Comments on How to install Arch Linux with Full Disk Encryption
This tutorial explains the installation of Arch Linux + XFCE Desktop with Full Disk Encryption.
16 Comment(s)
Comments
I will give Arch Linux a try and your tutorial will be really helpful in this case, thank you. Crossing my fingers that I won't screw up any of the above steps :)
Instead of the above, take a look at MSED: http://www.r0m30.com/msed
Hello Martin,
What you have been promoting is a project that is one year old and still in beta and has only one developer, no contributors whatsoever. If the person decides to abandon the project, what are we going to do? dm-crypt and LUKS became the de facto encryption and part of the kernel development (citing the guy from the other tutorial) a long time ago. If you don't trust the crypto API built into the kernel, then don't try to invent your own crypto (that is rule number one). We all know that the kernel development is the biggest collaboration project in existence. If one dev decides to step down, he will be replaced pretty quickly. I don't have to mention that a lot of huge companies are contributing and even hiring people to work on the kernel development, as their products depend a lot on the kernel.
I don't have so much personal free time to read the different wikis, that's why tutorials like this one are a godsend.
Using chroot
Mount the temporary api filesystems:
# cd /mnt/arch
# mount -t proc proc proc/
# mount --rbind /sys sys/
# mount --rbind /dev dev/
And optionally:
# mount --rbind /run run/
Above copied from: https://wiki.archlinux.org/index.php/Change_root
It is a good idea to add them into the mounting section and the /run part, since it's needed for the command "grub-mkconfig", issued later on in the installation procedure, to run smoothly.
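A check for the mounts listed in the comment above, as an added example that is not part of the original comment or the tutorial: it reports which of proc, sys, dev and run are not yet mount points under the chroot target, so the gap is visible before grub-mkconfig is run. The function name missing_api_mounts and its optional mounts-file argument are hypothetical; /mnt/arch is the target used in the comment.

```shell
#!/bin/sh
# Added example (not from the tutorial or the comment): list the API
# filesystems that are NOT mounted under a chroot target.
#
# missing_api_mounts ROOT [MOUNTS_FILE]
#   ROOT         chroot target, e.g. /mnt/arch
#   MOUNTS_FILE  table in /proc/mounts format (defaults to /proc/mounts);
#                the second argument is an assumption made so the check can
#                be run against a saved or constructed table.
# Prints the missing directories, space-separated; prints an empty line
# when proc, sys, dev and run are all mounted under ROOT.
missing_api_mounts() {
    root=${1%/}                  # "/mnt/arch/" and "/mnt/arch" are the same target
    table=${2:-/proc/mounts}
    missing=""
    for d in proc sys dev run; do
        # Field 2 of each line is the mount point. Compare it exactly, so
        # that e.g. /mnt/arch/dev/pts does not count as /mnt/arch/dev.
        if ! awk -v mp="$root/$d" \
                '$2 == mp { found = 1 } END { exit !found }' "$table"
        then
            missing="$missing $d"
        fi
    done
    echo "${missing# }"
}

# Stand-alone use: ./check-mounts.sh /mnt/arch
if [ $# -gt 0 ]; then
    result=$(missing_api_mounts "$@")
    if [ -n "$result" ]; then
        echo "not mounted under $1: $result" >&2
        exit 1
    fi
    echo "all API filesystems are mounted under $1"
fi
```

The check only confirms that something is mounted at each path; it does not verify the filesystem type.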
@anonymous
arch-chroot and chroot are two different ways to 'chroot' your file system(s), and it has been well described in the link provided by you.
Even in Gentoo you have the same options, you can use arch-chroot or chroot, the choice is up to you.
Hi,
I've been looking for a good tutorial for setting up full disk encryption for a while so thanks for this. I'm making an Arch server so I have a whole bunch of partitions rather than just the 2 mentioned above:
(parted) mkpart primary ext4 1MiB 200MiB
(parted) set 1 boot on
(parted) mkpart primary ext4 200MiB 40GiB
(parted) mkpart primary linux-swap 40GiB 50GiB
(parted) mkpart primary ext4 50GiB 150GiB
(parted) mkpart primary ext4 150GiB 100%
So my question is how do I need to modify the "cryptsetup open --type luks /dev/sda2 cryptroot" command to cover all of my partitions?
Cheers
Picto
This worked perfectly! The only thing I had to do was add the "lvm2" hook since I am using lvm partitions for my system, on top of a LUKS partition.
Thank you very much for posting this!
Thanks a lot! :)
Hi,
It is not full disc encryption. Boot part is not encrypted. This art should be fixed, it is possible to make boot partition also encrypted. Dedicated GRUB2 module for luks can be used to prepare real full disc encryption solution.
Maybe you'd be kind enough to write a tutorial explaining those additional steps for the rest of us.
I don't know if these steps no longer apply to modern Arch (in which case perhaps it's time to pull this article?) however, none of the partitioning steps match reality for the menus given:
"New-> Partition Size: 100M -> primary -> Bootable"
Where can I select primary? Bootable? There are no options for that.
I just wanted to point out that overwriting your SSD with random data 15 times will serve no purpose except for reducing its life. SSDs are not HDs, if you just write random data once, it's just as good, even if you just write zeroes once it's just as good. But you can go with random if you are paranoid. In fact, I'm not aware of any instances where a single random pass would make it possible to recover data on HDs. Writing predictable patterns is problematic because they are not digital and some expensive equipment might be used to see if it's closer to 0 or 1, then take into account the pattern, then conclude what bit it likely was.
Hi,
I have full disk encryption working - however AES_NI was disabled in my BIOS for the setup. Is there a way to use AES_NI to decrypt to speed up the boot time?
Cheers,
D
This is NOT full disk encryption. You clearly do not encrypt the boot partition at all.
Hello, good article design, is this up to date 13/07/2019?
> pacstrap -i /mnt base base-devel
Additionally, the `linux` and `linux-firmware` packages will need to be installed. See https://wiki.archlinux.org/title/Installation_guide#Install_essential_packages.