- Arch Linux iso
- Virtualbox
- Two virtual HDDs - 8G (main) & 1G (detached header & boot) respectively
On virtualbox, boot into Arch linux using live-usb iso
Create a single partition on 8G & 1G HDDs.
Assumptions:
- 8G HDD is where Arch Linux will be installed, is at /dev/sda and the single partition is /dev/sda1
- 1G HDD is where boot & LUKS header will be, is at /dev/sdb and the single partition is /dev/sdb1
Note:
- Interpret /dev/sda, /dev/sda1, /dev/sdb & /dev/sdb1 for the rest of the walkthrough accordingly.
- No separate partitions for swap & home
Create an empty header image to store the LUKS header
dd if=/dev/zero of=header.img bs=16M count=1
Create LUKS container on /dev/sda1
cryptsetup luksFormat --header header.img --offset 32768 /dev/sda1
Note: offset is used in case you want to re-attach the LUKS header to the main HDD
Open LUKS container /dev/sda1
cryptsetup open --header header.img /dev/sda1 crypt
Unlocked container should be available @ /dev/mapper/crypt
Note: /dev/mapper/crypt is the partition inside the /dev/sda1 LUKS container. This is where we will install Arch Linux.
Ext4 format /dev/mapper/crypt
mkfs.ext4 /dev/mapper/crypt
Ext4 format /dev/sdb1
mkfs.ext4 /dev/sdb1
Copy LUKS header header.img into /dev/sdb1
mount /dev/sdb1 /mnt
cp header.img /mnt
umount /mnt
Update system clock
timedatectl set-ntp true
Source: https://wiki.archlinux.org/index.php/installation_guide#Update_the_system_clock
Mount LUKS container /dev/mapper/crypt to /mnt
mount /dev/mapper/crypt /mnt
Mount /dev/sdb1 to /mnt/boot
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot
Install Arch Linux
pacstrap /mnt base linux linux-firmware grub dhcpcd vim
Source: https://wiki.archlinux.org/index.php/installation_guide#Install_essential_packages
Generate fstab
genfstab -U /mnt >> /mnt/etc/fstab
Source: https://wiki.archlinux.org/index.php/installation_guide#Fstab
chroot into /mnt
arch-chroot /mnt
Source: https://wiki.archlinux.org/index.php/installation_guide#Chroot
Set timezone
ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
Generate /etc/adjtime
hwclock --systohc
Source: https://wiki.archlinux.org/index.php/installation_guide#Time_zone
Set localization
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and any other needed locales
locale-gen
Create /etc/locale.conf and set its contents to LANG=en_US.UTF-8
Source: https://wiki.archlinux.org/index.php/installation_guide#Localization
Network configuration
Create /etc/hostname and set its contents to arch
Create /etc/hosts and set its contents to,
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch.localdomain arch
Source: https://wiki.archlinux.org/index.php/installation_guide#Network_configuration
Enable dhcpcd
systemctl enable dhcpcd
Setup root password with passwd
Source: https://wiki.archlinux.org/index.php/installation_guide#Root_password
Setup encrypt hooks
cp /usr/lib/initcpio/hooks/encrypt /etc/initcpio/hooks/encrypt2
cp /usr/lib/initcpio/install/encrypt /etc/initcpio/install/encrypt2
Edit /etc/initcpio/hooks/encrypt2 at line #52 and make sure the content looks like the following,
warn_deprecated() {
    echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
    echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
}
local headerFlag=false
for cryptopt in ${cryptoptions//,/ }; do
    case ${cryptopt} in
        allow-discards)
            cryptargs="${cryptargs} --allow-discards"
            ;;
        header)
            cryptargs="${cryptargs} --header /boot/header.img"
            headerFlag=true
            ;;
        *)
            echo "Encryption option '${cryptopt}' not known, ignoring." >&2
            ;;
    esac
done
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then
    if $headerFlag || cryptsetup isLuks ${resolved} >/dev/null 2>&1; then
        [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
        dopassphrase=1
Source: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Modifying_encrypt_hook
Update the following in mkinitcpio.conf,
...
MODULES=(loop)
...
FILES=(/boot/header.img)
...
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt2 filesystems fsck)
...
Note: The ... denote hidden statements for illustration purpose
Source: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Modifying_encrypt_hook
Find by-id value for /dev/sda1 using,
ls -l /dev/disk/by-id
Update /etc/default/grub and set cryptdevice kernel parameter in GRUB_CMDLINE_LINUX
Example:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-id/ata-VBOX_HARDDISK_VB68b791cf-9aea8a05-part1:crypt:header"
Source: https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Modifying_encrypt_hook
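A pre-reboot check for the cryptdevice value, added here as an example (it is not part of the original walkthrough or of the Arch hook). It replays the option loop of the modified encrypt2 hook on a command line string; the function names cmdline_cryptdevice and hook_cryptargs are hypothetical.

```sh
#!/bin/sh
# Added example, not the hook itself: replays how the modified encrypt2 hook
# reads cryptdevice=<device>:<mapper name>:<options> from the kernel command line.

# Print the value of cryptdevice= found in a kernel command line string.
cmdline_cryptdevice() {
    for word in $1; do
        case $word in
            cryptdevice=*) echo "${word#cryptdevice=}"; return 0 ;;
        esac
    done
    return 1
}

# Print "<device> <name> <cryptsetup args>" for a cryptdevice value.
# Status 1: device or mapper name missing. Status 2: no "header" option, so the
# hook relies on "cryptsetup isLuks" against a partition that carries no header.
hook_cryptargs() {
    # Split on ':' into device, mapper name and comma-separated options.
    IFS=: read -r cryptdev cryptname cryptoptions <<EOF
$1
EOF
    [ -n "$cryptdev" ] && [ -n "$cryptname" ] || return 1
    cryptargs=""
    headerFlag=false
    for cryptopt in $(echo "$cryptoptions" | tr ',' ' '); do
        case $cryptopt in
            allow-discards) cryptargs="$cryptargs --allow-discards" ;;
            header) cryptargs="$cryptargs --header /boot/header.img"; headerFlag=true ;;
            *) echo "option '$cryptopt' would be ignored" >&2 ;;
        esac
    done
    echo "$cryptdev $cryptname$cryptargs"
    $headerFlag || return 2
}

# Constructed sample: the GRUB_CMDLINE_LINUX value from the example above.
sample='cryptdevice=/dev/disk/by-id/ata-VBOX_HARDDISK_VB68b791cf-9aea8a05-part1:crypt:header'
hook_cryptargs "$(cmdline_cryptdevice "$sample")" || echo "check failed: $?" >&2
```

A status of 2 means the third field is missing the header option, in which case the initramfs would not pass /boot/header.img to cryptsetup.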
Install grub on /dev/sdb
grub-install /dev/sdb
Generate initramfs
mkinitcpio -P
Source: https://wiki.archlinux.org/index.php/installation_guide#Initramfs
Generate grub config
grub-mkconfig -o /boot/grub/grub.cfg
Exit chroot
exit
Unmount all mounts
umount -R /mnt
Close LUKS container
cryptsetup close crypt
reboot
Press F12 in virtualbox, choose the disk that has detached LUKS header and boot partition
- You should reach the grub menu
- Choose Arch Linux
- Enter passphrase
- You should reach Arch Linux login menu, type root for login and enter the root password
- Check network with ping archlinux.org
- All done!