Arch Linux encrypted drive (including /boot)

These instructions are adapted from Pavel Kogan’s blog post for an encrypted hard drive. The main difference between that post
and this one is the different options. I will be setting this on a system with 32GB RAM, and I prefer a GPT partition table. Everything else should be the same. The usual Arch installation guide should be followed.

Don’t forget to do the initial steps before partitioning disks! Things like connecting to the network, and updating the system clock.

# BIOS partition, since all of the systems I'll be installing this in the immediate future are all BIOS, not EFI/UEFI
parted -s /dev/sda mklabel gpt mkpart bios 2048s 4096s
parted -s /dev/sda set 1 bios_grub on
parted -s /dev/sda mkpart lvm # Fill the rest of the disk
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 lvm
pvcreate /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm
lvcreate -L 16G vg -n swap
lvcreate -L 50G vg -n root
lvcreate -l +100%FREE vg -n home
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
mkswap /dev/mapper/vg-swap
swapon /dev/mapper/vg-swap

…then continue with the usual Arch installation. Don’t forget to add the “lvm2” and “encrypt” hooks to /etc/mkinitcpio.conf when you get to that part! And definitely don’t forget to add the following lines to /etc/default/grub:

GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvm"

Then, run:

grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda

I’ll post again once I’ve gone through this process, which I won’t be able to do for about a week. I will be going through it, modified, three times over the coming weeks, so I’ll really be able to stress it out and update any deficiencies.

Thoughts on this method

It works like a charm! The only hiccup is when booting GRUB prompts for the encrypted disk password, then the kernel asks for the same password when booting. The trouble with GRUB asking for it, if I mistype the password GRUB doesn’t prompt me a second time, and I’m dropped into the GRUB rescue shell (which isn’t self documenting). I will try this reddit thread which may be useful. The only other option is to reboot, and try again.

I guess the other problem is my BIOS is so slow! The RAID BIOS takes several seconds to boot. Also, decrypting GRUB and the disk takes a little longer than I’d like. Neither of these are problems with the method. None of these problems are showstoppers, since the only way to correct this is to replace the whole system. In any case, once the kernel begins to boot it takes less than two seconds before I’m at the GDM prompt! The power of dual-Xeon (8 cores), 32GB RAM, and an SSD (probably the biggest speed gain of all)!

I can already envision system replacing my NAS. I can attach up to 5 HDDs to the Marvell RAID controller, then leave them as discrete disks (JBOD) for use with Btrfs. Hopefully that filesystem will have matured enough to make it feasible (and reliable).

Further thoughts on this method

After a few weeks of using this, I ran into a major drawback to this scenario: if I am away from my house for an extended period, and my computer shuts down, I have to wait until I go back home before I can rectify it. As it stands, my power went out when I was away for the holidays, and it was nearly a week before I could go back and boot it up. It is unclear whether my Debian-based router would have booted back up fully, but that’s something entirely different. Thus, on my primary, fixed workstation, I have removed the encryption since I have at least one scenario where it would need to boot unattended.

I’ve kept this encryption method on my personal laptop, since that one always travels with me and is much easier to lose.

Initial Thoughts on Arch Linux

About a month or so ago, I decided to give Arch Linux a whirl. Debian hadn’t let me down, but I’ve been using Debian as my primary workstation OS for about six years, so I was looking for something different. I first installed Mint, though oddly enough not the Debian Edition. That lasted about a week, mainly because it used the same repositories as Ubuntu, and I just couldn’t stand for that.

So next I try Arch. From the get go, it felt very much like installing Gentoo for the first time, only this time I didn’t have another computer to rely on (for whatever reason I didn’t want to use the MacBook Pro issued to me by work). It was a maddening experience, I appreciate the installer Debian provides much more now, as with Arch everything needs to be done by hand, from the partitioning of the drive, to the bootstrapping and installation of the system software.

This would have been fine, only I elected to encrypt the root and home directories, with LVM inside the encrypted drive. Unfortunately the Arch installation documentation doesn’t contain all of the information to install in this fashion in one place, I had to bounce between at least three different wiki articles using elinks2 to get the right magic to get it installed.

I can’t say that it has been smooth sailing. Practically on a daily basis I find some package which isn’t installed (because nothing except the bare minimum of packages is installed by default). Things like the display manager, X.org, desktop environments… all need to be installed manually, through pacman (“PACkage MANager”). This is not a problem for me, but there have been things that I assumed would be installed by default, that aren’t. Reminds me of my Gentoo days negatively. Maybe I just don’t remember installing that stuff on Debian, since this workstation went through the Squeeze->Wheezy->Jessie cycle before I put Arch on.

