Add prepare volumes and install Arch chapters

README.md

@@ -17,6 +17,11 @@ It took me several days to figure out how to set up a fully encrypted machine wi
 others to get it done in minutes (hopefully). There exists a plenty bunch of tutorials but no one contains a step-by-step 
 guide to get the above things done.
 
+## Prerequisites
+You should be familiar with linux and should be able to edit files with `vi` [Vi Cheat Sheet](http://www.lagmonster.org/docs/vi.html).
+You need an USB stick for the Linux Live environment and a second computer would be useful for look ups and to read this guide while
+preparing your fully encrypted Linux.
+
 ## Documentation
 
 For the latest online documentation visit [http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/](http://sandrokeil.github.io/yubikey-full-disk-encryption-secure-boot-uefi/ "Latest yubikey-full-disk-encryption-secure-boot-uefi documentation").

book/arch/01-getting-started.md

@@ -1,19 +1,19 @@
 # Getting Started
 
-For common stuff, the Arch Wiki is a good starting point. We need a bootable Arch Linux medium. Please take a look
+For common stuff, the Arch Wiki is a good starting point. You need a bootable Arch Linux medium. Please take a look
-at the Arch Installtion Guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen"). 
+at the Arch installation guide [en](https://wiki.archlinux.org/index.php/installation_guide#Pre-installation "Download and boot the installation medium") / [de](https://wiki.archlinux.de/title/Anleitung_für_Einsteiger#Das_neueste_ISO-Abbild_beziehen "Das neueste ISO-Abbild beziehen"). 
 
 Ok, you've create a bootable Arch Linux medium, now it's time to boot into the Arch Linux UEFI system.
 
 German users should execute `loadkeys de` (QWERTZ keyboard layout) in the tty prompt first.
 
-Let's install minimal packages to get started with our full disk encryption with YubiKey.
+Let's install minimal packages to get started of full disk encryption with YubiKey.
 
 ```
 pacman -Sy yubikey-manager yubikey-personalization pcsc-tools libu2f-host make json-c cryptsetup
 ```
 
-Now we must start the [smartcard service](https://wiki.archlinux.org/index.php/Smartcards "Smartcards")
+Now start the [smartcard service](https://wiki.archlinux.org/index.php/Smartcards "Smartcards")
 
 ```
 systemctl start pcscd.service

book/arch/02-prepare-disk.md

@@ -10,7 +10,7 @@ List your disks with `lsblk` and run `gdisk /dev/[your disk]` e.g. `gdisk /dev/n
 > It's crucial to use `gdisk` because GPT is needed for UEFI boot.
 
 Please create 4 partition like described in the Arch Wiki above with `gdisk`. Use the codes for the partition type.
-Don't format the partitions at this time, we will do it later with the YubiKey. It should look similar like this.
+Don't format the partitions at this time, you will do it later with the YubiKey. It should look similar like this.
 
 ```
 Number  Start (sector)    End (sector)  Size       Code  Name
@@ -23,7 +23,7 @@ Number  Start (sector)    End (sector)  Size       Code  Name
 The second partition contains the EFI System and must be of type FAT32. Format the second partition e.g. `/dev/nvme0n1p2` with: 
 
 ```
-mkfs.fat -F32 /dev/[disk 2nd partition]
+mkfs.fat -F32 /dev/[device 2nd partition]
 ```
 
 The next chapter describes how to prepare the YubiKey.

book/arch/03-prepare-yubikey.md

@@ -3,19 +3,23 @@
 Download or mount [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) and install it
 in your Arch Linux Live environment. This is needed because we will format the 4rd partition with YubiKey.
 
