2023-04-12 00:00 - How to Install Arch Linux with GRUB, LUKS and LVM

## 2024-03-05 15:15 - Adjusted grub section

(This was written in an old style, with markdown formatting)

Lines with (*) can be skipped if using endpoint system.sh script

######################################
Initial Partitioning
######################################

If needed, wipe the entire drive (in my case, `nvme0n1`).

    blkdiscard /dev/nvme0n1

Partition the disk into `root`, `boot` and `efi` as per the spec below.

    # 1 - boot [/boot] - 1000MB - boot - ext4
    # 2 - efi [/boot/efi] - 100MB - fat32 efi
    # 3 - root - Remaining space
    parted /dev/nvme0n1
    # The following lines are entered at the (parted) prompt
    mklabel gpt
    mkpart "boot" ext4 1MB 1001MB
    mkpart "efi" fat32 1002MB 1102MB
    set 2 boot on
    mkpart "root" 1103MB 100%
    print
    quit
    partprobe

Ensure that `/boot` is ext4 and `/boot/efi` is fat32, as this is needed for grub to work.
You can just have a single fat32 partition but I prefer having the two separated.

######################################
Adding Encrypted Partitions
######################################

Encrypt the LVM partition - remember the "root" is `/dev/nvme0n1p3`.

    cryptsetup luksFormat /dev/nvme0n1p3

Open the LVM partition under the name `baseLVM`.

    cryptsetup luksOpen /dev/nvme0n1p3 baseLVM

Make `baseLVM` into a physical volume and create the volume group `base`.

    pvcreate /dev/mapper/baseLVM
    vgcreate base /dev/mapper/baseLVM

Create logical volumes inside the `base` volume group for `swap`, `/` and `/home`.

    lvcreate -L 512M base -n swap
    lvcreate -L 80G base -n root
    lvcreate -l 100%FREE base -n home

Format these logical volumes.

    mkswap /dev/mapper/base-swap
    mkfs.btrfs /dev/mapper/base-root
    mkfs.btrfs /dev/mapper/base-home

Mount and structure the drives ("boot" is `/dev/nvme0n1p1` and "efi" is `/dev/nvme0n1p2`).
This makes `/mnt` the root file system for the new arch install.

    swapon /dev/mapper/base-swap
    mount /dev/mapper/base-root /mnt
    mkdir -p /mnt/{boot,home}
    mount /dev/mapper/base-home /mnt/home
    mount /dev/nvme0n1p1 /mnt/boot
    mkdir /mnt/boot/efi
    mount /dev/nvme0n1p2 /mnt/boot/efi

If there are issues here, try to reformat the boot partitions with `mkfs`.
Note that `mkpart` in `parted` only records the file system type and does not format the partition.
The process might be a little off, as this keeps happening for me.

######################################
Set up internet connection
######################################

This is assuming you have, say, computer (1) and another laptop (2), with a wifi connection.

    # Connect (1) and (2) with ethernet cable
    # On (2), add a shared network with `ignore link negotiation` and restart wired connection

Get the IP address of this ethernet connection on (2).

    nmcli # e.g. inet4 10.42.0.1/24

On (1), connect over ethernet to (2). You do this by assigning an address to an interface, say, `wlan0`.

    ip link set wlan0 down
    ip addr add 10.42.0.2/24 dev wlan0
    ip link set wlan0 up
    ip route add default via 10.42.0.1 dev wlan0
    ping 1.1.1.1

At this stage you will have shared internet between devices, but no DNS.

######################################
Set up userspace
######################################

Install arch and other necessary software on the new system.

    pacstrap /mnt base base-devel vim lvm2 linux-lts linux-firmware net-tools

Generate the boot mount config using the current mounts on the system as reference.

    genfstab -U /mnt >> /mnt/etc/fstab
    # Save the UUID of the LUKS partition; inside the chroot this file is /luksUUID
    lsblk -af | grep LUKS | tr -s ' ' | cut -d' ' -f4 >> /mnt/luksUUID

Chroot into the system and configure it properly - changes `/mnt` to act as `/`.

    arch-chroot /mnt
    # Set hostname of server
    echo 'SERVERNAME' > /etc/hostname

(*)Set locale on the system

    # Uncomments "en_GB.UTF-8 UTF-8" - set to something appropriate
    # (matches the entry with or without a space after the "#")
    sed -i 's/^# *\(en_GB\.UTF-8 UTF-8\)/\1/' /etc/locale.gen
    locale-gen && locale > /etc/locale.conf

Secure the system by setting the root password and configuring sudoer access for a new user.

    passwd
    useradd -m -G wheel,users -s /bin/bash USER
    passwd USER
    # Add in `Defaults rootpw` under "# User privilege specification"
    # Uncomment the "%wheel" line
    # (the pattern matches only the password-requiring %wheel line, not the NOPASSWD one)
    sed -i 's/^# *\(%wheel ALL=(ALL\(:ALL\)\?) ALL\)$/Defaults rootpw\n\1/' /etc/sudoers

######################################
Configure boot process
######################################

(*)Set system to boot with encrypted LVM

    pacman -S grub efibootmgr
    # Add "encrypt lvm2" before "filesystems" in the line that starts with "HOOKS="
    # (-i edits the file in place; without it sed only prints the result)
    sed -i -E 's/(^HOOKS.*)(filesystems)(.*)/\1encrypt lvm2 \2\3/' /etc/mkinitcpio.conf
    mkinitcpio -P

Install grub on the efi partition - may fail if `/boot/efi` is not formatted properly.

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Arch
    # /etc/default/grub:GRUB_CMDLINE_LINUX_DEFAULT="..." should contain value in $GRUB_C
    # /luksUUID is the file written before the chroot (as /mnt/luksUUID)
    GRUB_C="loglevel=3 quiet cryptdevice=UUID=$(cat /luksUUID):baseLVM root=/dev/mapper/base-root"
    sed -i -E "s|^(GRUB_CMDLINE_LINUX_DEFAULT=).*|\1\"$GRUB_C\"|g" /etc/default/grub
    grub-mkconfig -o /boot/grub/grub.cfg

(*)Password lock admin settings in grub and allow regular boot without password

These changes are not persistent after grub updates.

    grub-mkpasswd-pbkdf2 # copy this result
    # Copy credentials into grub config
    GRUB_USER="" # Put username in here
    GRUB_HASH="" # Put output of above command here (the grub.pbkdf2... string)
    echo -e "\ncat << EOF\nset superusers=\"${GRUB_USER}\"\npassword_pbkdf2 ${GRUB_USER} ${GRUB_HASH}\nEOF" | tee -a /etc/grub.d/00_header
    # Add "--unrestricted" before "${CLASS}" in any appropriate line containing "menuentry"
    vim /etc/grub.d/10_linux
    # sed -i -E 's/(.*menuentry.*)(\$\{CLASS\})(.*)/\1--unrestricted \2\3/' /etc/grub.d/10_linux
    grub-mkconfig -o /boot/grub/grub.cfg

These commands are just personal preference to allow drives to mount easily.

    ln -Ts /run/media /mnt/_
    # Add in "UUID=ID /mnt/NAME FORMAT noauto,user 0 0" (ID=UUID of device)
    # This just lets you mount a known device, as any user, quickly by doing `mount /mnt/NAME`
    vim /etc/fstab
    mkdir /mnt/NAME # Do this for all mounts

######################################
Configure networking, UI and audio
######################################

(*)Download user packages and configure pacman properly

    # Uncomment "ParallelDownloads" for faster downloads
    vim /etc/pacman.conf
    pacman -S xorg-server xorg-xinit xorg-xinput xorg-xset xorg-xsetroot \
        libx11 libxft libxinerama freetype2 xf86-video-vesa xf86-video-fbdev ttf-dejavu
    pacman -S git networkmanager pulseaudio

(*)Configure system to disable beep and turn on network

    rmmod pcspkr ; echo "blacklist pcspkr" >> /etc/modprobe.d/blacklist.conf
    systemctl enable NetworkManager

At this stage you may want to reboot to check everything is working as expected.

(*)Download and configure DWM

    cd /usr/local/src
    git clone https://git.suckless.org/dwm && cd /usr/local/src/dwm && make clean install; cd -
    git clone https://git.suckless.org/dmenu && cd /usr/local/src/dmenu && make clean install; cd -
    # Add "exec dwm" to the end of this file
    vim ~/.xinitrc

Enable touchpad tapping by following [this stackexchange answer](https://superuser.com/questions/1528211/enabling-touchpad-tapping-after-installing-dwm-on-arch-linux)

Now start the window manager.

    startx

Now, in theory, you have a fully functioning archlinux client.
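
Before rebooting, it is worth confirming that the two edits from "Configure boot process" actually landed, since a `sed` that only printed its result or an empty UUID leaves a system that cannot unlock its root volume. The script below is an added example, not part of the original guide; the function names, the sample files and the sample UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide; sample files are constructed.

# hooks_ok FILE: active HOOKS line has encrypt, then lvm2, then filesystems.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=[("]*\([^)"]*\).*/\1/p' "$1" | tail -n 1)
    pos=0; enc=0; lvm=0; fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt)     enc=$pos ;;
            lvm2)        lvm=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]
}

# cmdline_ok FILE UUID: GRUB_CMDLINE_LINUX_DEFAULT maps that LUKS UUID to
# baseLVM and boots from base-root. An empty UUID is rejected outright.
cmdline_ok() {
    [ -n "$2" ] || return 1
    line=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1)
    case $line in *"cryptdevice=UUID=${2}:baseLVM"*) ;; *) return 1 ;; esac
    case $line in *"root=/dev/mapper/base-root"*) ;; *) return 1 ;; esac
}

# write_samples DIR UUID: constructed "before" and "after" config files.
write_samples() {
    echo 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)' > "$1/mkinitcpio.orig"
    echo 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)' > "$1/mkinitcpio.new"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' > "$1/grub.orig"
    echo "GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet cryptdevice=UUID=${2}:baseLVM root=/dev/mapper/base-root\"" > "$1/grub.new"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=:baseLVM root=/dev/mapper/base-root"' > "$1/grub.nouuid"
}

SAMPLE_UUID=11111111-2222-3333-4444-555555555555   # constructed value
d=$(mktemp -d)
write_samples "$d" "$SAMPLE_UUID"
for f in mkinitcpio.orig mkinitcpio.new; do
    hooks_ok "$d/$f" && echo "$f: HOOKS ok" || echo "$f: HOOKS missing encrypt/lvm2"
done
for f in grub.orig grub.new grub.nouuid; do
    cmdline_ok "$d/$f" "$SAMPLE_UUID" && echo "$f: cmdline ok" || echo "$f: cmdline wrong"
done
rm -rf "$d"
```

On the installed system the same functions would be pointed at `/etc/mkinitcpio.conf` and `/etc/default/grub`, with the UUID taken from `cryptsetup luksUUID /dev/nvme0n1p3`.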