Full disk encryption using LUKS1 and LVM: /boot is encrypted as well, and a keyfile avoids the double password prompt. The partition scheme is separated (/var, /tmp, /home, swap).
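#!/bin/sh
# Unattended Artix install onto one disk: a single LUKS1 container holding an
# LVM volume group with swap, /var, /tmp, / and /home.  There is no separate
# /boot: GRUB (which can only unlock LUKS1) opens the container, and the manual
# steps at the end embed a keyfile in the initramfs so the kernel does not ask
# for the passphrase a second time.
#
# Everything on STATIC_DISK is destroyed.  Must run as root from a live
# environment that provides pacman, basestrap, fstabgen and artix-chroot.

# Stop at the first failing command and on unset variables: without this a
# failed parted/luksFormat would be followed by pvcreate/mkfs on whatever is
# at the device path.  (pipefail is not available in every /bin/sh.)
set -eu

PRE_INSTALL_PKG_LIST="parted"
POST_INSTALL_PKG_LIST="parted grub cryptsetup lvm2 zsh nano runit elogind-runit linux linux-firmware"
STATIC_SIZE_ROOT=50G
STATIC_SIZE_VAR=20G
STATIC_SIZE_TMP=5G
STATIC_SIZE_SWAP=8G
STATIC_DISK="/dev/sda"
# Passphrase for the LUKS container.  The in-file value is only a placeholder;
# export STATIC_LUKS_PASSWORD before running to keep it out of the script.
STATIC_LUKS_PASSWORD=${STATIC_LUKS_PASSWORD:-toor}

# First partition name: "sda" -> "sda1", but disks whose name ends in a digit
# ("nvme0n1", "mmcblk0") use a "p" separator -> "nvme0n1p1".
case "$STATIC_DISK" in
  *[0-9]) LUKS_PART="${STATIC_DISK}p1" ;;
  *)      LUKS_PART="${STATIC_DISK}1" ;;
esac

# Needed packages (the list is intentionally word-split into package names)
# shellcheck disable=SC2086
pacman -Syy $PRE_INSTALL_PKG_LIST --noconfirm

# Setting up partitions: MBR label, one partition from sector 2048 to the end
parted -s "$STATIC_DISK" mklabel msdos
parted -s "$STATIC_DISK" mkpart primary 2048s 100%

# LUKS1 because GRUB has to unlock it.  The passphrase goes in on stdin rather
# than argv so it is not visible in `ps`; printf is used because `echo -n` is
# not portable under /bin/sh and could turn the passphrase into "-n toor".
printf '%s' "$STATIC_LUKS_PASSWORD" | cryptsetup luksFormat --type luks1 -c aes-xts-plain64 --hash whirlpool -s 512 -i 1500 --use-random "$LUKS_PART"
printf '%s' "$STATIC_LUKS_PASSWORD" | cryptsetup luksOpen "$LUKS_PART" cryptlvm

# Setting up volume groups (mapper name must match the luksOpen name above)
pvcreate /dev/mapper/cryptlvm
vgcreate vg /dev/mapper/cryptlvm
lvcreate -L "$STATIC_SIZE_SWAP" vg -n swap
lvcreate -L "$STATIC_SIZE_VAR" vg -n var
lvcreate -L "$STATIC_SIZE_TMP" vg -n tmp
lvcreate -L "$STATIC_SIZE_ROOT" vg -n root
# home takes whatever is left in the group
lvcreate -l +100%FREE vg -n home

# Formatting the new logical volumes to ext4 (tmp, var have journaling disabled)
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
mkfs.ext4 -O ^has_journal /dev/mapper/vg-tmp
mkfs.ext4 -O ^has_journal /dev/mapper/vg-var
mkswap /dev/mapper/vg-swap

# Mounting the logical volumes
mount /dev/mapper/vg-root /mnt/
for dir in home var tmp; do
  mkdir -p "/mnt/$dir"
  mount "/dev/mapper/vg-$dir" "/mnt/$dir"
done

# Enable swap
swapon /dev/mapper/vg-swap

# Base system install
# shellcheck disable=SC2086
basestrap /mnt base base-devel $POST_INSTALL_PKG_LIST
fstabgen -pU /mnt > /mnt/etc/fstab
# Drops into an interactive shell in the new system; the script ends here.
artix-chroot /mnt /bin/bash

# End of file: the remaining steps are done manually inside the chroot.
# 1 in /etc/default/grub uncomment or add GRUB_ENABLE_CRYPTODISK=y
# 2 change GRUB_CMDLINE_LINUX="" to
#   GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:cryptlvm root=/dev/vg/root cryptkey=rootfs:/etc/thunder"
#   (use the real LUKS partition if STATIC_DISK is not /dev/sda)
# 3 add encrypt lvm2 to HOOKS in /etc/mkinitcpio.conf before filesystems, ie:
#   HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems"
# 4 change FILES=() to FILES=(/etc/thunder)
# 5 create the keyfile and register it as a second LUKS key slot:
#   dd bs=512 count=4 if=/dev/random of=/etc/thunder iflag=fullblock
#   chmod 000 /etc/thunder
#   cryptsetup -v luksAddKey /dev/sda1 /etc/thunder
# 6 mkinitcpio -p linux
#   The keyfile is now inside the initramfs under /boot.  /boot sits on the
#   encrypted root so it is protected at rest, but restrict the image anyway
#   (chmod 600 /boot/initramfs-linux*) so unprivileged users cannot read it.
# 7 grub-install --target=i386-pc --recheck /dev/sda
# 8 grub-mkconfig -o /boot/grub/grub.cfg
# 9 proceed with the installation like setting up users and what not.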