-Open the yubikey-full-disk-encryption folder and run `make`.
+## Installation
+Open the *yubikey-full-disk-encryption* folder and run `make`.
 
 ```
 cd yubikey-full-disk-encryption
 make install
 ```
 
+
+## Prepare 2nd slot
 Now it's time prepare the second slot of our YubiKey for the challenge response authentication. Touch will be also enabled.
 
 ```
 ykpersonalize -v -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
 ```
 
+## Configure ykfde
 Open `/etc/ykfde.conf` and set `YKFDE_CHALLENGE_SLOT=2` because we want to use the second slot. 
 Set `YKFDE_CHALLENGE_PASSWORD_NEEDED=1` so it asks for the password (2FA). Feel free to modify it tou your needs 
 e.g. enable TRIM (but be warned, there are potential security implications) support.
@@ -63,19 +67,14 @@ YKFDE_CHALLENGE_SLOT="2"
 #DBG="1"
 ```
 
-Next step is to format the 4rd partition. You can modify the arguments if you know what you are doing. 
+## Encrypt 4th partition
-Ensure that you use the 4rd partition e.g. `nvme0n1p4`
+Next step is to format the 4th partition. You can modify the arguments if you know what you are doing. 
+
+> Ensure that you use the 4th partition, replace `[device 4rd partition]` with e.g. `nvme0n1p4`
 
