General Notes
I know there is a 'better way' to encrypt the swap partition. I've found it to be unreliable; this method is stable.
I know that GRUB 'supports' booting from an encrypted /boot. I've also found this to be unreliable.
If someone is aware of a way to encrypt the boot partition that actually works, I'd appreciate your feedback. This is a fairly large hole: with /boot in the clear, the kernel, initramfs and GRUB configuration can be read or tampered with by anyone with physical access, and nothing in this guide detects that.
This guide is not an end-all-be-all for security. However, we are one step ahead by not using systemd (which is probably why you're here).
We are further protected if you follow this guide, as we remove sudo in favour of doas and run XFCE with the X server as an unprivileged user, in a very easy way.
If your passwords are weak, then so is your system security.
This guide simply prepares you to build a secure system; it is not a complete solution, and repeating the post-install hardening here would be redundant given the other guides and wikis available (see step 29).
*Read through this and make sure you understand it before following it*
***You will lose ALL data on partitions you work with, a backup of important data is recommended***
Lastly, I recommend doing this procedure from the Artix desktop environment (graphical) image; it makes copying and pasting UUIDs much less burdensome. I've also assumed you've verified the image file after downloading it, and have already partitioned your drives the way you want them using gparted or cfdisk or fdisk or... you get the idea.
Let's Begin:
-- Wipe Drives
(every partition except /boot; do this whether or not the drive started out empty, so that free space cannot be told apart from encrypted data)
1. Create temp container
Use lsblk to see your devices and their UUIDs; you will need this command a few times.
lsblk -o +UUID
cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped
(one at a time, for each partition you will encrypt: root, home, swap, anything other than /boot. The mapping is keyed from /dev/urandom, so whatever you write through it lands on disk as random-looking data.)
2. Wipe Containers
dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress
(this command can take A LONG TIME, be patient; dd ends with a "No space left on device" error once the container is full, which is expected)
3. Close Containers
cryptsetup close /dev/mapper/to_be_wiped
(repeat for every container you wiped)
-- Encrypt encryptable partitions
(*not /boot; this works for swap too, in fact I recommend it on swap*)
4. Encrypt
cryptsetup -v --type luks2 -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random -y luksFormat /dev/<block-device>
(repeat for each partition; -y makes it ask for the passphrase twice, and the passphrase is what you will type at boot for root, so it had better be a strong one)
5. Open containers
cryptsetup open /dev/<block-device> <target>
(all containers except, you guessed it, boot; <target> is the name that will appear under /dev/mapper, e.g. root, home, swap)
-- Get ready to install
6. Format Filesystems
mkfs.<filesystem> /dev/mapper/<target>
OR, for swap
mkswap /dev/mapper/<target-swap>
7. Mount Filesystems (example for UEFI)
swapon /dev/mapper/<target-swap>
mount /dev/mapper/<target-root> /mnt/
mkdir -p /mnt/boot /mnt/<target>
mount /dev/<boot-partition> /mnt/boot
mount /dev/mapper/<target> /mnt/<target>
(mount root first; /boot is the unencrypted EFI system partition, which grub-install expects to find at /boot in step 16; every other container goes under its own mount point, e.g. /dev/mapper/home on /mnt/home)
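Steps 1 to 7 gathered into one reviewable script, as an added example that is not part of this guide. The partition layout in it is an assumption for illustration (/dev/nvme0n1p1 as the unencrypted EFI /boot, p2/p3/p4 becoming the root, home and swap containers, ext4 on root and home); the function names and the DRY_RUN switch are mine, not anything from Artix or cryptsetup. It only prints the commands unless you run it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not part of the original guide: steps 1-7 as one reviewable
# script. The layout is an assumption for illustration: /dev/nvme0n1p1 is the
# unencrypted EFI /boot, p2/p3/p4 become the root/home/swap containers, and
# root and home get ext4. Every destructive command goes through run(), which
# only prints the command unless you set DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}
BOOT_PART=/dev/nvme0n1p1
# "<partition>:<mapper name>" pairs; /boot is deliberately not in this list.
TARGETS="/dev/nvme0n1p2:root /dev/nvme0n1p3:home /dev/nvme0n1p4:swap"

run() {
    if [ "$DRY_RUN" != 0 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# is_mounted <device> [mounts text]: 0 if <device> is a mount source. The
# optional second argument lets the check run on sample data.
is_mounted() {
    _m=${2:-$(cat /proc/mounts 2>/dev/null)}
    printf '%s\n' "$_m" | awk -v d="$1" '$1 == d { f = 1 } END { exit !f }'
}

# refuse_device <device>: the two classic mistakes, wiping the boot partition
# and wiping something that is still mounted.
refuse_device() {
    if [ "$1" = "$BOOT_PART" ]; then echo "refusing to touch boot partition $1" >&2; return 1; fi
    if is_mounted "$1"; then echo "refusing: $1 is mounted" >&2; return 1; fi
    return 0
}

# Steps 1-3: write zeros through a plain dm-crypt mapping keyed from
# /dev/urandom, so the partition ends up holding random-looking data.
wipe_partition() {
    refuse_device "$1" || return 1
    run cryptsetup open --type plain -d /dev/urandom "$1" to_be_wiped
    run dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress  # ENOSPC at the end is expected
    run cryptsetup close to_be_wiped
}

# Steps 4-5: LUKS2 with the guide's parameters (prompts for the passphrase
# twice per partition), then open it under <name>.
encrypt_and_open() {
    refuse_device "$1" || return 1
    run cryptsetup -v --type luks2 -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random -y luksFormat "$1"
    run cryptsetup open "$1" "$2"
}

# Steps 6-7: filesystems, then mounts in dependency order: root, /boot, home.
format_and_mount() {
    run mkfs.ext4 /dev/mapper/root
    run mkfs.ext4 /dev/mapper/home
    run mkswap /dev/mapper/swap
    run swapon /dev/mapper/swap
    run mount /dev/mapper/root /mnt
    run mkdir -p /mnt/boot /mnt/home
    run mount "$BOOT_PART" /mnt/boot
    run mount /dev/mapper/home /mnt/home
}

prepare_disks() {
    for _p in $TARGETS; do wipe_partition "${_p%%:*}" || return 1; done
    for _p in $TARGETS; do encrypt_and_open "${_p%%:*}" "${_p#*:}" || return 1; done
    format_and_mount
}

# Prints the plan by default; DRY_RUN=0 sh thisscript.sh executes it.
prepare_disks
```

The two guards are the part worth keeping even if you type the commands by hand: refuse_device stops you from wiping the boot partition or anything still mounted, and the dry run lets you read the whole plan, with the real device names substituted, before any of it touches a disk.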
-- Install System
8. Use basestrap to install a minimal system
basestrap /mnt base base-devel openrc linux-hardened linux-firmware elogind-openrc networkmanager-openrc cryptsetup-openrc grub os-prober efibootmgr vim nano
9. Generate fstab
fstabgen -U /mnt >> /mnt/etc/fstab
# Check /mnt/etc/fstab for errors (cat /mnt/etc/fstab); they are rare, but occasional errors do occur. For the encrypted volumes it matters little whether a line uses UUID=<filesystem UUID> or /dev/mapper/<target>, since dmcrypt opens the containers (by their own UUIDs, see step 19) before anything is mounted; for /boot, UUID is the right choice.
-- Configure System To Boot
10. chroot into new system
artools-chroot /mnt
11. Set your timezone
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc
12. Generate locale
Edit locale.gen and uncomment your locale
nano /etc/locale.gen
Then run locale-gen
locale-gen
Edit locale.conf and set LANG to the locale you just generated (for example LANG=en_US.UTF-8), plus any LC_* overrides you want
nano /etc/locale.conf
13. Network Config
Edit hostname and add your hostname.
nano /etc/hostname
Edit hosts so that localhost and your hostname resolve locally: 127.0.0.1 localhost, ::1 localhost, and 127.0.1.1 <hostname>.localdomain <hostname>
nano /etc/hosts
14. Initcpio Config
nano /etc/mkinitcpio.conf
Add "encrypt" to HOOKS after "block" (the partition must exist before it can be opened) and after "keyboard" (so the passphrase prompt accepts input), and before "filesystems" (which mounts the opened root)
Then regenerate initcpio
mkinitcpio -p linux-hardened
15. Grub Config
Add "cryptdevice=device:dmname" to GRUB_CMDLINE_LINUX_DEFAULT, where device is the encrypted root container (UUID=<uuid of /dev/<block-device> as printed by blkid>, not the filesystem UUID of /dev/mapper/<dmname>) and dmname is the name you opened it with in step 5. GRUB_CMDLINE_LINUX also works and additionally applies to recovery entries.
nano /etc/default/grub
16. Install Grub
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
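Before running mkinitcpio and grub-mkconfig it is worth checking the two edits from steps 14 and 15 mechanically, because a wrong HOOKS order or a cryptdevice= built from the wrong UUID only shows up as an unbootable system. The following is an added example, not from this guide: hooks_ok, cryptdevice_param and grub_has_param are names I made up, and the SAMPLE_* strings are constructed stand-ins for /etc/mkinitcpio.conf, a blkid line and /etc/default/grub.

```shell
#!/bin/sh
# Added example, not part of the original guide: checks to run inside the
# chroot before mkinitcpio and grub-mkconfig (steps 14-15). The SAMPLE_*
# strings are constructed stand-ins for /etc/mkinitcpio.conf, blkid output
# and /etc/default/grub.

# hooks_ok <text of mkinitcpio.conf>: returns 0 only when the HOOKS line has
# encrypt after block (the partition must exist before it can be opened) and
# after keyboard (so the passphrase prompt accepts input), and before
# filesystems (which mounts the opened root).
hooks_ok() {
    printf '%s\n' "$1" | awk '
        /^HOOKS=/ {
            seen = 1
            sub(/^HOOKS=["(]?/, ""); sub(/[")]?[[:space:]]*$/, "")
            n = split($0, h, /[[:space:]]+/)
            for (i = 1; i <= n; i++) pos[h[i]] = i
            ok = ("encrypt" in pos) && ("block" in pos) && ("keyboard" in pos) && ("filesystems" in pos)
            if (ok) ok = pos["block"] < pos["encrypt"] && pos["keyboard"] < pos["encrypt"] && pos["encrypt"] < pos["filesystems"]
            exit !ok
        }
        END { if (!seen) exit 1 }'
}

# cryptdevice_param <blkid line of the root partition> <dmname>
# Builds the kernel parameter for step 15 from the *container* UUID. It takes
# the blkid line for the raw partition (TYPE="crypto_LUKS") and refuses any
# other device, so the filesystem UUID of /dev/mapper/<dmname> cannot be used.
cryptdevice_param() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR == 1 {
            for (i = 2; i <= NF; i++) {
                if (index($i, "UUID=\"") == 1) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
                if (index($i, "TYPE=\"") == 1) { type = $i; gsub(/^TYPE="|"$/, "", type) }
            }
            if (type != "crypto_LUKS" || uuid == "") exit 1
            printf "cryptdevice=UUID=%s:%s\n", uuid, name
        }'
}

# grub_has_param <text of /etc/default/grub> <param>: is <param> present on
# the GRUB_CMDLINE_LINUX_DEFAULT (or GRUB_CMDLINE_LINUX) line?
grub_has_param() {
    printf '%s\n' "$1" | grep -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' | grep -qF -- "$2"
}

# Constructed sample data. On a real system use:
#   hooks_ok "$(cat /etc/mkinitcpio.conf)"
#   param=$(cryptdevice_param "$(blkid /dev/nvme0n1p2)" root)
#   grub_has_param "$(cat /etc/default/grub)" "$param"
SAMPLE_MKINITCPIO='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)'
SAMPLE_BLKID_ROOT='/dev/nvme0n1p2: UUID="11111111-1111-1111-1111-111111111111" TYPE="crypto_LUKS"'
SAMPLE_GRUB='GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=11111111-1111-1111-1111-111111111111:root"
GRUB_CMDLINE_LINUX=""'

hooks_ok "$SAMPLE_MKINITCPIO" && echo "HOOKS order ok"
param=$(cryptdevice_param "$SAMPLE_BLKID_ROOT" root) && echo "$param"
grub_has_param "$SAMPLE_GRUB" "$param" && echo "grub default has cryptdevice"
```

Run the three checks with the real files substituted as shown in the comment; if hooks_ok fails, fix HOOKS before mkinitcpio, and if grub_has_param fails, paste the printed parameter into /etc/default/grub before grub-mkconfig.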
17. Generate Keys For Other partitions
# store keys on the (encrypted) root partition only, never on /boot, which is in the clear
dd bs=512 count=4 if=/dev/random of=/path/to/key iflag=fullblock
chmod 600 /path/to/key
18. Configure non-root partitions to use keyfile
cryptsetup luksAddKey /dev/<block-device> /path/to/key
(it asks for an existing passphrase of that container first)
***do not do this to ROOT (most probably just do it on swap and home): root is unlocked by your passphrase at the initramfs prompt, and a keyfile for it would have to live somewhere unencrypted***
19. Configure dmcrypt
nano /etc/conf.d/dmcrypt
One entry per container. For the source, use the UUID of the encrypted container /dev/<block-device> (the line blkid shows with TYPE="crypto_LUKS"), NOT the UUID of the filesystem inside /dev/mapper/<target>; the key is the file from step 17.
20. Configure fstab
If you overrode fstab or it had errors and you set it up with /dev/mapper/<target> instead of UUID=, make sure each /dev/mapper/<target> name matches the target you configured in dmcrypt above. Otherwise, confirm that each UUID listed is the filesystem UUID that blkid reports for /dev/mapper/<target>, not the container's UUID.
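The UUID mix-up that steps 19 and 20 warn about is easy to make and silent until reboot, so here is an added example (not part of the original guide) that generates dmcrypt entries from blkid output and cross-checks fstab against it. The blkid output, fstab contents, device names and key paths are constructed sample data, and the function names are mine. The target=/source=/key= entry layout follows the commented examples in /etc/conf.d/dmcrypt itself; confirm the exact source=UUID= form against that file on your system.

```shell
#!/bin/sh
# Added example, not part of the original guide: steps 17-20 as a keyfile
# helper plus two checks you can run inside the chroot. Device names, UUIDs,
# key paths and the fstab below are constructed sample data; on a real box
# pass "$(blkid)" and "$(cat /etc/fstab)" instead.

# make_keyfile <path>: 2048 random bytes, created under umask 077 so the file
# is never readable by others, even briefly. Keep it on the encrypted root.
make_keyfile() {
    ( umask 077 && dd bs=512 count=4 if=/dev/random of="$1" iflag=fullblock 2>/dev/null ) && chmod 600 "$1"
}

# Constructed blkid(8) output. Note the two kinds of UUID:
#   /dev/nvme0n1pN   -> UUID of the LUKS container   (what dmcrypt needs)
#   /dev/mapper/NAME -> UUID of the filesystem inside (what fstab needs)
SAMPLE_BLKID='/dev/nvme0n1p1: UUID="1234-ABCD" TYPE="vfat"
/dev/nvme0n1p2: UUID="11111111-1111-1111-1111-111111111111" TYPE="crypto_LUKS"
/dev/nvme0n1p3: UUID="22222222-2222-2222-2222-222222222222" TYPE="crypto_LUKS"
/dev/nvme0n1p4: UUID="33333333-3333-3333-3333-333333333333" TYPE="crypto_LUKS"
/dev/mapper/root: UUID="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa" TYPE="ext4"
/dev/mapper/home: UUID="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb" TYPE="ext4"
/dev/mapper/swap: UUID="cccccccc-cccc-cccc-cccc-cccccccccccc" TYPE="swap"'

# blkid_field <blkid-output> <device> <KEY>: the KEY="..." value for <device>.
blkid_field() {
    printf '%s\n' "$1" | awk -v dev="$2:" -v key="$3=" '
        $1 == dev { for (i = 2; i <= NF; i++) if (index($i, key) == 1) { v = substr($i, length(key) + 1); gsub(/"/, "", v); print v } }'
}

# type_of_uuid <blkid-output> <uuid>: TYPE of whichever device carries <uuid>.
type_of_uuid() {
    printf '%s\n' "$1" | awk -v u="UUID=\"$2\"" '
        { hit = 0; t = ""
          for (i = 2; i <= NF; i++) { if ($i == u) hit = 1; if (index($i, "TYPE=") == 1) { t = $i; gsub(/TYPE=|"/, "", t) } }
          if (hit) print t }'
}

# dmcrypt_stanza <blkid-output> <container-dev> <mapper-name> <keyfile>
# Emits one /etc/conf.d/dmcrypt entry and refuses anything that is not a LUKS
# container, so the /dev/mapper UUID cannot slip in (the warning in step 19).
dmcrypt_stanza() {
    _t=$(blkid_field "$1" "$2" TYPE)
    [ "$_t" = crypto_LUKS ] || { echo "error: $2 is ${_t:-unknown}, not a LUKS container" >&2; return 1; }
    printf 'target=%s\nsource=UUID=%s\nkey=%s\n\n' "$3" "$(blkid_field "$1" "$2" UUID)" "$4"
}

# fstab_check <blkid-output> <fstab-text>: each UUID= entry must name a
# filesystem blkid knows and must not be a LUKS container UUID. Reports every
# offender on stderr and returns 1 if there are any (step 20).
fstab_check() {
    printf '%s\n' "$2" | {
        bad=0
        while read -r src mnt _; do
            case "$src" in UUID=*) ;; *) continue ;; esac
            uuid=${src#UUID=}
            case "$(type_of_uuid "$1" "$uuid")" in
                crypto_LUKS) echo "fstab: $mnt uses LUKS container UUID $uuid; use the filesystem UUID of the /dev/mapper device" >&2; bad=1 ;;
                "") echo "fstab: $mnt uses UUID $uuid that blkid does not report" >&2; bad=1 ;;
            esac
        done
        exit "$bad"
    }
}

# Usage on the sample data: entries for home and swap, then validate fstab.
SAMPLE_FSTAB='# <file system> <dir> <type> <options> <dump> <pass>
UUID=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa / ext4 rw,relatime 0 1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0077,dmask=0077 0 2
UUID=bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb /home ext4 rw,relatime 0 2
UUID=cccccccc-cccc-cccc-cccc-cccccccccccc none swap defaults 0 0'
dmcrypt_stanza "$SAMPLE_BLKID" /dev/nvme0n1p3 home /etc/keys/home.key
dmcrypt_stanza "$SAMPLE_BLKID" /dev/nvme0n1p4 swap /etc/keys/swap.key
fstab_check "$SAMPLE_BLKID" "$SAMPLE_FSTAB" && echo "fstab ok"
```

Root is deliberately absent from the generated entries: it is opened by the initramfs (step 15), not by dmcrypt, and has no keyfile.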
21. Set rc-update services to run
rc-update add dmcrypt sysinit
rc-update add NetworkManager default
22. Remove sudo, add opendoas
# I suspect many feuds over the validity of this, so consider this, and the following configuration of opendoas, as optional. Many AUR helpers are built with a sudo dependency. I don't care, as I do not use the AUR often enough to require a helper. #
pacman -R sudo
pacman -S opendoas
You will use doas instead of sudo
23. Configure opendoas
nano /etc/doas.conf
Add a rule for the wheel group (permit persist :wheel). doas refuses to run if the file is writable by group or others, so leave it owned by root with mode 0400.
24. Set root password and make admin/doas user
Replace NEWSUPERUSERNAME with your desired username.
passwd
useradd -m -G wheel NEWSUPERUSERNAME
passwd NEWSUPERUSERNAME
25. Reboot
exit
poweroff
*Remove Boot Media*
*Turn on Computer*
-- First Boot
26. Everything should be working just great.
Double-check that all drives are mounted (findmnt or lsblk) and that swap is in use (swapon --show).
IF, AND ONLY IF, IT ISN'T, here is how to troubleshoot it:
Start with ls /dev/mapper and make sure the names correspond to the targets in /etc/conf.d/dmcrypt and the devices in /etc/fstab
If a device is NOT in /dev/mapper, dmcrypt did not open it: re-check its entry in /etc/conf.d/dmcrypt (container UUID and key path) and that the service is in the runlevel (rc-update show sysinit)
27. Install a display environment.
I like xfce4, so that is what this guide will use.
I prefer to use a display manager.
All greeters launch X as root except GDM.
I could use Plasma or Gnome under Wayland...
But, alas, I dislike Gnome and Plasma is spyware, so...
doas pacman -Syu displaymanager-openrc elogind-openrc xfce4 gdm
doas rc-update add xdm default
doas nano /etc/conf.d/xdm
Set DISPLAYMANAGER="gdm"
doas shutdown -r now
-- Second Boot
When the PC reboots you should be welcomed by GDM; make sure to select the Xfce session before logging in, or you will be dropped into Gnome.
28. Verify Xorg is running as your user
ps -o user= -p "$(pgrep -d, -x Xorg)"
If any line says root, you lose. If it says your username, you've followed my haphazard instructions well!
29. Now run through step by step the Arch Security Wiki, hardening your system
--Personal Notables
-CPU microcode updates & other CPU vulnerability mitigations
-Login lockout and timers
-Disable root login universally
-Mandatory access control such as SELinux
-Sandboxing (bubblewrap)
-Set up firewalls / possibly VPN/Tor
-Default file permissions
-Make sure UEFI has a password
-Password-protect GRUB entries
-Protect against rogue USB devices
-Autologout
-DNS security
30. Configure and use your system elsewhere as desired
--Personal Notables
-Bash Tab Completion
-Display driver
-Browser (Firefox configured properly, or just Pale Moon)
-Fonts and Media Codecs
-vim plugins
-Theme XFCE
99. Enjoy Your System