written.

cryptsetup -v luksFormat /dev/sda3
cryptsetup open --type luks /dev/sda3 lvm


5. Split the encrypted block by lvm

Initialize the physical volume (pv) and create a volume group (vg) on it, then carve logical volumes (lv) out of the volume group: 20 GB for root and 100% of the remainder for home. Adjust the values to the disk size and your preference; about 2:3 is recommended.

pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate vol /dev/mapper/lvm
lvcreate -L 20G vol -n lv_root
lvcreate -l 100%FREE vol -n lv_home

Format the logical volumes as xfs (ext4 and btrfs are fine too).

mkfs.xfs /dev/vol/lv_root
mkfs.xfs /dev/vol/lv_home


6. Mount drive and generate fstab

Create the required directories and mount the volumes.

mount /dev/vol/lv_root /mnt
mkdir /mnt/home
mount /dev/vol/lv_home /mnt/home
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot
mkdir /mnt/etc

fstab generation

genfstab -U -p /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab


7. Base system installation

pacstrap -i /mnt base 

Change root into the new system

arch-chroot /mnt

Install the base system, NetworkManager and the required packages. Replace linux-headers with the matching headers package if you use linux-lts or linux-zen; intel-ucode is only needed on Intel CPUs.

pacman -S base-devel linux linux-headers linux-firmware \
          networkmanager wpa_supplicant wireless_tools netctl \
          lvm2 xfsprogs zsh vim openssh intel-ucode

Start ssh and NetworkManager automatically when you start your PC

systemctl enable sshd
systemctl enable NetworkManager


8. Add hook

Add the hooks that load the kernel modules and tools needed to decrypt the partition and activate the lvm volumes at boot time

vim /etc/mkinitcpio.conf

Add them between block and filesystems in the HOOKS line of mkinitcpio.conf. keyboard is needed for USB keyboards and keymap for the Japanese layout. Hooks run in the order listed, so make sure the order is right.

mkinitcpio.conf

HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

Regenerate the initramfs image

mkinitcpio -p linux


9. Locale, time and language settings

Remove the leading # from ja_JP.UTF-8 and en_US.UTF-8 in /etc/locale.gen

vim /etc/locale.gen

Apply with locale-gen

locale-gen

Set the time to Tokyo

ln -fs /usr/share/zoneinfo/Asia/Tokyo /etc/localtime
hwclock --systohc --utc
export LANG=ja_JP.UTF-8


10. Add user and set password

Replace username with your own user name. zsh is the default shell here, but bash, fish, etc. can be used instead.

passwd
useradd -m -G wheel -s /bin/zsh username
passwd username

Enable sudo

EDITOR=vim visudo

Remove the leading # from the line `# %wheel ALL=(ALL) ALL`


11. Install the GRUB bootloader

Install the GRUB-related packages and edit /etc/default/grub.

pacman -S grub efibootmgr dosfstools os-prober mtools
vim /etc/default/grub

Remove the # at the beginning of GRUB_ENABLE_CRYPTODISK=y, and add the following between loglevel=3 and quiet in GRUB_CMDLINE_LINUX_DEFAULT:

cryptdevice=/dev/<encrypted partition>:<mapper name>:allow-discards

The mapper name is the device-mapper name the unlocked container gets at boot (any name works; vol is used here). A typo on this line is annoying because the system will not boot, so check it carefully.

/etc/default/grub

GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/sda3:vol:allow-discards quiet"

Mount the GRUB partition and install GRUB

mkdir /boot/EFI
mount /dev/sda1 /boot/EFI
grub-install --target=x86_64-efi --bootloader-id=grub_uefi --recheck

cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
grub-mkconfig -o /boot/grub/grub.cfg
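Before rebooting, it is worth checking the two edits this article warns about: the HOOKS order from step 8 and the cryptdevice= entry from step 11. The script below is an added example, not part of the article; it takes the file paths as parameters so it can run against copies, and the device /dev/sda3 and mapper name vol in the usage comment are the article's values.

```sh
#!/bin/sh
# Added example (not from the article): pre-reboot sanity check for the
# LUKS + LVM boot chain. It verifies the HOOKS order in mkinitcpio.conf and
# the cryptdevice= entry in /etc/default/grub. Usage on the real files:
#   check_hooks_order /etc/mkinitcpio.conf && \
#   check_cryptdevice /etc/default/grub /dev/sda3 vol

# Return 0 if HOOKS lists keyboard, keymap, encrypt and lvm2 in that order,
# all after "block" and before "filesystems" (HOOKS=( ... ) array form only).
check_hooks_order() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$1")
    [ -n "$hooks" ] || return 1
    prev=0
    for want in block keyboard keymap encrypt lvm2 filesystems; do
        pos=0
        i=0
        for h in $hooks; do
            i=$((i + 1))
            if [ "$h" = "$want" ]; then pos=$i; break; fi
        done
        # hook missing (pos=0), or placed before the one that must precede it
        [ "$pos" -gt "$prev" ] || return 1
        prev=$pos
    done
    return 0
}

# Return 0 if GRUB_CMDLINE_LINUX_DEFAULT contains exactly one cryptdevice=
# parameter whose device ($2) and mapper name ($3) match. The device may be
# a path like /dev/sda3 or the UUID=... form the encrypt hook also accepts.
check_cryptdevice() {
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1")
    n=0
    dev=""
    name=""
    for p in $cmdline; do
        case "$p" in
            cryptdevice=*)
                n=$((n + 1))
                spec=${p#cryptdevice=}       # dev:name[:options]
                dev=${spec%%:*}
                rest=${spec#*:}
                name=${rest%%:*}
                ;;
        esac
    done
    [ "$n" -eq 1 ] && [ "$dev" = "$2" ] && [ "$name" = "$3" ]
}
```

Writing cryptdevice=UUID=<uuid of the LUKS partition>:vol instead of the /dev/sda3 path survives a change in disk naming (for example when a second disk is added), and the device check accepts that form as well.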


12. Reboot

exit
umount -R /mnt
reboot

After the restart, log in again as the regular user.

13. Installation of AUR helper (yay)

sudo pacman -S go git 
git clone https://aur.archlinux.org/yay.git
cd yay; makepkg -si; cd ..; rm -rf yay

From here on, use yay instead of pacman.

14. Installing the deepin desktop environment (DDE)

I use DDE here, but of course another environment can be substituted or added. Install the X Window System and the graphics drivers. For NVIDIA cards of the 1000 series or later, additionally install nvidia nvidia-settings nvidia-utils; for AMD, or NVIDIA cards older than the 1000 series, look up and install the required packages.

yay -S xorg-server xorg-apps xorg-xinit xorg-twm xorg-xclock xterm mesa

Install DDE and the login manager. As of 10/16 the deepin-extra group cannot be installed normally because of a conflict, so select the packages to install from deepin-extra by number.

yay -S lightdm deepin deepin-extra 

lightdm login manager settings: remove the # at the beginning of greeter-session= in /etc/lightdm/lightdm.conf and set the value after = to lightdm-deepin-greeter

sudo vim /etc/lightdm/lightdm.conf 
greeter-session=lightdm-deepin-greeter


sudo systemctl enable lightdm 
sudo systemctl start lightdm

If DDE starts, the build is complete.


15. Initial settings

Install zsh theme

touch ~/.zshrc
yay -S --noconfirm zsh-theme-powerlevel10k-git
echo 'source /usr/share/zsh-theme-powerlevel10k/powerlevel10k.zsh-theme' >>! ~/.zshrc

Download Japanese font

Download Source Han Sans and HackGen. Incidentally, all console screenshots in this article use HackGen35Nerd Console.

yay -S adobe-source-han-sans-jp-fonts ttf-hackgen

Japanese input settings

Japanese input using fcitx and mozc

yay -S fcitx-im fcitx-configtool fcitx-mozc
vim ~/.xprofile

Create ~/.xprofile with the 3 lines below. After rebooting, open fcitx Configuration and add Mozc at the top.

.xprofile

export GTK_IM_MODULE=fcitx
export QT_IM_MODULE=fcitx
export XMODIFIERS="@im=fcitx"

Installation of other packages

Install software such as google-chrome, vscode and virtualbox with yay.

End

That is all. If you find any mistakes or have questions, please leave them in the comments.

reference

- [Installation Guide](https://wiki.archlinux.jp/index.php/%E3%82%A4%E3%83%B3%E3%82%B9%E3%83%88%E3%83%BC%E3%83%AB%E3%82%AC%E3%82%A4%E3%83%89)
- [dm-crypt / system-wide encryption](https://wiki.archlinux.jp/index.php/Dm-crypt/%E3%82%B7%E3%82%B9%E3%83%86%E3%83%A0%E5%85%A8%E4%BD%93%E3%81%AE%E6%9A%97%E5%8F%B7%E5%8C%96)
- How to install Arch linux on encrypted lvm
