discursions

After my power went out here while I was on an extended vacation, I realized the folly in having a completely encrypted drive that could only be unlocked via a locally entered password. Ideally GRUB and the kernel could be configured to probe the network to develop a fingerprint of its devices, and unlock automatically without any further keys if all devices are present. Otherwise, unlock via entered password. This is a task for another day.

My current task is to install a plain, unencrypted Arch Linux installation to my old workstation (lithium). I have a new SSD, and I want to document the process of installation (mainly so I can follow it again). It is adapted from my Encrypted Disk instructions.

# BIOS partition, since all of the systems I'll be installing this in the immediate future are all BIOS, not EFI/UEFI
parted -s /dev/sda mklabel gpt mkpart bios 2048s 4096s
parted -s /dev/sda set 1 bios_grub on
parted -s /dev/sda mkpart primary ext2 6144 100%  # Fill the rest of the disk
parted -s /dev/sda set 2 lvm on
pvcreate /dev/sda2
vgcreate vg /dev/mapper/lvm
lvcreate -L 16G vg -n swap
lvcreate -L 50G vg -n root
lvcreate -l +100%FREE vg -n home
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
swapon /dev/mapper/vg-swap
pacman -Syu reflector
reflector --country US --verbose -l 10 --sort rate --save /etc/pacman.d/mirrorlist

These instructions are adapted from Pavel Kogan’s blog post for an encrypted hard drive. The main difference between that post
and this one is the different options. I will be setting this on a system with 32GB RAM, and I prefer a GPT partition table. Everything else should be the same. The usual Arch installation guide should be followed.

Don’t forget to do the initial steps before partitioning disks! Things like connecting to the network, and updating the system clock.

# BIOS partition, since all of the systems I'll be installing this in the immediate future are all BIOS, not EFI/UEFI
parted -s /dev/sda mklabel gpt mkpart bios 2048s 4096s
parted -s /dev/sda set 1 bios_grub on
parted -s /dev/sda mkpart lvm # Fill the rest of the disk
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 lvm
pvcreate /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm
lvcreate -L 16G vg -n swap
lvcreate -L 50G vg -n root
lvcreate -l +100%FREE vg -n home
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
mkswap /dev/mapper/vg-swap
swapon /dev/mapper/vg-swap

…then continue with the usual Arch installation. Don’t forget to add the “lvm2” and “encrypt” hooks to /etc/mkinitcpio.conf when you get to that part! And definitely don’t forget to add the following lines to /etc/default/grub:

GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:lvm"

Then, run:

grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda

I’ll post again once I’ve gone through this process, which I won’t be able to do for about a week. I will be going through it, modified, three times over the coming weeks, so I’ll really be able to stress it out and update any deficiencies.

Thoughts on this method

It works like a charm! The only hiccup is when booting GRUB prompts for the encrypted disk password, then the kernel asks for the same password when booting. The trouble with GRUB asking for it, if I mistype the password GRUB doesn’t prompt me a second time, and I’m dropped into the GRUB rescue shell (which isn’t self documenting). I will try this reddit thread which may be useful. The only other option is to reboot, and try again.

I guess the other problem is my BIOS is so slow! The RAID BIOS takes several seconds to boot. Also, decrypting GRUB and the disk takes a little longer than I’d like. Neither of these are problems with the method. None of these problems are showstoppers, since the only way to correct this is to replace the whole system. In any case, once the kernel begins to boot it takes less than two seconds before I’m at the GDM prompt! The power of dual-Xeon (8 cores), 32GB RAM, and an SSD (probably the biggest speed gain of all)!

I can already envision system replacing my NAS. I can attach up to 5 HDDs to the Marvell RAID controller, then leave them as discrete disks (JBOD) for use with Btrfs. Hopefully that filesystem will have matured enough to make it feasible (and reliable).

Further thoughts on this method

After a few weeks of using this, I ran into a major drawback to this scenario: if I am away from my house for an extended period, and my computer shuts down, I have to wait until I go back home before I can rectify it. As it stands, my power went out when I was away for the holidays, and it was nearly a week before I could go back and boot it up. It is unclear whether my Debian-based router would have booted back up fully, but that’s something entirely different. Thus, on my primary, fixed workstation, I have removed the encryption since I have at least one scenario where it would need to boot unattended.

I’ve kept this encryption method on my personal laptop, since that one always travels with me and is much easier to lose.

About a month or so ago, I decided to give Arch Linux a whirl. Debian hadn’t let me down, but I’ve been using Debian as my primary workstation OS for about six years, so I was looking for something different. I first installed Mint, though oddly enough not the Debian Edition. That lasted about a week, mainly because it used the same repositories as Ubuntu, and I just couldn’t stand for that.

So next I try Arch. From the get go, it felt very much like installing Gentoo for the first time, only this time I didn’t have another computer to rely on (for whatever reason I didn’t want to use the MacBook Pro issued to me by work). It was a maddening experience, I appreciate the installer Debian provides much more now, as with Arch everything needs to be done by hand, from the partitioning of the drive, to the bootstrapping and installation of the system software.

This would have been fine, only I elected to encrypt the root and home directories, with LVM inside the encrypted drive. Unfortunately the Arch installation documentation doesn’t contain all of the information to install in this fashion in one place, I had to bounce between at least three different wiki articles using elinks2 to get the right magic to get it installed.

I can’t say that it has been smooth sailing. Practically on a daily basis I find some package which isn’t installed (because nothing except the bare minimum of packages is installed by default). Things like the display manager, X.org, desktop environments… all need to be installed manually, through pacman (“PACkage MANager”). This is not a problem for me, but there have been things that I assumed would be installed by default, that aren’t. Reminds me of my Gentoo days negatively. Maybe I just don’t remember installing that stuff on Debian, since this workstation went through the Squeeze->Wheezy->Jessie cycle before I put Arch on.

That being said, having up-to-date, stable packages on my system has been nice. No more waiting for the Debian team to make available the version of the package that has the feature or the non-essential bugfix I’m looking for. No scouring the backports repository (which always seemed to give suboptimal results). Pacman is fast, and I haven’t had too many issues installing things from it. AUR is another story entirely.

I like Arch well enough to have put it on the used laptop I got for a steal from my employer. Once I got it configured right, hibernation with the laptop has been awesome, albeit a bit slow to recover. Power management has been pretty good too, for an old laptop. I ended up replacing the battery, and it looks like I get about three hours and 15 minutes out of a full charge, which I don’t think is too shabby.

I still use Debian on my router, and my VPS (where this blog is stored). That will continue for the foreseeable future, as I want to keep my Debian skills up to date.