Install Arch Linux with an encrypted boot partition
The Arch Wiki will tell you how to install Arch with a separate, unencrypted boot partition, but it won’t help if you want to encrypt your boot partition and mount it along with your other ones. The following explains how to set this up using GRUB’s encryption modules, LVM, and LUKS.
1. Boot your Arch installation image.
Download the latest image from the Arch Linux download page and be sure to verify its signature or checksum after it is downloaded. After all, encryption is pointless if the installation image itself is compromised.
Burn the image to disk or copy it to a USB. Then, boot from it.
2. Create your partitions.
You’ll first need to do the steps already outlined on the Arch Wiki installation guide up to partition creation. Basically, set up your network interface and identify the block devices you will be installing to.
The following will create three partitions on /dev/sdX, with X replaced by the letter of the drive you are installing on. Modify the commands to suit your needs.
These instructions are copied basically verbatim from the blog mentioned at the beginning.
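As an added example (these are not the post’s commands, nor the referenced blog’s), here is a POSIX shell script for the kind of layout this guide needs. It assumes a GPT disk with three partitions: a 1 MiB BIOS boot partition, a 512 MiB EFI system partition, and one LUKS container holding an LVM volume group (vg0) with a swap and a root volume; /boot stays inside root, so it is encrypted too. The device /dev/sdX, the mapper name cryptlvm, the volume group name and the sizes are placeholders. It prints the commands by default (DRY_RUN=1) and only touches the disk when run as root with DRY_RUN=0 and a real DISK. The container is formatted as LUKS1 because GRUB has to unlock it to read /boot, and GRUB’s LUKS2 support is limited and arrived only in recent releases, so LUKS1 is the safe choice for a container GRUB must open.

```shell
#!/bin/sh
# Added example (not the post's own commands): partition -> LUKS -> LVM layout
# with a dry-run mode. DISK, VG, LUKS_NAME and SWAP_SIZE are placeholders.
set -eu

DISK="${DISK:-/dev/sdX}"          # placeholder: replace with the target drive
VG="${VG:-vg0}"
LUKS_NAME="${LUKS_NAME:-cryptlvm}"
SWAP_SIZE="${SWAP_SIZE:-4G}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# part N: partition device name; NVMe/MMC devices use a "p" separator.
part() {
    case "$DISK" in
        *[0-9]) printf '%sp%s' "$DISK" "$1" ;;
        *)      printf '%s%s'  "$DISK" "$1" ;;
    esac
}

# Wipes DISK and creates BIOS boot (ef02), EFI system (ef00) and LUKS (8309).
create_partitions() {
    run sgdisk --zap-all "$DISK"
    run sgdisk -n 1:0:+1M   -t 1:ef02 -c 1:bios "$DISK"
    run sgdisk -n 2:0:+512M -t 2:ef00 -c 2:esp  "$DISK"
    run sgdisk -n 3:0:0     -t 3:8309 -c 3:luks "$DISK"
}

# LUKS1 so that GRUB can unlock the container that holds /boot; the PV goes on
# the opened mapper device, never on the raw partition.
create_luks_and_lvm() {
    run cryptsetup luksFormat --type luks1 "$(part 3)"
    run cryptsetup open "$(part 3)" "$LUKS_NAME"
    run pvcreate "/dev/mapper/$LUKS_NAME"
    run vgcreate "$VG" "/dev/mapper/$LUKS_NAME"
    run lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    run lvcreate -l 100%FREE -n root "$VG"
}

# Filesystems and mounts under /mnt; /boot is a plain directory inside root.
make_filesystems() {
    run mkfs.fat -F32 "$(part 2)"
    run mkfs.ext4 "/dev/$VG/root"
    run mkswap "/dev/$VG/swap"
    run mount "/dev/$VG/root" /mnt
    run mkdir -p /mnt/boot/efi
    run mount "$(part 2)" /mnt/boot/efi
    run swapon "/dev/$VG/swap"
}

# all_steps: refuses to execute for real while DISK is still the placeholder.
all_steps() {
    if [ "$DRY_RUN" != 1 ] && [ "$DISK" = /dev/sdX ]; then
        echo "refusing to run: set DISK to the real target drive" >&2
        return 1
    fi
    create_partitions
    create_luks_and_lvm
    make_filesystems
}

all_steps
```

Run it once in dry-run mode and read the plan before setting DRY_RUN=0; the order matters, because the physical volume must be created on the opened mapper device, not on the raw LUKS partition.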
3. Install Arch Linux.
Now, follow the generic install instructions. Don’t forget to generate the fstab.
When you install the kernel, you’ll need to add the encrypt and lvm2 hooks to the HOOKS line in /etc/mkinitcpio.conf. The order shouldn’t matter, but just in case, edit the line so that it reads as follows:
NOTE: If your HOOKS line contains other hooks not shown in the above example, leave them alone.
The hooks added to HOOKS are what let the initramfs decrypt the partitions and mount the filesystems they hold. Save your changes to /etc/mkinitcpio.conf and rebuild the initramfs image. Run:
4. Install GRUB.
Continue with the install instructions until you get to the part that tells you how to install a bootloader. Install GRUB as you normally would. Then, open /etc/default/grub and add the line:
Then, also in /etc/default/grub, edit GRUB_CMDLINE_LINUX to pass extra boot parameters to the kernel:
Note that if you have an SSD and don’t mind the security implications of allowing discards, do this instead:
Then, regenerate the GRUB config file:
5. (Optional) Create LUKS key.
If you have booted your system already, you’ll notice that you have to enter your LUKS password each time you try to decrypt a block device. It gets annoying, but you can get around it by supplying a keyfile in the initramfs that decrypts the remaining partitions after you have unlocked the boot partition in GRUB. This doesn’t carry security implications because until you enter the password in GRUB, the keyfile is encrypted on the hard drive.
The only security hazard the key poses is when the system is booted and the key resides in the ramfs, unencrypted. At this point, so does the LUKS master key, so if attackers can get hold of your keyfile in this state, they might as well get your master key. If an attacker is that determined and pernicious, you’ll need to do a lot more to secure your system, something well beyond the scope of this post.
Generate the keyfile by doing the following:
1. Fill a file with random bits.
You can stick crypto_keyfile.bin anywhere in the root partition if you’d like. Also, adding the key will prompt you for a password. Enter any existing
2. Build the key into the initramfs.
Add the key to the FILES parameter in /etc/mkinitcpio.conf. Then regenerate the initramfs image with:
3. Add the key to GRUB.
Open /etc/default/grub and append cryptkey=rootfs:/crypto_keyfile.bin to GRUB_CMDLINE_LINUX. Do not delete the cryptdevice parts
Then, regenerate the grub.cfg file with
Now the key is built into the initramfs image and will decrypt your partitions once you select a kernel from the GRUB boot menu.
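Before rebooting, it is worth checking that the files edited in sections 3 to 5 agree with each other, since a mistake in any of them leaves you at an initramfs prompt with no way to unlock the root volume. The following shell script is an added example (not the post’s own) that does those checks: it verifies the HOOKS order in /etc/mkinitcpio.conf (mkinitcpio runs hooks in the order written, so encrypt must precede lvm2 and both must precede filesystems), that the keyfile is listed in FILES, that /etc/default/grub enables cryptodisk and passes both cryptdevice= and cryptkey=, and that the keyfile on disk is not readable by group or others; it also flags allow-discards so you can confirm it is a deliberate choice. The function names, the keyfile path /crypto_keyfile.bin and the sample config trees it demonstrates on are constructed for this example. From the installation image, run preflight /mnt /crypto_keyfile.bin against the mounted new system; from the booted system, run preflight / /crypto_keyfile.bin.

```shell
#!/bin/sh
# Added example, not part of the post: pre-reboot checks for the files this guide
# edits. Function names, /crypto_keyfile.bin and the sample configs written by
# write_samples are this example's own constructions.
set -eu

# hooks_ok CONF: mkinitcpio runs hooks in the order written, so encrypt must come
# before lvm2 (unlock before LVM scans) and lvm2 before filesystems (activate
# the volumes before anything is mounted).
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"]$/\1/p' "$1")
    [ -n "$hooks" ] || return 1
    set -- $hooks                       # word-split the hook list into $1..$n
    enc=0; lvm=0; fs=0; i=0
    for h; do
        i=$((i + 1))
        case "$h" in
            encrypt)     enc=$i ;;
            lvm2)        lvm=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]
}

# keyfile_in_files CONF KEYPATH: FILES=(...) must embed the keyfile, otherwise
# cryptkey=rootfs:KEYPATH finds nothing inside the initramfs.
keyfile_in_files() {
    for f in $(sed -n 's/^FILES=[("]\(.*\)[)"]$/\1/p' "$1"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# grub_ok GRUBDEFAULT KEYPATH: cryptodisk modules enabled, and the kernel command
# line carries both cryptdevice= and cryptkey=rootfs:KEYPATH.
grub_ok() {
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$1" || return 1
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1")
    case " $cmdline " in *" cryptdevice="*) ;; *) return 1 ;; esac
    case " $cmdline " in *" cryptkey=rootfs:$2 "*) return 0 ;; *) return 1 ;; esac
}

# discards_allowed GRUBDEFAULT: true if :allow-discards is on cryptdevice=. TRIM
# then passes through the encryption layer and reveals which blocks are unused.
discards_allowed() {
    grep -q '^GRUB_CMDLINE_LINUX=".*cryptdevice=[^ "]*:allow-discards' "$1"
}

# keyfile_perms_ok FILE: the on-disk copy must not be readable by group or others
# (chmod 000 is the usual choice; root can still read it).
keyfile_perms_ok() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# preflight ROOT KEYPATH: ROOT is the installed system's root (/mnt from the
# installation image, / once booted); KEYPATH is the keyfile path within that
# root, exactly as written in FILES= and cryptkey=. Non-zero on any failure.
preflight() {
    root=${1%/}; mk="$root/etc/mkinitcpio.conf"; gr="$root/etc/default/grub"; rc=0
    hooks_ok "$mk"              || { echo "FAIL: HOOKS order in $mk (encrypt < lvm2 < filesystems)"; rc=1; }
    keyfile_in_files "$mk" "$2" || { echo "FAIL: $2 not listed in FILES= in $mk"; rc=1; }
    grub_ok "$gr" "$2"          || { echo "FAIL: cryptodisk/cryptdevice/cryptkey in $gr"; rc=1; }
    keyfile_perms_ok "$root$2"  || { echo "FAIL: $root$2 missing or readable by group/others"; rc=1; }
    discards_allowed "$gr"      && echo "NOTE: allow-discards is set on cryptdevice in $gr"
    return $rc
}

# write_samples DIR: constructed sample trees. "good" follows the guide; "bad"
# has the hooks reversed, an empty FILES=, no cryptkey= and a world-readable key.
write_samples() {
    mkdir -p "$1/good/etc/default" "$1/bad/etc/default"
    cat > "$1/good/etc/mkinitcpio.conf" <<'EOF'
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
EOF
    cat > "$1/good/etc/default/grub" <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=00000000-0000-0000-0000-000000000000:cryptlvm:allow-discards cryptkey=rootfs:/crypto_keyfile.bin"
EOF
    cat > "$1/bad/etc/mkinitcpio.conf" <<'EOF'
FILES=()
HOOKS=(base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck)
EOF
    cat > "$1/bad/etc/default/grub" <<'EOF'
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=00000000-0000-0000-0000-000000000000:cryptlvm"
EOF
    for d in good bad; do
        dd if=/dev/urandom of="$1/$d/crypto_keyfile.bin" bs=512 count=8 2>/dev/null
    done
    chmod 000 "$1/good/crypto_keyfile.bin"
    chmod 644 "$1/bad/crypto_keyfile.bin"
}

tmp=$(mktemp -d)
write_samples "$tmp"
preflight "$tmp/good" /crypto_keyfile.bin && echo "good sample: all checks passed"
preflight "$tmp/bad"  /crypto_keyfile.bin || echo "bad sample: rejected"
rm -rf "$tmp"
```

The checks only read the configuration files; they do not prove the initramfs and grub.cfg were actually regenerated afterwards, so still rerun mkinitcpio and grub-mkconfig after any fix.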