You are not logged in.

#1 2016-08-11 16:19:34

From: Chicagoland
Registered: 2016-07-31
Posts: 36

Multi-Drive, Dual Boot, Full Disk Encryption (including swap) install

Hello everyone,

I know this may be asking for a bit much, but I was wondering if someone could perhaps give me a start-to-finish walkthrough of setting up Full Disk Encryption for my Arch system. I've been reading whatever relevant documentation I can find and due to my lack of knowledge, it's starting to become like navigating a maze. So I was hoping someone might be kind enough to help me out. I've gone through the Base install quite a few times at this point following the Beginner's Guide so I at least feel comfortable with that, it's the encryption that's throwing me for a loop. I'm also switching between attempts on a VirtualBox installation (MBR/BIOS) while at work just for testing and practice, and my actual machine (GPT/UEFI) while at home, changing the necessary steps where appropriate.

Apologies in advance about the formatting, I don't know BBCode sad

Drive Setup:

60GB SSD - root and swap (used to be /dev/sda back when I was running Ubuntu, now /dev/sdb for some reason)
1TB HDD - /home (used to be /dev/sdc, now /dev/sdd)
1TB HDD - extra storage, doesn't need to be encrypted as the drive is failing anyway, I don't really use it anymore
500GB HDD - Windows 10 installation (unencrypted) (used to be /dev/sdd, now /dev/sda)

Desired Outcome:
- Boot computer, UEFI required for dual booting
- GRUB loads, gives me choice to boot Arch or Windows, either one works fine
- Arch has FDE, including swap (I don't usually sleep/hibernate but it would be nice to have that support if I ever needed to)
- Arch asks for passphrase for the encryption partitions (I realize this will have to happen at least twice due to using two drives)
- Arch encryption unlocks upon entering correct passphrase, use system normally. All data, including swap, remains secure through sleep/hibernations, reboots, and shutdowns

Arch Wiki Documentation I've Consulted: … ire_system … reparation … l_clearing … encryption … _.28SSD.29 … partitions

Other Documentation I've Consulted: … ncryption/  -  (this guide doesn't include swap though)  -  (this seems to be the best example to follow that I've found, unfortunately the comments/directions assume that the user isn't a noob like myself)

My Questions/Problems:

1. I have 16GB of RAM, do I even need swap? Although as I said, I don't usually sleep/hibernate, but it would be nice to be able to if I ever wanted to, so after some confusion I've decided that I would like encrypted swap; however I'm open to suggestions if anyone has a better opinion

2. Should I use LVM? Based on ( … sk_support) it seems that LVM on LUKS is the easiest way to gain encrypted swap with suspend to disk support, but again I'm open to suggestions if anyone has a better opinion. The complication comes into play if there's more than one drive being used, which is addressed at the bottom.

3. Upon after the complete install following ( as an example, modifying it only for the presence of the second drive as this guide was written for a single drive, Arch asks me for the password to my encrypted home volume, but says it can't find the encrypted root volume that has root and swap. I think it's because of this ( … partitions), which is addressed at the end, and is where I'm getting stuck.

Steps I've Done:

1. Fill both SSD and HDD with random noise, as per ( … ic_methods) (the empty disk section). Afterwards, I found out that filling an SSD completely can reduce performance, and when trying to clear memory cells the drive is Frozen (see memory cell clearing article) and the hot (re)plugging of the SSD doesn't allow it to become unfrozen, so I guess I just have to leave it now. (this step does not apply on VirtualBox, only my actual home system)

2. Reboot to clear the noise containers and start with the actual partitioning and container creation (or just starting with fresh drives when testing in VirtualBox)

3. Following a combination of the Beginners' Guide, the howtoforge article, and the above gist link, but with some minor changes:

# confirm the correct drives

# /dev/sdb is the SSD, /dev/sdd is the HDD
# /dev/sda is the windows install
# it used to be completely different, not sure why the drive letters changed

parted /dev/sdb
mklabel gpt    # or msdos if testing on virtualbox
mkpart EFS fat32 0% 350MiB  # or mkpart primary ext4 0% 350MiB if on virtualbox
set 1 boot on
print # to confirm

mkpart primary ext4 350MiB 100%
name 1 boot  # not applicable on msdos 
name 2 root   # not applicable on msdos
print # confirming again

mkfs.fat -F32 /dev/sdb1     # boot/EFI partition
mkfs.ext4 /dev/sdb2
    # output: "Discarding device blocks"? never seen this output before, only happened on my SSD at home

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdb2
cryptsetup luksOpen /dev/sdb2 cryptroot

# LVM partitions in the cryptsetup container
pvcreate /dev/mapper/cryptroot
vgcreate ssd /dev/mapper/cryptroot
lvcreate --size 17G ssd --name swap
lvcreate -l +100%FREE ssd --name root