 ```
 ykfde-format --cipher aes-xts-plain64 --key-size 512 --hash sha256 --iter-time 5000 --type luks2 /dev/[device 4rd partition]
-ykfde-open -d /dev/[device 4rd partition] -n cryptlvm
+ykfde-open -d /dev/[device 4th partition] -n cryptlvm
 ```
 
-Display the crypt volume with `ls /dev/mapper`. Next step is to [preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
+Display the crypt volume with `ls -la /dev/mapper/`. Next step is to prepare the logical volumes.
-for `/` and `/home` directory.
-
-```
-mount /dev/MyVolGroup/root /mnt
-mkdir /mnt/home
-mount /dev/MyVolGroup/home /mnt/home
-```

book/arch/04-prepare-volumes.md

@@ -1,3 +1,59 @@
 # Prepare Volumes
 
-TBD
+Please take a look at the Arch Wiki page [Preparing the logical volumes](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_logical_volumes "preparing the logical volumes")
+to create `/` and `/home` directory/partitions. In short you do this (without swap).
+
+> The filesystem *ext4* is used.
+
+```
+pvcreate /dev/mapper/cryptlvm
+vgcreate MyVolGroup /dev/mapper/cryptlvm
+
+lvcreate -L 30G MyVolGroup -n root
+lvcreate -l 100%FREE MyVolGroup -n home
+
+mkfs.ext4 /dev/MyVolGroup/root
+mkfs.ext4 /dev/MyVolGroup/home
+
+mount /dev/MyVolGroup/root /mnt
+mkdir /mnt/home
+mount /dev/MyVolGroup/home /mnt/home
+```
+
+## Encrypted `/boot` partition
+
+The last volume is `/boot` which should also be encrypted. We can not use a YubiKey here, but it is protected with a password.
+The Arch Wiki page [Preparing the boot partition](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Preparing_the_boot_partition_5 "Preparing the boot partition")
+describes this in more detail. The `efi` partition will be mounted to `/boot/efi`.
+
+> Be aware, GRUB boot loader uses US keyboad layout. Consider this for your password!
+
+Execute the following commands and replace `[device 3rd partition]` with the 3rd partition of your device e.g. `nvme0n1p3`
+and replace `[device 2nd partition]` with the 2nd partition of your device e.g. `nvme0n1p2`.
+
+```
+cryptsetup luksFormat /dev/[device 3rd partition]
+cryptsetup open /dev/[device 3rd partition] cryptboot
+
+ls /dev/mapper
+
+mkfs.ext4 /dev/mapper/cryptboot
+
+mkdir /mnt/boot
+mount /dev/mapper/cryptboot /mnt/boot
+
+mkdir /mnt/boot/efi
+mount /dev/[device 2nd partition] /mnt/boot/efi
+```
+
+## Keyfile for initramfs
+[With a keyfile embedded in the initramfs](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#With_a_keyfile_embedded_in_the_initramfs "With a keyfile embedded in the initramfs")
+we don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted if the system starts, so updates can be performed.
+
+Create a randomized generated key file with the following lines and add this keyfile to the 3rd LUKS partition (replace `[device 3rd partition]` with e.g. `nvme0n1p3`).
+
+```
+dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
+chmod 000 /mnt/crypto_keyfile.bin
+cryptsetup luksAddKey /dev/[device 3rd partition] /mnt/crypto_keyfile.bin
+```

book/arch/05-install-arch.md

@@ -1,3 +1,154 @@
 # Install Arch Linux
 
-TBD
+This chapter describes how to install a minimal Arch Linux. You will find an appropriated page in the Arch Wiki
+[en](https://wiki.archlinux.org/index.php/installation_guide) / [de](https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger).
+
+
+## Basic stuff
+The *base* package and some additional packages for the YubiKey and full disk encryption will be installed to the `/mnt` folder.
+If you want to know more about the individual package, please take a look at the [Arch package site](https://www.archlinux.org/packages/).
+
+```
+pacstrap /mnt base yubikey-manager yubikey-personalization pcsc-tools libu2f-host acpid dbus grub-efi-x86_64 efibootmgr lvm2
+```
+
+## Generate fstab
+The following command will generate the *fstab* entries of the currently mounted partitions.
+
+```
+genfstab -U -p /mnt >> /mnt/etc/fstab
+```
+
+Check it out with `cat /mnt/etc/fstab` and verify it.
+
+## YubiKey Full Disk Encryption
+Next step is to copy the [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption) folder
+to the `/mnt` folder because it will be installed later. The YubiKey challenge is stored in a file to make it
+available inside the new system. More on that later.
+
+```
+cp -r yubikey-full-disk-encryption /mnt/home/
+echo "export YKFDE_CHALLENGE=$YKFDE_CHALLENGE" > /mnt/home/challenge.txt
+```
+
+Copy `/etc/ykde.conf` to `/mnt/home` so you can use this file later in your new environment.  
+
+## Mount `/run`
+
+When running `grub-mkconfig` you will see the error `/run/lvm/lvmetad.socket: connect failed: No such file or directory`.
+That's why the host `/run` folder must be available inside the `chroot` environment. This is prepared with the following
+lines and finished later on.
+
+```
+mkdir /mnt/hostrun/
+mount --bind /run /mnt/hostrun
+```
+
+## chroot
+
