June 30, 2016

archlinux: Encrypted LVM install and post-install

Wipe your drive with random data and install on LVM

From the official guide (which has some issues), other pages and some divine inspiration.

Let’s start random-shredding the whole disk

# shred --verbose --random-source=/dev/urandom --iterations=1 /dev/sda

(and go to bed)

Now create two partitions

# cfdisk /dev/sda

(choose dos if not uefi)

New-> Partition Size: 100M -> primary -> Bootable, type 8300
New-> Partition Size: all of the remaining GB -> primary, type 8E00 (lvm)

Set up LUKS on the partition where the system will be hosted, open it, and create the usual logical volumes inside it

# cryptsetup luksFormat /dev/sdaX

(with X your “system” (lvm) partition)

# cryptsetup open --type luks /dev/sdaX lvm

# pvcreate /dev/mapper/lvm
# vgcreate MyVol /dev/mapper/lvm
# lvcreate -L 3G MyVol -n swap
# lvcreate -L 20G MyVol -n root
# lvcreate -l 100%FREE MyVol -n home

# mkfs.ext4 /dev/mapper/MyVol-root
# mkfs.ext4 /dev/mapper/MyVol-home
# mkswap /dev/mapper/MyVol-swap

# mount /dev/mapper/MyVol-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/MyVol-home /mnt/home
# swapon /dev/mapper/MyVol-swap

# mkfs.ext2 /dev/sdaY

with sdaY your boot partition (the 100M one created above)
(check fdisk -l to identify /boot)

# mkdir /mnt/boot
# mount /dev/sdbY /mnt/boot

Get connected and install the base system, and grub

# wifi-menu

(or # dhcpcd eth0)

# pacstrap /mnt base base-devel

Fake root and install grub

# arch-chroot /mnt pacman -S grub-bios

Create fstab and adjust locale

(obviously you can use vi instead of echo)

# genfstab -p /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
# echo "" > /etc/hostname   (put the hostname you want between the quotes)
# ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
# echo "LANG=\"en_US.UTF-8\"" > /etc/locale.conf
# echo "LC_COLLATE=\"C\"" >> /etc/locale.conf
# echo "LC_TIME=\"en_US.UTF-8\"" >> /etc/locale.conf
# sed 's/#en_US/en_US/g' -i /etc/locale.gen
# locale-gen

kernel and boot: take into account your encryption

Add the encrypt and lvm2 hooks to mkinitcpio.conf before building the initramfs (encrypt has to come after block and before lvm2; if the passphrase will be typed on a USB keyboard, put keyboard before encrypt too)

# sed -i 's/filesystems/encrypt lvm2 filesystems/g' /etc/mkinitcpio.conf

Add a cryptdevice= flag to GRUB_CMDLINE_LINUX so the encrypt hook in the initramfs knows which partition holds the LUKS container and what to call it once opened:

# sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="cryptdevice=\/dev\/sda2:cryptroot"/g' /etc/default/grub

(where sda2 is your “system” partition)

Build the initramfs and install grub:

# mkinitcpio -p linux
# grub-install --target=i386-pc --recheck --debug /dev/sda

(ignore any warnings relative to lvmetad; if you want to avoid seeing the problem,
set use_lvmetad = 0 in /etc/lvm/lvm.conf and then run grub-install but then you
must set it back to = 1)
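The two config edits above, as an added shell example that is not from the original post: it touches only the active HOOKS= and GRUB_CMDLINE_LINUX lines, unlocks the container by LUKS UUID rather than by /dev/sda2 (device names can move), and includes a check worth running before the reboot. The sample files, the UUID and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the two config edits above done on
# the active lines only, with the LUKS UUID instead of /dev/sda2, plus a check to
# run before rebooting. make_samples writes constructed copies of both files so
# this runs anywhere; point the other functions at the real files to use them.
set -eu

# Rewrite the active HOOKS= line (comments untouched) so keyboard precedes
# encrypt, which a USB keyboard needs to type the passphrase, and lvm2 precedes
# filesystems. Assumes the 2016 default hook list.
set_hooks() {  # $1 = mkinitcpio.conf
  sed -E 's/^HOOKS=.*/HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"/' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Succeed only if the active HOOKS= line lists these hooks in boot order.
hooks_ok() {  # $1 = mkinitcpio.conf
  local hooks prev h idx
  hooks=$(sed -n -E 's/^HOOKS=[("]*([^")]*).*/\1/p' "$1" | tail -n 1)
  prev=0
  for h in block keyboard encrypt lvm2 filesystems; do
    idx=$(printf '%s\n' $hooks | grep -n -x "$h") || return 1
    idx=${idx%%:*}
    [ "$idx" -gt "$prev" ] || return 1
    prev=$idx
  done
}

# Point the encrypt hook at the container by UUID (cryptsetup luksUUID /dev/sdaX
# prints it); /dev/sdaN can change when a USB stick is plugged in.
set_cryptdevice() {  # $1 = LUKS UUID, $2 = /etc/default/grub
  sed -E "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$1:cryptroot\"|" \
    "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Print the cryptdevice= argument in $1; fail if none is set.
cryptdevice_of() {  # $1 = /etc/default/grub
  sed -n -E 's/^GRUB_CMDLINE_LINUX=".*cryptdevice=([^ "]+).*/\1/p' "$1" | grep .
}

# Constructed samples of both files as a fresh 2016 install left them; prints the dir.
make_samples() {
  d=$(mktemp -d)
  printf '# HOOKS="base udev block filesystems"\nHOOKS="base udev autodetect modconf block filesystems keyboard fsck"\n' > "$d/mkinitcpio.conf"
  printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX=""\n' > "$d/grub"
  printf '%s\n' "$d"
}
```

After set_hooks and set_cryptdevice on the real files, mkinitcpio -p linux and grub-mkconfig still have to be run as in the steps above.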

grub locale and config

# mkdir -p /boot/grub/locale
# cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
# grub-mkconfig -o /boot/grub/grub.cfg

add a user

(which, by pure coincidence is “pau”):

# useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash pau
# passwd pau

Finished here… exit from the fake root, unmount in the right order (crucial), and reboot:

# exit
# umount /mnt/boot
# umount /mnt/home
# umount /mnt
# reboot

If you ever manage to f*ck up your system and have to chroot from removable media… (the container holds an LVM physical volume, so activate the volume group before mounting its logical volumes)

# cryptsetup open --type luks /dev/sda2 cryptroot
# vgchange -ay MyVol
# mount -t ext4 /dev/mapper/MyVol-root /mnt
# mount -t ext4 /dev/mapper/MyVol-home /mnt/home
# mount /dev/sda1 /mnt/boot
# arch-chroot /mnt

To unmount them:
# umount -R /mnt/boot
# umount -R /mnt
# vgchange -an MyVol
# cryptsetup close cryptroot

Install software

All Xorg-related software for my thinkpad x220

# pacman -S xorg-server xorg-xinit xorg-utils\
xorg-server-utils xf86-video-intel xf86-input-evdev\
xf86-input-synaptics

Pulse audio:

# pacman -S pavucontrol acpi

Enable yaourt and install it, for 3rd-party software

Add repo (SigLevel = Never switches off package signature checking for this repo, so you are trusting whatever it serves; the delimiter is quoted so the shell leaves $arch for pacman to expand):

# cat >> /etc/pacman.conf <<-'__EOF__'
[archlinuxfr]
SigLevel = Never
Server = http://repo.archlinux.fr/$arch
__EOF__

Now install yaourt

# pacman -Sy
# pacman -S yaourt

And then all software you need

# yaourt --noconfirm -S\
acpi alsa-utils android-udev banshee chromium cups cups-pdf dialog\
djview easytag electronic-wechat-git enscript evince exo faenza-icon-theme\
fetchmail ffmpeg2theora firefox fortune-mod franz garcon gedit gimp git\
gnome-maps gnome-mplayer gnuplot go-mtpfs-git gparted grub gtk-xfce-engine\
gtkpod gvfs gvfs-afc gvfs-mtp i3lock i3lock-fancy-git ifuse inkscape\
kdegraphics-okular kdenlive libreoffice-fresh links meld mousepad mplayer\
mutt muttprint net-tools network-manager-applet networkmanager\
networkmanager-openconnect networkmanager-openvpn networkmanager-vpnc\
noto-fonts-cjk ntfs-3g numix-themes openconnect openssh orage otf-fira-mono\
otf-fira-sans pairing_tool paps pavucontrol pdfmod playonlinux procmail\
pulseaudio pulseaudio-alsa pulseaudio-equalizer pv pygmentize python-matplotlib\
qemu qiv qmmp qtox qupzilla-git ristretto rsync rubber ruby screen sddm\
sddm-config-editor-git sddm-numix-theme-git simple-mtpfs skype skype-call-recorder\
subdownloader teamspeak3 telegram-desktop-bin texlive-bibtexextra texlive-core\
texlive-fontsextra texlive-formatsextra texlive-games texlive-genericextra\
texlive-htmlxml texlive-humanities texlive-langextra texlive-langgreek\
texlive-latexextra texlive-music texlive-pictures texlive-plainextra\
texlive-pstricks texlive-publishers texlive-science thunar thunar-archive-plugin\
thunar-media-tags-plugin thunar-volman totem transmission-gtk ttf-fira-mono\
ttf-fira-sans ttf-liberation ttf-ubuntu-font-family tumbler ufw unoconv unzip\
vim vino vivaldi vlc wget wpa_supplicant xf86-input-evdev xf86-input-synaptics\
xf86-video-intel xfburn xfce4-appfinder xfce4-artwork xfce4-battery-plugin\
xfce4-clipman-plugin xfce4-cpufreq-plugin xfce4-cpugraph-plugin xfce4-datetime-plugin\
xfce4-dict xfce4-diskperf-plugin xfce4-eyes-plugin xfce4-fsguard-plugin xfce4-genmon-plugin\
xfce4-mailwatch-plugin xfce4-mixer xfce4-mount-plugin xfce4-mpc-plugin xfce4-netload-plugin\
xfce4-notes-plugin xfce4-notifyd xfce4-panel xfce4-power-manager xfce4-screenshooter\
xfce4-sensors-plugin xfce4-session xfce4-settings xfce4-smartbookmark-plugin\
xfce4-systemload-plugin xfce4-taskmanager xfce4-terminal xfce4-time-out-plugin\
xfce4-timer-plugin xfce4-verve-plugin xfce4-wavelan-plugin xfce4-weather-plugin\
xfce4-whiskermenu-plugin xfce4-xkb-plugin xfconf xfdesktop xfwm4 xfwm4-themes\
xorg-server xorg-server-utils xorg-utils xorg-xfontsel xorg-xkill xorg-xmessage\
xsel xterm yaourt youtube-dl zip zsh

We’ll need a display manager (sddm) to start X:

# sddm --example-config > /etc/sddm.conf
# systemctl enable sddm
# systemctl start sddm

And change to graphical session

# systemctl set-default graphical.target

Set up a firewall, ufw (on Arch, also systemctl enable ufw, otherwise the rules are not loaded at boot)

# ufw enable
# ufw deny ssh
# ufw default deny incoming
# ufw default allow outgoing

Screen locker

Let’s trick xfce into thinking that the locker is slock, while we use i3lock-fancy:

# yaourt -S i3lock-fancy
# cat > /usr/bin/slock <<-__EOF__
#!/bin/bash
i3lock-fancy -g -f Ubuntu-Bold
__EOF__
# chmod 755 /usr/bin/slock

Some small zshrc configuration for root with two update functions for archlinux

# chsh
(and choose /usr/bin/zsh)

(the delimiter is quoted so that $PATH, `which less` and the $3 in the awk script reach the file untouched instead of being expanded by the shell writing it)

# cat > /root/.zshrc <<-'__EOF__'
export PATH="$PATH:/bin:/usr/bin:/usr/local/bin"
export LESS=-R
export HELPDIR=/usr/local/lib/zsh/help # directory for run-help function to find docs
export EDITOR=vim
export VISUAL=vim
export FCEDIT=vim
export PAGER=`which less`
autoload -Uz compinit && compinit  # load and run the completion system
zstyle ':completion:*' completer _complete _match _approximate
zstyle ':completion:*:match:*' original only
zstyle ':completion:*:approximate:*' max-errors 1 numeric
zstyle ':completion:*:*:kill:*' menu yes select
zstyle ':completion:*:kill:*' force-list always
zstyle ':completion:*:cd:*' ignore-parents parent pwd
setopt correctall
fignore=(.o .old .pro)
HISTSIZE=3000
setopt hist_ignore_all_dups
DIRSTACKSIZE=30
#### Functions up-pacman-yaourt, installed-pacman-yaourt
function up-pacman-yaourt(){
yaourt -Syy
yaourt -Su --noconfirm
yaourt -Su --aur --noconfirm
}
function installed-pacman-yaourt(){
pacman -Qei | awk '/^Name/ { name=$3 } /^Groups/ { if ( $3 != "base" && $3 != "base-devel" ) { print name } }'
}
__EOF__