
Full Disk Encryption with GRUB and Including /boot: Step-by-Step Guide

Author: UmmIt

Introduction

systemd-boot doesn’t support an encrypted /boot, but GRUB does. It comes with some drawbacks, though: GRUB supports only LUKS1, and the argon2id PBKDF is not supported. In this short guide I will show you how to encrypt /boot as well, so that the whole disk is encrypted.

Step 1: Encrypt the Disk

To begin, encrypt your disk using the LUKS format. Note that GRUB only supports LUKS1, so avoid options it cannot handle:

cryptsetup luksFormat --type luks1 --cipher aes-xts-plain64 --hash sha256 --iter-time 10000 --key-size 256 --use-urandom --verify-passphrase /dev/sda2

Answer YES (in capitals) when prompted. GRUB doesn’t support the --pbkdf argon2id option, so it’s crucial to stick to LUKS1 (which uses PBKDF2) for compatibility.

Step 2: Open LUKS Device and Set Up Logical Volumes

After formatting, open the LUKS device and set up logical volumes using LVM (Logical Volume Manager):

cryptsetup open /dev/sda2 crypt   # Unlock the LUKS container and create the mapper device 'crypt'
pvcreate /dev/mapper/crypt        # Create an LVM physical volume on the unlocked device
vgcreate vol /dev/mapper/crypt    # Create the volume group 'vol'
lvcreate -l 3%FREE vol -n swap    # Logical volume 'swap', using 3% of the free space
lvcreate -l 50%FREE vol -n root   # Logical volume 'root', using 50% of the remaining free space
lvcreate -l 100%FREE vol -n home  # Logical volume 'home', using all remaining free space

Format the root and home volumes:

mkfs.btrfs /dev/vol/root
mkfs.btrfs /dev/vol/home

Create swap space:

mkswap /dev/vol/swap
swapon /dev/vol/swap

Mount the volumes:

mount /dev/vol/root /mnt
mkdir /mnt/home
mount /dev/vol/home /mnt/home

Step 3: Prepare for GRUB Installation

GRUB supports EFI systems, so mount the EFI system partition (creating the mount point):

mount /dev/sda1 --mkdir /mnt/boot/efi

Now, proceed with the essential package installations:

pacstrap -i /mnt base base-devel linux linux-firmware linux-headers lvm2 neovim dhcpcd networkmanager pipewire

Generate the /etc/fstab file:

genfstab -U /mnt >> /mnt/etc/fstab

The rest of the installation follows the standard Arch Linux process. If you are unfamiliar with it, please refer to this article: Complete Guide to Installing Arch Linux with LUKS Encryption and GNOME Desktop Environment.

Step 4: Configure mkinitcpio.conf

Edit the /etc/mkinitcpio.conf file so that the HOOKS line includes encrypt and lvm2, with encrypt before lvm2: the volume group lives inside the LUKS container, so the container must be unlocked before LVM can find it. It should look like this:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

Save the changes and regenerate the configuration:

mkinitcpio -P

Step 5: Install and Configure GRUB

Install GRUB and efibootmgr:

pacman -S grub efibootmgr

Configure the GRUB file:

nvim /etc/default/grub

Edit GRUB_CMDLINE_LINUX_DEFAULT so that it names the LUKS partition and mapper name from step 2 and the root logical volume:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:crypt root=/dev/mapper/vol-root"

Note: Do not use a UUID here; the disk may not be found.

Then set GRUB_ENABLE_CRYPTODISK to “y”, which makes grub-install include the modules GRUB needs to unlock the LUKS container holding /boot:

GRUB_ENABLE_CRYPTODISK=y

Install GRUB to the EFI system partition mounted at /boot/efi:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --recheck

Generate the GRUB configuration:

grub-mkconfig -o /boot/grub/grub.cfg
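Before rebooting, the settings this setup depends on can be checked mechanically. The script below is an added example, not part of the original guide: it validates a saved `cryptsetup luksDump` output, the hook order in /etc/mkinitcpio.conf and the two settings in /etc/default/grub, assuming the device and names used in the steps above (/dev/sda2, crypt, vol-root).

```sh
#!/bin/sh
# Added example, not from the original guide: sanity checks for the settings the
# encrypted-/boot setup above depends on. Each function takes a file path, so it can
# be pointed at the real files or at copies, and returns 0 (ok) or 1 (problem).

# GRUB can only unlock LUKS1: the saved `cryptsetup luksDump` output must say Version 1.
check_luks_version() {
    grep -q '^Version:[[:space:]]*1$' "$1"
}

# Both hooks must be present, and encrypt must come before lvm2, because the
# volume group lives inside the LUKS container and cannot be scanned until it is open.
check_mkinitcpio_hooks() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    enc=0; lvm=0; n=0
    for h in $hooks; do
        n=$((n + 1))
        [ "$h" = encrypt ] && enc=$n
        [ "$h" = lvm2 ] && lvm=$n
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt 0 ] && [ "$enc" -lt "$lvm" ]
}

# /etc/default/grub needs GRUB_ENABLE_CRYPTODISK=y (so GRUB gets the LUKS modules) and
# a kernel line carrying cryptdevice=<partition>:<name> plus root=/dev/mapper/<vg>-<lv>.
check_grub_defaults() {
    grep -Eq '^GRUB_ENABLE_CRYPTODISK="?y"?$' "$1" || return 1
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/\1/p' "$1")
    case " $cmdline " in
        *" cryptdevice="*":"*) ;;
        *) return 1 ;;
    esac
    case " $cmdline " in
        *" root=/dev/mapper/"*) ;;
        *) return 1 ;;
    esac
}

# Entry point for the live system (run inside the chroot): check_all /dev/sda2
check_all() {
    dump=$(mktemp)
    cryptsetup luksDump "$1" > "$dump"
    check_luks_version "$dump" \
        && check_mkinitcpio_hooks /etc/mkinitcpio.conf \
        && check_grub_defaults /etc/default/grub
    rc=$?
    rm -f "$dump"
    return "$rc"
}
```

A non-zero exit from check_all means one of the three settings would leave the system unbootable after the reboot in the next step.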

Step 6: Reboot and Decrypt

Reboot your system. GRUB will prompt you for the passphrase to unlock the LUKS container so it can read /boot. Once the kernel and initramfs have loaded, the encrypt hook prompts a second time to unlock the same container for the root volume.

Note: Unlocking in GRUB may take some time (GRUB’s PBKDF2 is slower than the kernel’s, and the --iter-time 10000 chosen in step 1 was calibrated by cryptsetup). Entering the wrong passphrase drops you into GRUB rescue mode; you need to reboot and try again.

Conclusion

Congratulations! Your system is now fully encrypted with GRUB, providing enhanced security for your Arch Linux installation.
