ykfde/book/arch/04-prepare-volumes.md
2018-07-23 23:03:08 +02:00


# Prepare Volumes

Please take a look at the Arch Wiki page "Preparing the logical volumes" to create the `/` and `/home` directories/partitions. In short, you do this (without swap).

The ext4 filesystem is used.

```sh
# turn the opened LUKS container into an LVM physical volume and volume group
pvcreate /dev/mapper/cryptlvm
vgcreate MyVolGroup /dev/mapper/cryptlvm

# 30 GiB for root, everything that is left for home
lvcreate -L 30G MyVolGroup -n root
lvcreate -l 100%FREE MyVolGroup -n home

mkfs.ext4 /dev/MyVolGroup/root
mkfs.ext4 /dev/MyVolGroup/home

# mount the new root at /mnt, then home underneath it
mount /dev/MyVolGroup/root /mnt
mkdir /mnt/home
mount /dev/MyVolGroup/home /mnt/home
```

## Encrypted /boot partition

The last volume is `/boot`, which should also be encrypted. We cannot use a YubiKey here, but it is protected with a password. The Arch Wiki page "Preparing the boot partition" describes this in more detail. The EFI partition will be mounted at `/boot/efi`.

Be aware that the GRUB boot loader uses the US keyboard layout. Consider this when choosing your password!

Execute the following commands. Replace `[device 3rd partition]` with the 3rd partition of your device (e.g. `nvme0n1p3`) and `[device 2nd partition]` with the 2nd partition of your device (e.g. `nvme0n1p2`).

```sh
# create the LUKS container for /boot and open it as "cryptboot"
cryptsetup luksFormat /dev/[device 3rd partition]
cryptsetup open /dev/[device 3rd partition] cryptboot

# verify that the mapping exists
ls /dev/mapper

mkfs.ext4 /dev/mapper/cryptboot

mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot

# the (unencrypted) EFI system partition goes below /boot
mkdir /mnt/boot/efi
mount /dev/[device 2nd partition] /mnt/boot/efi
```

## Keyfile for initramfs

With a keyfile embedded in the initramfs we don't have to unlock the `/boot` partition twice. The `/boot` partition will be mounted when the system starts, so updates can be performed.

Create a randomly generated keyfile with the following lines and add it as an additional key to the 3rd (LUKS) partition (replace `[device 3rd partition]` with e.g. `nvme0n1p3`).

```sh
# 2048 random bytes, readable by nobody but root
dd bs=512 count=4 if=/dev/urandom of=/mnt/crypto_keyfile.bin
chmod 000 /mnt/crypto_keyfile.bin
# enroll the keyfile in a free LUKS key slot next to the password
cryptsetup luksAddKey /dev/[device 3rd partition] /mnt/crypto_keyfile.bin
```
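The two sections above (encrypted `/boot` and the keyfile) are typed by hand in the book. The script below is an added example, not part of the ykfde book, that wraps the same commands with the checks a careless run would otherwise skip: it derives the partition names from the disk name (`nvme0n1` needs a `p` before the number, `sda` does not), refuses to run without root or without the root volume already mounted at `/mnt`, creates the keyfile under `umask 077` so it is never readable by other users between `dd` and `chmod`, and refuses to overwrite a keyfile that already exists. The function names `part_dev`, `make_keyfile`, `file_mode` and `prepare_cryptboot` are this example's own.

```sh
#!/bin/sh
# Added example (not from the ykfde book). Helper functions around the
# /boot encryption and keyfile steps; only prepare_cryptboot touches disks.

# Build a partition device path from a disk name and a partition number.
# Disks whose name ends in a digit (nvme0n1, mmcblk0, loop0) use a "p"
# separator: nvme0n1 + 3 -> /dev/nvme0n1p3, sda + 3 -> /dev/sda3.
part_dev() {
    disk=$1; num=$2
    case "$disk" in
        *[0-9]) printf '/dev/%sp%s\n' "$disk" "$num" ;;
        *)      printf '/dev/%s%s\n' "$disk" "$num" ;;
    esac
}

# Create a 2048-byte random keyfile (bs=512 count=4, as on the page) that
# ends up with mode 000. Refuses to overwrite an existing file, so a second
# run cannot silently replace a key that is already enrolled in a LUKS slot.
make_keyfile() {
    kf=$1
    if [ -e "$kf" ]; then
        echo "refusing to overwrite existing keyfile $kf" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created owner-only from the start
    (umask 077 && dd bs=512 count=4 if=/dev/urandom of="$kf" 2>/dev/null) || return 1
    # check the size before dropping our own read permission
    size=$(wc -c < "$kf" | tr -d ' ')
    [ "$size" -eq 2048 ] || { echo "keyfile has $size bytes, expected 2048" >&2; return 1; }
    chmod 000 "$kf"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The page's /boot steps for one disk, e.g. "prepare_cryptboot nvme0n1":
# partition 3 becomes the LUKS container for /boot, partition 2 is the EFI
# system partition. Destructive; cryptsetup luksFormat asks for confirmation.
prepare_cryptboot() {
    disk=$1
    boot_part=$(part_dev "$disk" 3)
    efi_part=$(part_dev "$disk" 2)
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$boot_part" ] && [ -b "$efi_part" ] || { echo "partitions of $disk not found" >&2; return 1; }
    mountpoint -q /mnt || { echo "/mnt is not mounted; mount the root volume first" >&2; return 1; }
    cryptsetup luksFormat "$boot_part" || return 1
    cryptsetup open "$boot_part" cryptboot || return 1
    mkfs.ext4 /dev/mapper/cryptboot || return 1
    mkdir -p /mnt/boot && mount /dev/mapper/cryptboot /mnt/boot || return 1
    mkdir -p /mnt/boot/efi && mount "$efi_part" /mnt/boot/efi || return 1
    make_keyfile /mnt/crypto_keyfile.bin || return 1
    # enroll the keyfile in a free key slot; the password stays in its own slot
    cryptsetup luksAddKey "$boot_part" /mnt/crypto_keyfile.bin
}

# usage: sh prepare_boot.sh run nvme0n1   (nothing runs without the "run" word)
case "${1:-}" in
    run) prepare_cryptboot "$2" ;;
esac
```

Keeping the password in its own key slot matters: if the initramfs (and with it the keyfile) is ever lost, `cryptsetup open` with the GRUB password still works, and the keyfile slot can be removed with `cryptsetup luksRemoveKey` without locking yourself out.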