WARNING: THIS IS INCOMPLETE! USE AT YOUR OWN RISK!

Installing Parabola GNU/Linux-libre With Full Disk Encryption on UEFI With GRUB

Note: Many parts of this tutorial are taken from the ArchWiki.

1. The Base Install

Setup the Partitions

Note: It is assumed that /dev/sda is your hard drive. Replace X, Y and Z below with the actual partition numbers; mixing them up (for example running luksFormat on the ESP) destroys the wrong partition.

+---------------+----------------+-------------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1:          |Volume 2:       |Volume 3:       |
|               |                |                   |                |                |
|/boot/efi      |/boot           |root               |swap            |home            |
|               |                |                   |                |                |
|               |                |/dev/MyVol/Parabola|/dev/MyVol/swap |/dev/MyVol/Home |
|/dev/sdaX      |/dev/sdaY       +-------------------+----------------+----------------+
|unencrypted    |LUKS encrypted  |/dev/sdaZ encrypted using LVM on LUKS                |
+---------------+----------------+-----------------------------------------------------+

Create the Partitions

I'll use the tool gdisk for this:

# gdisk /dev/sda

Note that an empty space after a command below means that you just press enter immediately to accept the default.

Create a 512MB partition, /dev/sdaX, with the type code EF00.

Command (? for help): n
Partition number (1-128, default 1):
First sector (1-2047, default = 1) or {+-}size{KMGTP}:
Last sector (1-2047, default = 2047) or {+-}size{KMGTP}: 512M
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300): EF00
Changed type of partition to 'EFI System'

Create a 512MB partition, /dev/sdaY, with the type code 8300.

Command (? for help): n
Partition number (2-128, default 2):
First sector (513-2047, default = 513) or {+-}size{KMGTP}:
Last sector (513-2047, default = 2047) or {+-}size{KMGTP}: 512M
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300):
Changed type of partition to 'Linux filesystem'

Create a partition filling the rest of the space, /dev/sdaZ, with the type code 8E00.

Command (? for help): n
Partition number (3-128, default 3):
First sector (1025-2047, default = 1025) or {+-}size{KMGTP}:
Last sector (1025-2047, default = 2047) or {+-}size{KMGTP}:
Current type is 'Linux filesystem'
Hex code or GUID (L to show codes, Enter = 8300): 8E00
Changed type of partition to 'Linux LVM'

Encrypt the /dev/sdaZ partition (the large LVM partition, not the ESP /dev/sdaX, which stays unencrypted):

# cryptsetup luksFormat /dev/sdaZ

Format /dev/sdaX:

# mkfs.vfat -F32 /dev/sdaX

Setup the Logical Volumes

Open /dev/sdaZ:

# cryptsetup open --type luks /dev/sdaZ lvm

The decrypted container is now available at /dev/mapper/lvm.

Create a physical volume on top of the opened LUKS container:

# pvcreate /dev/mapper/lvm

Create the volume group named MyVol (or whatever you want), adding the previously created physical volume to it:

# vgcreate MyVol /dev/mapper/lvm

Create your logical volumes in this volume group:

# lvcreate -L 8G MyVol -n swap
# lvcreate -L 15G MyVol -n Parabola
# lvcreate -l 100%FREE MyVol -n Home

In this example, we create an 8GB swap partition, a 15GB root partition and a home partition filling up the rest of the space.

Format your filesystems:

# mkfs.ext4 /dev/mapper/MyVol-Parabola
# mkfs.ext4 /dev/mapper/MyVol-Home
# mkswap /dev/mapper/MyVol-swap

Setup the boot partition

Encrypt the /boot partition. GRUB's cryptodisk module has historically only been able to open LUKS1 containers (recent GRUB releases open LUKS2 only when the keyslots use PBKDF2), while recent cryptsetup versions default to LUKS2, so force the LUKS1 format for this partition:

# cryptsetup luksFormat --type luks1 /dev/sdaY

Open this partition:

# cryptsetup open --type luks /dev/sdaY cryptboot

Create a filesystem on the partition (any filesystem that can be read by the bootloader is eligible; in this case EXT2 is used):

# mkfs.ext2 /dev/mapper/cryptboot

Before anything can be mounted under /mnt/boot, the root logical volume has to be mounted on /mnt. Mount root, create the mount points, mount home, enable swap, and then mount the opened boot container on /mnt/boot:

# mount /dev/mapper/MyVol-Parabola /mnt
# mkdir /mnt/boot /mnt/home
# mount /dev/mapper/MyVol-Home /mnt/home
# swapon /dev/mapper/MyVol-swap
# mount /dev/mapper/cryptboot /mnt/boot

Create a mountpoint for the EFI System Partition (/dev/sdaX) and mount it:

# mkdir /mnt/boot/efi
# mount /dev/sdaX /mnt/boot/efi

At this point, follow the normal installation guide (https://wiki.parabola.nu/Installation_Guide) or the Beginner's Guide (https://wiki.parabola.nu/Beginners%27_guide) up to the mkinitcpio step.

Configuring mkinitcpio

Add the encrypt and lvm2 hooks to mkinitcpio.conf. The order matters, because the hooks run in the order listed: encrypt must come after block (it needs the block devices) and before lvm2 (the volume group lives inside the container), and lvm2 must come before filesystems. I also added keymap and consolefont in order to support different keymaps and fonts during boot; keymap has to precede encrypt, otherwise the passphrase is typed in the default US layout:

/etc/mkinitcpio.conf

HOOKS="... keymap consolefont encrypt lvm2 ... filesystems ..."

Regenerate the linux image:

# mkinitcpio -p linux-libre

Configuring the boot loader

Configure GRUB to open the LUKS encrypted /boot partition itself (GRUB_ENABLE_CRYPTODISK) and to tell the initramfs which container holds the root volume group (cryptdevice=). /dev/sdaZ is used here to match the rest of this guide; the UUID from blkid /dev/sdaZ is more robust (cryptdevice=UUID=<uuid>:lvm), because kernel device names can change when disks are added or reordered:

/etc/default/grub
--------------------------------------------------------------------------------------
GRUB_CMDLINE_LINUX="... cryptdevice=/dev/sdaZ:lvm root=/dev/mapper/MyVol-Parabola ..."
GRUB_ENABLE_CRYPTODISK=y

Generate GRUB's configuration file and install to the mounted ESP:

# grub-mkconfig -o /boot/grub/grub.cfg
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

If this finished without errors, GRUB should prompt for the passphrase to unlock the /boot partition after the next reboot.

Configuring crypttab

This section deals with extra configuration to let the system mount the encrypted /boot.

While GRUB asks for a passphrase to unlock the encrypted /boot after the instructions above, the partition unlock is not passed on to the initramfs. Hence, /boot will not be available after the system has re-/booted, because the encrypt hook only unlocks the system's root.

If you used the genfstab script during installation, it will have generated /etc/fstab entries for the /boot and /boot/efi mount points already, but the system will fail to find the device mapper node for the boot partition (/dev/mapper/cryptboot), because nothing opens it after the initramfs hands over. To make it available, add it to crypttab (as with GRUB, UUID=<uuid> may be used in place of /dev/sdaY). For example:

/etc/crypttab
------------------------------------------
cryptboot  /dev/sdaY      none        luks

Now you should be able to boot into your new encrypted installation of Parabola GNU/Linux-libre.

Note: You need to give your decryption password three times during boot: once to GRUB for the /boot container, once to the encrypt hook in the initramfs for the root container, and once more to the crypttab entry, which opens the /boot container again so it can be mounted. This is normal and there are ways to get around it (a keyfile embedded in the initramfs, for example), but they are beyond the scope of this article.
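The mkinitcpio, boot loader and crypttab settings above only work when they agree with each other: the hook order, the cryptdevice= and root= parameters, and every /dev/mapper device that fstab expects must line up, and a single mistake (the kind of X/Y/Z mix-up this guide's partition names invite) leaves the system unbootable. The following script is an added example, not part of the original guide or of Parabola's own tooling. It lints the four files from inside the chroot before the first reboot. Its assumptions are labelled in the comments: the volume group name contains no hyphen, and the sample file contents in its comments are constructed.

```shell
#!/bin/sh
# check_fde_config: added example, not part of the original guide or Parabola's tooling.
# Lints the files this guide edits, before the first reboot, for the mistakes that
# leave an encrypted-/boot + LVM-on-LUKS install unbootable:
#   mkinitcpio.conf    hook order: block < encrypt < lvm2 < filesystems, keymap before encrypt
#   /etc/default/grub  GRUB_ENABLE_CRYPTODISK=y, cryptdevice= and root= present and well formed
#   /etc/crypttab      every /dev/mapper/NAME mounted by fstab is either an LV of the root VG
#   /etc/fstab         (activated by the lvm2 hook) or has a crypttab entry that opens it
# Assumption: the volume group name contains no hyphen (LVM escapes '-' in names as '--').
#
# Usage: check_fde_config MKINITCPIO_CONF GRUB_DEFAULT CRYPTTAB FSTAB
# Exit 0 when all checks pass, 1 otherwise. "FAIL:" lines set the exit status; "WARN:" is advisory.

# hooks_in_order LIST A B: true when A and B are both in LIST and A comes first.
hooks_in_order() {
  local a="$2" b="$3" ia=-1 ib=-1 i=0 h
  for h in $1; do
    [ "$h" = "$a" ] && ia=$i
    [ "$h" = "$b" ] && ib=$i
    i=$((i + 1))
  done
  [ "$ia" -ge 0 ] && [ "$ib" -ge 0 ] && [ "$ia" -lt "$ib" ]
}

# hooks_list FILE: the HOOKS value, accepting both HOOKS="..." and HOOKS=(...) styles.
hooks_list() {
  sed -n 's/^[[:space:]]*HOOKS=//p' "$1" | tail -n 1 | tr -d '"()'
}

# grub_var FILE NAME: the value of NAME=... in /etc/default/grub, quotes stripped.
grub_var() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'"'"
}

# cmdline_param CMDLINE KEY: the value of KEY=... on a kernel command line (fails if absent).
cmdline_param() {
  local w
  for w in $1; do
    case "$w" in "$2="*) printf '%s\n' "${w#*=}"; return 0 ;; esac
  done
  return 1
}

check_fde_config() {
  local mkconf="$1" grubdef="$2" crypttab="$3" fstab="$4"
  local fails=0 hooks cmdline cryptdev rootdev vg pair dev name

  # mkinitcpio: hooks run in the listed order, so the order is the dependency chain.
  hooks=$(hooks_list "$mkconf")
  for pair in "block encrypt" "encrypt lvm2" "lvm2 filesystems"; do
    hooks_in_order "$hooks" $pair \
      || { echo "FAIL: HOOKS must list '${pair% *}' before '${pair#* }' (got: $hooks)"; fails=1; }
  done
  case " $hooks " in *" keymap "*)
    hooks_in_order "$hooks" keymap encrypt \
      || { echo "FAIL: keymap must precede encrypt or the passphrase is typed in the wrong layout"; fails=1; } ;;
  esac

  # GRUB: cryptodisk for the encrypted /boot, and the root container handed to the initramfs.
  [ "$(grub_var "$grubdef" GRUB_ENABLE_CRYPTODISK)" = "y" ] \
    || { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing; GRUB cannot open the LUKS /boot"; fails=1; }
  cmdline=$(grub_var "$grubdef" GRUB_CMDLINE_LINUX)
  cryptdev=$(cmdline_param "$cmdline" cryptdevice) \
    || { echo "FAIL: no cryptdevice= in GRUB_CMDLINE_LINUX"; fails=1; }
  rootdev=$(cmdline_param "$cmdline" root) \
    || { echo "FAIL: no root= in GRUB_CMDLINE_LINUX"; fails=1; }
  case "$cryptdev" in
    "") ;;
    /dev/sd*:*|/dev/nvme*:*|/dev/vd*:*)
      echo "WARN: cryptdevice=$cryptdev uses a kernel device name; UUID=... survives device reordering" ;;
    *:*) ;;
    *) echo "FAIL: cryptdevice must be DEVICE:NAME, got '$cryptdev'"; fails=1 ;;
  esac
  vg=
  case "$rootdev" in
    "") ;;
    /dev/mapper/*-*) vg=${rootdev#/dev/mapper/}; vg=${vg%%-*} ;;
    *) echo "FAIL: root= should name the LV as /dev/mapper/VG-LV, got '$rootdev'"; fails=1 ;;
  esac

  # fstab vs crypttab: a mapper device that is not an LV of the root VG must be opened by crypttab.
  for dev in $(awk '$1 !~ /^#/ && NF { print $1 }' "$fstab"); do
    case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
    name=${dev#/dev/mapper/}
    case "$name" in "$vg"-*) continue ;; esac
    grep -Eq "^[[:space:]]*$name[[:space:]]" "$crypttab" \
      || { echo "FAIL: fstab mounts $dev but no crypttab entry opens '$name'"; fails=1; }
  done
  return "$fails"
}

# Run directly with the four files as arguments; sourcing the file only defines the functions.
if [ "$#" -eq 4 ]; then check_fde_config "$@"; exit "$?"; fi
```

Run it from the chroot as `sh check_fde_config.sh /etc/mkinitcpio.conf /etc/default/grub /etc/crypttab /etc/fstab` after the crypttab step and before rebooting. The LV test is deliberately simple: anything named <VG>-* is taken to be an LV the lvm2 hook will activate, which is why the volume group name must not contain a hyphen for the check to be meaningful.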

2. Making a Usable System

Sound

Install alsa-utils:

# pacman -S alsa-utils

Configure the sound card by editing /etc/asound.conf. The card number below (1) is only an example; run aplay -l to list the cards ALSA detected and use the number of the one you want as the default:

/etc/asound.conf
----------------
pcm.!default {
    type hw
    card 1
}

ctl.!default {
    type hw
    card 1
}

Note: when using the audio plugin in the XFCE panel, right-click on it and click on properties, then change the sound card there, so that it also uses this sound card.