That being said, having up-to-date, stable packages on my system has been nice. No more waiting for the Debian team to make available the version of the package that has the feature or the non-essential bugfix I’m looking for. No scouring the backports repository (which always seemed to give suboptimal results). Pacman is fast, and I haven’t had too many issues installing things from it. AUR is another story entirely.

I like Arch well enough to have put it on the used laptop I got for a steal from my employer. Once I got it configured right, hibernation with the laptop has been awesome, albeit a bit slow to recover. Power management has been pretty good too, for an old laptop. I ended up replacing the battery, and it looks like I get about three hours and 15 minutes out of a full charge, which I don’t think is too shabby.

I still use Debian on my router, and my VPS (where this blog is stored). That will continue for the foreseeable future, as I want to keep my Debian skills up to date.

Crawfish Recipe

Here I’ve transcribed my father’s crawfish recipe. The original link still exists (Dad’s Crawfish Recipe), but he hasn’t updated the site in almost a decade. This page will be my copy of it.

Boiled Crawfish

Tools

  • Rapid gas (propane) burner
  • 60+ quart boiling pot with matching lid
  • strainer/colander, fits inside the pot (pot and strainer usually bought as a single kit)
  • 3-4ft. wooden cooking or boat paddle

Ingredients

Seasoning Mix

  • Dad usually buys the dry seafood boil mix from a commercial supplier. Some local seafood shops also prepare their own. The alternative is the cloth bags of dried spices to which you add salt. As a last resort, you can buy the liquid spices, but this usually results in a rather bland boil, unless you really spice it up a with more cayenne and salt. I have recently been using the dry spice mix (includes the salt) from Louisiana Fish Fry Products in Baton Rouge, LA (1.800.356.2905). Zatarain’s makes good stuff too.

The rest of the Stuff!

This is for one sack (40-50lbs) of live crawfish (pictures forthcoming)

  • 6 medium sized lemons, halved
  • 3 whole onions, halved
  • 4-6 whole garlic heads, halved
  • 2 bags of small red potatoes
  • 8-10 ears of sweet corn
  • additional cayenne pepper
  • whole cloves

Optional items:

  • andouille (smoked sausage)
  • whole artichokes (the whole flower, not the canned hearts!)
  • whole mushrooms
  • Brussels sprouts (trust me, this is the one of the BEST ways to eat these!)

Crawfish Preparation

Obtain a sack of live crawfish and keep cool and wet until ready for the boil. Prior to boiling, empty the sack into a large container (washtub). Rinse thoroughly and drain. Do not leave the crawfish in water as they will die because of lack of oxygen. Some people add salt to the water to “purge” the crawfish. This is fine but do not leave them for an extended period in salt water and be sure to boil them immediately after purging since crawfish are freshwater animals. (Dad says he read of an LSU study [citation?] which says that purging crawfish is no longer necessary because they are now largely farm-raised, and hence aren’t full of mud like wild ones would be).

Set up for Boiling

Set up a large (60qt or greater) pot with strainer/colander well away from the house outside on a rapid gas burner. This is done because of heat, gas flame, and mostly the pungent aroma of the cayenne-spice mix. Fill 2/3rds with fresh water and start burner on medium to high heat. Add spice mix (and salt if necessary) and lemons. Additional cayenne pepper and cloves may be added at this time. Bring to full rolling boil. Add potatoes, garlic, and corn, stir. Return to a full rolling boil. Let corn and potatoes cook for about 5-10 minutes (depending on potato size).

Boiling the Bugs

When the pot reaches a rolling boil put half-full sack (20-25lbs) of the mudbugs in the boiling mix. Stir gently (Dad uses a wooden boat paddle, I use one specifically designed for cooking like this). The crawfish will sink at first. Put the heat on high, cover, and return to a rolling boil. Cook the crawfish for about five minutes. Be careful not to overcook! The way Dad tells is that when the crawfish are cooked they will begin to float and sometimes cause the pot to overflow (Dad sez,”Dat’s another reason why dem crawfish are cooked outside, yeah.”). When most of the crawfish are floating, it’s time to turn off the heat. Do not remove them from the heat just yet, because now comes the most important part: let the crawfish soak up the spices. After turning off the heat, leave the crawfish to cool in the pot, soaking up the spices. Dad leaves them in the pot for up to 30 minutes or until they start to sink again. When they sink again, they are ready to spread on the table to finish cooling.

Enjoy dem mudbugs, spicy corn, potatoes, and other veggies!