+It's time to switch into your new system with `arch-chroot /mnt` and prepare some stuff. After successfully changed root to
+the new system, execute the following lines to make the hosts *lvm* available here for `grub-mkconfig`.
+
+```
+mkdir /run/lvm
+mount --bind /hostrun/lvm /run/lvm
+```
+
+Next step is to install the *yubikey-full-disk-encryption* helper scripts. If they are not already copied in your home
+folder, you can it download from the GitHub repository [yubikey-full-disk-encryption](https://github.com/agherzan/yubikey-full-disk-encryption).
+
+```
+cd /home/yubikey-full-disk-encryption
+make install
+```
+
+Copy `/home/ykde.conf` to  `/etc/ykde.conf` so you have your previous settings or configure the file as described 
+in [chapter 3 - Prepare YubiKey](03-prepare-yubikey.md). The YubiKey challenge will now be stored in the `ykde.conf` 
+file. The environment variable with the YubiKey challenge is loaded into the environment so it can be set 
+into the `ykde.conf` file with the command `sed`. 
+
+```
+source /home/challenge.txt
+sed -i "s/#YKFDE_CHALLENGE=/YKFDE_CHALLENGE=$YKFDE_CHALLENGE/g" /etc/ykde.conf
+```
+
+Check that the YubiKey challenge was successfully saved to `/etc/ykde.conf` with `cat /etc/ykde.conf`.
+
+## mkinitcpio
+The next step is to prepare the `mkinitcpio.conf` to encrypt the partition at boot. Open the file with 
+`vi /etc/mkinitcpio.conf` and replace the *HOOKS* line with the following content.
+
+> Don't add `encrypt` hook, because we ues ykfde !!!
+
+
+```
+HOOKS=(base udev autodetect consolefont modconf block keymap lvm2 filesystems fsck keyboard ykfde)
+```
+
+Additionally the *ext4* module is needed. Add *ext4* to the *MODULES*. It should look like this line:
+
+```
+MODULES=(ext4)
+```
+
+## GRUB
+The next part is a bit tricky, because you have to figure out the correct device UUIDs. First, get a list of your device
+IDs with `lsblk -f` it should look something like this:
+
+```
+NAME                  FSTYPE      LABEL UUID                                   MOUNTPOINT
+nvme0n1                                                                        
+├─nvme0n1p1                                                                    
+├─nvme0n1p2           vfat              AB24-1550                              /boot/efi
+├─nvme0n1p3           crypto_LUKS       434a512a-1b76-449e-8cb0-f93aee46e85c   
+│ └─cryptboot         ext4              5fe2b9c5-ac2b-4f6e-8f3e-5e45c45d0b02   /boot
+└─nvme0n1p4           crypto_LUKS       a86c6534-6643-4afa-b3ae-c78a0a5dc50f   
+  └─cryptlvm          LVM2_member       heTIE6-0pLH-8J8Y-67T7-1vPW-4f1V-SqHeOA 
+    ├─MyVolGroup-root ext4              49a833a2-4a3b-4a1b-a7d9-75ab50910a8e   /
+    └─MyVolGroup-home ext4              ec626537-c6a5-4df9-9ad9-3a344bc8c86f   /home
+```
+
+You will need the UUID from the *device 4th partition* (in this example *a86c6534-6643-4afa-b3ae-c78a0a5dc50f*) and the 
+UUID of *MyVolGroup-root* (in this example *49a833a2-4a3b-4a1b-a7d9-75ab50910a8e*). Open the GRUB config file with `vi /etc/default/grub`
+and add these two lines with your UUIDs.
+
+```
+GRUB_CMDLINE_LINUX="cryptdevice=UUID=[4th partition UUID]:cryptlvm root=UUID=[MyVolGroup-root UUID]"
+GRUB_ENABLE_CRYPTODISK=y
+```
+
+Finally the *GRUB_CMDLINE_LINUX* line should look like this line with your UUIDs.
+
+```
+GRUB_CMDLINE_LINUX="cryptdevice=UUID=a86c6534-6643-4afa-b3ae-c78a0a5dc50f:cryptlvm root=UUID=49a833a2-4a3b-4a1b-a7d9-75ab50910a8e"
+```
+
+## Generate initramfs
+The last step is to generate a new *initramfs* and the GRUB boot loader. The first one is done with `mkinitcpio -p linux`
+and the second one with the following lines (replace `[your device]` with your device e.g. `nvme0n1`):
+
+```
+grub-install --target=i386-pc --recheck /dev/[your device]
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --recheck
+grub-mkconfig -o /boot/grub/grub.cfg
+```
+
+Add the `crypto_keyfile.bin` to the *crypttab*, otherwise you have to unlock the boot partition twice. Open the file with
+`vi /etc/crypttab` and add the following line (replace `[UUID 3rd partition]` with the UUID of the 3rd partition e.g. `434a512a-1b76-449e-8cb0-f93aee46e85c `).
+
+```
+cryptboot      UUID=[UUID 3rd partition]    /crypto_keyfile.bin                    luks
+```
+
+It should look like this with your UUID of the 3rd partition.
+
+```
+cryptboot      UUID=434a512a-1b76-449e-8cb0-f93aee46e85c    /crypto_keyfile.bin                    luks
+```
+
+It's time to check you settings with a graceful reboot. If you have done all things right you will be asked for your 
+boot parition password to see the GRUB boot menu and after that the YubiKey password with YubiKey touch button to unlock 
+the root partition. 
+
+Good luck! Don't worry if something doesn't work, simply boot from the Arch Linux medium, install the necessary software 
+to mount your encrypted partitions and check the configs. Maybe an UUID is wrong.