April 15, 2018

Install Arch Linux with encryption, secure boot and manual tweaking

   Today I will share the guide I used for my Arch installation. Obviously there are a lot of resources where you can find installation instructions, but here I would like to share my own tips. All related links are included in this post.
   
Our goals:
  • UEFI Arch installation on an encrypted volume, with /boot encrypted as well
  • enable and use Secure Boot with my own keys on a laptop
  • do post-installation hardening
  • installation steps for GNOME without unneeded software

Installation

   All installation instructions can be found in the official Arch Linux wiki (https://wiki.archlinux.org/index.php/installation_guide). The only catch is that you need to go through each wiki article to compile your own installation guide. I used this guide as a starting point (https://grez911.github.io/cryptoarch.html). I don't see any value in copy-pasting someone else's guide here in full. The only difference in my setup is that I don't have a swap partition, as my laptop has 16 GB of RAM. Also, I put /boot on an ext3 filesystem.
   Another guide to consider is https://headcrash.industries/reference/fully-encrypted-archlinux-with-secure-boot-on-yoga-920/. There you can find specifics about btrfs and the Yoga 920 installation.

Secure Boot

   You can start reading about Secure Boot in the wiki - https://wiki.archlinux.org/index.php/Secure_Boot. If you really want to understand what is going on in the system, I highly recommend going through this article https://bentley.link/secureboot/ and creating everything manually. However, for automation you can use this tool from GitHub (https://github.com/xmikos/cryptboot), which is described in the "Secure Boot" section of the second installation guide (the Yoga one). After finishing, you can check whether Secure Boot is active with this command: od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. To get the right value for the XX part, just use tab completion. The last number printed should be 1.
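The od check above works because an efivarfs file is 4 bytes of attribute flags followed by the variable data, and for SecureBoot that data is a single byte. The script below is an added example (not from the post or from cryptboot) that reads that byte the same way and also looks at the SetupMode variable, which the post does not mention; it takes an optional directory argument so it can be run against constructed sample files as well as the real /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example (not from the post): read the SecureBoot efivar the way the
# post's od command does and turn the trailing byte into a readable verdict.
# An efivarfs file is 4 attribute bytes followed by the variable data; for
# SecureBoot and SetupMode that data is one byte (1 or 0).

EFIVARS=/sys/firmware/efi/efivars

# Print the last byte of an efivar file in decimal, or "absent" when the
# file cannot be read (no efivarfs mounted, legacy BIOS boot, no match).
efivar_last_byte() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -t u1 "$1" | awk 'NF { last = $NF } END { print (last == "" ? "empty" : last) }'
}

# Usage: efi_flag_status DIR NAME  (NAME is SecureBoot or SetupMode).
# The glob on NAME-* stands in for the tab completion the post suggests,
# so the vendor GUID never has to be typed by hand.
efi_flag_status() {
    dir="$1"; name="$2"
    set -- "$dir"/"$name"-*          # expands to the matching file, if any
    case "$(efivar_last_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        absent) echo unknown ;;      # variable not present at all
        *) echo malformed ;;         # unexpected data byte
    esac
}

# SetupMode (a UEFI variable the post does not mention) reads 1 while the
# firmware has no Platform Key and is accepting key enrollment, i.e. the
# state you clear it into before enrolling your own keys. It is reported
# separately so that state is not mistaken for an enforcing boot.
secure_boot_verdict() {
    dir="${1:-$EFIVARS}"
    sb=$(efi_flag_status "$dir" SecureBoot)
    sm=$(efi_flag_status "$dir" SetupMode)
    if [ "$sb" = enabled ] && [ "$sm" = disabled ]; then
        echo enforcing
    elif [ "$sb" = unknown ]; then
        echo unsupported         # not a UEFI boot or efivarfs not mounted
    elif [ "$sm" = enabled ]; then
        echo setup-mode
    else
        echo disabled
    fi
}

echo "Secure Boot: $(secure_boot_verdict)"
```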

Post installation hardening

   After the installation finished I went through hardening. I would advise going through the wiki page - https://wiki.archlinux.org/index.php/Security. When I read about kernel hardening, I decided to install the linux-hardened package, using this guide - https://thacoon.gitlab.io/articles/2017-07/arch-linux-hardened-kernel.html. It broke the system for me, as there was no kernel module for FAT to proceed with boot. I found that I was not alone with my problems - https://flameeyes.blog/2011/09/12/hardened-and-efi-aren-t-buddies/. For now I just wait for new releases. After all the hardening I used a tool called Lynis for an audit (https://cisofy.com/lynis/). I found this sufficient to reach a better level of security.

Post installation tips

   Well, now you can install anything you want on your new system. A pretty good list can be found in the official wiki - https://wiki.archlinux.org/index.php/list_of_applications. For decent terminal fonts I used this package - https://www.archlinux.org/packages/community/any/awesome-terminal-fonts/.
   As a desktop environment I prefer GNOME, but I don't like the load of software that gets installed together with it. I found this conversation on reddit helpful, especially the comment about which package name stands for what software - https://www.reddit.com/r/archlinux/comments/3q98sf/gnome_without_the_bloat_what_is_neccesary/cwd8rj8/?st=jg194hew&sh=c96834de