Arch Linux with LUKS + LVM

When I saw that Arch Linux was actually providing a guided installer again, I was up for the challenge. Having used Arch Linux very happily a couple of years ago, I wanted to give it another try. I would have done so earlier, but the manual installation process is quite time-consuming and I was too lazy to go through with it. As it turned out, the installer failed on my setup, so I did go through installing Arch Linux the “hard way” ;-)

My current Linux setup uses LUKS and LVM, and it seems archinstall currently has issues with that, so it bailed out… So, I got my tablet, opened Arch’s installation guide and followed the instructions. I will not repeat them here; I will just point out where I diverged from them. The LVM guide and the dm-crypt guide were also of help.

Arch Linux installation

Once you boot the Arch Linux installer image from USB you will be logged into a root shell. So far, so good. The first thing you should do is get your keyboard layout right. In my case:

# loadkeys de

Partitioning

Now follow the installation instructions until it’s time to create disk partitions. You can use any partitioning tool you like; I opted for cfdisk and created three partitions:

  1. ~380 MB for EFI
  2. ~1.5 GB for /boot
  3. the remaining space for the encrypted partition which will host the LVM volumes later

Depending on your hardware it should look something like this:

/dev/nvme0n1p1    2048    788479    786432  384M EFI-System
/dev/nvme0n1p2  788480   3934207   3145728  1,5G Linux-Dateisystem
/dev/nvme0n1p3 3934208 488396799 484462592  231G Linux-Dateisystem

Cryptsetup

Next we need to encrypt the third partition, in my case /dev/nvme0n1p3. With a current version of cryptsetup you do not have to add any options; the defaults should be fine:

# cryptsetup luksFormat /dev/nvme0n1p3

You will be prompted for a password - choose a strong one! Now open the new disk via:

# cryptsetup open /dev/nvme0n1p3 <NAME>

Where NAME can be anything, e.g. “mycrypt”.

Configure LVM

We will now use the mycrypt device as physical volume for LVM:

# pvcreate /dev/mapper/mycrypt

…and add it to our new volume group, which we will call “mycryptvg”:

# vgcreate mycryptvg /dev/mapper/mycrypt

Now that we have a volume group, we can create our logical volumes. I’d create at least two, one for / and one for /home (optionally: swap). Depending on disk size:

# lvcreate -L 50G -n rootlv mycryptvg
# lvcreate -l 100%FREE -n homelv mycryptvg

-n sets the name of the logical volume, and -l 100%FREE simply uses all the remaining space in this volume group. Make sure all volumes are active:

# vgchange -a y mycryptvg

Create filesystems

With that out of the way, we can create filesystems. The EFI partition requires FAT32; for the rest you can choose any Linux filesystem you like, e.g.:

# mkfs.fat -F 32 /dev/nvme0n1p1
# mkfs.ext4 /dev/nvme0n1p2
# mkfs.ext4 /dev/mapper/mycryptvg-rootlv
# mkfs.ext4 /dev/mapper/mycryptvg-homelv

Mount the filesystems:

# mount /dev/mapper/mycryptvg-rootlv /mnt
# mkdir /mnt/boot /mnt/home
# mount /dev/nvme0n1p2 /mnt/boot
# mkdir /mnt/boot/efi
# mount /dev/nvme0n1p1 /mnt/boot/efi
# mount /dev/mapper/mycryptvg-homelv /mnt/home

Install Arch base system

Just follow the installation instructions again. At the point where you run pacstrap, add lvm2 and cryptsetup (the LVM package is called lvm2, there is no package named lvm):

# pacstrap -K /mnt base linux linux-firmware lvm2 cryptsetup

Depending on your CPU, I’d also add either intel-ucode or amd-ucode, plus whatever else you think is useful, like networkmanager.

After generating fstab you’ll chroot into your newly installed system. Again, follow the instructions, but before creating the initramfs, add some hooks to /etc/mkinitcpio.conf. The default is the busybox-based initramfs, but I switched to the systemd-based one. Make sure the hooks are lined up as shown here (the order matters: sd-encrypt unlocks the LUKS container before lvm2 activates the volumes inside it):

HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)
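Because a wrong hook order only shows up as an unbootable system, here is a small check I would run against mkinitcpio.conf before generating the initramfs. This is an added example and not part of the original post or of mkinitcpio; the rules it encodes are the ones behind the hook line above (systemd-based initramfs, sd-encrypt before lvm2 before filesystems, sd-vconsole before the passphrase prompt, no busybox hooks mixed in), and the config text it checks is constructed for the demo.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check the HOOKS= line of a
# mkinitcpio.conf for a LUKS-on-LVM root with the systemd-based initramfs.
# Rules encoded: systemd + sd-encrypt + lvm2 + filesystems present, no busybox
# hooks (encrypt/keymap) mixed in, block < sd-encrypt < lvm2 < filesystems, and
# sd-vconsole before sd-encrypt so the passphrase prompt uses your keymap.

# Constructed sample config (only the HOOKS line matters here).
SAMPLE_CONF='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)'

# hook_index "LIST" NAME -> prints the 1-based position of NAME in LIST, 0 if absent
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_hooks "CONF_TEXT" -> 0 if the hook list is usable, 1 (with the problems printed) otherwise
check_hooks() {
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*HOOKS=' | tail -n 1)
    if [ -z "$line" ]; then
        echo "no HOOKS= line found"
        return 1
    fi
    # Keep only what is inside HOOKS=( ... )
    hooks=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*HOOKS=\((.*)\).*$/\1/')
    problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }

    p_systemd=$(hook_index "$hooks" systemd)
    p_vconsole=$(hook_index "$hooks" sd-vconsole)
    p_block=$(hook_index "$hooks" block)
    p_sdenc=$(hook_index "$hooks" sd-encrypt)
    p_lvm=$(hook_index "$hooks" lvm2)
    p_fs=$(hook_index "$hooks" filesystems)

    [ "$p_systemd" -gt 0 ] || fail "missing hook: systemd (required by sd-encrypt and sd-vconsole)"
    [ "$p_sdenc" -gt 0 ]   || fail "missing hook: sd-encrypt (the LUKS container would never be unlocked)"
    [ "$p_lvm" -gt 0 ]     || fail "missing hook: lvm2 (rootlv would never be activated)"
    [ "$p_fs" -gt 0 ]      || fail "missing hook: filesystems"
    [ "$(hook_index "$hooks" encrypt)" -eq 0 ] || fail "busybox 'encrypt' hook mixed with systemd hooks; use sd-encrypt only"
    [ "$(hook_index "$hooks" keymap)" -eq 0 ]  || fail "busybox 'keymap' hook mixed with systemd hooks; use sd-vconsole"

    # Ordering checks only make sense when both hooks are present.
    if [ "$p_block" -gt 0 ] && [ "$p_sdenc" -gt 0 ] && [ "$p_block" -gt "$p_sdenc" ]; then
        fail "block must come before sd-encrypt"
    fi
    if [ "$p_sdenc" -gt 0 ] && [ "$p_lvm" -gt 0 ] && [ "$p_sdenc" -gt "$p_lvm" ]; then
        fail "sd-encrypt must come before lvm2 (the volume group lives inside the LUKS container)"
    fi
    if [ "$p_lvm" -gt 0 ] && [ "$p_fs" -gt 0 ] && [ "$p_lvm" -gt "$p_fs" ]; then
        fail "lvm2 must come before filesystems"
    fi
    if [ "$p_vconsole" -gt 0 ] && [ "$p_sdenc" -gt 0 ] && [ "$p_vconsole" -gt "$p_sdenc" ]; then
        fail "sd-vconsole must come before sd-encrypt, or the passphrase prompt uses the US layout"
    fi
    [ "$problems" -eq 0 ]
}

# Demo: the post's hook line passes; the stock default (no systemd, no sd-encrypt, no lvm2) fails.
check_hooks "$SAMPLE_CONF" && echo "HOOKS line OK"
check_hooks 'HOOKS=(base udev autodetect modconf block filesystems fsck)' || echo "stock HOOKS line rejected"
```

On a real system, pass the file contents instead of the constructed sample: check_hooks "$(cat /etc/mkinitcpio.conf)" && mkinitcpio -P.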

Once done, you can generate the initramfs via:

# mkinitcpio -P

Next, set a root password and install a bootloader. I still go for grub2. Before creating the grub.cfg file, edit /etc/default/grub and add the following (I put it at the beginning. Make sure you get the device names right! rd.luks.name= takes the LUKS partition’s UUID, not its /dev path, followed by = and the mapper name you want):

GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.name=<DEVICE_UUID>=mycrypt root=/dev/mycryptvg/rootlv ..."

Then run:

# grub-mkconfig -o /boot/grub/grub.cfg

Exit the chroot environment and reboot. Upon boot you should be prompted for your LUKS password.

Adding a YubiKey Bio as LUKS key

To make things a little easier, you can also add a YubiKey as a key to your LUKS partition. Depending on your key, the switches might differ, but this is how it worked for my YubiKey Bio:

First we need to install libfido2:

# pacman -S libfido2

Plug in your Yubikey and see if it is detected:

# systemd-cryptenroll --fido2-device=list
PATH         MANUFACTURER PRODUCT
/dev/hidraw5 Yubico       YubiKey FIDO

…and then enroll the key (again: make sure you get the device right):

# systemd-cryptenroll --fido2-device=auto /dev/nvme0n1p3 --fido2-with-client-pin=no --fido2-with-user-presence=yes --fido2-with-user-verification=yes

You will be prompted for your LUKS password.
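Enrolling adds a second keyslot and a token that binds it to the YubiKey; the passphrase keyslot stays. Before relying on the key, I would confirm that with cryptsetup luksDump /dev/nvme0n1p3: exactly one systemd-fido2 token, and at least one keyslot that no token refers to, so the passphrase still opens the disk if the key is lost. The check below is an added example, not from the post or from cryptsetup; the header dump it parses is constructed and abbreviated (real dumps indent with tabs, which the parser also accepts).

```shell
#!/bin/bash
# Added example, not from the original post: summarise `cryptsetup luksDump`
# output after systemd-cryptenroll and confirm exactly one systemd-fido2 token
# plus a keyslot that is NOT bound to any token (the passphrase fallback).
# SAMPLE_DUMP is a constructed, abbreviated LUKS2 header dump.

SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           deadbeef-0000-4000-8000-000000000001

Data segments:
  0: crypt
    cipher: aes-xts-plain64
    sector: 512 [bytes]

Keyslots:
  0: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      argon2id
    Time cost:  7
    Memory:     1048576
    Threads:    4
    Digest ID:  0
  1: luks2
    Key:        512 bits
    Priority:   normal
    Cipher:     aes-xts-plain64
    PBKDF:      pbkdf2
    Hash:       sha512
    Iterations: 1000
    Digest ID:  0
Tokens:
  0: systemd-fido2
    fido2-rp:   io.systemd.cryptsetup
    fido2-clientPin-required:
                false
    fido2-up-required:
                true
    fido2-uv-required:
                true
    Keyslot:    1
Digests:
  0: pbkdf2
    Hash:       sha256'

# luks_summary "DUMP_TEXT" -> "keyslots=N tokens=N fido2=N bound=N"
#   bound = number of distinct keyslots referenced by some token
luks_summary() {
    printf '%s\n' "$1" | awk '
        /^Keyslots:/       { sec = "ks";  next }
        /^Tokens:/         { sec = "tok"; next }
        /^Digests:/        { sec = "dig"; next }
        /^Data segments:/  { sec = "seg"; next }
        sec == "ks"  && /^  [0-9]+: /          { nks++ }
        sec == "tok" && /^  [0-9]+: /          { ntok++; if ($2 == "systemd-fido2") nfido++ }
        sec == "tok" && /^[ \t]+Keyslot:[ \t]/ { bound[$2] = 1 }
        END {
            nb = 0; for (k in bound) nb++
            printf "keyslots=%d tokens=%d fido2=%d bound=%d\n", nks, ntok, nfido, nb
        }'
}

# enrollment_ok "DUMP_TEXT" -> 0 when exactly one fido2 token exists and a
# passphrase-only keyslot remains, 1 otherwise (reason on stderr)
enrollment_ok() {
    s=$(luks_summary "$1")
    ks=$(printf '%s\n' "$s" | sed 's/.*keyslots=\([0-9]*\).*/\1/')
    fido=$(printf '%s\n' "$s" | sed 's/.*fido2=\([0-9]*\).*/\1/')
    bound=$(printf '%s\n' "$s" | sed 's/.*bound=\([0-9]*\).*/\1/')
    if [ "$fido" -ne 1 ]; then
        echo "expected exactly one systemd-fido2 token, found $fido" >&2
        return 1
    fi
    if [ "$ks" -le "$bound" ]; then
        echo "every keyslot is bound to a token; no passphrase fallback left" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed dump; on a real system use "$(cryptsetup luksDump /dev/nvme0n1p3)".
luks_summary "$SAMPLE_DUMP"
enrollment_ok "$SAMPLE_DUMP" && echo "enrollment looks sane"
```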

To make this work at boot, create /etc/crypttab.initramfs:

mycrypt UUID=<DEVICE_UUID> none fido2-device=auto

Get your device’s UUID via lsblk -f; look for the device marked crypto_LUKS.
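Both the kernel command line and /etc/crypttab.initramfs want the same UUID, and a typo in either one leaves you at a rescue prompt. The following is an added example, not from the post, that pulls the UUID out of lsblk output and renders both lines; it refuses to guess when there is not exactly one crypto_LUKS device. The names mycrypt, mycryptvg and rootlv are the post’s, and the lsblk text is constructed for the demo.

```shell
#!/bin/bash
# Added example, not from the original post: derive the LUKS partition's UUID
# from `lsblk -f` output and render the two lines the post edits by hand, the
# rd.luks.name=/root= kernel parameters and the /etc/crypttab.initramfs entry.
# Both want the LUKS header UUID (a hex string), not a /dev/... path.
# Names (mycrypt, mycryptvg, rootlv) are the post's; the lsblk text is constructed.

# Constructed sample of `lsblk -f -o NAME,FSTYPE,UUID -P` after the post's setup.
SAMPLE_LSBLK='NAME="nvme0n1" FSTYPE="" UUID=""
NAME="nvme0n1p1" FSTYPE="vfat" UUID="1A2B-3C4D"
NAME="nvme0n1p2" FSTYPE="ext4" UUID="11111111-2222-4333-8444-555555555555"
NAME="nvme0n1p3" FSTYPE="crypto_LUKS" UUID="deadbeef-0000-4000-8000-000000000001"
NAME="mycrypt" FSTYPE="LVM2_member" UUID="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
NAME="mycryptvg-rootlv" FSTYPE="ext4" UUID="22222222-3333-4444-8555-666666666666"
NAME="mycryptvg-homelv" FSTYPE="ext4" UUID="33333333-4444-4555-8666-777777777777"'

# luks_uuid "LSBLK_TEXT" -> prints the UUID of the single crypto_LUKS device.
# Refuses (exit 1) when there is none or more than one, so a wrong disk is
# never picked silently.
luks_uuid() {
    uuids=$(printf '%s\n' "$1" | grep 'FSTYPE="crypto_LUKS"' | sed -n 's/.*UUID="\([^"]*\)".*/\1/p')
    n=$(printf '%s\n' "$uuids" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one crypto_LUKS device, found $n" >&2
        return 1
    fi
    # rd.luks.name= only accepts hex digits and dashes in front of the '='
    if ! printf '%s\n' "$uuids" | grep -Eq '^[0-9a-fA-F-]+$'; then
        echo "UUID '$uuids' is not a valid LUKS UUID" >&2
        return 1
    fi
    echo "$uuids"
}

# kernel_cmdline "LSBLK_TEXT" MAPPED_NAME VG LV -> the GRUB_CMDLINE_LINUX_DEFAULT fragment
kernel_cmdline() {
    uuid=$(luks_uuid "$1") || return 1
    echo "rd.luks.name=$uuid=$2 root=/dev/$3/$4"
}

# crypttab_line "LSBLK_TEXT" MAPPED_NAME -> the /etc/crypttab.initramfs entry for FIDO2 unlock
crypttab_line() {
    uuid=$(luks_uuid "$1") || return 1
    echo "$2 UUID=$uuid none fido2-device=auto"
}

# Demo on the constructed output; on a real system replace SAMPLE_LSBLK with
# "$(lsblk -f -o NAME,FSTYPE,UUID -P)".
kernel_cmdline "$SAMPLE_LSBLK" mycrypt mycryptvg rootlv
crypttab_line "$SAMPLE_LSBLK" mycrypt
```

Using the same mapper name (mycrypt) in both places matters: if the kernel command line and crypttab.initramfs name the same device differently, systemd tries to set up the container twice.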

Generate a new initramfs:

# mkinitcpio -P

Fingers crossed - reboot!

This post is licensed under CC BY-SA 4.0 by the author.