# Format the encrypted LVM volumes
mkfs.ext4 /dev/mapper/ssd-root
mkswap /dev/mapper/ssd-swap

# Repeat these steps for the HDD for /home, /dev/sdd
parted /dev/sdd
mklabel gpt
mkpart primary ext4 0% 100%
name 1 home

# format partition
mkfs.ext4 /dev/sdd1

# encrypted container
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdd1
cryptsetup luksOpen /dev/sdd1 crypthome

# LVM on encrypted container
pvcreate /dev/mapper/crypthome
vgcreate hdd /dev/mapper/crypthome
lvcreate -l +100%FREE ssd --name home

# mount to /mnt
mount /dev/mapper/ssd-root /mnt
mkdir /mnt/boot
mount /dev/sdb1 /mnt/boot      # boot/EFI partition
swapon /dev/mapper/ssd-swap
mkdir /mnt/home
mount /dev/mapper/hdd-home /mnt/home

# Pacstrap
pacstrap -i /mnt base base-devel vim grub-efi-x86_64 efibootmgr   # or just "base base-devel vim grub" if on virtualbox msdos

# Generate fstab
genfstab -U >> /mnt/etc/fstab

# make tmp ramdisk (I don't know why this is done, it's just in the aforementioned gist instructions)
# add the following line to /mnt/etc/fstab
tmpfs      /tmp     tmpfs     defaults,noatime,mode=1777     0     0

# Chroot
arch-chroot /mnt /bin/bash

# Uncomment languages in /etc/locale.gen
en_US.UTF-8 UTF-8
ar_SA.UTF-8 UTF-8


# vim /etc/locale.conf
LANGUAGE=en_US.UTF-8     # idk what this does, not listed in beginner's guide
LC_ALL=C     # idk what this does, not listed in beginner's guide
# not sure how to add support for second language at this stage, I'd like to be able to switch between English and Arabic but that's not important now

# tzselect America/Chicago
ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
hwclock --systohc --utc

# Hostname
echo arch > /etc/hostname

# add hostname to /etc/hosts
vim /etc/hosts

# edit mkinitcpio to add hooks
vim /etc/mkinitcpio.conf
# add 'ext4' to MODULES
# add 'encrypt' and 'lvm2' immediately before 'filesystem' (after 'blocks' I think)

# generate initrd image
mkinitcpio -p linux

# If EFI (home system)
grub-install --target=x86_64-efi --efi-directory=/dev/sdb1 --bootloader-id=grub
# If MBR (vbox test system)
grub-install --target=i386-pc /dev/sda

# In /etc/default/grub edit the line
# GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdxX:luks:allow-discards"
#                                    not sure what cryptdevice to specify here^
# then run
#  grub-mkconfig -o /boot/grub/grub.cfg (MBR)
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:luks:allow-discards,cryptdevice=/dev/sdb1:luks:allow-discards" # No idea if this is correct
grub-mkconfig -o /boot/grub/grub.cfg

Now here's where I get stuck

According to this ( … partitions) it seems that I need to edit [/lib/initcpio/hooks/encrypt]. The directions say:

" Maybe you have a requirement for using the encrypt hook on a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in /lib/initcpio/hooks/encrypt (the first one to your /dev/sd* partition, the second to the name you want to attribute). That should be enough."

When I [vim /lib/initcpio/hooks/encrypt], it opens a pretty substantially large bash script that I don't really understand (I understand that there are if statements, loops, etc, but I don't know what any of them actually do). However, I was able to use vim's search and find a block that says:


I'm pretty sure this is what I'm looking for because I wasn't able to find any other text that matches these values exactly as written in the above quoted wiki directions. So my question at this point is, what do I type here now? I've tried this entire process without this step of edting [/lib/initcpio/hooks/encrypt], and upon boot it will successfully locate and ask me to unlock the encrypted /home volume, but it cannot find the root and swap volumes, so it's unable to boot and it drops me to an emergency shell, at which point I can't really do anything except power cycle the machine and start from the beginning.

Error code:

And also, am I perhaps barking up the wrong tree here and there's an easier way to do this? Or am I on the right track? I'm starting to wonder where this Arch=simplicity thing came from tongue

So can someone either:

A) Tell me how to proceed from here
B) Point out where I'm going wrong?
C) Give me a better way to achieve my Desired Outcome ?

Thanks in advance!

Last edited by abdulhakeem (2016-08-11 20:25:39)

And the worldly life is not but amusement and diversion; but the home of the Hereafter is best for those who fear Allah, so will you not reason? {6:32}


Board footer

Powered by FluxBB