@Waltibaba
Last active November 1, 2020 21:25
# to install with full disk encryption and more than 1 partition, you need to either
* enter your passphrase once for each encrypted partition (and your partition layout is visible to anyone who holds the disk)
* install a helper that feeds a single passphrase to every encrypted partition
* put all the partitions into LVM on top of one LUKS container and decrypt once (at the cost of an extra abstraction layer)
with EFI + GRUB + LVM on a big LUKS on /dev/sda, these are the steps:
1. partition: a small (~300MB) ESP for EFI as /dev/sda1, and a large partition for LUKS as /dev/sda2
2. encrypt /dev/sda2
`cryptsetup -v --type luks --iter-time 5000 --verify-passphrase luksFormat /dev/sda2`
--iter-time sets the PBKDF2 benchmark target in milliseconds (5000 here, above the default), so each unlock takes about five seconds and offline guessing of the passphrase is slowed by the same factor
3. open (unlock) the LUKS partition /dev/sda2 as "cryptdrive" (this can be any name); it then appears as /dev/mapper/cryptdrive
`cryptsetup open /dev/sda2 cryptdrive`
4. create LVM inside it:
`pvcreate /dev/mapper/cryptdrive`
`vgcreate someVG /dev/mapper/cryptdrive`
`lvcreate -L 1G someVG -n swap` # change size, only if you want swap
`lvcreate -L 10G someVG -n root` # change size
`lvcreate -l 100%FREE someVG -n home` # change size/extent, only if you want separate home
lv names don't matter, this is my convention
5. mkfs/mkswap for /dev/someVG/{swap,root,home}, and format the ESP:
`mkfs.fat -F32 /dev/sda1` # ESP needs to be fat32
6. mount the root LV at /mnt, then home at /mnt/home and /dev/sda1 (the ESP) at /mnt/boot
7. pacstrap, arch-chroot into the new root, and do whatever else the arch install guide says
8. in /etc/mkinitcpio.conf, add keyboard, keymap, encrypt, and lvm2 to HOOKS. mine is this:
`HOOKS="base udev autodetect keyboard keymap modconf block resume encrypt lvm2 filesystems fsck"`
9. in /etc/default/grub, add the UUID of /dev/sda2 (the LUKS partition) and the root LV to the kernel params in GRUB_CMDLINE_LINUX, and enable cryptodisk:
`GRUB_ENABLE_CRYPTODISK=y`
`quiet cryptdevice=UUID=<UUID of /dev/sda2>:crypt:allow-discards root=/dev/someVG/root ...` paste the bare UUID, without the `UUID=` prefix or the quotes that blkid prints
10. easiest way to get a kernel and initramfs into /boot is to reinstall the linux, mkinitcpio and grub packages (or run `mkinitcpio -p linux`)
11. `mkdir /boot/grub /boot/EFI`
`grub-mkconfig -o /boot/grub/grub.cfg`
12. `grub-install --target=x86_64-efi --recheck --efi-directory=/boot/EFI` (might have to be /boot: grub-install creates its own EFI/ subdirectory under --efi-directory, which is why pointing it at /boot/EFI has produced a /boot/EFI/EFI/... subdirectory before)
13. exit the chroot, `sync` disks, reboot, ???, profit
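Before rebooting, it is worth checking steps 8 and 9 offline, since a wrong hook order or a mistyped UUID only shows up as an unbootable system. The script below is an added example, not part of the gist: it never touches a disk, it only takes strings and file paths, so it can be run inside the chroot against the real /etc/mkinitcpio.conf and /boot/grub/grub.cfg. The mapper name `cryptdrive` and VG name `someVG` are the gist's own; the UUID and the grub.cfg line in the demo are constructed. Note that the gist's HOOKS line passes the encrypt/lvm2 ordering check but places `resume` before `lvm2`; because the swap LV lives inside the LVM that lives inside LUKS, the Arch wiki places `resume` after `lvm2` for hibernation to work, which the second check flags.

```shell
#!/bin/sh
# Added offline sanity checks for the mkinitcpio HOOKS line and the GRUB
# cryptdevice= kernel parameter (example code, not from the gist).
# Nothing here modifies a disk or a config file.

# Reduce whatever blkid/lsblk printed (UUID="...", UUID=..., or a bare value)
# to the bare UUID, check its shape, and print the cryptdevice= parameter that
# belongs in GRUB_CMDLINE_LINUX.  Args: <uuid string> <mapper name> <vg name>
cryptdevice_param() {
    uuid=$(printf '%s' "$1" | sed -e 's/^UUID=//' -e 's/^"//' -e 's/"$//')
    if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        printf 'not a bare lowercase UUID: %s\n' "$1" >&2
        return 1
    fi
    printf 'cryptdevice=UUID=%s:%s:allow-discards root=/dev/%s/root\n' "$uuid" "$2" "$3"
}

# 1-based position of hook $2 in the space-separated HOOKS string $1; 0 if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then printf '%s\n' "$i"; return 0; fi
    done
    printf '0\n'
}

# The initramfs can only unlock LUKS and then activate LVM if the hooks run in
# this order: keyboard and keymap before encrypt (so the passphrase can be
# typed), encrypt before lvm2 (the PV is inside the LUKS container), and
# lvm2 before filesystems (root is an LV).
hooks_order_ok() {
    kb=$(hook_index "$1" keyboard); km=$(hook_index "$1" keymap)
    enc=$(hook_index "$1" encrypt);  lvm=$(hook_index "$1" lvm2)
    fs=$(hook_index "$1" filesystems)
    if [ "$kb" -gt 0 ] && [ "$km" -gt 0 ] && [ "$enc" -gt "$kb" ] && [ "$enc" -gt "$km" ] \
       && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]; then
        return 0
    fi
    return 1
}

# Hibernation to a swap LV needs the resume hook after lvm2; otherwise the swap
# device does not exist yet when resume looks for it.  Passes when there is no
# resume hook at all.
resume_after_lvm2() {
    res=$(hook_index "$1" resume); lvm=$(hook_index "$1" lvm2)
    if [ "$res" -eq 0 ] || [ "$res" -gt "$lvm" ]; then return 0; fi
    return 1
}

# Does the generated grub.cfg carry a cryptdevice= entry for this UUID?
# Args: <path to grub.cfg> <bare uuid>
grub_cfg_has_cryptdevice() {
    grep -q "cryptdevice=UUID=$2:" "$1"
}

# Demo on the gist's own HOOKS line (constructed inputs; no real disk involved).
GIST_HOOKS="base udev autodetect keyboard keymap modconf block resume encrypt lvm2 filesystems fsck"
hooks_order_ok "$GIST_HOOKS" && echo "HOOKS: keyboard/encrypt/lvm2/filesystems order OK"
resume_after_lvm2 "$GIST_HOOKS" || echo "HOOKS: resume runs before lvm2; move it after lvm2 for hibernation to the swap LV"
cryptdevice_param 'UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"' cryptdrive someVG
```

In the chroot, `cryptdevice_param "$(blkid -s UUID -o value /dev/sda2)" crypt someVG` prints the exact parameter to paste into GRUB_CMDLINE_LINUX, and after step 11 `grub_cfg_has_cryptdevice /boot/grub/grub.cfg "$(blkid -s UUID -o value /dev/sda2)"` confirms grub-mkconfig actually carried it into grub.cfg.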