<div id="readability-page-1" class="page"><div lang="en" dir="ltr" id="mw-content-text"><p><span>
</span>
The following are examples of common scenarios of full system encryption with <i>dm-crypt</i>. They explain all the adaptations that need to be done to the normal <a href="https://wiki.archlinux.org/title/Installation_guide" title="Installation guide">installation procedure</a>. All the necessary tools are on the <a rel="nofollow" href="https://archlinux.org/download/">installation image</a>.
</p><p>If you want to encrypt an existing unencrypted file system, see <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypt_an_existing_unencrypted_file_system" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Encrypt an existing unencrypted file system</a>.
</p>
<p></p><h2 id="Overview">Overview</h2><p></p>
<p>Securing a root file system is where <i>dm-crypt</i> excels, feature and performance-wise. Unlike selectively encrypting non-root file systems, an encrypted root file system can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as <a href="https://wiki.archlinux.org/title/Locate" title="Locate">locate</a> and <code>/var/log/</code>. Furthermore, an encrypted root file system makes tampering with the system far more difficult, as everything except the <a href="https://wiki.archlinux.org/title/Boot_loader" title="Boot loader">boot loader</a> and (usually) the kernel is encrypted.
</p><p>All scenarios illustrated in the following share these advantages, other pros and cons differentiating them are summarized below:
</p>
<table>
<tbody><tr>
<th>Scenarios
</th>
<th>Advantages
</th>
<th>Disadvantages
</th></tr>
<tr>
<td><a href="#LUKS_on_a_partition">#LUKS on a partition</a>
<p>shows a basic and straightforward set-up for a fully LUKS encrypted root.
</p>
</td>
<td>
<ul><li>Simple partitioning and setup</li>
<li>On a GPT partitioned disk, <a href="https://wiki.archlinux.org/title/Systemd#GPT_partition_automounting" title="Systemd">systemd can auto-mount</a> the root partition.</li></ul>
</td>
<td>
<ul><li>Inflexible; disk-space to be encrypted has to be pre-allocated</li></ul>
</td></tr>
<tr>
<td><a href="#LUKS_on_a_partition_with_TPM2_and_Secure_Boot">#LUKS on a partition with TPM2 and Secure Boot</a>
<p>Similar to the example above, with Secure Boot and TPM2 providing additional layers of security.
</p>
</td>
<td>
<p>Same advantages as above, and
</p>
<ul><li>Secure Boot allows protection against <a href="https://en.wikipedia.org/wiki/Evil_maid_attack" title="wikipedia:Evil maid attack">Evil maid attacks</a></li>
<li>TPM2 prevents the system from being unlocked if Secure Boot is disabled or modified</li></ul>
</td>
<td>
<ul><li>Same disadvantages as above.</li></ul>
</td></tr>
<tr>
<td><a href="#LVM_on_LUKS">#LVM on LUKS</a>
<p>achieves partitioning flexibility by using LVM inside a single LUKS encrypted partition.
</p>
</td>
<td>
<ul><li>Simple partitioning with knowledge of LVM</li>
<li>Only one key required to unlock all volumes (e.g. easy resume-from-disk setup)</li>
<li>Volume layout not visible when locked</li>
<li>Easiest method to allow <a href="https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#With_suspend-to-disk_support" title="Dm-crypt/Swap encryption">suspension to disk</a></li></ul>
</td>
<td>
<ul><li>LVM adds an additional mapping layer and hook</li>
<li>Less useful if a single volume should receive a separate key</li>
<li>If you have several LVM physical volumes (PVs) in a volume group that you want to use inside LUKS, then each physical volume must be encrypted separately using LUKS. In order to use them, all containers must be unlocked individually before the volume group is activated during system boot.</li></ul>
</td></tr>
<tr>
<td><a href="#LUKS_on_LVM">#LUKS on LVM</a>
<p>uses dm-crypt only after the LVM is setup.
</p>
</td>
<td>
<ul><li>LVM can be used to have encrypted volumes span multiple disks</li>
<li>Easy mix of un-/encrypted volume groups</li></ul>
</td>
<td>
<ul><li>Complex; changing volumes requires changing encryption mappers too</li>
<li>Volumes require individual keys</li>
<li>LVM layout is visible when locked</li>
<li>Slower boot time; each encrypted LV must be unlocked separately</li></ul>
</td></tr>
<tr>
<td><a href="#LUKS_on_software_RAID">#LUKS on software RAID</a>
<p>uses dm-crypt only after RAID is setup.
</p>
</td>
<td>
<ul><li>Analogous to LUKS on LVM</li></ul>
</td>
<td>
<ul><li>Analogous to LUKS on LVM and Encrypted boot partition (GRUB)</li></ul>
</td></tr>
<tr>
<td><a href="#Plain_dm-crypt">#Plain dm-crypt</a>
<p>uses dm-crypt plain mode, i.e. without a LUKS header and its options for multiple keys.
</p><p>This scenario also employs USB devices for <code>/boot</code> and key storage, which may be applied to the other scenarios.
</p>
</td>
<td>
<ul><li>Data resilience for cases where a LUKS header may be damaged</li>
<li>Allows <a href="https://en.wikipedia.org/wiki/Deniable_encryption" title="wikipedia:Deniable encryption">deniable encryption</a></li>
<li>Helps addressing <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)" title="Dm-crypt/Specialties">problems</a> with SSDs</li></ul>
</td>
<td>
<ul><li>Great care with all encryption parameters is required</li>
<li>Single encryption key and no option to change it</li>
<li>Very complicated setup for a regularly used system</li></ul>
</td></tr>
<tr>
<td><a href="#Encrypted_boot_partition_(GRUB)">#Encrypted boot partition (GRUB)</a>
<p>shows how to encrypt the boot partition using the GRUB boot loader.
</p><p>This scenario also employs an EFI system partition, which may be applied to the other scenarios.
</p>
</td>
<td>
<ul><li>Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example)</li>
<li>Less data is left unencrypted, i.e. the boot loader and the EFI system partition, if present</li></ul>
</td>
<td>
<ul><li>Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example)</li>
<li>More complicated configuration</li>
<li>Not supported by other boot loaders</li>
<li><a href="https://wiki.archlinux.org/title/GRUB/Tips_and_tricks#Speeding_up_LUKS_decryption_in_GRUB" title="GRUB/Tips and tricks">GRUB takes a long time to unlock LUKS</a>, thus slowing down boot</li></ul>
</td></tr>
<tr>
<td><a href="#Root_on_ZFS">#Root on ZFS</a>
</td>
<td>
<ul><li>In the case of an encrypted <code>zpool</code>, all datasets are contained inside the same cryptographic environment, making it easy to dual-boot and share data across installs.</li>
<li>Backups can be made to a destination with an unencrypted zfs setup. Snapshots will be <a rel="nofollow" href="https://freebsdfoundation.org/our-work/journal/browser-based-edition/storage-and-filesystems/protecting-data-with-zfs-native-encryption/#:~:text=As%20you%20have%20seen%2C%20ZFS,able%20to%20mount%20the%20dataset.">encrypted natively on the destination</a>.</li></ul>
</td>
<td>
<ul><li><a rel="nofollow" href="https://openzfs.github.io/openzfs-docs/man/v2.2/8/zfs-load-key.8.html">ZFS will not encrypt</a> metadata related to the pool structure, including dataset and snapshot names, dataset hierarchy, properties, file size, file holes, and deduplication tables (though the deduplicated data itself is encrypted).</li>
<li>Pool creation requires more in-depth knowledge of disk geometry, including setting the block size (<code>ashift</code>) for best performance.</li>
<li>ZFS has some caveats with its own implementation of <code>aes</code> and some encryption algorithms <a rel="nofollow" href="https://github.com/openzfs/zfs/issues/15276">may not perform well</a>.</li>
<li>Swap on a <code>zvol</code> or in a file inside a dataset is an <a rel="nofollow" href="https://github.com/openzfs/zfs/issues/7734">old and well-known issue</a> with no workaround other than placing your swap in another partition or LV and disabling suspend to disk (see below).</li></ul>
</td></tr></tbody></table>
<p>While all above scenarios provide much greater protection from outside threats than encrypted secondary file systems, they also share a common disadvantage: any user in possession of the encryption key is able to decrypt the entire drive, and therefore can access other users' data. If that is of concern, it is possible to use a combination of block device and stacked file system encryption and reap the advantages of both. See <a href="https://wiki.archlinux.org/title/Data-at-rest_encryption" title="Data-at-rest encryption">Data-at-rest encryption</a> to plan ahead.
</p><p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#Partitioning" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation#Partitioning</a> for a general overview of the partitioning strategies used in the scenarios.
</p><p>Another area to consider is whether to set up an encrypted swap partition and what kind. See <a href="https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption" title="Dm-crypt/Swap encryption">dm-crypt/Swap encryption</a> for alternatives.
</p><p>If you intend to protect the system's data not only against physical theft, but also require precautions against logical tampering, see <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Securing_the_unencrypted_boot_partition" title="Dm-crypt/Specialties">dm-crypt/Specialties#Securing the unencrypted boot partition</a> for further possibilities after following one of the scenarios.
</p><p>For <a href="https://wiki.archlinux.org/title/Solid_state_drive" title="Solid state drive">solid state drives</a> you might want to consider enabling TRIM support, but be warned, there are potential security implications. See <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)" title="Dm-crypt/Specialties">dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD)</a> for more information.
</p>
<div><p><strong>Warning</strong></p><ul><li>In any scenario, never use file system repair software such as <a href="https://wiki.archlinux.org/title/Fsck" title="Fsck">fsck</a> directly on an encrypted volume, or it will destroy any means to recover the key used to decrypt your files. Such tools must be used on the decrypted (opened) device instead.</li>
<li>The Argon2 key derivation function has a high RAM usage per design, defaulting to 1 GiB per encrypted mapper. Machines with low RAM and/or multiple LUKS2 partitions unlocked in parallel may error on boot. See the <code>--pbkdf-memory</code> option to control memory usage.<a rel="nofollow" href="https://gitlab.com/cryptsetup/cryptsetup/issues/372">[1]</a></li>
<li>GRUB's support for LUKS2 is limited; see <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a> for details. Use LUKS2 with PBKDF2 (<code>cryptsetup luksFormat --pbkdf pbkdf2</code>) for partitions that GRUB will need to unlock.</li>
<li>Waking up from suspend to disk on a ZFS dataset can corrupt your pool, so be extra careful when setting up hibernation even if swap is placed outside the zvol. <a rel="nofollow" href="https://github.com/openzfs/zfs/issues/260#issuecomment-991912492">Reference here</a>.</li></ul>
</div>
<p></p><h2 id="LUKS_on_a_partition">LUKS on a partition</h2><p></p>
<p>This example covers a full system encryption with <i>dm-crypt</i> + LUKS in a simple partition layout:
</p>
<pre>+-----------------------+------------------------+-----------------------+
| Boot partition        | LUKS encrypted root    | Optional free space   |
|                       | partition              | for additional        |
|                       |                        | partitions to be set  |
| /boot                 | /                      | up later              |
|                       |                        |                       |
|                       | /dev/mapper/root       |                       |
|                       |------------------------|                       |
| /dev/sda1             | /dev/sda2              |                       |
+-----------------------+------------------------+-----------------------+
</pre>
<p>The first steps can be performed directly after booting the Arch Linux install image.
</p>
<p></p><h3 id="Preparing_the_disk">Preparing the disk</h3><p></p>
<p>Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>.
</p><p>Then create the needed partitions, at least one for <code>/</code> (e.g. <code>/dev/sda2</code>) and <code>/boot</code> (<code>/dev/sda1</code>). See <a href="https://wiki.archlinux.org/title/Partitioning" title="Partitioning">Partitioning</a>.
</p>
<p></p><h3 id="Preparing_non-boot_partitions">Preparing non-boot partitions</h3><p></p>
<p>This and the next section replace the instructions of <a href="https://wiki.archlinux.org/title/Installation_guide#Format_the_partitions" title="Installation guide">Installation guide#Format the partitions</a>.
</p><p>The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypting_devices_with_LUKS_mode" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Encrypting devices with LUKS mode</a>. If you want to use particular non-default encryption options (e.g. cipher, key length, sector size), see the <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode" title="Dm-crypt/Device encryption">encryption options</a> before executing the first command.
</p>
<pre># cryptsetup -v luksFormat /dev/sda2
# cryptsetup open /dev/sda2 root
</pre>
<p><a href="https://wiki.archlinux.org/title/Create_a_file_system" title="Create a file system">Create a file system</a> on unlocked LUKS device. For example, to create an <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> file system, run:
</p>
<pre># mkfs.ext4 /dev/mapper/root
</pre>
<p>Mount the root volume to <code>/mnt</code>:
</p>
<pre># mount /dev/mapper/root /mnt
</pre>
<p>Check the mapping works as intended:
</p>
<pre># umount /mnt
# cryptsetup close root
# cryptsetup open /dev/sda2 root
# mount /dev/mapper/root /mnt
</pre>
<p>If you created separate partitions (e.g. <code>/home</code>), these steps have to be adapted and repeated for all of them, <i>except</i> for <code>/boot</code>. See <a href="https://wiki.archlinux.org/title/Dm-crypt/Encrypting_a_non-root_file_system#Automated_unlocking_and_mounting" title="Dm-crypt/Encrypting a non-root file system">dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting</a> on how to handle additional partitions at boot.
</p><p>Note that each block device requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the root partition to unlock the separate partition via <code>crypttab</code>. See <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Using_LUKS_to_format_partitions_with_a_keyfile" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Using LUKS to format partitions with a keyfile</a> for instructions.
</p>
<p></p><h3 id="Preparing_the_boot_partition">Preparing the boot partition</h3><p></p>
<p>What you do have to set up is a non-encrypted <code>/boot</code> partition, which is needed for an encrypted root. For an <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> on UEFI systems, execute the following command to format the newly created partition:
</p>
<p><strong>Warning</strong> Only format the EFI system partition if you created it during the partitioning step. If there already was an EFI system partition on disk beforehand, reformatting it can destroy the boot loaders of other installed operating systems.</p>
<pre># mkfs.fat -F32 /dev/sda1
</pre>
<p>or for an ordinary boot partition on BIOS systems:
</p>
<pre># mkfs.ext4 /dev/sda1
</pre>
<p>Afterwards create the directory for the mountpoint and mount the partition:
</p>
<pre># mount --mkdir /dev/sda1 /mnt/boot
</pre>
<p></p><h3 id="Mounting_the_devices">Mounting the devices</h3><p></p>
<p>At the step <a href="https://wiki.archlinux.org/title/Installation_guide#Mount_the_file_systems" title="Installation guide">Installation guide#Mount the file systems</a>, you should mount the <code>/dev/mapper/*</code> devices (the contents of LUKS), not the actual partitions. Of course, the partition for <code>/boot</code>, which is not encrypted, should still be mounted directly. During installation, it should be mounted to <code>/mnt/boot</code> (assuming the device for the root file system is mounted to <code>/mnt</code> during installation).
</p>
<p></p><h3 id="Configuring_mkinitcpio">Configuring mkinitcpio</h3><p></p>
<p>Before following <a href="https://wiki.archlinux.org/title/Installation_guide#Initramfs" title="Installation guide">Installation guide#Initramfs</a> you must do the following to your new system:
</p><p>If using the default <a href="https://wiki.archlinux.org/title/Mkinitcpio" title="Mkinitcpio">systemd-based initramfs</a>, add the <code>keyboard</code> and <code>sd-encrypt</code> hooks to <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a>. If you use a non-US console keymap or a non-default console font, additionally add the <code>sd-vconsole</code> hook.
</p>
<pre>HOOKS=(base <b>systemd</b> autodetect microcode modconf kms <b>keyboard</b> <b>sd-vconsole</b> block <b>sd-encrypt</b> filesystems fsck)
</pre>
<p>If using a busybox-based initramfs, add the <code>keyboard</code> and <code>encrypt</code> hooks. If you use a non-US console keymap or a non-default console font, additionally add the <code>keymap</code> and <code>consolefont</code> hooks, respectively.
</p>
<pre>HOOKS=(base <b>udev</b> autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>encrypt</b> filesystems fsck)
</pre>
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a> after saving the changes. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details and other hooks that you may need.
</p>
<p></p><h3 id="Configuring_the_boot_loader">Configuring the boot loader</h3><p></p>
<p>In order to unlock the encrypted root partition at boot, the following <a href="https://wiki.archlinux.org/title/Kernel_parameters" title="Kernel parameters">kernel parameters</a> need to be set by the boot loader:
</p>
<pre>rd.luks.name=<i>device-UUID</i>=root root=/dev/mapper/root
</pre>
<p>If using the <code>encrypt</code> hook, the following need to be set instead:
</p>
<pre>cryptdevice=UUID=<i>device-UUID</i>:root root=/dev/mapper/root
</pre>
<p>The <code><i>device-UUID</i></code> refers to the UUID of the LUKS superblock. See <a href="https://wiki.archlinux.org/title/Persistent_block_device_naming" title="Persistent block device naming">Persistent block device naming</a> for details.
</p><p>Also see <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> for more details.
</p>
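<p>A common failure at first reboot is a HOOKS line and a kernel command line that do not agree with each other (the <code>encrypt</code> hook with <code>rd.luks.name=</code>, <code>sd-encrypt</code> without <code>systemd</code>, or <code>root=</code> pointing at the raw partition). The following POSIX shell script is an added example, not part of this page or of mkinitcpio: it checks the hook ordering shown in the two HOOKS lines above and verifies that the unlock parameter matches the hook in use; the HOOKS lines and the UUID used when running it are constructed inputs.</p>

```shell
#!/bin/sh
# Added example, not taken from the Arch wiki page or from mkinitcpio: checks
# for the two settings the page asks you to get right before rebooting, the
# HOOKS=() line of mkinitcpio.conf and the unlock parameters on the kernel
# command line. The ordering rules are those the page's two HOOKS lines show:
# keyboard and block before the encryption hook, filesystems after it, sd-*
# hooks together with systemd, encrypt and keymap/consolefont with udev.

# Print the 1-based position of hook $1 in the space-separated list $2, or 0.
hook_pos() {
    _i=0
    for _h in $2; do
        _i=$((_i + 1))
        [ "$_h" = "$1" ] && { echo "$_i"; return 0; }
    done
    echo 0
}

# Extract the list inside HOOKS=(...) from a mkinitcpio.conf line.
hooks_from_line() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*/\1/p'
}

# check_hooks LINE: print one line per problem found; return 1 if any.
check_hooks() {
    hooks=$(hooks_from_line "$1"); rc=0
    [ -n "$hooks" ] || { echo "no HOOKS=(...) line"; return 1; }
    systemd=$(hook_pos systemd "$hooks"); udev=$(hook_pos udev "$hooks")
    sdenc=$(hook_pos sd-encrypt "$hooks"); enc=$(hook_pos encrypt "$hooks")
    if [ "$sdenc" -eq 0 ] && [ "$enc" -eq 0 ]; then
        echo "missing encryption hook (sd-encrypt or encrypt)"; return 1
    fi
    crypt=$sdenc; [ "$crypt" -ne 0 ] || crypt=$enc
    [ "$sdenc" -eq 0 ] || [ "$enc" -eq 0 ] || { echo "use either sd-encrypt or encrypt, not both"; rc=1; }
    [ "$sdenc" -eq 0 ] || [ "$systemd" -ne 0 ] || { echo "sd-encrypt requires the systemd hook"; rc=1; }
    [ "$enc" -eq 0 ] || [ "$udev" -ne 0 ] || { echo "encrypt requires the udev hook"; rc=1; }
    [ "$(hook_pos sd-vconsole "$hooks")" -eq 0 ] || [ "$systemd" -ne 0 ] ||
        { echo "sd-vconsole requires the systemd hook"; rc=1; }
    for h in keymap consolefont; do
        [ "$(hook_pos "$h" "$hooks")" -eq 0 ] || [ "$systemd" -eq 0 ] ||
            { echo "$h is a busybox hook; with systemd use sd-vconsole"; rc=1; }
    done
    # keyboard and block must precede the encryption hook, filesystems must follow it.
    for h in keyboard block; do
        p=$(hook_pos "$h" "$hooks")
        [ "$p" -ne 0 ] || { echo "missing $h hook"; rc=1; continue; }
        [ "$p" -lt "$crypt" ] || { echo "$h must come before the encryption hook"; rc=1; }
    done
    [ "$(hook_pos filesystems "$hooks")" -gt "$crypt" ] ||
        { echo "filesystems hook missing or placed before the encryption hook"; rc=1; }
    return $rc
}

# check_cmdline HOOKS_LINE CMDLINE: the unlock parameter must match the hook in
# use (rd.luks.name= for sd-encrypt, cryptdevice=UUID= for encrypt, the forms
# shown on this page), carry a well-formed UUID, and root= must point at the
# mapper name the parameter defines.
check_cmdline() {
    hooks=$(hooks_from_line "$1"); rc=0; mapper=; rootdev=; uuid=
    uuid_re='[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}'
    for arg in $2; do
        case $arg in
        rd.luks.name=*)
            [ "$(hook_pos sd-encrypt "$hooks")" -ne 0 ] || { echo "rd.luks.name= needs the sd-encrypt hook"; rc=1; }
            v=${arg#rd.luks.name=}; uuid=${v%%=*}; mapper=${v#*=} ;;
        cryptdevice=UUID=*)
            [ "$(hook_pos encrypt "$hooks")" -ne 0 ] || { echo "cryptdevice= needs the encrypt hook"; rc=1; }
            v=${arg#cryptdevice=UUID=}; uuid=${v%%:*}; mapper=${v#*:}; mapper=${mapper%%:*} ;;
        root=*) rootdev=${arg#root=} ;;
        esac
    done
    [ -n "$mapper" ] || { echo "no rd.luks.name= or cryptdevice=UUID= parameter"; return 1; }
    printf '%s\n' "$uuid" | grep -q "^${uuid_re}\$" || { echo "malformed device UUID: $uuid"; rc=1; }
    [ "$rootdev" = "/dev/mapper/$mapper" ] || { echo "root= should be /dev/mapper/$mapper"; rc=1; }
    return $rc
}
```

On an installed system, feed it the real values with <code>check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"</code> and <code>check_cmdline "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" "$(cat /proc/cmdline)"</code>.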
<p><strong>Tip</strong> If the root partition is on the same disk as the <code>/boot</code> partition and your UEFI boot loader supports <a href="https://wiki.archlinux.org/title/Systemd#GPT_partition_automounting" title="Systemd">GPT partition automounting</a>, you can configure the <a href="https://en.wikipedia.org/wiki/GUID_Partition_Table#Partition_type_GUIDs" title="wikipedia:GUID Partition Table">partition type GUID</a> (type should be "Root partition", not "LUKS partition") and rely on <span title="$ man 8 systemd-gpt-auto-generator"><a rel="nofollow" href="https://man.archlinux.org/man/systemd-gpt-auto-generator.8">systemd-gpt-auto-generator(8)</a></span> instead of using the kernel parameters.</p>
<p></p><h2 id="LUKS_on_a_partition_with_TPM2_and_Secure_Boot">LUKS on a partition with TPM2 and Secure Boot</h2><p></p>
<p>This example is similar to <a href="#LUKS_on_a_partition">#LUKS on a partition</a>, but integrates the use of <a href="https://wiki.archlinux.org/title/Secure_Boot" title="Secure Boot">Secure Boot</a> and a <a href="https://wiki.archlinux.org/title/Trusted_Platform_Module" title="Trusted Platform Module">Trusted Platform Module</a> (TPM), enhancing the overall security of the boot process.
</p><p>In this configuration, only the <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> remains unencrypted, housing a <a href="https://wiki.archlinux.org/title/Unified_kernel_image" title="Unified kernel image">unified kernel image</a> and <a href="https://wiki.archlinux.org/title/Systemd-boot" title="Systemd-boot">systemd-boot</a>, both signed for use with Secure Boot. If Secure Boot is disabled or its key databases are tampered with, the TPM will not release the key to unlock the encrypted partition. This approach is akin to BitLocker on Windows or FileVault on macOS. A recovery key will also be created to make sure the data remains accessible in case of a problem with the TPM unlocking mechanism (unsigned boot loader or kernel update, firmware update, etc.). Optionally, a TPM PIN can be required at boot time to prevent fully automatic unlocking.
</p><p>Make sure to thoroughly read the discussion and warnings in <a href="https://wiki.archlinux.org/title/Trusted_Platform_Module#LUKS_encryption" title="Trusted Platform Module">Trusted Platform Module#LUKS encryption</a>.
</p><p>In this example, partitions are created respecting <a href="https://wiki.archlinux.org/title/Systemd#GPT_partition_automounting" title="Systemd">systemd#GPT partition automounting</a>, so there is no need for an fstab or crypttab file.
</p>
<pre>+-----------------------+---------------------------------+
| EFI system partition  | LUKS encrypted root partition   |
|                       |                                 |
|                       |                                 |
| /boot                 | /                               |
|                       |                                 |
|                       | /dev/mapper/root                |
|                       |---------------------------------|
| /dev/sda1             | /dev/sda2                       |
+-----------------------+---------------------------------+
</pre>
<p>Follow the <a href="https://wiki.archlinux.org/title/Installation_guide" title="Installation guide">Installation guide</a> up to step <a href="https://wiki.archlinux.org/title/Installation_guide#Partition_the_disks" title="Installation guide">Installation guide#Partition the disks</a>.
</p>
<p></p><h3 id="Preparing_the_disk_2">Preparing the disk</h3><p></p>
<p>Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>.
</p><p><a href="https://wiki.archlinux.org/title/Partition" title="Partition">Partition</a> the drive with the <a href="https://wiki.archlinux.org/title/GUID_Partition_Table" title="GUID Partition Table">GUID Partition Table</a> (GPT).
</p><p>Create an <a href="https://wiki.archlinux.org/title/EFI_system_partition#GPT_partitioned_disks" title="EFI system partition">EFI system partition</a> (e.g., <code>/dev/sda1</code>) with an appropriate size. This will be mounted at <code>/boot</code>.
</p><p>In the remaining space, create a root partition (e.g., <code>/dev/sda2</code>) that will be encrypted and mounted at <code>/</code>. Set the partition type GUID for the root partition using type "Linux root (x86-64)" in <a href="https://wiki.archlinux.org/title/Fdisk" title="Fdisk">fdisk</a> or type code <code>8304</code> in <a href="https://wiki.archlinux.org/title/Gdisk" title="Gdisk">gdisk</a>.
</p><p>Check the output of <code>fdisk -l</code> to make sure partition types are properly set.
</p>
<p></p><h3 id="Preparing_the_root_partition">Preparing the root partition</h3><p></p>
<p>The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encrypting_devices_with_LUKS_mode" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Encrypting devices with LUKS mode</a>.
</p><p>If you want to use particular non-default encryption options (e.g. cipher, key length), or if you don't want to use TPM based decryption, see the <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode" title="Dm-crypt/Device encryption">encryption options</a> before executing the first command.
</p>
<p><strong>Warning</strong> Use a sufficiently secure password. Even though the keyslot will be wiped later, SSD wear-leveling can cause it to persist after removal for an indefinite amount of time.</p>
<p>Create the LUKS volume and mount it:
</p>
<pre># cryptsetup luksFormat /dev/sda2
# cryptsetup open /dev/sda2 root
</pre>
<p><a href="https://wiki.archlinux.org/title/Create_a_file_system" title="Create a file system">Create a file system</a> on unlocked LUKS device. For example, to create an <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> file system, run:
</p>
<pre># mkfs.ext4 /dev/mapper/root
</pre>
<p>Mount the root volume to <code>/mnt</code>:
</p>
<pre># mount /dev/mapper/root /mnt
</pre>
<p></p><h3 id="Preparing_the_EFI_system_partition">Preparing the EFI system partition</h3><p></p>
<p>Format the newly created EFI system partition as instructed in <a href="https://wiki.archlinux.org/title/EFI_system_partition#Format_the_partition" title="EFI system partition">EFI system partition#Format the partition</a> and mount it afterwards.
</p>
<pre># mount --mkdir /dev/sda1 /mnt/boot
</pre>
<p>Continue the installation process until <a href="https://wiki.archlinux.org/title/Installation_guide#Initramfs" title="Installation guide">Installation guide#Initramfs</a>. You can skip <a href="https://wiki.archlinux.org/title/Installation_guide#Fstab" title="Installation guide">Installation guide#Fstab</a>.
</p>
<p></p><h3 id="Configuring_mkinitcpio_2">Configuring mkinitcpio</h3><p></p>
<p>To build a working systemd-based initramfs, modify the <code>HOOKS=</code> line in <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a> as follows:
</p>
<pre>HOOKS=(base <b>systemd</b> autodetect microcode modconf kms <b>keyboard</b> <b>sd-vconsole</b> block <b>sd-encrypt</b> filesystems fsck)
</pre>
<p>Next, see <a href="https://wiki.archlinux.org/title/Unified_kernel_image#mkinitcpio" title="Unified kernel image">Unified kernel image#mkinitcpio</a> to configure mkinitcpio for <a href="https://wiki.archlinux.org/title/Unified_kernel_image" title="Unified kernel image">Unified kernel images</a>.
</p><p>Do <b>not</b> regenerate the initramfs <b>yet</b>, as the <code>/boot/EFI/Linux</code> directory needs to be created by the boot loader installer first.
</p>
<p></p><h3 id="Installing_the_boot_loader">Installing the boot loader</h3><p></p>
<p>You can configure your system to directly boot the UEFI image without any boot loader, see <a href="https://wiki.archlinux.org/title/Unified_kernel_image#Directly_from_UEFI" title="Unified kernel image">Unified kernel image#Directly from UEFI</a>.
</p><p>If a boot loader is desired, continue installing <a href="https://wiki.archlinux.org/title/Systemd-boot" title="Systemd-boot">systemd-boot</a> with
</p>
<pre># bootctl install
</pre>
<p>The <a href="https://wiki.archlinux.org/title/Unified_kernel_image" title="Unified kernel image">Unified kernel image</a> generated by mkinitcpio will be automatically recognized and does not need an entry in <code>/boot/loader/entries/</code>.
</p><p>See <a href="https://wiki.archlinux.org/title/Systemd-boot#Updating_the_UEFI_boot_manager" title="Systemd-boot">systemd-boot#Updating the UEFI boot manager</a> and <a href="https://wiki.archlinux.org/title/Systemd-boot#Loader_configuration" title="Systemd-boot">systemd-boot#Loader configuration</a> for further configuration.
</p>
<p></p><h3 id="Finalizing_the_installation">Finalizing the installation</h3><p></p>
<p>First, <a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a>, and make sure the image generation is successful.
</p><p>Make sure you did not forget to <a href="https://wiki.archlinux.org/title/Installation_guide#Root_password" title="Installation guide">set a root password</a>, <a href="https://wiki.archlinux.org/title/Installation_guide#Reboot" title="Installation guide">reboot</a> to finish the installation.
</p>
<p></p><h3 id="Secure_Boot">Secure Boot</h3><p></p>
<p>You can now sign the boot loader executables and the EFI binary, in order to enable <a href="https://wiki.archlinux.org/title/Secure_Boot" title="Secure Boot">Secure Boot</a>. For a quick and easy way, see <a href="https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Assisted_process_with_sbctl" title="Unified Extensible Firmware Interface/Secure Boot">Unified Extensible Firmware Interface/Secure Boot#Assisted process with sbctl</a>.
|
||
|
|
</p>
<p></p><h3 id="Enrolling_the_TPM">Enrolling the TPM</h3><p></p>
<p>After signing the boot loader executables and enabling Secure Boot, you can now enroll the TPM in order to use it to unlock the LUKS volume. The following commands will remove the empty passphrase created during the LUKS format process, create a key bound to the TPM <a href="https://wiki.archlinux.org/title/Trusted_Platform_Module#Accessing_PCR_registers" title="Trusted Platform Module">PCR 7</a> (<a href="https://wiki.archlinux.org/title/Secure_Boot" title="Secure Boot">Secure Boot</a> state and enrolled certificates) and create a recovery key to be used in case of any problems. The policy additionally requires PCR 15 to still be all zeros: systemd-cryptsetup measures the volume key into PCR 15 once the root volume has been unlocked in the initramfs, so the TPM only releases the key before that point and not to a process in the already booted system. The TPM will release the key automatically as long as PCR 7 still matches the Secure Boot state present at enrollment, i.e. as long as the Secure Boot policy and the certificates used to verify the boot chain are unchanged. See <a href="https://wiki.archlinux.org/title/Systemd-cryptenroll#Trusted_Platform_Module" title="Systemd-cryptenroll">systemd-cryptenroll#Trusted Platform Module</a> and <span title="$ man 1 systemd-cryptenroll"><a rel="nofollow" href="https://man.archlinux.org/man/systemd-cryptenroll.1">systemd-cryptenroll(1)</a></span>.
</p>
<pre># systemd-cryptenroll /dev/sda2 --recovery-key
# systemd-cryptenroll /dev/sda2 --wipe-slot=empty --tpm2-device=auto --tpm2-pcrs=7+15:sha256=0000000000000000000000000000000000000000000000000000000000000000
</pre>
<div><p><strong>Note</strong></p><ul><li>If a passphrase was set during the LUKS format process, the corresponding keyslot should be wiped (e.g. <code>--wipe-slot=0</code>). Do this only after the recovery key has been written down and tested, otherwise a PCR mismatch leaves no way to unlock the volume.</li>
<li>You can list keyslots using <code>systemd-cryptenroll /dev/sda2</code>. See <a href="https://wiki.archlinux.org/title/Systemd-cryptenroll#List_keyslots" title="Systemd-cryptenroll">systemd-cryptenroll#List keyslots</a>.</li></ul>
</div>
<p><strong>Tip</strong> Add <code>--tpm2-with-pin=yes</code> to require an additional PIN to unlock at boot time.</p>
<div><p><strong>Warning</strong></p><ul><li>Make sure <a href="https://wiki.archlinux.org/title/Secure_Boot" title="Secure Boot">Secure Boot</a> is active and in user mode when binding to PCR 7. With Secure Boot disabled or the firmware in setup mode, PCR 7 no longer reflects a trusted boot chain and an unauthorized boot device could unlock the encrypted volume.</li>
<li>The value of PCR 7 changes whenever the firmware's Secure Boot certificates change, which can lock you out. This can happen implicitly through a firmware update via <a href="https://wiki.archlinux.org/title/Fwupd" title="Fwupd">fwupd</a><a rel="nofollow" href="https://raw.githubusercontent.com/systemd/systemd/ed272a9ff59a26beedaab508dd3c9d631de67165/TODO">[2]</a> or explicitly by rotating Secure Boot keys, so keep the recovery key at hand before doing either.</li></ul>
</div>
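<p>Before running the enrollment, the state the warning above asks for can be checked mechanically instead of trusting a firmware menu. The script below is an added example and is not part of this page or of systemd: it reads the <code>SecureBoot</code> and <code>SetupMode</code> variables straight from efivarfs, where each variable file consists of a 4-byte attribute word followed by the variable data. The directory argument, the helper names and the constructed variable files used by the demo are assumptions of the example; on a real system point it at <code>/sys/firmware/efi/efivars</code>.</p>

```shell
#!/bin/sh
# Added example (not from the Arch wiki or systemd): pre-flight check of the
# Secure Boot state before binding a LUKS key to PCR 7.  On a live system pass
# /sys/firmware/efi/efivars; each efivarfs file is a 4-byte attribute word
# followed by the variable data, so the first data byte sits at offset 4.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE

# efivar_byte DIR NAME -> prints the first data byte as a decimal number;
# returns 1 if the variable is missing (e.g. the system was booted via BIOS).
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# secure_boot_user_mode DIR -> 0 when SecureBoot=1 and SetupMode=0, 1 otherwise.
# Binding to PCR 7 is only meaningful in that state: with Secure Boot off any
# boot medium reproduces the PCR 7 value, and in setup mode db/KEK can be
# rewritten without authentication.
secure_boot_user_mode() {
    sb=$(efivar_byte "$1" SecureBoot) || { echo "SecureBoot variable absent: not booted via UEFI"; return 1; }
    sm=$(efivar_byte "$1" SetupMode)  || { echo "SetupMode variable absent"; return 1; }
    if [ "$sb" != 1 ]; then
        echo "Secure Boot is disabled (SecureBoot=$sb): PCR 7 would not protect the key"
        return 1
    fi
    if [ "$sm" != 0 ]; then
        echo "firmware is in setup mode (SetupMode=$sm): enroll keys and leave setup mode first"
        return 1
    fi
    echo "Secure Boot enabled and in user mode: safe to bind to PCR 7"
}

# write_fake_efivar DIR NAME 0|1 -- constructed test data mimicking efivarfs,
# not real firmware state: attributes NV+BS+RT (0x7) followed by one data byte.
write_fake_efivar() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    printf '\007\000\000\000' > "$f"
    case $3 in
        0) printf '\000' >> "$f" ;;
        1) printf '\001' >> "$f" ;;
        *) echo "unsupported value $3" >&2; return 1 ;;
    esac
}

# Demo on constructed variables; use /sys/firmware/efi/efivars for a real check.
d=$(mktemp -d)
write_fake_efivar "$d" SecureBoot 1
write_fake_efivar "$d" SetupMode 0
secure_boot_user_mode "$d" || true
write_fake_efivar "$d" SetupMode 1
secure_boot_user_mode "$d" || true
rm -rf "$d"
```

<p>Run <code>secure_boot_user_mode /sys/firmware/efi/efivars</code> as root before the <code>systemd-cryptenroll</code> call; a non-zero exit means the PCR 7 binding would not be worth anything yet.</p>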
<p></p><h2 id="LVM_on_LUKS">LVM on LUKS</h2><p></p>
<p>The straightforward method is to set up <a href="https://wiki.archlinux.org/title/LVM" title="LVM">LVM</a> on top of the encrypted partition instead of the other way round. Technically, LVM is set up inside one big encrypted block device. Hence, the logical volumes are not visible until the block device is unlocked and the volume structure inside it is scanned and activated during boot.
</p><p>The disk layout in this example is:
</p>
<pre>+-----------------------------------------------------------------------+ +----------------+
| Logical volume 1      | Logical volume 2      | Logical volume 3      | | Boot partition |
|                       |                       |                       | |                |
| [SWAP]                | /                     | /home                 | | /boot          |
|                       |                       |                       | |                |
| /dev/MyVolGroup/swap  | /dev/MyVolGroup/root  | /dev/MyVolGroup/home  | |                |
|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _| | (may be on     |
|                                                                       | | other device)  |
|                       LUKS encrypted partition                        | |                |
|                               /dev/sda1                               | | /dev/sdb1      |
+-----------------------------------------------------------------------+ +----------------+
</pre>
<div><p><strong>Tip</strong> Two variants of this setup:
</p><ul><li>Instructions at <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header" title="Dm-crypt/Specialties">dm-crypt/Specialties#Encrypted system using a detached LUKS header</a> use this setup with a detached LUKS header on a USB device to achieve a two factor authentication with it.</li>
<li>Instructions at <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_/boot_and_a_detached_LUKS_header_on_USB" title="Dm-crypt/Specialties">dm-crypt/Specialties#Encrypted /boot and a detached LUKS header on USB</a> use this setup with a detached LUKS header, encrypted <code>/boot</code> partition, and encrypted keyfile all on a USB device.</li></ul>
</div>
<p></p><h3 id="Preparing_the_disk_3">Preparing the disk</h3><p></p>
<p>Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>.
</p>
<p><a href="https://wiki.archlinux.org/title/Installation_guide#Partition_the_disks" title="Installation guide">Create a partition</a> to be mounted at <code>/boot</code> with a size of 1 GiB or more.
</p>
<p>Create a partition which will later contain the encrypted container.
</p><p>Create the LUKS encrypted container at the designated partition. Enter the chosen password twice.
</p>
<pre># cryptsetup luksFormat /dev/sda1
</pre>
<p>For more information about the available cryptsetup options see the <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode" title="Dm-crypt/Device encryption">LUKS encryption options</a> prior to running the above command.
</p><p>Open the container:
</p>
<pre># cryptsetup open /dev/sda1 cryptlvm
</pre>
<p>The decrypted container is now available at <code>/dev/mapper/cryptlvm</code>.
</p>
<p></p><h3 id="Preparing_the_logical_volumes">Preparing the logical volumes</h3><p></p>
<p>Create a physical volume on top of the opened LUKS container:
</p>
<pre># pvcreate /dev/mapper/cryptlvm
</pre>
<p>Create a volume group (in this example named <code>MyVolGroup</code>, but it can be whatever you want) and add the previously created physical volume to it:
</p>
<pre># vgcreate MyVolGroup /dev/mapper/cryptlvm
</pre>
<p>Create all your logical volumes on the volume group:
</p>
<p><strong>Tip</strong> If a logical volume will be formatted with <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">ext4</a>, leave at least 256 MiB free space in the volume group to allow using <span title="$ man 8 e2scrub"><a rel="nofollow" href="https://man.archlinux.org/man/e2scrub.8">e2scrub(8)</a></span>. After creating the last volume with <code>-l 100%FREE</code>, this can be accomplished by reducing its size with <code>lvreduce -L -256M MyVolGroup/home</code>.</p>
<pre># lvcreate -L 4G -n swap MyVolGroup
# lvcreate -L 32G -n root MyVolGroup
# lvcreate -l 100%FREE -n home MyVolGroup
</pre>
<p><a href="https://wiki.archlinux.org/title/Format" title="Format">Format</a> your file systems on each logical volume. For example, using <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> for the root and home volumes:
</p>
<pre># mkfs.ext4 /dev/MyVolGroup/root
# mkfs.ext4 /dev/MyVolGroup/home
# mkswap /dev/MyVolGroup/swap
</pre>
<p>Mount your file systems:
</p>
<pre># mount /dev/MyVolGroup/root /mnt
# mount --mkdir /dev/MyVolGroup/home /mnt/home
# swapon /dev/MyVolGroup/swap
</pre>
<p></p><h3 id="Preparing_the_boot_partition_2">Preparing the boot partition</h3><p></p>
<p>The boot loader loads the kernel, <a href="https://wiki.archlinux.org/title/Initramfs" title="Initramfs">initramfs</a>, and its own configuration files from the <code>/boot</code> directory. Any file system on a disk that can be read by the boot loader is eligible.
</p><p>Create a <a href="https://wiki.archlinux.org/title/File_system" title="File system">file system</a> on the partition intended for <code>/boot</code>. For an <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> on UEFI systems, execute the following command to format the newly created partition:
</p>
<p><strong>Warning</strong> Only format the EFI system partition if you created it during the partitioning step. If there already was an EFI system partition on disk beforehand, reformatting it can destroy the boot loaders of other installed operating systems.</p>
<pre># mkfs.fat -F32 /dev/sdb1
</pre>
<p>or for an ordinary boot partition on BIOS systems:
</p>
<pre># mkfs.ext4 /dev/sdb1
</pre>
<p>Mount the partition to <code>/mnt/boot</code>:
</p>
<pre># mount --mkdir /dev/sdb1 /mnt/boot
</pre>
<p>At this point resume the common <a href="https://wiki.archlinux.org/title/Installation_guide#Installation" title="Installation guide">Installation guide#Installation</a> steps. Return to this page to customize the <a href="https://wiki.archlinux.org/title/Installation_guide#Initramfs" title="Installation guide">Initramfs</a> and <a href="https://wiki.archlinux.org/title/Installation_guide#Boot_loader" title="Installation guide">Boot loader</a> steps.
</p>
<p></p><h3 id="Configuring_mkinitcpio_3">Configuring mkinitcpio</h3><p></p>
<p>Make sure the <span><a rel="nofollow" href="https://archlinux.org/packages/?name=lvm2">lvm2</a></span> package is <a href="https://wiki.archlinux.org/title/Install" title="Install">installed</a>.
</p><p>If using the default systemd-based initramfs, add the <code>keyboard</code>, <code>sd-encrypt</code> and <code>lvm2</code> hooks to <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a>. If you use a non-US console keymap or a non-default console font, additionally add the <code>sd-vconsole</code> hook.
</p>
<pre>HOOKS=(base <b>systemd</b> autodetect microcode modconf kms <b>keyboard</b> <b>sd-vconsole</b> block <b>sd-encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p>If using a busybox-based initramfs, instead add the <code>keyboard</code>, <code>encrypt</code> and <code>lvm2</code> hooks. If you use a non-US console keymap or a non-default console font, additionally add the <code>keymap</code> and <code>consolefont</code> hooks, respectively.
</p>
<pre>HOOKS=(base <b>udev</b> autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a> after saving the changes. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details and other hooks that you may need.
</p>
<p></p><h3 id="Configuring_the_boot_loader_2">Configuring the boot loader</h3><p></p>
<p>In order to unlock the encrypted root partition at boot, the following <a href="https://wiki.archlinux.org/title/Kernel_parameters" title="Kernel parameters">kernel parameters</a> need to be set by the boot loader:
</p>
<pre>rd.luks.name=<i>device-UUID</i>=cryptlvm root=/dev/MyVolGroup/root
</pre>
<p>If using the <code>encrypt</code> hook, the following needs to be set instead:
</p>
<pre>cryptdevice=UUID=<i>device-UUID</i>:cryptlvm root=/dev/MyVolGroup/root
</pre>
<p>The <code><i>device-UUID</i></code> refers to the UUID of the LUKS superblock, in this example it is the UUID of <code>/dev/sda1</code> e.g. <code>a144e931-7580-40bf-ae8c-6beff4c1ac45</code>. See <a href="https://wiki.archlinux.org/title/Persistent_block_device_naming" title="Persistent block device naming">Persistent block device naming</a> for details.
</p><p>If using <a href="https://wiki.archlinux.org/title/Dracut" title="Dracut">dracut</a>, these parameters are known to work:
</p>
<pre>rd.luks.uuid=<i>device-UUID</i> root=/dev/MyVolGroup/root
</pre>
<p>If those alone do not bring up the volume group, a more extensive list of parameters to try is:
</p>
<pre>rd.luks.uuid=luks-<i>deviceUUID</i> rd.lvm.lv=<i>MyVolGroup</i>/root rd.lvm.lv=<i>MyVolGroup</i>/swap root=/dev/mapper/<i>MyVolGroup</i>-root rootfstype=ext4 rootflags=rw,relatime
</pre>
<p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> for details.
</p>
<p></p><h2 id="LUKS_on_LVM">LUKS on LVM</h2><p></p>
<p>To use encryption on top of <a href="https://wiki.archlinux.org/title/LVM" title="LVM">LVM</a>, the LVM volumes are set up first and then used as the base for the encrypted partitions. This way, a mixture of encrypted and non-encrypted volumes/partitions is possible as well.
</p>
<p><strong>Tip</strong> Unlike <a href="#LVM_on_LUKS">#LVM on LUKS</a>, this method allows normally spanning the logical volumes over multiple disks.</p>
<p>The following short example creates a LUKS on LVM setup and mixes in the use of a keyfile for the <code>/home</code> volume and a temporary encrypted volume for swap. The latter is considered desirable from a security perspective, because no potentially sensitive temporary data survives a reboot: the swap volume is set up with a fresh random key every time the system starts. If you are experienced with LVM, you will be able to ignore/replace LVM and other specifics according to your plan.
</p><p>If you want to span a logical volume over multiple disks that have already been set up, or expand the logical volume for <code>/home</code> (or any other volume), a procedure to do so is described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Expanding_LVM_on_multiple_disks" title="Dm-crypt/Specialties">dm-crypt/Specialties#Expanding LVM on multiple disks</a>. It is important to note that the LUKS encrypted container has to be resized as well.
</p>
<p></p><h3 id="Preparing_the_disk_4">Preparing the disk</h3><p></p>
<p>Partitioning scheme:
</p>
<pre>+----------------+-------------------------------------------------------------------------------------------------+
| Boot partition | dm-crypt plain encrypted volume | LUKS encrypted volume         | LUKS encrypted volume         |
|                |                                 |                               |                               |
| /boot          | [SWAP]                          | /                             | /home                         |
|                |                                 |                               |                               |
|                | /dev/mapper/swap                | /dev/mapper/root              | /dev/mapper/home              |
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
|                | Logical volume 1                | Logical volume 2              | Logical volume 3              |
|                | /dev/MyVolGroup/cryptswap       | /dev/MyVolGroup/cryptroot     | /dev/MyVolGroup/crypthome     |
|                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
|                |                                                                                                 |
| /dev/sda1      |                                            /dev/sda2                                            |
+----------------+-------------------------------------------------------------------------------------------------+
</pre>
<p>Randomise <code>/dev/sda2</code> according to <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_device_or_partition" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation#dm-crypt wipe on an empty device or partition</a>.
</p>
<p></p><h3 id="Preparing_the_logical_volumes_2">Preparing the logical volumes</h3><p></p>
<pre># pvcreate /dev/sda2
# vgcreate MyVolGroup /dev/sda2
# lvcreate -L 4G -n cryptswap MyVolGroup
# lvcreate -L 32G -n cryptroot MyVolGroup
# lvcreate -l 100%FREE -n crypthome MyVolGroup
</pre>
<pre># cryptsetup luksFormat /dev/MyVolGroup/cryptroot
# cryptsetup open /dev/MyVolGroup/cryptroot root
</pre>
<p><a href="https://wiki.archlinux.org/title/Create_a_file_system" title="Create a file system">Create a file system</a> on unlocked LUKS device and mount it. For example, to create an <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> file system, run:
</p>
<pre># mkfs.ext4 /dev/mapper/root
# mount /dev/mapper/root /mnt
</pre>
<p>More information about the encryption options can be found in <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Encryption options for LUKS mode</a>.
Note that <code>/home</code> will be encrypted in <a href="#Encrypting_logical_volume_/home">#Encrypting logical volume /home</a>.
</p>
<p><strong>Tip</strong> If you ever have to access the encrypted root from the Arch ISO, the above <code>open</code> command will unlock it once the LVM volumes have been activated; see <a href="https://wiki.archlinux.org/title/LVM#Logical_volumes_do_not_show_up" title="LVM">LVM#Logical volumes do not show up</a> if <code>/dev/MyVolGroup/cryptroot</code> is missing.</p>
<p></p><h3 id="Preparing_the_boot_partition_3">Preparing the boot partition</h3><p></p>
<p>Create a <a href="https://wiki.archlinux.org/title/File_system" title="File system">file system</a> on the partition intended for <code>/boot</code>. For an <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> on UEFI systems, execute the following command to format the newly created partition:
</p>
<p><strong>Warning</strong> Only format the EFI system partition if you created it during the partitioning step. If there already was an EFI system partition on disk beforehand, reformatting it can destroy the boot loaders of other installed operating systems.</p>
<pre># mkfs.fat -F32 /dev/sda1
</pre>
<p>or for an ordinary boot partition on BIOS systems:
</p>
<pre># mkfs.ext4 /dev/sda1
</pre>
<p>Afterwards create the directory for the mountpoint and mount the partition:
</p>
<pre># mount --mkdir /dev/sda1 /mnt/boot
</pre>
<p></p><h3 id="Configuring_mkinitcpio_4">Configuring mkinitcpio</h3><p></p>
<p>Make sure the <span><a rel="nofollow" href="https://archlinux.org/packages/?name=lvm2">lvm2</a></span> package is <a href="https://wiki.archlinux.org/title/Install" title="Install">installed</a>.
</p><p>If using the default systemd-based initramfs, add the <code>keyboard</code>, <code>sd-encrypt</code> and <code>lvm2</code> hooks to <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a>. If you use a non-US console keymap or a non-default console font, additionally add the <code>sd-vconsole</code> hook.
</p>
<pre>HOOKS=(base <b>systemd</b> autodetect microcode modconf kms <b>keyboard</b> <b>sd-vconsole</b> block <b>sd-encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p>If using a busybox-based initramfs, instead add the <code>keyboard</code>, <code>encrypt</code> and <code>lvm2</code> hooks. If you use a non-US console keymap or a non-default console font, additionally add the <code>keymap</code> and <code>consolefont</code> hooks, respectively.
</p>
<pre>HOOKS=(base <b>udev</b> autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a> after saving the changes. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details and other hooks that you may need.
</p>
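<p>Getting this line wrong (a hook missing, or <code>encrypt</code> combined with the <code>systemd</code> hook) produces an initramfs that never prompts for the passphrase, and the mistake only shows up at the next reboot. The script below is an added example, not part of this page or of mkinitcpio; it checks a <code>HOOKS</code> line against the rules stated here and in the identical mkinitcpio step of <a href="#LVM_on_LUKS">#LVM on LUKS</a> above. The function names, the optional <code>lvm</code> argument and the constructed <code>HOOKS</code> lines in the demo are assumptions of the example.</p>

```shell
#!/bin/sh
# Added example (not from the Arch wiki or mkinitcpio): check the HOOKS=(...)
# line of mkinitcpio.conf for an encrypted root before regenerating the
# initramfs.  Rules, as this page states them: exactly one of sd-encrypt
# (systemd init) or encrypt (busybox init); keyboard and block ahead of it;
# keymap ahead of encrypt; lvm2 present for LVM on LUKS and ahead of filesystems.

# index_of NAME WORD... -> 1-based position of NAME among WORDs, 0 if absent
index_of() {
    needle=$1; shift
    i=1
    for w in "$@"; do
        if [ "$w" = "$needle" ]; then echo "$i"; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

problem() { echo "  - $1"; errors=$((errors + 1)); }

# check_hooks 'HOOKS=(...)' [lvm] -> prints each problem found; returns 0 if
# the line is usable, 1 if not, 2 if no HOOKS=(...) line was given.
check_hooks() {
    need_lvm=${2:-}
    hooks=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p')
    if [ -z "$hooks" ]; then
        echo "  - no HOOKS=(...) line found"
        return 2
    fi
    # shellcheck disable=SC2086  # splitting the hook list into words is intended
    set -- $hooks
    errors=0
    init=$(index_of systemd "$@")
    sdenc=$(index_of sd-encrypt "$@")
    enc=$(index_of encrypt "$@")
    if [ "$sdenc" -eq 0 ] && [ "$enc" -eq 0 ]; then
        problem "neither sd-encrypt nor encrypt present: the root volume would never be unlocked"
        return 1
    fi
    if [ "$sdenc" -gt 0 ] && [ "$enc" -gt 0 ]; then
        problem "both sd-encrypt and encrypt present: use exactly one"
    fi
    if [ "$sdenc" -gt 0 ]; then
        unlock=$sdenc
        [ "$init" -gt 0 ] || problem "sd-encrypt needs the systemd hook in place of udev"
    else
        unlock=$enc
        [ "$init" -eq 0 ] || problem "encrypt is a busybox runtime hook; with the systemd hook use sd-encrypt"
        keymap=$(index_of keymap "$@")
        if [ "$keymap" -gt "$unlock" ]; then
            problem "keymap must precede encrypt, otherwise the passphrase prompt uses the US layout"
        fi
    fi
    for pre in keyboard block; do
        pos=$(index_of "$pre" "$@")
        if [ "$pos" -eq 0 ]; then
            problem "$pre hook missing"
        elif [ "$pos" -gt "$unlock" ]; then
            problem "$pre must precede the unlock hook"
        fi
    done
    lvm=$(index_of lvm2 "$@")
    fs=$(index_of filesystems "$@")
    [ "$need_lvm" != lvm ] || [ "$lvm" -gt 0 ] || problem "lvm2 hook missing: the root LV inside the container would not be activated"
    [ "$fs" -gt 0 ] || problem "filesystems hook missing"
    if [ "$fs" -gt 0 ] && [ "$fs" -lt "$unlock" ]; then
        problem "filesystems must come after the unlock hook"
    fi
    if [ "$lvm" -gt 0 ] && [ "$fs" -gt 0 ] && [ "$lvm" -gt "$fs" ]; then
        problem "lvm2 must precede filesystems"
    fi
    [ "$errors" -eq 0 ]
}

# Demo on constructed lines: this page's systemd line and a broken one.
GOOD='HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt lvm2 filesystems fsck)'
BAD='HOOKS=(base systemd autodetect microcode modconf kms block filesystems encrypt fsck)'
for line in "$GOOD" "$BAD"; do
    echo "$line"
    if check_hooks "$line" lvm; then echo "  ok"; fi
done
```

<p>Feed it the live line with <code>check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" lvm</code> before running <code>mkinitcpio -P</code>; the second demo line is rejected for four separate reasons.</p>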
<p></p><h3 id="Configuring_the_boot_loader_3">Configuring the boot loader</h3><p></p>
<p>In order to unlock the encrypted root partition at boot, the following <a href="https://wiki.archlinux.org/title/Kernel_parameters" title="Kernel parameters">kernel parameters</a> need to be set by the boot loader:
</p>
<pre>rd.luks.name=<i>device-UUID</i>=root root=/dev/mapper/root
</pre>
<p>If using the <code>encrypt</code> hook, the following needs to be set instead:
</p>
<pre>cryptdevice=UUID=<i>device-UUID</i>:root root=/dev/mapper/root
</pre>
<p>The <code><i>device-UUID</i></code> refers to the UUID of the LUKS superblock, in this example it is the UUID of <code>/dev/MyVolGroup/cryptroot</code> e.g. <code>a144e931-7580-40bf-ae8c-6beff4c1ac45</code>. See <a href="https://wiki.archlinux.org/title/Persistent_block_device_naming" title="Persistent block device naming">Persistent block device naming</a> for details.
</p><p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> for details.
</p>
<p></p><h3 id="Configuring_fstab_and_crypttab">Configuring fstab and crypttab</h3><p></p>
<p><a href="https://wiki.archlinux.org/title/Crypttab" title="Crypttab">crypttab</a> entries are required to unlock the devices and <a href="https://wiki.archlinux.org/title/Fstab" title="Fstab">fstab</a> entries to mount the file systems. The following crypttab line sets up the swap volume with a fresh random key on every boot, so its previous contents are unrecoverable after each reboot; the <code>swap</code> option is what makes systemd-cryptsetup run <code>mkswap</code> on the freshly keyed device:
</p>
<pre>/etc/crypttab</pre>
<pre>swap /dev/MyVolGroup/cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256,sector-size=4096</pre>
<pre>/etc/fstab</pre>
<pre>/dev/mapper/root / ext4 defaults 0 1
UUID=<i>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</i> /boot ext4 defaults 0 2
/dev/mapper/swap none swap defaults 0 0</pre>
<p></p><h3 id="Encrypting_logical_volume_/home"><span id="Encrypting_logical_volume_.2Fhome"></span>Encrypting logical volume /home</h3><p></p>
<p>Since this scenario uses LVM as the primary and dm-crypt as the secondary mapper, each encrypted logical volume needs its own LUKS container and key. Yet, unlike the temporary swap volume configured with volatile encryption above, the logical volume for <code>/home</code> should of course be persistent. The following assumes you have rebooted into the installed system, otherwise you have to adjust paths.
To save on entering a second passphrase at boot, a <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Keyfiles" title="Dm-crypt/Device encryption">keyfile</a> is created and stored root-only on the (itself encrypted) root file system:
</p>
<pre># dd bs=512 count=4 if=/dev/random iflag=fullblock | install -D -m 0600 /dev/stdin /etc/cryptsetup-keys.d/home.key
</pre>
<p>(<code>install -D</code> creates <code>/etc/cryptsetup-keys.d/</code> if it does not exist yet.)
</p>
<p>The logical volume is encrypted with it:
</p>
<pre># cryptsetup luksFormat -v /dev/MyVolGroup/crypthome /etc/cryptsetup-keys.d/home.key
# cryptsetup -d /etc/cryptsetup-keys.d/home.key open /dev/MyVolGroup/crypthome home
</pre>
<p><a href="https://wiki.archlinux.org/title/Create_a_file_system" title="Create a file system">Create a file system</a> on unlocked LUKS device and mount it. For example, to create an <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> file system, run:
</p>
<pre># mkfs.ext4 /dev/mapper/home
# mount /dev/mapper/home /home
</pre>
<p>The encrypted mount is configured in both <a href="https://wiki.archlinux.org/title/Crypttab" title="Crypttab">crypttab</a> and <a href="https://wiki.archlinux.org/title/Fstab" title="Fstab">fstab</a>. The key field is left as <code>none</code>: systemd-cryptsetup then looks for a keyfile named after the mapping in <code>/etc/cryptsetup-keys.d/</code> (here <code>home.key</code>) and only falls back to a passphrase prompt if it finds none, see <span title="$ man 5 crypttab"><a rel="nofollow" href="https://man.archlinux.org/man/crypttab.5">crypttab(5)</a></span>:
</p>
<pre>/etc/crypttab</pre>
<pre>home /dev/MyVolGroup/crypthome none
</pre>
<pre>/etc/fstab</pre>
<pre>/dev/mapper/home /home ext4 defaults 0 2
</pre>
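<p>Three files have to agree before the first reboot: every crypttab mapping needs an fstab entry, a <code>none</code> key needs a matching mode 0600 keyfile in the keys directory, and a <code>/dev/urandom</code> key must only ever be combined with the <code>swap</code> or <code>tmp</code> option, since a random key recreates the device on every boot. The script below checks exactly that for both <a href="#Configuring_fstab_and_crypttab">#Configuring fstab and crypttab</a> and this section. It is an added example and not code from this page or from systemd; the file paths are parameters so it can be pointed at a chroot, the demo runs it on constructed copies of the lines above, and GNU <code>stat -c</code> is assumed.</p>

```shell
#!/bin/sh
# Added example (not from the Arch wiki or systemd): cross-check crypttab,
# fstab and the cryptsetup-keys.d directory of a LUKS on LVM system before
# the first reboot.  Assumes GNU coreutils (stat -c).  Paths are arguments so
# the check can be run against a chroot or, as in the demo, constructed files.

problem() { echo "  - $1"; errors=$((errors + 1)); }

# check_crypt_layout CRYPTTAB FSTAB KEYDIR -> 0 if consistent, 1 otherwise
check_crypt_layout() {
    crypttab=$1 fstab=$2 keydir=$3
    errors=0
    while read -r name device key opts; do
        case $name in ''|'#'*) continue ;; esac
        mapper=/dev/mapper/$name
        grep -q "^[[:space:]]*$mapper[[:space:]]" "$fstab" \
            || problem "$name: nothing in fstab mounts $mapper"
        case $key in
            none|-|'')
                # systemd-cryptsetup looks for <name>.key in the keys directory
                # and prompts for a passphrase if it is absent.
                keyfile=$keydir/$name.key
                if [ -f "$keyfile" ]; then
                    mode=$(stat -c '%a' "$keyfile")
                    [ "$mode" = 600 ] || problem "$name: $keyfile has mode $mode, expected 600"
                else
                    echo "  ! $name: no $keyfile, a passphrase will be asked for at boot"
                fi ;;
            /dev/urandom|/dev/random)
                # A random key means the device is recreated on every boot; without
                # the swap or tmp option that wipes persistent data on the device.
                case ",$opts," in
                    *,swap,*|*,tmp,*) ;;
                    *) problem "$name: random key on $device without the swap or tmp option destroys its contents at every boot" ;;
                esac ;;
            *)
                [ -f "$key" ] || problem "$name: keyfile $key does not exist" ;;
        esac
    done < "$crypttab"
    [ "$errors" -eq 0 ]
}

# make_sample_layout DIR -- writes constructed files mirroring this page's
# LUKS on LVM example (crypttab, fstab, keys/home.key) into DIR.
make_sample_layout() {
    mkdir -p "$1/keys"
    cat > "$1/crypttab" <<'EOF'
swap /dev/MyVolGroup/cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256,sector-size=4096
home /dev/MyVolGroup/crypthome none
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/home /home ext4 defaults 0 2
/dev/mapper/swap none swap defaults 0 0
EOF
    printf 'constructed placeholder, not a real key\n' > "$1/keys/home.key"
    chmod 600 "$1/keys/home.key"
}

# Demo: the sample layout passes; a world-readable keyfile is reported.
d=$(mktemp -d)
make_sample_layout "$d"
if check_crypt_layout "$d/crypttab" "$d/fstab" "$d/keys"; then echo "layout ok"; fi
chmod 644 "$d/keys/home.key"
check_crypt_layout "$d/crypttab" "$d/fstab" "$d/keys" || echo "fix before rebooting"
rm -rf "$d"
```

<p>On the installed system run <code>check_crypt_layout /etc/crypttab /etc/fstab /etc/cryptsetup-keys.d</code>; a mapping without a keyfile is only reported, not treated as an error, because prompting for a passphrase is a valid configuration.</p>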
<p></p><h2 id="LUKS_on_software_RAID">LUKS on software RAID</h2><p></p>
<p>This example is based on a real-world setup for a workstation class laptop equipped with two SSDs of equal size, and an additional HDD for bulk storage. The end result is LUKS based full disk encryption (including <code>/boot</code>) for all drives, with the SSDs in a <a href="https://wiki.archlinux.org/title/RAID" title="RAID">RAID0</a> array, and keyfiles used to unlock all encryption after <a href="https://wiki.archlinux.org/title/GRUB" title="GRUB">GRUB</a> is given a correct passphrase at boot.
</p><p>This setup utilizes a very simplistic partitioning scheme, with all the available RAID storage being mounted at <code>/</code> (no separate <code>/boot</code> partition), and the decrypted HDD being mounted at <code>/data</code>.
</p><p>Please note that regular <a href="https://wiki.archlinux.org/title/System_backup" title="System backup">backups</a> are very important in this setup. If either of the SSDs fail, the data contained in the RAID array will be practically impossible to recover. You may wish to select a different <a href="https://wiki.archlinux.org/title/RAID#Standard_RAID_levels" title="RAID">RAID level</a> if fault tolerance is important to you.
</p><p>The encryption is not deniable in this setup.
</p><p>For the sake of the instructions below, the following block devices are used:
</p>
<pre>/dev/sda = first SSD
/dev/sdb = second SSD
/dev/sdc = HDD
</pre>
<pre>+---------------------+---------------------------+---------------------------+ +---------------------+---------------------------+---------------------------+ +---------------------------+
| BIOS boot partition | EFI system partition      | LUKS encrypted volume     | | BIOS boot partition | EFI system partition      | LUKS encrypted volume     | | LUKS encrypted volume     |
|                     |                           |                           | |                     |                           |                           | |                           |
|                     | /efi                      | /                         | |                     | /efi                      | /                         | | /data                     |
|                     |                           |                           | |                     |                           |                           | |                           |
|                     |                           | /dev/mapper/root          | |                     |                           | /dev/mapper/root          | |                           |
|                     +---------------------------+---------------------------+ |                     +---------------------------+---------------------------+ |                           |
|                     | RAID1 array (part 1 of 2) | RAID0 array (part 1 of 2) | |                     | RAID1 array (part 2 of 2) | RAID0 array (part 2 of 2) | |                           |
|                     |                           |                           | |                     |                           |                           | |                           |
|                     | /dev/md/ESP               | /dev/md/root              | |                     | /dev/md/ESP               | /dev/md/root              | | /dev/mapper/data          |
|                     +---------------------------+---------------------------+ |                     +---------------------------+---------------------------+ +---------------------------+
| /dev/sda1           | /dev/sda2                 | /dev/sda3                 | | /dev/sdb1           | /dev/sdb2                 | /dev/sdb3                 | | /dev/sdc1                 |
+---------------------+---------------------------+---------------------------+ +---------------------+---------------------------+---------------------------+ +---------------------------+
</pre>
<p>Be sure to substitute them with the appropriate device designations for your setup, as they may be different.
</p>
<p></p><h3 id="Preparing_the_disks">Preparing the disks</h3><p></p>
<p>Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>.
</p><p>For <a href="https://wiki.archlinux.org/title/GRUB#BIOS_systems" title="GRUB">BIOS systems</a> with GPT, create a <a href="https://wiki.archlinux.org/title/BIOS_boot_partition" title="BIOS boot partition">BIOS boot partition</a> with size of 1 MiB for GRUB to store the second stage of BIOS boot loader. Do not mount the partition.
</p><p>For <a href="https://wiki.archlinux.org/title/GRUB#UEFI_systems" title="GRUB">UEFI systems</a> create an <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> with an appropriate size, it will later be mounted at <code>/efi</code>.
</p><p>In the remaining space on the drive create a partition (<code>/dev/sda3</code> in this example) for "Linux RAID". Choose partition type ID <code>fd</code> for MBR or partition type GUID <code>A19D880F-05FC-4D3B-A006-743F0F84911E</code> for GPT.
</p><p>Once partitions have been created on <code>/dev/sda</code>, the following commands can be used to clone them to <code>/dev/sdb</code>.
</p>
<pre># sfdisk -d /dev/sda > sda.dump
# sfdisk /dev/sdb < sda.dump
</pre>
<p>The HDD is prepared with a single Linux partition covering the whole drive at <code>/dev/sdc1</code>.
</p>
<p></p><h3 id="Building_the_RAID_array">Building the RAID array</h3><p></p>
<p>Create the RAID array for the SSDs.
</p>
<div><p><strong>Note</strong></p><ul><li>All members of an EFI system partition RAID array must be individually usable by the firmware, which means the ESP can only be placed in a RAID1 array.</li>
<li>The RAID superblock must be placed at the end of the EFI system partition using <code>--metadata=1.0</code>, otherwise the firmware will not be able to access the partition.</li></ul>
</div>
<pre># mdadm --create --verbose --level=1 --metadata=1.0 --raid-devices=2 /dev/md/ESP /dev/sda2 /dev/sdb2
</pre>
<p>This example utilizes RAID0 for root, you may wish to substitute a different level based on your preferences or requirements.
</p>
<pre># mdadm --create --verbose --level=0 --metadata=1.2 --raid-devices=2 /dev/md/root /dev/sda3 /dev/sdb3
</pre>
<p></p><h3 id="Preparing_the_block_devices">Preparing the block devices</h3><p></p>
<p>As explained in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>, the devices are wiped with random data utilizing <code>/dev/zero</code> and a crypt device with a random key. Alternatively, you could use <code>dd</code> with <code>/dev/random</code> or <code>/dev/urandom</code>, though it will be much slower.
</p>
<pre># cryptsetup open --type plain --sector-size 4096 --key-file /dev/urandom /dev/md/root to_be_wiped
# dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress
# cryptsetup close to_be_wiped
</pre>
<p>And repeat above for the HDD (<code>/dev/sdc1</code> in this example).
</p><p>Set up encryption for <code>/dev/md/root</code>:
</p>
<p><strong>Warning</strong> GRUB's support for LUKS2 is limited; see <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a> for details. Use LUKS2 with PBKDF2 (<code>cryptsetup luksFormat --pbkdf pbkdf2</code>) for partitions that GRUB will need to unlock.</p>
|
||
|
|
<pre># cryptsetup -v luksFormat --pbkdf pbkdf2 /dev/md/root
|
||
|
|
# cryptsetup open /dev/md/root root
|
||
|
|
</pre>
|
||
|
|
<p><a href="https://wiki.archlinux.org/title/Create_a_file_system" title="Create a file system">Create a file system</a> on unlocked LUKS device. For example, to create an <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">Ext4</a> file system, run:
|
||
|
|
</p>
|
||
|
|
<pre># mkfs.ext4 /dev/mapper/root
|
||
|
|
</pre>
|
||
|
|
<p>Mount the root volume to <code>/mnt</code>:
|
||
|
|
</p>
|
||
|
|
<pre># mount /dev/mapper/root /mnt
|
||
|
|
</pre>
|
||
|
|
<p>And repeat for the HDD:
|
||
|
|
</p>
|
||
|
|
<pre># cryptsetup -v luksFormat /dev/sdc1
|
||
|
|
# cryptsetup open /dev/sdc1 data
|
||
|
|
# mkfs.ext4 /dev/mapper/data
|
||
|
|
# mount --mkdir /dev/mapper/data /mnt/data
|
||
|
|
</pre>
|
||
|
|
<p>For UEFI systems, format the newly created EFI system partition and mount it:
|
||
|
|
</p>
|
||
|
|
<p><strong>Warning</strong> Only format the EFI system partition if you created it during the partitioning step. If there already was an EFI system partition on disk beforehand, reformatting it can destroy the boot loaders of other installed operating systems.</p>
|
||
|
|
<pre># mkfs.fat -F32 /dev/md/ESP
|
||
|
|
# mount --mkdir /dev/md/ESP /mnt/efi
|
||
|
|
</pre>
|
||
|
|
<p></p><h3 id="Configuring_GRUB">Configuring GRUB</h3><p></p>
<p>Configure <a href="https://wiki.archlinux.org/title/GRUB" title="GRUB">GRUB</a> for the LUKS encrypted system by editing <code>/etc/default/grub</code> with the following:
</p>
<pre>GRUB_CMDLINE_LINUX="cryptdevice=/dev/md/root:root"
GRUB_ENABLE_CRYPTODISK=y
</pre>
<p>If you have a USB keyboard on a newer system, either enable legacy USB support in the firmware or add the following to <code>/etc/default/grub</code> so that GRUB loads its own USB drivers before the passphrase prompt:
</p>
<pre>GRUB_TERMINAL_INPUT="usb_keyboard"
GRUB_PRELOAD_MODULES="usb usb_keyboard ohci uhci ehci"
</pre>
<p>Otherwise you may not be able to use your keyboard at the LUKS prompt.
</p><p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> and <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a> for details.
</p><p>Complete the GRUB install to both SSDs. Installing to <code>/dev/sda</code> alone is enough to boot, but writing the BIOS boot code to both drives means the system still boots from the surviving drive if one SSD fails. The first two commands are for BIOS booting, the third for UEFI booting with the ESP mounted at <code>/efi</code>:
</p>
<pre># grub-install --target=i386-pc /dev/sda
# grub-install --target=i386-pc /dev/sdb
# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
# grub-mkconfig -o /boot/grub/grub.cfg
</pre>
<p></p><h3 id="Creating_the_keyfiles">Creating the keyfiles</h3><p></p>
<p>The next steps save you from entering your passphrase twice when you boot the system (once so GRUB can unlock the LUKS device, and a second time once the initramfs assumes control of the system). This is done by creating a <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Keyfiles" title="Dm-crypt/Device encryption">keyfile</a> for the encryption and adding it to the initramfs image to allow the encrypt hook to unlock the root device. See <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#With a keyfile embedded in the initramfs</a> for details.
</p>
<ul><li>Create the <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Keyfiles" title="Dm-crypt/Device encryption">keyfile</a> and add the key to <code>/dev/md/root</code>.</li>
<li>Create another keyfile for the HDD (<code>/dev/sdc1</code>) so it can also be unlocked at boot. For convenience, leave the passphrase created above in place, as this can make recovery easier if you ever need it. Edit <code>/etc/crypttab</code> to decrypt the HDD at boot. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Unlocking_with_a_keyfile" title="Dm-crypt/System configuration">dm-crypt/System configuration#Unlocking with a keyfile</a>.</li></ul>
<p></p><h3 id="Configuring_the_system">Configuring the system</h3><p></p>
<p>Edit <a href="https://wiki.archlinux.org/title/Fstab" title="Fstab">fstab</a> to mount the root and data block devices and the ESP:
</p>
<pre>/dev/mapper/root / ext4 rw,noatime 0 1
/dev/mapper/data /data ext4 defaults 0 2
/dev/md/ESP /efi vfat rw,relatime,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,tz=UTC,errors=remount-ro 0 2
</pre>
<p>Save the RAID configuration so that the initramfs can assemble the arrays before unlocking:
</p>
<pre># mdadm --detail --scan >> /etc/mdadm.conf
</pre>
<p>Edit <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a> to include your keyfile and add the proper hooks. The <code>encrypt</code> hook looks for <code>/crypto_keyfile.bin</code> inside the initramfs when no <code>cryptkey=</code> parameter is given, which is why that file name needs no extra kernel parameter; <code>mdadm_udev</code> must precede <code>encrypt</code> so that <code>/dev/md/root</code> exists by the time it is unlocked:
</p>
<pre>FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>mdadm_udev</b> <b>encrypt</b> filesystems fsck)
</pre>
<p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details.
</p>
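<p>The two things that most often break this scenario are an ESP array that the firmware cannot read and a <code>/etc/crypttab</code> entry for the HDD that points at the wrong device. The following POSIX shell functions are an added example, not part of the original page or of mdadm/cryptsetup: they check the saved <code>ARRAY</code> line for the ESP (RAID1, <code>metadata=1.0</code>) and build the crypttab line for the HDD from its LUKS UUID. The sample mdadm and blkid lines are constructed here and assumed to mirror the real output formats; the UUIDs, array names and keyfile path are made up.</p>

```shell
#!/bin/sh
# Added example, not code from the Arch wiki page. Checks the saved RAID
# configuration for the ESP array and builds the crypttab entry for the HDD.
# Sample lines are constructed and assumed to mirror the formats of
# `mdadm --detail --scan [--verbose]` and `blkid`; UUIDs/names are made up.

# 0 when the ARRAY line has the superblock at the end (metadata=1.0) and,
# if a level= field is present (only with --verbose), the level is raid1.
# Only that layout lets the firmware read each member as a plain ESP.
esp_array_ok() {
    case "$1" in
        *" metadata=1.0 "*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *" level="*)
            case "$1" in
                *" level=raid1 "*) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# Print the ARRAY line for md device $1 from mdadm.conf text on stdin.
array_line() {
    grep "^ARRAY $1 "
}

# Extract the UUID="..." value from one blkid output line. On a live
# system `blkid -s UUID -o value /dev/sdc1` prints the same value directly.
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*[ ]UUID="\([^"]*\)".*/\1/p'
}

# Build the /etc/crypttab line: <name> <device> <keyfile> <options>.
# Using UUID= instead of /dev/sdc1 keeps the entry valid if device
# names change between boots.
crypttab_line() {
    printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"
}

# Constructed samples (assumed formats, made-up identifiers).
MDADM_CONF='ARRAY /dev/md/ESP level=raid1 num-devices=2 metadata=1.0 name=arch:ESP UUID=0a1b2c3d:4e5f6071:8293a4b5:c6d7e8f9
ARRAY /dev/md/root level=raid0 num-devices=2 metadata=1.2 name=arch:root UUID=f9e8d7c6:b5a49382:7160f5e4:3d2c1b0a'
BAD_ESP_LINE='ARRAY /dev/md/ESP level=raid1 num-devices=2 metadata=1.2 name=arch:ESP UUID=0a1b2c3d:4e5f6071:8293a4b5:c6d7e8f9'
SHORT_ESP_LINE='ARRAY /dev/md/ESP metadata=1.0 name=arch:ESP UUID=0a1b2c3d:4e5f6071:8293a4b5:c6d7e8f9'
BLKID_SDC1='/dev/sdc1: UUID="6f2d8a1e-3c4b-4d5e-9f60-7a8b9c0d1e2f" TYPE="crypto_LUKS" PARTUUID="1b2c3d4e-01"'
```

<p>On the installed system the same functions can be fed real data, e.g. <code>array_line /dev/md/ESP &lt; /etc/mdadm.conf</code> and <code>blkid /dev/sdc1</code>, and the resulting crypttab line appended to <code>/etc/crypttab</code> once the HDD keyfile has been added with <code>luksAddKey</code>.</p>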
<p></p><h2 id="Plain_dm-crypt">Plain dm-crypt</h2><p></p>
<p>Contrary to LUKS, dm-crypt <i>plain</i> mode does not require a header on the encrypted device: this scenario uses this feature to set up a system on an unpartitioned, encrypted disk that will be indistinguishable from a disk filled with random data, which could allow <a href="https://en.wikipedia.org/wiki/Deniable_encryption" title="wikipedia:Deniable encryption">deniable encryption</a>. See also <a href="https://en.wikipedia.org/wiki/Disk_encryption#Full_disk_encryption" title="wikipedia:Disk encryption">wikipedia:Disk encryption#Full disk encryption</a>.
</p><p>Note that if full disk encryption is not required, the methods using LUKS described in the sections above are better options for both system encryption and encrypted partitions. <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Cryptsetup_actions_specific_for_LUKS" title="Dm-crypt/Device encryption">LUKS features</a> like key management with multiple passphrases/key-files, master key backups or re-encrypting a device in-place are unavailable with <i>plain</i> mode.
</p><p><i>Plain</i> dm-crypt encryption can be more resilient to damage than LUKS, because there is no on-disk header holding the encrypted master key: with LUKS that header is a single point of failure if it is damaged or deliberately destroyed, whereas in <i>plain</i> mode the key is derived directly from the passphrase or keyfile on every open. However, using <i>plain</i> mode also requires more manual configuration of encryption options to achieve the same cryptographic strength, and every option must be reproduced exactly on each open, since nothing on disk records them. See also <a href="https://wiki.archlinux.org/title/Data-at-rest_encryption#Cryptographic_metadata" title="Data-at-rest encryption">Data-at-rest encryption#Cryptographic metadata</a>. Using <i>plain</i> mode could also be considered if concerned with the problems explained in <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Discard/TRIM_support_for_solid_state_drives_(SSD)" title="Dm-crypt/Specialties">dm-crypt/Specialties#Discard/TRIM support for solid state drives (SSD)</a>.
</p>
<div><p><strong>Tip</strong> If headerless encryption is your goal but you are unsure about the lack of key-derivation with <i>plain</i> mode, then two alternatives are:
</p><ul><li><a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header" title="Dm-crypt/Specialties">dm-crypt LUKS mode with a detached header</a> by using the <i>cryptsetup</i> <code>--header</code> option. It cannot be used with the standard <i>encrypt</i> hook, but the hook may be modified.</li>
<li><a href="https://wiki.archlinux.org/title/Tcplay" title="Tcplay">tcplay</a> which offers headerless encryption but with the PBKDF2 function.</li></ul>
</div>
<p>The scenario uses two USB sticks:
</p>
<ul><li>one for the boot device, which also allows storing the options required to open/unlock the plain encrypted device in the boot loader configuration, since typing them on each boot would be error prone;</li>
<li>another for the encryption key file, assuming it is stored as raw bytes on the device rather than as a file on a file system, so that to an attacker who obtains the USB key the encryption key appears as random data instead of a visible file. See also <a href="https://en.wikipedia.org/wiki/Security_through_obscurity" title="wikipedia:Security through obscurity">Wikipedia:Security through obscurity</a>; follow <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Keyfiles" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Keyfiles</a> to prepare the keyfile.</li></ul>
<p>The disk layout is:
</p>
<pre>+----------------------+----------------------+----------------------+ +----------------+ +----------------+
| Logical volume 1     | Logical volume 2     | Logical volume 3     | | Boot device    | | Encryption key |
|                      |                      |                      | |                | | file storage   |
| /                    | [SWAP]               | /home                | | /boot          | | (unpartitioned |
|                      |                      |                      | |                | | in example)    |
| /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home | | /dev/sdb1      | | /dev/sdc       |
|----------------------+----------------------+----------------------| |----------------| |----------------|
| disk drive /dev/sda encrypted using plain mode and LVM             | | USB stick 1    | | USB stick 2    |
+--------------------------------------------------------------------+ +----------------+ +----------------+
</pre>
<div><p><strong>Tip</strong></p><ul><li>It is also possible to use a single USB key physical device:
<ul><li>By putting the key on another partition (/dev/sdb2) of the USB storage device (/dev/sdb).</li>
<li>By copying the keyfile to the initramfs directly. An example keyfile <code>/etc/cryptsetup-keys.d/root.key</code> gets copied to the initramfs image by setting <code>FILES=(/etc/cryptsetup-keys.d/root.key)</code> in <code>/etc/mkinitcpio.conf</code>. The way to instruct the <code>encrypt</code> hook to read the keyfile in the initramfs image is using the <code>rootfs:</code> prefix before the filename, e.g. <code>cryptkey=rootfs:/etc/cryptsetup-keys.d/root.key</code>.</li></ul></li>
<li>Another option is using a passphrase with good <a href="https://wiki.archlinux.org/title/Security#Choosing_secure_passwords" title="Security">entropy</a>.</li></ul>
</div>
<p></p><h3 id="Preparing_the_disk_5">Preparing the disk</h3><p></p>
<p>It is vital that the mapped device is filled with random data. This applies in particular to this scenario: its deniability rests on the whole disk being indistinguishable from random data, so any region left untouched (zeros, remnants of an old file system or partition table) reveals where the encrypted data starts and ends.
</p><p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a> and <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#dm-crypt_specific_methods" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation#dm-crypt specific methods</a>.
</p>
<p></p><h3 id="Preparing_the_non-boot_partitions">Preparing the non-boot partitions</h3><p></p>
<p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_plain_mode" title="Dm-crypt/Device encryption">dm-crypt/Device encryption#Encryption options for plain mode</a> for details.
</p><p>Using the device <code>/dev/sda</code>, with the aes-xts cipher with a 512 bit key size and using a keyfile, we have the following options for this scenario:
</p>
<pre># cryptsetup open --type plain --cipher=aes-xts-plain64 --offset=0 --key-file=/dev/sdc --key-size=512 --sector-size 4096 /dev/sda cryptlvm
</pre>
<p>Unlike encrypting with LUKS, the above command must be executed <i>in full</i> whenever the mapping needs to be re-established, so it is important to remember the cipher, key size, offset, sector size and key file details. Because there is no header, <i>cryptsetup</i> cannot tell whether the options or the key are right: with a wrong key or a changed option the mapping is still created, it just decrypts to garbage. After re-opening, check that the expected content (here an LVM physical volume) is visible before writing anything to the mapping.
</p><p>We can now check a mapping entry has been made for <code>/dev/mapper/cryptlvm</code>:
</p>
<pre># fdisk -l
</pre>
<div><p><strong>Tip</strong></p><ul><li>A simpler alternative to using LVM, advocated in the cryptsetup FAQ for cases where LVM is not necessary, is to just create a file system on the entirety of the mapped dm-crypt device.</li>
<li>If a logical volume will be formatted with <a href="https://wiki.archlinux.org/title/Ext4" title="Ext4">ext4</a>, leave at least 256 MiB free space in the volume group to allow using <span title="$ man 8 e2scrub"><a rel="nofollow" href="https://man.archlinux.org/man/e2scrub.8">e2scrub(8)</a></span>. After creating the last volume with <code>-l 100%FREE</code>, this can be accomplished by reducing its size with <code>lvreduce -L -256M MyVolGroup/home</code>.</li></ul>
</div>
<p>Next, we set up <a href="https://wiki.archlinux.org/title/LVM" title="LVM">LVM</a> logical volumes on the mapped device. See <a href="https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM" title="Install Arch Linux on LVM">Install Arch Linux on LVM</a> for further details:
</p>
<pre># pvcreate /dev/mapper/cryptlvm
# vgcreate MyVolGroup /dev/mapper/cryptlvm
# lvcreate -L 32G MyVolGroup -n root
# lvcreate -L 4G MyVolGroup -n swap
# lvcreate -l 100%FREE MyVolGroup -n home
</pre>
<p>We format and mount them and activate swap. See <a href="https://wiki.archlinux.org/title/File_systems#Create_a_file_system" title="File systems">File systems#Create a file system</a> for further details:
</p>
<pre># mkfs.ext4 /dev/MyVolGroup/root
# mkfs.ext4 /dev/MyVolGroup/home
# mount /dev/MyVolGroup/root /mnt
# mount --mkdir /dev/MyVolGroup/home /mnt/home
# mkswap /dev/MyVolGroup/swap
# swapon /dev/MyVolGroup/swap
</pre>
<p></p><h3 id="Preparing_the_boot_partition_4">Preparing the boot partition</h3><p></p>
<p>The <code>/boot</code> partition can be a typical FAT32 formatted partition on a USB stick. If the stick has to be partitioned manually, a single partition of about 1 GiB is all that is required. Create the partition using a <a href="https://wiki.archlinux.org/title/Partitioning#Partitioning_tools" title="Partitioning">partitioning tool</a> of your choice.
</p><p>Create a <a href="https://wiki.archlinux.org/title/File_system" title="File system">file system</a> on the newly created partition intended for <code>/boot</code>:
</p>
<p><strong>Warning</strong> Only format the EFI system partition if you created it during the partitioning step. If there already was an EFI system partition on disk beforehand, reformatting it can destroy the boot loaders of other installed operating systems.</p>
<pre># mkfs.fat -F32 /dev/sdb1
# mount --mkdir /dev/sdb1 /mnt/boot
</pre>
<p></p><h3 id="Configuring_mkinitcpio_5">Configuring mkinitcpio</h3><p></p>
<p>Make sure the <span><a rel="nofollow" href="https://archlinux.org/packages/?name=lvm2">lvm2</a></span> package is <a href="https://wiki.archlinux.org/title/Install" title="Install">installed</a>.
</p><p>If using a busybox-based initramfs, add the <code>keyboard</code>, <code>encrypt</code> and <code>lvm2</code> hooks. If you use a non-US console keymap or a non-default console font, additionally add the <code>keymap</code> and <code>consolefont</code> hooks, respectively. Keep <code>keyboard</code> and <code>block</code> before <code>encrypt</code>: the hook needs the USB key device (and a working keyboard for the passphrase fallback) to exist before it runs.
</p>
<pre>HOOKS=(base <b>udev</b> autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a> after saving the changes. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details and other hooks that you may need.
</p>
<p></p><h3 id="Configuring_the_boot_loader_4">Configuring the boot loader</h3><p></p>
<p>In order to boot the encrypted root partition, the following <a href="https://wiki.archlinux.org/title/Kernel_parameters" title="Kernel parameters">kernel parameters</a> need to be set by the boot loader. They must mirror the options given to <code>cryptsetup open</code> above exactly: <code>cryptdevice</code> names the disk, the mapper name and the sector size; <code>cryptkey</code> names the key device, the byte offset of the key on it and the key length in bytes (64, the number of bytes in 512 bits); and <code>crypto</code> carries the hash, cipher, key size in bits, offset and skip values, with the hash left empty here:
</p>
<pre>cryptdevice=/dev/disk/by-id/<i>disk-ID-of-sda</i>:cryptlvm:sector-size=4096 cryptkey=/dev/disk/by-id/<i>disk-ID-of-sdc</i>:0:64 crypto=:aes-xts-plain64:512:0:
</pre>
<p>The <code><i>disk-ID-of-<b>disk</b></i></code> refers to the id of the referenced disk. See <a href="https://wiki.archlinux.org/title/Persistent_block_device_naming" title="Persistent block device naming">Persistent block device naming</a> for details.
</p><p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> for details and other parameters that you may need.
</p>
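<p>Because plain mode stores nothing on disk, a mismatch between the <code>cryptsetup open</code> options and the kernel parameters, or a key device that is shorter than the key, produces a mapping that opens fine and decrypts to garbage. The following POSIX shell functions are an added example (not from the original page and not part of cryptsetup or mkinitcpio): they derive the three kernel parameters from the same values used on the <code>cryptsetup open</code> line, check that the key device holds enough bytes, and, on a live system, verify a re-opened mapping by probing for the expected signature. The disk IDs and the temporary key file are assumptions; the <code>crypto=</code> layout follows the <code>hash:cipher:keysize:offset:skip</code> form used in the example above.</p>

```shell
#!/bin/sh
# Added example, not code from the Arch wiki page. Derives the encrypt-hook
# kernel parameters from the options of `cryptsetup open --type plain` and
# checks the key device length. Disk IDs used in the test are made up.

# Bits to bytes: cryptkey= wants the key length in bytes (512 bits -> 64).
key_bytes() {
    printf '%d\n' $(( $1 / 8 ))
}

# Emit the kernel parameters matching a plain-mode open.
#   $1 by-id name of the encrypted disk   $2 mapper name
#   $3 sector size                        $4 by-id name of the key device
#   $5 byte offset of the key on $4       $6 cipher spec
#   $7 key size in bits                   $8 data offset (--offset, sectors)
# crypto= is <hash>:<cipher>:<keysize>:<offset>:<skip>; hash is left empty
# as in the page's example and skip is left at its default (empty).
plain_kernel_params() {
    printf 'cryptdevice=/dev/disk/by-id/%s:%s:sector-size=%s cryptkey=/dev/disk/by-id/%s:%s:%s crypto=:%s:%s:%s:\n' \
        "$1" "$2" "$3" "$4" "$5" "$(key_bytes "$7")" "$6" "$7" "$8"
}

# 0 when file/device $1 holds at least $2 + $3 bytes (offset + key length).
# A short key device is read as a truncated key; plain mode has no header
# to detect that, so the mapping still opens and decrypts to garbage.
key_device_ok() {
    [ "$(wc -c < "$1")" -ge $(( $2 + $3 )) ]
}

# After re-opening a plain mapping, confirm it decrypts to the expected
# signature ($2, e.g. LVM2_member for this scenario) before writing to it.
# Needs root and a real mapper device, so it is not exercised by the test.
mapping_has_signature() {
    [ "$(blkid -p -s TYPE -o value "$1" 2>/dev/null)" = "$2" ]
}
```

<p>Run <code>plain_kernel_params</code> with the by-id names of the two disks and paste its output into the boot loader configuration; <code>key_device_ok /dev/sdc 0 64</code> confirms the stick holds the 64 key bytes the kernel line will read, and <code>mapping_has_signature /dev/mapper/cryptlvm LVM2_member</code> is the check to run after every manual re-open.</p>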
<div><p><strong>Tip</strong> If using <a href="https://wiki.archlinux.org/title/GRUB" title="GRUB">GRUB</a>, you can install it on the same USB as the <code>/boot</code> partition.
</p><p>For BIOS:
</p>
<pre># grub-install --target=i386-pc --recheck /dev/sdb</pre>
<p>For UEFI (<code>--removable</code> installs GRUB to the fallback path <code>EFI/BOOT/BOOTX64.EFI</code> on the stick, so it boots on any machine without a firmware boot entry):
</p>
<pre># grub-install --target=x86_64-efi --efi-directory=/boot --removable</pre>
</div>
<p></p><h3 id="Post-installation">Post-installation</h3><p></p>
<p>You may wish to remove the USB sticks after booting. Since the <code>/boot</code> partition is not usually needed, the <code>noauto</code> option can be added to the relevant line in <code>/etc/fstab</code>:
</p>
<pre>/etc/fstab</pre>
<pre># /dev/sdb1
UUID=<i>XXXX-XXXX</i> /boot vfat <b>noauto</b>,rw,noatime 0 2</pre>
<p>However, whenever a kernel, the boot loader, or anything included in the initramfs is updated, the <code>/boot</code> partition must be present and mounted; otherwise the update lands in the empty <code>/boot</code> directory of the root file system instead of on the stick, and the next boot runs the old kernel and initramfs. As the entry in <code>fstab</code> already exists, it can be mounted simply with:
</p>
<pre># mount /boot
</pre>
<p></p><h2 id="Encrypted_boot_partition_(GRUB)"><span id="Encrypted_boot_partition_.28GRUB.29"></span>Encrypted boot partition (GRUB)</h2><p></p>
<p>This setup utilizes the same partition layout and configuration as the previous <a href="#LVM_on_LUKS">#LVM on LUKS</a> section, with the difference that the <a href="https://wiki.archlinux.org/title/GRUB" title="GRUB">GRUB</a> boot loader is used, since it is capable of booting from an LVM logical volume and a LUKS-encrypted <code>/boot</code>. As a result the kernel and the initramfs live inside the encrypted container together with the rest of the system; only GRUB's own core image and the ESP remain in cleartext. See also <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a>.
</p><p>The disk layout in this example is:
</p>
<pre>+---------------------+----------------------+----------------------+----------------------+----------------------+
| BIOS boot partition | EFI system partition | Logical volume 1     | Logical volume 2     | Logical volume 3     |
|                     |                      |                      |                      |                      |
|                     | /efi                 | /                    | [SWAP]               | /home                |
|                     |                      |                      |                      |                      |
|                     |                      | /dev/MyVolGroup/root | /dev/MyVolGroup/swap | /dev/MyVolGroup/home |
| /dev/sda1           | /dev/sda2            |----------------------+----------------------+----------------------+
| unencrypted         | unencrypted          | /dev/sda3 encrypted using LVM on LUKS                              |
+---------------------+----------------------+--------------------------------------------------------------------+
</pre>
<div><p><strong>Tip</strong></p><ul><li>All scenarios are intended as examples. The two steps that distinguish this one, keeping <code>/boot</code> inside the encrypted container and having GRUB unlock it, can of course be combined with the other scenarios as well. See also the variants linked in <a href="#LVM_on_LUKS">#LVM on LUKS</a>.</li>
<li>You can use the <code>cryptboot</code> script from the <span><a rel="nofollow" href="https://aur.archlinux.org/packages/cryptboot/">cryptboot</a></span><sup><small>AUR</small></sup> package for simplified encrypted boot management (mounting, unmounting, upgrading packages) and as a defense against <a rel="nofollow" href="https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html">Evil Maid</a> attacks with <a href="https://wiki.archlinux.org/title/Secure_Boot#Using_your_own_keys" title="Secure Boot">UEFI Secure Boot</a>. For more information and limitations see the <a rel="nofollow" href="https://github.com/kmille/cryptboot">cryptboot project</a> page.</li></ul>
</div>
<p></p><h3 id="Preparing_the_disk_6">Preparing the disk</h3><p></p>
<p>Prior to creating any partitions, you should inform yourself about the importance and methods to securely erase the disk, described in <a href="https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation" title="Dm-crypt/Drive preparation">dm-crypt/Drive preparation</a>.
</p><p>For <a href="https://wiki.archlinux.org/title/GRUB#UEFI_systems" title="GRUB">UEFI systems</a> create an <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> with an appropriate size; it will later be mounted at <code>/efi</code>.
</p><p>For <a href="https://wiki.archlinux.org/title/GRUB#GUID_Partition_Table_(GPT)_specific_instructions" title="GRUB">BIOS/GPT setups</a> create a <a href="https://wiki.archlinux.org/title/BIOS_boot_partition" title="BIOS boot partition">BIOS boot partition</a> with a size of 1 MiB for GRUB to store the second stage of the BIOS boot loader. Do not mount the partition. For BIOS/MBR setups this is not necessary.
</p><p>Create a partition of type <code>8309</code> (Linux LUKS), which will later contain the encrypted container for the LVM.
</p><p>Create the LUKS encrypted container:
</p>
<p><strong>Warning</strong> GRUB's support for LUKS2 is limited; see <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a> for details. Use LUKS2 with PBKDF2 (<code>cryptsetup luksFormat --pbkdf pbkdf2</code>) for partitions that GRUB will need to unlock.</p>
<pre># cryptsetup luksFormat --pbkdf pbkdf2 /dev/sda3
</pre>
<p>For more information about the available cryptsetup options, see the <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode" title="Dm-crypt/Device encryption">LUKS encryption options</a> before running the command above.
</p><p>Your partition layout should look similar to this:
</p>
<pre># gdisk -l /dev/sda</pre>
<pre>...
Number  Start (sector)    End (sector)  Size        Code  Name
   1            2048            4095   1024.0 KiB  EF02  BIOS boot partition
   2            4096         2101247   1024.0 MiB  EF00  EFI system partition
   3         2101248        69210111   32.0 GiB    8309  Linux LUKS
</pre>
<p>Open the container:
</p>
<pre># cryptsetup open /dev/sda3 cryptlvm
</pre>
<p>The decrypted container is now available at <code>/dev/mapper/cryptlvm</code>.
</p>
<p></p><h3 id="Preparing_the_logical_volumes_3">Preparing the logical volumes</h3><p></p>
<p>The LVM logical volumes of this example follow the exact layout as the <a href="#LVM_on_LUKS">#LVM on LUKS</a> scenario. Therefore, please follow <a href="#Preparing_the_logical_volumes">#Preparing the logical volumes</a> above and adjust as required.
</p><p>For UEFI systems, create a mountpoint for the <a href="https://wiki.archlinux.org/title/EFI_system_partition" title="EFI system partition">EFI system partition</a> at <code>/efi</code> for compatibility with <code>grub-install</code> and mount it:
</p>
<pre># mount --mkdir /dev/sda2 /mnt/efi
</pre>
<p>At this point, you should have the following partitions and logical volumes inside of <code>/mnt</code>:
</p>
<pre>$ lsblk</pre>
<pre>NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                     8:0    0   200G  0 disk
├─sda1                  8:1    0     1M  0 part
├─sda2                  8:2    0   550M  0 part  /mnt/efi
└─sda3                  8:3    0   100G  0 part
  └─cryptlvm          254:0    0   100G  0 crypt
    ├─MyVolGroup-swap 254:1    0     4G  0 lvm   [SWAP]
    ├─MyVolGroup-root 254:2    0    32G  0 lvm   /mnt
    └─MyVolGroup-home 254:3    0    60G  0 lvm   /mnt/home
</pre>
<p>Now at this point resume the common <a href="https://wiki.archlinux.org/title/Installation_guide#Installation" title="Installation guide">Installation guide#Installation</a> steps. Return to this page to customize the <a href="https://wiki.archlinux.org/title/Installation_guide#Initramfs" title="Installation guide">Initramfs</a> and <a href="https://wiki.archlinux.org/title/Installation_guide#Boot_loader" title="Installation guide">Boot loader</a> steps.
</p>
<p></p><h3 id="Configuring_mkinitcpio_6">Configuring mkinitcpio</h3><p></p>
<p>Make sure the <span><a rel="nofollow" href="https://archlinux.org/packages/?name=lvm2">lvm2</a></span> package is <a href="https://wiki.archlinux.org/title/Install" title="Install">installed</a>.
</p><p>If using the default systemd-based initramfs, add the <code>keyboard</code>, <code>sd-encrypt</code> and <code>lvm2</code> hooks to <a href="https://wiki.archlinux.org/title/Mkinitcpio.conf" title="Mkinitcpio.conf">mkinitcpio.conf</a>. If you use a non-US console keymap or a non-default console font, additionally add the <code>sd-vconsole</code> hook.
</p>
<pre>HOOKS=(base <b>systemd</b> autodetect microcode modconf kms <b>keyboard</b> <b>sd-vconsole</b> block <b>sd-encrypt</b> 
<b>lvm2</b> filesystems fsck)
</pre>
<p>If using a busybox-based initramfs, instead add the <code>keyboard</code>, <code>encrypt</code> and <code>lvm2</code> hooks. If you use a non-US console keymap or a non-default console font, additionally add the <code>keymap</code> and <code>consolefont</code> hooks, respectively.
</p>
<pre>HOOKS=(base <b>udev</b> autodetect microcode modconf kms <b>keyboard</b> <b>keymap</b> <b>consolefont</b> block <b>encrypt</b> <b>lvm2</b> filesystems fsck)
</pre>
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a> after saving the changes. See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#mkinitcpio" title="Dm-crypt/System configuration">dm-crypt/System configuration#mkinitcpio</a> for details and other hooks that you may need.
</p>
<p></p><h3 id="Configuring_GRUB_2">Configuring GRUB</h3><p></p>
<p>Configure GRUB to allow booting from <code>/boot</code> on a LUKS encrypted partition:
</p>
<pre>/etc/default/grub</pre>
<pre>GRUB_ENABLE_CRYPTODISK=y</pre>
<p>Set the kernel parameters, so that the initramfs can unlock the encrypted root partition. Using the <code>sd-encrypt</code> hook:
</p>
<pre>/etc/default/grub</pre>
<pre>GRUB_CMDLINE_LINUX="... rd.luks.name=<i>device-UUID</i>=cryptlvm ..."</pre>
<p>If using the <code>encrypt</code> hook, the following needs to be set instead:
</p>
<pre>/etc/default/grub</pre>
<pre>GRUB_CMDLINE_LINUX="... cryptdevice=UUID=<i>device-UUID</i>:cryptlvm ..."</pre>
<p>See <a href="https://wiki.archlinux.org/title/Dm-crypt/System_configuration#Kernel_parameters" title="Dm-crypt/System configuration">dm-crypt/System configuration#Kernel parameters</a> and <a href="https://wiki.archlinux.org/title/GRUB#Encrypted_/boot" title="GRUB">GRUB#Encrypted /boot</a> for details. The <code><i>device-UUID</i></code> refers to the UUID of the LUKS superblock; in this example it is the UUID of <code>/dev/sda3</code> (the partition which holds the LVM containing the root file system), e.g. <code>a144e931-7580-40bf-ae8c-6beff4c1ac45</code>, as printed by <code>blkid -s UUID -o value /dev/sda3</code>. See <a href="https://wiki.archlinux.org/title/Persistent_block_device_naming" title="Persistent block device naming">Persistent block device naming</a> for details.
</p><p><a href="https://wiki.archlinux.org/title/GRUB#Installation_2" title="GRUB">Install GRUB</a> to the mounted ESP for UEFI booting:
</p>
<pre># grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
</pre>
<p><a href="https://wiki.archlinux.org/title/GRUB#Installation" title="GRUB">Install GRUB</a> to the disk for BIOS booting:
</p>
<pre># grub-install --target=i386-pc --recheck /dev/sda
</pre>
<p>Generate GRUB's <a href="https://wiki.archlinux.org/title/GRUB#Generate_the_main_configuration_file" title="GRUB">configuration</a> file:
</p>
<pre># grub-mkconfig -o /boot/grub/grub.cfg
</pre>
<p>If all commands finished without errors, GRUB should prompt for the passphrase to unlock the <code>/dev/sda3</code> partition after the next reboot.
</p>
<p></p><h3 id="Avoiding_having_to_enter_the_passphrase_twice">Avoiding having to enter the passphrase twice</h3><p></p>
|
||
|
|
|
||
|
|
<p>While GRUB asks for a passphrase to unlock the LUKS encrypted partition after above instructions, the partition unlock is not passed on to the initramfs. Hence, you have to enter the passphrase twice at boot: once for GRUB and once for the initramfs.
|
||
|
|
</p><p>This section deals with extra configuration to let the system boot by only entering the passphrase once, in GRUB. This is accomplished by <a href="https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs" title="Dm-crypt/Device encryption">with a keyfile embedded in the initramfs</a>.
|
||
|
|
</p><p>First create a keyfile and add it as LUKS key:
|
||
|
|
</p>
|
||
|
|
<pre># dd bs=512 count=4 if=/dev/random iflag=fullblock | install -m 0600 /dev/stdin /etc/cryptsetup-keys.d/cryptlvm.key
|
||
|
|
# cryptsetup -v luksAddKey /dev/sda3 /etc/cryptsetup-keys.d/cryptlvm.key
|
||
|
|
</pre>
|
||
|
|
<p>Add the keyfile to the initramfs image:
|
||
|
|
</p>
|
||
|
|
<pre>/etc/mkinitcpio.conf</pre>
|
||
|
|
<pre>FILES=(/etc/cryptsetup-keys.d/cryptlvm.key)</pre>
|
||
|
|
<p><a href="https://wiki.archlinux.org/title/Regenerate_the_initramfs" title="Regenerate the initramfs">Regenerate the initramfs</a>.
|
||
|
|
</p><p>When using the default <a href="https://wiki.archlinux.org/title/Sd-encrypt" title="Sd-encrypt">sd-encrypt</a> hook, <code>/etc/cryptsetup-keys.d/<i>name</i>.key</code> will be used by default, so no additional kernel parameters need to be set.
|
||
|
|
</p><p>When using the <code>encrypt</code> hook, set the following kernel parameters to unlock the LUKS partition with the keyfile:
|
||
|
|
</p>
|
||
|
|
<pre>GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/etc/cryptsetup-keys.d/cryptlvm.key"
</pre>
<p>If for some reason the keyfile fails to unlock the LUKS partition (for example because it was removed from the initramfs or its key slot was revoked), both hooks fall back to asking for a passphrase and, if it is correct, continue booting. This fallback is the reason to keep the passphrase key slot alongside the keyfile slot.
</p>
<p><strong>Tip</strong> If you want to encrypt the <code>/boot</code> partition to protect against offline tampering threats, the <a href="https://wiki.archlinux.org/title/Dm-crypt/Specialties#mkinitcpio-chkcryptoboot" title="Dm-crypt/Specialties">mkinitcpio-chkcryptoboot</a> hook has been contributed to help.</p>
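<p>The checks a practitioner would run before relying on the embedded keyfile, as an added example that is not part of this page: it verifies that the keyfile and the initramfs image (which now contains the key in clear) are readable by root only, that the keyfile is listed in the <code>FILES=()</code> array of <code>mkinitcpio.conf</code>, and that the LUKS header still has at least two key slots, so a passphrase slot exists for GRUB and for the fallback prompt. The paths follow the section above and can be overridden through the environment; the image name <code>/boot/initramfs-linux.img</code> and the live driver at the end are assumptions, and the key-slot count is parsed from <code>cryptsetup luksDump</code> output.</p>

```shell
#!/bin/sh
# Added example (not part of the Arch wiki page): sanity checks for a LUKS
# keyfile embedded in the initramfs as set up above. Assumed (override via
# environment): the keyfile and mkinitcpio.conf paths from the page and the
# Arch initramfs image name /boot/initramfs-linux.img.
set -u

KEYFILE="${KEYFILE:-/etc/cryptsetup-keys.d/cryptlvm.key}"
MKINITCPIO_CONF="${MKINITCPIO_CONF:-/etc/mkinitcpio.conf}"
INITRAMFS="${INITRAMFS:-/boot/initramfs-linux.img}"

# Return 0 when FILE has no group/other permission bits (0600, 0400, ...).
# A keyfile other users can read makes the passphrase pointless.
mode_is_private() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$m" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Return 0 when KEY is one of the entries of the FILES=( ... ) array in CONF.
# Accepts a multi-line array, skips commented-out lines, matches whole entries
# (a path that merely contains KEY as a substring does not count).
keyfile_in_files_array() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*FILES=\(/ { inarr = 1 }
        inarr {
            n = split($0, t, /[[:space:]()"]+/)
            for (i = 1; i <= n; i++) if (t[i] == key) found = 1
        }
        inarr && /\)/ { inarr = 0 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Count enabled LUKS2 key slots in `cryptsetup luksDump` output read on stdin.
# Keep at least two: the keyfile slot and the passphrase slot that GRUB prompts
# for and that the hooks fall back to if the keyfile fails.
count_luks2_keyslots() {
    awk '/^Keyslots:/ { inks = 1; next }
         /^[A-Za-z]/  { inks = 0 }
         inks && /^  [0-9]+: luks2/ { n++ }
         END { print n + 0 }'
}

# Live-system driver (run as root), e.g.: check_embedded_key /dev/sda3
check_embedded_key() {
    dev=$1
    rc=0
    mode_is_private "$KEYFILE" \
        || { echo "FAIL: $KEYFILE must be mode 0600"; rc=1; }
    keyfile_in_files_array "$MKINITCPIO_CONF" "$KEYFILE" \
        || { echo "FAIL: $KEYFILE is not in FILES=() of $MKINITCPIO_CONF"; rc=1; }
    # The image now holds the key in clear, so it must be as private as the
    # key itself and must live on the encrypted volume (the premise here).
    mode_is_private "$INITRAMFS" \
        || { echo "FAIL: $INITRAMFS is readable by other users"; rc=1; }
    slots=$(cryptsetup luksDump "$dev" | count_luks2_keyslots)
    [ "$slots" -ge 2 ] \
        || { echo "FAIL: $dev has $slots key slot(s); keep a passphrase slot"; rc=1; }
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_embedded_key "$1"
fi
```

Run it as root with the LUKS device as argument after regenerating the initramfs; a non-zero exit with the printed <code>FAIL</code> lines tells you which of the four conditions does not hold.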
<p></p><h3 id="Using_a_USB_drive_to_unlock_/boot"><span id="Using_a_USB_drive_to_unlock_.2Fboot"></span>Using a USB drive to unlock /boot</h3><p></p>
<p>To avoid having to memorise a complicated password, or using a simple one which may be guessed, a keyfile stored on an external USB drive can be used to unlock the LUKS volume. For this to be secure, this USB drive must be stored securely away from the computer when not in use.
</p><p>First, generate a second keyfile in the same way as in <a href="#Avoiding_having_to_enter_the_passphrase_twice">#Avoiding having to enter the passphrase twice</a> and add it as a further LUKS key. Do not reuse the keyfile embedded in the initramfs: if the USB drive is lost or compromised, its key slot has to be removed from the LUKS header (<code>cryptsetup luksRemoveKey</code> or <code>luksKillSlot</code>), and with a shared keyfile you would also have to replace the embedded one and rebuild the initramfs.
</p><p>Copy this keyfile to your USB drive and create a new GRUB configuration file:
</p>
<pre>/boot/grub/grub-pre.cfg</pre>
<pre># Embedded GRUB configuration (built into the image with grub-mkimage -c below):
# unlock the LUKS volume with the key on the USB drive, then hand over to the
# regular grub.cfg on the unlocked volume.
set crypto_uuid=UUID-of-the-luks-volume
# GRUB addresses devices by name (hd1,gpt1 ...), not by file system UUID, so the
# UUID of the USB file system must be resolved to a device name before it can
# be used in a path.
search --no-floppy --fs-uuid --set=key_disk UUID-of-the-volume-with-the-key
cryptomount -u $crypto_uuid -k ($key_disk)/the-location-of-the-key-on-your-usb
# The unlocked volume holding /boot, as in the search/set root lines of grub.cfg
search --no-floppy --fs-uuid --set=root UUID-of-the-unlocked-volume-as-in-grub.cfg
set prefix=($root)/boot/grub
insmod normal
normal</pre>
<p>Create a GRUB image and install it. The <code>search</code> and <code>search_fs_uuid</code> modules are required by the configuration above; not all of the file system modules will be needed depending on your file system, and a LUKS2 volume additionally needs the <code>luks2</code> module:
</p>
<pre># grub-mkimage -p /boot/grub -O x86_64-efi -c /boot/grub/grub-pre.cfg -o /tmp/grubx64.efi part_gpt part_msdos search search_fs_uuid cryptodisk luks gcry_rijndael gcry_sha512 lvm ext2 ntfs fat exfat
# install -v /tmp/grubx64.efi /efi/EFI/GRUB/grubx64.efi
</pre>
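<p>An added example, not part of this page, that fills in the placeholders of <code>grub-pre.cfg</code> from the running system and checks the USB keyfile before the image is built. It assumes the USB drive is mounted at <code>/mnt/usb</code> with the key at <code>luks-boot.key</code> on it (both overridable through the environment), that the embedded keyfile path is the one used earlier in this section, and that <code>/boot</code> is on the unlocked volume. The UUIDs are resolved to GRUB device names with <code>search --fs-uuid</code>, the USB key is refused if it is identical to the embedded key, and the key is verified against the LUKS header with <code>cryptsetup open --test-passphrase</code> without activating the device.</p>

```shell
#!/bin/sh
# Added example (not from the Arch wiki page): generate grub-pre.cfg from the
# live system and check the USB keyfile before running grub-mkimage.
# Assumptions not on the page: the USB drive is mounted at $USB_MNT and the key
# is at $USB_MNT/$KEY_REL; the embedded keyfile path is the one used above.
set -u

USB_MNT="${USB_MNT:-/mnt/usb}"
KEY_REL="${KEY_REL:-luks-boot.key}"
EMBEDDED_KEY="${EMBEDDED_KEY:-/etc/cryptsetup-keys.d/cryptlvm.key}"

# Print a grub-pre.cfg for LUKS_UUID (the encrypted partition), KEY_FS_UUID
# (the file system on the USB drive), KEY_PATH (path of the key on that file
# system) and ROOT_FS_UUID (the file system holding /boot once unlocked).
# search --fs-uuid turns the UUIDs into the device names GRUB needs in paths.
render_grub_pre_cfg() {
    luks_uuid=$1 key_fs_uuid=$2 key_path=$3 root_fs_uuid=$4
    cat <<EOF
set crypto_uuid=$luks_uuid
search --no-floppy --fs-uuid --set=key_disk $key_fs_uuid
cryptomount -u \$crypto_uuid -k (\$key_disk)/$key_path
search --no-floppy --fs-uuid --set=root $root_fs_uuid
set prefix=(\$root)/boot/grub
insmod normal
normal
EOF
}

# Return 0 when both keyfiles exist and differ byte-for-byte. Reusing the
# embedded key on the USB drive would mean that losing the drive also forces
# a rebuild of the initramfs.
keys_are_distinct() {
    [ -f "$1" ] && [ -f "$2" ] && ! cmp -s "$1" "$2"
}

# Live-system driver (run as root), e.g.:
#   usb_key_setup /dev/sda3 > /boot/grub/grub-pre.cfg
usb_key_setup() {
    dev=$1
    key="$USB_MNT/$KEY_REL"
    keys_are_distinct "$key" "$EMBEDDED_KEY" \
        || { echo "refusing: USB key missing or identical to $EMBEDDED_KEY" >&2; return 1; }
    # Verify the key against the LUKS header without activating the device.
    cryptsetup open --test-passphrase --key-file "$key" "$dev" \
        || { echo "USB key does not unlock $dev" >&2; return 1; }
    luks_uuid=$(blkid -s UUID -o value "$dev")
    # -T reports the file system containing the path, even if it is not itself
    # a mount point (e.g. /boot as a directory on the root file system).
    key_fs_uuid=$(blkid -s UUID -o value "$(findmnt -no SOURCE -T "$USB_MNT")")
    root_fs_uuid=$(blkid -s UUID -o value "$(findmnt -no SOURCE -T /boot)")
    render_grub_pre_cfg "$luks_uuid" "$key_fs_uuid" "$KEY_REL" "$root_fs_uuid"
}

if [ -n "${1:-}" ]; then
    usb_key_setup "$1"
fi
```

The generated file is written to standard output so it can be reviewed before being placed at <code>/boot/grub/grub-pre.cfg</code> and embedded with <code>grub-mkimage -c</code>; the image must then include the <code>search</code> and <code>search_fs_uuid</code> modules.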
<p></p><h2 id="Root_on_ZFS">Root on ZFS</h2><p></p>
<div>
<p><b>This article or section is being considered for removal.</b></p>
<p><b>Reason:</b> There is nothing inherently different in the encryption setup between ZFS on LUKS or plain dm-crypt compared to any other file system on LUKS or plain dm-crypt. ZFS native encryption is out of scope of this article. (Discuss in <a rel="nofollow" href="https://wiki.archlinux.org/title/Talk:Dm-crypt/Encrypting_an_entire_system">Talk:Dm-crypt/Encrypting an entire system</a>)</p>
</div>
<p>To use dm-crypt with <a href="https://wiki.archlinux.org/title/ZFS" title="ZFS">ZFS</a>, see <a href="https://wiki.archlinux.org/title/ZFS#Encryption_in_ZFS_using_dm-crypt" title="ZFS">ZFS#Encryption in ZFS using dm-crypt</a>.
</p><p>Additionally, ZFS features <a href="https://wiki.archlinux.org/title/ZFS#Native_encryption" title="ZFS">native encryption</a>, which can also be used to encrypt the system root. Unlike dm-crypt, it leaves the boot loader and some file system metadata (such as dataset names and sizes) unencrypted. See:
</p>
<ul><li><a rel="nofollow" href="https://openzfs.github.io/openzfs-docs/Getting%20Started/Arch%20Linux/Root%20on%20ZFS.html">Arch Linux Root on ZFS</a> guide on the OpenZFS page,</li>
<li><a href="https://wiki.archlinux.org/title/Install_Arch_Linux_on_ZFS" title="Install Arch Linux on ZFS">Install Arch Linux on ZFS</a>.</li></ul>
<p>After the installation, the boot loader can be signed and verified with <a href="https://wiki.archlinux.org/title/Secure_Boot" title="Secure Boot">Secure Boot</a> on UEFI systems, which covers the one part of the boot chain that none of the encryption schemes above protects.
</p>
</div></div>