Dual booting Windows 8 and encrypted Arch Linux

Now that I have Windows 8 installed on my desktop, I will be installing encrypted Arch Linux and dual booting between the two.  I have added more memory to the machine and am reusing the SSD from my original encrypted install.  Because I am dual booting and this machine supports UEFI I am electing to reinstall from scratch.  The new specs are as follows.

  • Intel i7-3770
  • Asus Sabertooth Z77
  • 2 x Corsair Vengeance 8GB
  • EVGA GTX 770 SC
  • Corsair HX 850
  • Corsair Obsidian 650D
  • Western Digital Black 1TB 3.5″ HDD
  • Kingston SVP100S2B 512GB SSD

Much of the install will be similar.  I will clarify the differences as they come up.  The first step in the process is to securely wipe the drive.  My preferred tool for this is Darik’s Boot And Nuke.  While DBAN does not guarantee SSD data removal, it does implement the US DoD 5220.22-M standard.  According to this paper that results in less than a 4.1% chance of recovering any data.  But in this case I am using dm-crypt to erase the drive by creating an encrypted container and filling it.  This provides the benefit of obscuring the upcoming usage patterns of the drive.  Either option is a lengthy process and best run overnight.
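The dm-crypt wipe described above, sketched as an added example (not the commands from the original post). The mapping name `to_be_wiped`, the cipher settings and the `/dev/sdX` placeholder are assumptions.

```shell
# Added example, not from the original post: the dm-crypt wipe described above.
# The mapping name "to_be_wiped" and the cipher settings are assumptions.

# wipe_with_dmcrypt DEV: map DEV through plain dm-crypt with a throwaway
# random key, fill the mapping with zeros (the ciphertext that lands on the
# disk is indistinguishable from random data), then close the mapping.
wipe_with_dmcrypt() {
    local dev=$1 name=to_be_wiped
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 2; }
    # Refuse if the device or one of its partitions is mounted or used as swap.
    if grep -qs "^$dev" /proc/mounts /proc/swaps; then
        echo "$dev is in use" >&2; return 3
    fi
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$dev" "$name" || return 4
    # dd stops with "No space left on device" once the mapping is full; that
    # is the expected end of the wipe, so its status is not treated as failure.
    dd if=/dev/zero of="/dev/mapper/$name" bs=1M || true
    sync
    cryptsetup close "$name"
}
# Usage (as root, from the install medium): wipe_with_dmcrypt /dev/sdX
```

The random key is never stored, so the zero-filled container cannot be reopened after `cryptsetup close`.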

Once the drive is securely wiped we insert the installation medium.  Ensure that you boot the medium using UEFI.  My motherboard did not default to this and I had to change it.  If you have Secure Boot enabled you will have to use the HashTool.  I chose to disable Secure Boot because I did not want to generate custom keys for my Arch install or chain off the Windows boot loader.  Disabling Secure Boot is somewhat counterintuitive on my motherboard.  The Secure Boot state is not a selection dialog like the other items.  In order to turn it off you simply clear the existing keys.

Once you boot in UEFI mode you will be offered a choice of archiso or UEFI shell.  Selecting the archiso will proceed with the standard Arch startup, eventually leaving you at the same command prompt.

[Image: boot-prompt]

Testing if we successfully booted into UEFI mode provides the expected variable output.  Pinging Google shows that the integrated wired NIC was able to get a successful network connection.  Because this is a modern system I will be formatting the drive using GPT.  Starting gdisk I create an EFI System Partition (ESP).  Once that has been created I create another partition taking up the remainder of the drive.  This will be the encrypted LVM partition.  After writing the partitions to the disk the EFI System Partition is formatted to FAT32.

After creating the LUKS container with modified encryption options I open it and prepare the logical volumes.  Because I am using UEFI, I mount the ESP as /boot.  As before, I leave the default mirrors.  I then install the base system.  The next step is to generate the fstab.

Now is the time to chroot and configure the system.  Because my desktop uses a wired connection only I choose not to use a network manager and configure dhcpcd to run automatically.  Then the encryption and lvm hooks are added to the initcpio configuration file before creating the initial ramdisk.

While I used GRUB previously and it will support UEFI as well as BIOS I decided to give Gummiboot a try as it should easily pick up my Windows install and configure the system for dual boot.  Gummiboot is recommended for this reason in the Beginners’ Guide.  Once I have installed gummiboot and the required UEFI packages I run the gummiboot install command.  Unfortunately gummiboot did not see my Windows EFI configuration, most likely because I am using a separate drive for it.  I created a configuration entry for Arch.  <UUID> is the UUID of the LUKS partition, luks-<UUID> is the UUID of lvm and <luks-UUID> is the UUID of the root partition inside the lvm.  For some reason the linked example shows the ro option.  This is incorrect.  It should be rw so that the root partition may be mounted with write access.
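A pre-reboot check for the two files edited in the steps above (the initcpio HOOKS line and the gummiboot entry), as an added example that is not part of the original post. The sample file contents, the UUID, the mapping name `lvm` and the volume group `vg` are constructed assumptions.

```shell
# Added example, not from the original post: pre-reboot checks for the
# initcpio config and the loader entry. Sample contents in demo() are constructed.

# hooks_ok FILE: HOOKS must list encrypt, then lvm2, then filesystems.
hooks_ok() {
    local hooks h i=0 pos_e=-1 pos_l=-1 pos_f=-1
    hooks=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
            sed -E 's/^[^=]*=//; s/[()"'\'']//g')
    for h in $hooks; do
        case $h in
            encrypt)     pos_e=$i ;;
            lvm2)        pos_l=$i ;;
            filesystems) pos_f=$i ;;
        esac
        i=$((i + 1))
    done
    [ "$pos_e" -ge 0 ] && [ "$pos_e" -lt "$pos_l" ] && [ "$pos_l" -lt "$pos_f" ]
}

# entry_ok FILE: the options line must unlock a LUKS device by UUID, name a
# root device, and mount it rw (the post's setting) rather than ro.
entry_ok() {
    local opts
    opts=$(sed -n -E 's/^[[:space:]]*options[[:space:]]+//p' "$1" | tail -n 1)
    printf '%s\n' "$opts" |
        grep -Eq '(^| )cryptdevice=UUID=[0-9a-fA-F-]+:[^ ]+( |$)' || return 1
    printf '%s\n' "$opts" | grep -Eq '(^| )root=[^ ]+( |$)' || return 1
    printf '%s\n' "$opts" | grep -Eq '(^| )ro( |$)' && return 1
    printf '%s\n' "$opts" | grep -Eq '(^| )rw( |$)'
}

# demo: run both checks on constructed sample files (the UUID is made up).
demo() {
    local d; d=$(mktemp -d) || return 1
    printf '%s\n' 'HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"' \
        > "$d/mkinitcpio.conf"
    printf '%s\n' 'title Arch Linux' 'linux /vmlinuz-linux' \
        'initrd /initramfs-linux.img' \
        'options cryptdevice=UUID=0a1b2c3d-1111-2222-3333-444455556666:lvm root=/dev/mapper/vg-root rw' \
        > "$d/arch.conf"
    hooks_ok "$d/mkinitcpio.conf" && entry_ok "$d/arch.conf"
    local rc=$?; rm -rf "$d"; return $rc
}
```

Run from inside the chroot, the same functions can be pointed at the real `mkinitcpio.conf` and the loader entry file before the first reboot.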

Now I reboot and I am able to log into my encrypted Arch setup.  Once I log in I mount the Windows EFI System Partition and copy over \EFI\Microsoft\Boot\ to the Linux ESP.  Upon rebooting Gummiboot recognizes the files and provides me with a Windows Boot Manager which allows me to boot into Windows 8.  I could now delete the Windows ESP if I wanted but I am choosing to leave it.  This allows me to boot the Windows drive directly if I ever need to.

The same considerations for TRIM still apply to this install.

[Image: hdparm-trim]

Windows expects the hardware clock to be set to the local time while Linux expects it to be UTC.  Since I am only using Windows for playing games I am disabling the Windows NTP client and applying the UTC registry hack.  Then I install ntpd under Arch to maintain the time.  Because of the large initial difference in time I have to use the -g option with ntpd in order to get it to set the time.  I run hwclock -w -u in order to set the hardware clock.

Amazingly enough this machine idles at just a few watts more than the previous AMD system.  It clocks in at 78W while at the command prompt.
