{{tag>[hardware apu arch linux encrypted]}}
=====PC Engines APU - Arch Linux with LUKS encryption=====
====Set-up====
* The host PC user (on Fedora) needs to be a member of the ''dialout'' and ''disk'' groups to access the serial port and to write to the USB drive. Alternatively, use sudo.
* Connect to the PC Engines APU's serial port:
<code bash>
screen /dev/ttyUSB0 115200   # to select: boot from USB
screen /dev/ttyUSB0 38400    # to continue the Arch Linux installation
</code>
* Connect the APU to Ethernet / the internet for updates and access to the package repositories.
====Bootable USB drive====
* Download the latest image from [[https://www.archlinux.org/download/]].
* Verify the download; the expected SHA1 is ''91a195bf1395694151fc3f7f766e9d1233e2aed9'':
<code bash>
$ sha1sum archlinux-2017.05.01-x86_64.iso
91a195bf1395694151fc3f7f766e9d1233e2aed9  archlinux-2017.05.01-x86_64.iso
</code>
* Copy the image to the USB drive:
<code bash>
sudo dd bs=4M if=archlinux-2017.05.01-x86_64.iso of=/dev/sdx status=progress && sync
</code>
====Boot Arch Linux from USB====
* Boot the APU and press ''F12'', then select USB boot.
* Switch the console to 38400 baud. Press ''ctrl-l'' to redraw the screen.
* Select the ''Boot Arch Linux'' option and press ''TAB''.
* Add ''console=ttyS0,38400'' to the kernel line and press ''enter'' {{:private:screenshot_from_2017-05-26_19-14-16.png?nolink|}}
* Log in with user ''root'' (no password).
* If you connected the network cable after booting, request an IP address:
<code bash>
# dhclient enp1s0
</code>
* Install and run sshd to complete the installation over SSH. First select a nearby mirror in ''/etc/pacman.d/mirrorlist'', then:
<code bash>
# pacman -Sy
# pacman -S openssh
# passwd root
# systemctl start sshd
</code>
====Install Arch Linux====
The next steps install Arch Linux on an encrypted root filesystem.
===Partitions and filesystems===
* Secure erase the SSD. First check that the device is not frozen:
<code>
# hdparm -I /dev/sdX
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
</code>
* Set a password; any password will do, as it is reset to NULL after erasing:
<code>
# hdparm --user-master u --security-set-pass Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
Issuing SECURITY_SET_PASS command, password="Meu3lieY43", user=user, mode=high
</code>
* Check that the password is ''enabled'':
<code>
# hdparm -I /dev/sdX
Security:
        Master password revision code = 65534
                supported
                enabled
</code>
* Secure erase the SSD:
<code>
# hdparm --user-master u --security-erase Meu3lieY43 /dev/sdX
security_password: "Meu3lieY43"

/dev/sda:
Issuing SECURITY_ERASE command, password="Meu3lieY43", user=user
</code>
* Check that the master password is supported, but not enabled:
<code>
# hdparm -I /dev/sdX
Security:
        Master password revision code = 65534
                supported
</code>
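The three ''hdparm -I'' checks above are easy to misread in a serial console, so here is an added example (not from the original page) that classifies the ''Security:'' block and only reports ''ready'' when the set-pass and security-erase steps can be started. The section layout is assumed to be the one quoted above; the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): classify the "Security:" block of
# `hdparm -I` output before the set-pass / security-erase steps, so they are only
# issued on a drive that is supported, not frozen, not locked and has no password
# enabled yet. The section layout is assumed to be the one quoted above.

# Keep only the "Security:" heading and the indented lines that follow it.
security_section() {
    printf '%s\n' "$1" | sed -n '/^Security:/,/^[^[:space:]]/p'
}

# hdparm prints a state as "not<TAB>frozen" or "<TAB>frozen"; true only for the latter form.
state_is() {   # $1 = section text, $2 = enabled|locked|frozen
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*'"$2"'([[:space:]]|$)'
}

# Print exactly one of: unsupported, frozen, locked, enabled, ready. Always exits 0.
ata_security_state() {
    sec=$(security_section "$1")
    if ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]+supported[[:space:]]*$'; then
        echo unsupported                        # no ATA security feature set on this drive
    elif state_is "$sec" frozen; then echo frozen   # often frozen by the BIOS: power-cycle or suspend/resume first
    elif state_is "$sec" locked; then echo locked   # unlock with the existing password before anything else
    elif state_is "$sec" enabled; then echo enabled # a password is already set; the erase needs that password
    else echo ready
    fi
}

# True only when the set-pass + security-erase sequence from the page can be started.
erase_ready() { [ "$(ata_security_state "$1")" = ready ]; }

# Constructed samples modelled on the output quoted above, with the tabs hdparm actually prints.
SAMPLE_READY=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n')
SAMPLE_FROZEN=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t\tfrozen\n')
SAMPLE_ENABLED=$(printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\t\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n')

# Usage: save the real listing with `hdparm -I /dev/sdX > hdparm.txt` and run `./check.sh hdparm.txt`;
# without an argument the three constructed samples are classified (ready, frozen, enabled).
if [ "$#" -gt 0 ]; then
    ata_security_state "$(cat "$1")"
else
    for s in "$SAMPLE_READY" "$SAMPLE_FROZEN" "$SAMPLE_ENABLED"; do ata_security_state "$s"; done
fi
```

Run it again after the erase: the listing must come back as ''ready'' (supported, not enabled), which is the state the final check above expects.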
* Partition the SSD: a 256 MB first partition for ''/boot'' and a second partition, covering the rest of the drive, for the encrypted root:
<code bash>
(
echo o      # Create a new empty DOS partition table
echo n      # Add a new partition
echo p      # Primary partition
echo 1      # Partition number
echo        # First sector (accept default)
echo +256M  # Last sector: make the partition 256 MB
echo n      # Add a new partition
echo p      # Primary partition
echo 2      # Partition number
echo        # First sector (accept default)
echo        # Last sector (accept default, rest of the drive)
echo w      # Write changes
) | sudo fdisk /dev/sdX
</code>
* If the new partitions cannot be used yet, try ''partprobe''; if it fails as below, reboot:
<code>
# partprobe /dev/sda
Error: Partition(s) 2 on /dev/sda have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use. As a result, the old partition(s) will remain in use. You should reboot now before making further changes.
</code>
* Create the ''/boot'' and root filesystems:
<code bash>
# cryptsetup -y -v luksFormat /dev/sdX2
# cryptsetup open /dev/sdX2 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot
# mount /dev/mapper/cryptroot /mnt
# mkfs.ext4 /dev/sdX1
# mkdir /mnt/boot
# mount /dev/sdX1 /mnt/boot
</code>
===Install Arch Linux===
* Copy Arch Linux to the new filesystems:
<code bash>
# pacstrap /mnt base
</code>
* Generate an fstab:
<code bash>
# genfstab -L /mnt >> /mnt/etc/fstab
</code>
* Chroot into the new system:
<code bash>
# arch-chroot /mnt
</code>
* Set the root password:
<code bash>
# passwd root
</code>
* Set up the system clock:
<code bash>
# ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
# hwclock --systohc --utc
</code>
* Set the hostname:
<code bash>
# echo MYHOSTNAME > /etc/hostname
</code>
* Update the locale:
<code bash>
# vi /etc/locale.gen
# locale-gen
</code>
* Add the ''encrypt'' hook (''keyboard'' must come before ''encrypt'' so the passphrase can be typed):
<code bash>
# vi /etc/mkinitcpio.conf
</code>
<code>
HOOKS="base udev autodetect modconf keyboard keymap block encrypt filesystems fsck"
</code>
* Generate a new initramfs:
<code bash>
# mkinitcpio -p linux
</code>
* Install the bootloader:
<code bash>
# pacman -S grub
# grub-install /dev/sda
# grub-mkconfig -o /boot/grub/grub.cfg
</code>
* Modify the kernel options for decrypting the root filesystem; fill in the UUID of the LUKS partition (''/dev/sdX2'') after ''UUID='':
<code bash>
# vi /etc/default/grub
</code>
<code>
GRUB_CMDLINE_LINUX="cryptdevice=UUID=:cryptroot"
</code>
* Configure the serial port as kernel console (add the option below in ''/etc/default/grub''):
<code>
GRUB_CMDLINE_LINUX_DEFAULT="console=tty0 console=ttyS0,115200n8"
</code>
* Configure grub itself to use the serial console (add the options below in ''/etc/default/grub''):
<code>
## Serial console
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
</code>
* Make a new grub config:
<code bash>
# grub-mkconfig -o /boot/grub/grub.cfg
</code>
* Reboot and connect with 115200 baud.
====Post install====
* Configure the network:
<code bash>
# cp /etc/netctl/examples/ethernet-static /etc/netctl
# vi /etc/netctl/ethernet-static
# netctl list
# netctl start ethernet-static
# netctl enable ethernet-static
</code>
* Add users.
* Enable SSH:
<code bash>
# pacman -S openssh
# systemctl enable sshd
# systemctl start sshd
</code>
* Configure a simple firewall (deny everything inbound except SSH):
<code bash>
# pacman -S ufw
# ufw default deny
# ufw allow SSH
# ufw enable
</code>
* Configure timekeeping:
<code bash>
# vi /etc/systemd/timesyncd.conf
# timedatectl set-ntp true
</code>