Arch Linux Reinstall

Secure Boot and Full Disk Encryption

SEAN K.H. LIAO

Arch Linux (re)install

One thing that always bothered me was that I had never bothered to set up full disk encryption the last time I reinstalled Arch on my laptop. I was looking for something simple and just did plain ext4.

security

This time I'm following the LUKS on a partition layout, with TPM2 and Secure Boot.

Full disk encryption primarily protects the data on disk when the computer is off. Binding a keyslot to the TPM and Secure Boot means that slot only unseals on this machine with this boot chain: systemd-cryptenroll seals the TPM2 slot against PCR 7 (the Secure Boot state and enrolled keys) by default, so taking the drive out and attacking it in a different system gets nothing from that slot, and the TPM's dictionary attack lockout limits guessing at the PIN. I'm keeping both password and FIDO2 keyslots though, and those unlock the drive anywhere, so what it practically gets me is a shorter PIN on boot instead of a full length password to type.

process

We start with an Arch ISO from the downloads page, verifying its signature with (pacman-key needs an existing Arch install with the archlinux keyring; from another distro use gpg --verify with the Arch release signing key):

pacman-key -v archlinux.iso.sig

Writing it to a USB stick (check with lsblk that /dev/sda really is the stick first; dd will happily overwrite a real disk):

dd bs=4M if=path/to/archlinux.iso of=/dev/sda conv=fsync oflag=direct status=progress

Next we reboot into the firmware setup and clear the Secure Boot keys, which puts it in setup mode so that sbctl can enroll our own keys later.

Booted from the USB stick, we start by clearing the disk (grab a backup first: package lists, /etc, /home/$user, /var/lib/iwd). My disk didn't support --secure, so --zeroout will have to do:

blkdiscard --force --zeroout /dev/nvme0n1

Set the time:

timedatectl set-timezone Europe/London

and make sure the internet works (IP reachable, DNS resolvable):

ping 8.8.8.8
ping dns.google

Next, partition the disk with GPT: one EFI system partition and one root partition. The 8304 type code (Linux x86-64 root) is not cosmetic: systemd-gpt-auto-generator uses it to locate and unlock the root partition at boot, which is why the kernel command line below has no root= or rd.luks.name=.

gdisk /dev/nvme0n1
n .. EF00 # efi partition, 1G
n ... 8304 # linux main partition, remainder

Create the EFI filesystem, and the root filesystem on top of LUKS (cryptsetup defaults to LUKS2, which systemd-cryptenroll needs for its TPM2 and FIDO2 tokens; the passphrase entered here lands in keyslot 0):

mkfs.fat -F 32 /dev/nvme0n1p1

cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 root
mkfs.ext4 -i 1024 /dev/mapper/root
mount /dev/mapper/root /mnt
mount --mkdir /dev/nvme0n1p1 /mnt/efi

Update the mirrorlist for fast mirrors (I took the list from my previous install). Then it's time to install the base system, organized roughly as system core, system management, desktop, and dev tools:

pacstrap -K /mnt base linux linux-firmware intel-ucode \
  efibootmgr exfat-utils htop iftop iotop man-db man-pages powertop sbctl terminus-font \
  bluez bluez-utils brightnessctl fprintd grim i3status kitty mako noto-fonts noto-fonts-cjk noto-fonts-emoji pam-u2f \
  pipewire pipewire-pulse playerctl pulsemixer slurp sway swaybg swayidle wf-recorder wl-clipboard wofi xdg-desktop-portal-wlr \
  age aria2 base-devel eza fzf git git-delta go go-yq jq mkcert neovim openssh ripgrep rsync tailscale unrar unzip vim xsv zsh zsh-completions

Next we set up the new system from inside a chroot:

arch-chroot /mnt

hwclock --systohc
ln -s /usr/share/zoneinfo/Europe/London /etc/localtime

nvim /etc/locale.gen
locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf

echo hwaryun > /etc/hostname
vim /etc/hosts # 127.0.0.1 localhost
# copy /etc/systemd/network/* for device / DHCP

ln -s /usr/lib/systemd/resolv.conf /etc/resolv.conf
systemctl enable systemd-networkd systemd-resolved systemd-timesyncd iwd pcscd.socket bluetooth tailscale

chsh
passwd
# change default shell
vim /etc/default/useradd

# netdev for iwd
groupadd adm docker netdev sudo
# create user, add to above groups
echo '%sudo ALL=(ALL:ALL) ALL' > /etc/sudoers.d/sudo

# no root= or rd.luks.name= needed: the 8304 root partition is found by systemd-gpt-auto-generator
echo 'quiet bgrt_disable rd.luks.options=password-echo=no,tpm2-device=auto,fido2-device=auto' > /etc/kernel/cmdline

vim /etc/mkinitcpio.conf # change hooks (systemd, sd-vconsole, sd-encrypt instead of udev, keymap, encrypt)
vim /etc/mkinitcpio.d/linux.preset # uncomment _uki settings

# clear efi variables if any still remain
efibootmgr -B -b 0000

# bootloader
bootctl install

sbctl create-keys
# -m also enrolls Microsoft's keys; leaving them out can brick firmware that relies on Microsoft-signed option ROMs
sbctl enroll-keys -m

# create uki (sbctl's mkinitcpio post hook signs it with the keys created above)
mkinitcpio -P

sbctl verify

reboot
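
The two "edit this file" steps above (change hooks, uncomment the _uki settings) are where the systemd-based initramfs is actually configured, so here is an added example, not code from the post, that performs them as a script over a target root and checks the result. The HOOKS line is the standard one for sd-encrypt; the files written by write_sample_tree are constructed for a dry run on a scratch directory and modelled on the stock Arch ones, and the paths (/efi as the ESP, /etc/kernel/cmdline) are assumptions matching the post.

```shell
# Added example (not from the post): apply the "change hooks" and
# "uncomment _uki settings" edits as a script over a target root, then
# check the result. Paths follow the post (/efi is the ESP); the sample
# files written by write_sample_tree are constructed for a dry run and
# modelled on the stock Arch ones, so compare with your real files first.

set -eu

# Systemd-flavoured initramfs: sd-encrypt (not encrypt) honours the
# rd.luks.options= from /etc/kernel/cmdline, and because the root
# partition is type 8304, systemd-gpt-auto-generator finds and unlocks
# it without an rd.luks.name= or root= on the command line.
HOOKS_LINE='HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)'

# Replace the HOOKS=(...) line in $root/etc/mkinitcpio.conf.
set_hooks() {
  root=$1
  conf="$root/etc/mkinitcpio.conf"
  sed "s|^HOOKS=(.*)|$HOOKS_LINE|" "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Uncomment the default_uki/fallback_uki lines (and the splash option)
# in the linux preset so that mkinitcpio -P builds UKIs onto the ESP.
enable_uki_preset() {
  root=$1
  preset="$root/etc/mkinitcpio.d/linux.preset"
  sed -e 's|^#\(default_uki=\)|\1|' \
      -e 's|^#\(fallback_uki=\)|\1|' \
      -e 's|^#\(default_options=\)|\1|' \
      "$preset" > "$preset.new" && mv "$preset.new" "$preset"
}

# Sanity check: systemd + sd-encrypt hooks, a UKI target on the ESP, and
# a command line that actually asks for the TPM2 device at boot.
check_uki_config() {
  root=$1
  grep -q '^HOOKS=(.* systemd .* sd-encrypt .*)' "$root/etc/mkinitcpio.conf" &&
  grep -q '^default_uki="/efi/' "$root/etc/mkinitcpio.d/linux.preset" &&
  grep -q 'tpm2-device=auto' "$root/etc/kernel/cmdline"
}

# Run all three; returns non-zero if any step or the final check fails.
configure_uki() {
  set_hooks "$1" && enable_uki_preset "$1" && check_uki_config "$1"
}

# Constructed sample tree (a stock-looking mkinitcpio.conf HOOKS line,
# the linux.preset as shipped by the linux package, and the post's
# cmdline) for exercising the functions on a scratch directory.
write_sample_tree() {
  root=$1
  mkdir -p "$root/etc/mkinitcpio.d" "$root/etc/kernel"
  echo 'HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)' > "$root/etc/mkinitcpio.conf"
  cat > "$root/etc/mkinitcpio.d/linux.preset" <<'EOF'
# mkinitcpio preset file for the 'linux' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"

PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
default_image="/boot/initramfs-linux.img"
#default_uki="/efi/EFI/Linux/arch-linux.efi"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
fallback_image="/boot/initramfs-linux-fallback.img"
#fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
fallback_options="-S autodetect"
EOF
  echo 'quiet bgrt_disable rd.luks.options=password-echo=no,tpm2-device=auto,fido2-device=auto' > "$root/etc/kernel/cmdline"
}
```

Inside the chroot run configure_uki /, or configure_uki /mnt from the live system before chrooting; mkinitcpio -P then writes the UKIs into /efi/EFI/Linux, and sbctl's mkinitcpio post hook signs them. On mkinitcpio 38 or newer add the microcode hook after autodetect so intel-ucode is bundled into the UKI; the *_image lines can be commented out if you do not want the unsigned plain initramfs images built alongside.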

Turn Secure Boot back on in the firmware. If sbctl verify listed anything as unsigned (e.g. the systemd-boot binaries that bootctl install copied to the ESP), sign it with sbctl sign -s <path> first, or the firmware will refuse to load it. With Secure Boot enabled, PCR 7 now holds the value the TPM2 slot should be sealed against (the default policy is PCR 7 only), so we can enroll the unlock methods. Note that --password adds a second passphrase slot alongside the one from luksFormat:

systemd-cryptenroll --password /dev/nvme0n1p2
systemd-cryptenroll --fido2-device auto /dev/nvme0n1p2
systemd-cryptenroll --tpm2-device auto --tpm2-with-pin true /dev/nvme0n1p2
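
Added example, not from the post: the same enrolment wrapped in a script that refuses to enroll the TPM2 slot while Secure Boot is off. Because the slot is sealed against PCR 7, which measures the Secure Boot state and enrolled certificates, a slot enrolled before Secure Boot is turned on will never unseal afterwards and every boot falls through to the FIDO2 or password prompt. The efivar path and byte layout (4 bytes of attributes, then the state byte) are the standard EFI ones; the check takes a file path so it can be exercised on constructed files, and the cryptenroll lines are the post's with the default PCR made explicit.

```shell
# Added example (not from the post): enroll password, FIDO2 and TPM2+PIN
# keyslots, but only seal the TPM2 slot once Secure Boot is actually on.
# The efivar path is the standard EFI_GLOBAL_VARIABLE one; the device
# passed in is assumed to be the LUKS2 partition from the post.

set -eu

# Decode a SecureBoot EFI variable file: 4 bytes of attributes, then one
# data byte that is 1 when Secure Boot is enforcing. Returns 0 if enabled,
# 1 if disabled or if the variable cannot be read (no EFI, no efivarfs).
secure_boot_enabled() {
  f=${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
  [ -r "$f" ] || return 1
  state=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
  [ "$state" = "1" ]
}

# Enroll the three unlock methods on a LUKS2 device. Password and FIDO2
# do not depend on platform state; the TPM2 slot does, so it is gated.
enroll_luks_slots() {
  dev=$1
  systemd-cryptenroll --password "$dev"
  systemd-cryptenroll --fido2-device=auto "$dev"
  if ! secure_boot_enabled; then
    echo "Secure Boot is off; enable it and re-run before enrolling the TPM2 slot" >&2
    return 1
  fi
  # --wipe-slot=tpm2 drops any stale TPM2 slot (sealed to an old PCR 7
  # value) in the same operation; re-run this line after a firmware
  # update or Secure Boot key change to re-seal against the new PCR 7.
  systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=7 --tpm2-with-pin=yes "$dev"
}

# Show what ended up in the header: the keyslots plus the systemd-tpm2
# and systemd-fido2 tokens that sd-encrypt reads at boot.
show_slots() {
  cryptsetup luksDump "$1" | sed -n '/^Keyslots:/,/^Digests:/p'
}

# Usage: sh enroll.sh enroll /dev/nvme0n1p2 (with no arguments nothing runs)
case "${1:-}" in
  enroll) enroll_luks_slots "${2:?device}" && show_slots "$2" ;;
esac
```

Run it after turning Secure Boot on; if the check fails on a machine that does boot with Secure Boot, confirm with bootctl status, which reads the same variable.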

Finally we can work with our new user: install paru (use a prebuilt binary, then reinstall it with itself), then the desktop setup (clone dotssh and dotconfig), and download and install tools and repos.