Installing encrypted Arch Linux on an SSD

This article documents the decisions and process behind my building an Arch Linux desktop. Arch Linux is a rolling release distro: there are no specific releases as there are with Fedora, Ubuntu, etc. Because of this I will not be posting a step by step procedure; that is covered very thoroughly in the Beginners' guide on the Arch wiki. I will be discussing the choices that I make and why I make them.

I am re-purposing some hardware that I had lying around for this build.

  • AMD FX-6300
  • GA-78LMT-USB3
  • 2 x 8GB DDR3 1333
  • Kingston SVP100S2B 512GB SSD

Once you boot from your installation medium you will see the following screen.

[screenshot: boot-screen]

Since I have a 64-bit system I select the x86_64 entry. After a short time you should be greeted with a root prompt.

[screenshot: boot-prompt]

Arch is now running in memory. Time to connect to the network. The integrated Realtek NIC appears to be going bad as it would not connect to the network. I had problems with it previously but assumed that was a driver issue. I installed an Intel PCI GigE NIC and was able to connect with no problems.

Because this is a test machine I am not bothering to securely wipe the disk beforehand. The wiki has more information about how to prepare your drive. I am using LUKS for the encryption and will be using the most basic setup. Since my motherboard does not support UEFI I am booting in BIOS mode, which means I will be using an MBR partition table. Using GParted I create two partitions: one 500 MB partition for /boot and the remainder of the drive for /. I am not using a swap partition. Following the instructions for the simple partition layout I encrypt the root partition. I am not modifying any of the LUKS options at this point. The creation and formatting of the partition went quickly; how much of that is attributable to the SSD I am not sure. The boot partition is even quicker, as it is not encrypted.

After configuring mkinitcpio we perform the install. I leave the default mirrors for the base install; it is not enough of a download for me to worry about. After configuring the system it is time to install a bootloader. I will be using GRUB for this system. One thing to note is that Arch does not come with anything other than what is required to run the base system, so you will have to install the GRUB package before configuring it. Once GRUB is installed you add the cryptdevice parameter to GRUB_CMDLINE_LINUX.
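The partition-and-encrypt steps above, as an added shell example that is not from the post or the Arch wiki. It wraps the destructive commands in a function that only runs when called with explicit device arguments, refuses to touch a mounted partition, and builds the cryptdevice= / root= kernel parameters that go into GRUB_CMDLINE_LINUX. The device nodes /dev/sda1 and /dev/sda2, the mapper name cryptroot and the UUID in the usage are placeholders.

```shell
#!/bin/sh
# Added example (not the article's own commands): LUKS root setup with the
# simple layout (unencrypted /boot, encrypted /). Placeholder assumptions:
# $boot_part = /dev/sda1 (500 MB /boot), $root_part = /dev/sda2, mapper name
# "cryptroot". Nothing below runs until encrypt_root is called explicitly.

# Build the kernel parameters GRUB must pass: cryptdevice tells the encrypt
# hook which partition to unlock and what to name the mapping, root points
# at that mapping.  Usage: grub_cmdline <uuid-of-luks-partition> <mapper-name>
grub_cmdline() {
    uuid="$1"; name="$2"
    printf 'cryptdevice=UUID=%s:%s root=/dev/mapper/%s\n' "$uuid" "$name" "$name"
}

# Guard against formatting the wrong device node: anything currently listed
# in /proc/mounts is refused.
device_is_mounted() {
    grep -q "^$1 " /proc/mounts
}

# Create the LUKS container on the root partition with cryptsetup's defaults
# (the post does not change any LUKS options), open it, lay down filesystems
# and mount everything under /mnt for the base install.
# Usage: encrypt_root /dev/sda1 /dev/sda2 [mapper-name]   (wipes both partitions)
encrypt_root() {
    boot_part="$1"; root_part="$2"; name="${3:-cryptroot}"
    if device_is_mounted "$root_part" || device_is_mounted "$boot_part"; then
        echo "refusing: a target partition is mounted" >&2
        return 1
    fi
    cryptsetup luksFormat "$root_part" || return 1   # asks to confirm, then for the passphrase
    cryptsetup open "$root_part" "$name" || return 1 # creates /dev/mapper/<name>
    mkfs.ext4 "/dev/mapper/$name" || return 1
    mkfs.ext4 "$boot_part" || return 1               # /boot stays unencrypted
    mount "/dev/mapper/$name" /mnt || return 1
    mkdir -p /mnt/boot
    mount "$boot_part" /mnt/boot || return 1
    # Print the parameters to put in GRUB_CMDLINE_LINUX in /etc/default/grub.
    grub_cmdline "$(blkid -s UUID -o value "$root_part")" "$name"
}
```

The UUID of the LUKS partition (the raw /dev/sda2, not the opened mapping) is what cryptdevice= refers to; using the device name instead works but breaks as soon as the disk enumerates differently, which is exactly the sort of surprise a second NIC or a new controller can cause.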

Rebooting gives us the GRUB menu.

[screenshot: grub-boot]

Selecting Arch Linux, or letting the timer run out, boots the system and prompts for the passphrase to unlock the encrypted root.

[screenshot: encrypt-pass]

That brings us back to a login prompt, only now on the installed system.

[screenshot: login-prompt]

Here are some key points to keep in mind when setting up the system. Make sure that you add the encrypt hook before the filesystems hook in the HOOKS line of mkinitcpio.conf. Mine got removed somehow and this led to some frustrating troubleshooting. Also, after modifying mkinitcpio.conf make sure to run mkinitcpio. One of the most frustrating things is to make a change to a configuration file but not have it take effect because you did not run the utility. The same goes for GRUB: after modifying /etc/default/grub you must run grub-mkconfig.
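The two traps in that paragraph (a missing or misplaced encrypt hook, and a config edited but never regenerated) are mechanical enough to check with a script. The following is an added example, not the post's own, and it assumes the standard Arch paths: /etc/mkinitcpio.conf feeding /boot/initramfs-linux.img and /etc/default/grub feeding /boot/grub/grub.cfg. Each function takes a file path so it can also be run against copies.

```shell
#!/bin/sh
# Added example (not from the article): pre-reboot sanity checks for an
# encrypted Arch install. Paths are the Arch defaults (assumed); every check
# accepts explicit paths so it can run on saved copies.

# Check 1: encrypt must be present in HOOKS and come before filesystems.
# Handles both the older HOOKS="a b c" and the newer HOOKS=(a b c) syntax.
check_hook_order() {
    conf="${1:-/etc/mkinitcpio.conf}"
    hooks=$(grep '^HOOKS=' "$conf" | tail -n 1 | sed 's/^HOOKS=//; s/[()"]//g')
    enc=0; fs=0; i=0
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            encrypt)     enc=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    if [ "$enc" -eq 0 ]; then
        echo "encrypt hook missing from HOOKS in $conf" >&2; return 1
    fi
    if [ "$fs" -eq 0 ] || [ "$enc" -gt "$fs" ]; then
        echo "encrypt hook must come before filesystems in $conf" >&2; return 1
    fi
    return 0
}

# Check 2: the generated artefact (initramfs image, grub.cfg) must be newer
# than the config it was built from, otherwise the edit never took effect.
check_regenerated() {
    conf="$1"; generated="$2"
    if [ ! -e "$generated" ]; then
        echo "$generated does not exist: run the generator" >&2; return 1
    fi
    if [ "$conf" -nt "$generated" ]; then
        echo "$conf is newer than $generated: rerun the generator" >&2; return 1
    fi
    return 0
}

# Check 3: GRUB actually passes a cryptdevice= parameter to the kernel.
check_grub_cryptdevice() {
    conf="${1:-/etc/default/grub}"
    grep -q '^GRUB_CMDLINE_LINUX=.*cryptdevice=' "$conf"
}

# Run everything against the live system (run as root before rebooting).
check_all() {
    check_hook_order /etc/mkinitcpio.conf &&
    check_regenerated /etc/mkinitcpio.conf /boot/initramfs-linux.img &&
    check_grub_cryptdevice /etc/default/grub &&
    check_regenerated /etc/default/grub /boot/grub/grub.cfg
}
```

Run check_all from the chroot after the last edit; a non-zero exit with the printed reason tells you which generator still needs to be rerun before the first reboot.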

As I mentioned earlier, I did not securely wipe the disk because it is only a test system. On an actual system I would recommend going through the process and wiping the drive. Because this install is on an SSD we have the option of enabling TRIM. TRIM allows the OS to notify the SSD of unused blocks. This lets the SSD clean up and thereby improve speed, but on an encrypted drive it reveals which blocks are unused and can therefore leak information about the filesystem's layout and usage. Therefore the default for dm-crypt is to not allow TRIM. If your primary reason for encrypting is theft then I would recommend that you enable TRIM support. Most thieves are only concerned with the hardware. If they can make an easy buck from your data they will, but they are not going to do the deep analysis to attempt to break the encryption. If your concern is corporations or governments then I would not enable TRIM. They have the resources to attempt to exploit any data leakage.

I will be enabling TRIM on this system. Now that the system is installed we verify that the SSD supports TRIM. This requires installing the hdparm package.

[screenshot: hdparm-trim]

Now that we have verified the SSD supports TRIM we add the discard mount option to the root entry in fstab. This makes TRIM take effect every time we delete a file. Another option is to periodically run fstrim in order to move any cleanup delay to a time when the machine is not being used. I have not noticed any delay from using discard so I do not bother with setting up fstrim. And lastly, we modify our GRUB configuration to allow discards. Make sure to run grub-mkconfig after the change in order for it to take effect.
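The three TRIM steps above (hdparm check, discard in fstab, discards allowed through the encrypted mapping) as an added shell example that is not from the post. The fstab and GRUB functions edit the file they are given in place and are safe to run twice. Assumptions: the root filesystem is mounted from /dev/mapper/cryptroot, the hdparm output is captured to a file first (hdparm -I /dev/sdX > report.txt), and the way to allow discards through dm-crypt is the :allow-discards suffix on the cryptdevice= kernel parameter, which is how the encrypt hook in mkinitcpio takes the option.

```shell
#!/bin/sh
# Added example (not the article's own): enable TRIM on a LUKS root in Arch.
# Assumptions: root is /dev/mapper/cryptroot, GRUB_CMDLINE_LINUX already has a
# cryptdevice= parameter, hdparm -I output has been saved to a file.

# hdparm -I lists "Data Set Management TRIM supported" for drives that
# advertise TRIM. Reading a saved report keeps this usable without root.
ssd_supports_trim() {
    grep -q 'Data Set Management TRIM supported' "$1"
}

# Add "discard" to the mount options of the root entry (4th fstab column)
# unless it is already present. Other lines are printed unchanged.
enable_fstab_discard() {
    fstab="$1"; mapper="${2:-/dev/mapper/cryptroot}"
    awk -v dev="$mapper" '
        $1 == dev && $4 !~ /(^|,)discard(,|$)/ { $4 = $4 ",discard" }
        { print }
    ' "$fstab" > "$fstab.tmp" && mv "$fstab.tmp" "$fstab"
}

# Append :allow-discards to the cryptdevice= parameter so the encrypt hook
# opens the container with discards passed through. No-op if already set.
# Remember to run grub-mkconfig -o /boot/grub/grub.cfg afterwards.
enable_grub_discards() {
    grub="$1"
    if grep -q 'cryptdevice=[^ "]*:allow-discards' "$grub"; then
        return 0
    fi
    sed -i 's/\(cryptdevice=[^ "]*\)/\1:allow-discards/' "$grub"
}

# Full procedure against the live system (as root), aborting unless the
# drive really advertises TRIM.
enable_trim() {
    disk="${1:-/dev/sda}"
    hdparm -I "$disk" > /tmp/hdparm-report.txt || return 1
    if ! ssd_supports_trim /tmp/hdparm-report.txt; then
        echo "$disk does not report TRIM support; leaving settings alone" >&2
        return 1
    fi
    enable_fstab_discard /etc/fstab &&
    enable_grub_discards /etc/default/grub &&
    grub-mkconfig -o /boot/grub/grub.cfg
}
```

Both edits are needed: discard in fstab makes ext4 issue the discards, and allow-discards lets dm-crypt forward them to the SSD instead of silently dropping them. That second switch is the one that reintroduces the leakage discussed above, so it is the one to leave out if your threat model says so.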

Because I installed on actual hardware and not a virtual machine I was not able to take screenshots as in my other articles. My solution was to install a video card that supported S-Video. Hooking that up to an analog capture card I was able to take still frame screen captures. The only difficulty I had was that when KMS loaded the S-Video output would stop working. I had to add nomodeset as a kernel parameter in order to prevent this.
