Full disk encryption (FDE) is one of the best security measures you can take to protect data in your device’s storage. As the name implies, FDE encrypts the contents (files, software) of a storage drive in its entirety, including the operating system itself. FDE can be activated in Linux, Windows, and macOS, as well as Android systems.
With FDE enabled on your device, you will need to provide an encryption key on each login attempt. Once you enter the correct encryption key, the disk is decrypted, and your device will boot as usual.
FDE should not be confused with File Level Encryption (FLE), as the latter only protects individual files that have been encrypted manually by the user.
It should also be noted that Full Disk Encryption only works as long as the user has logged out of the system. Once an authorized user logs into the system,
Though not adequate on its own, FDE serves as a great first step toward securing your data from unauthorized access.
In this tutorial, you will learn how to set up ArchLinux with Full Disk Encryption in UEFI firmware mode on a GPT-partitioned disk.
Step 1: Set Boot Mode to UEFI
To follow this guide, you will first need to set the boot mode to UEFI.
To check if your system is already in UEFI mode, issue the following command to list the efivars directory:
If the directory is listed without an error, you can be sure that the system has booted in UEFI mode.
If the system has not booted in UEFI, restart and press the menu key on your keyboard (which key that is depends upon the specific model you are using; look it up). Open the firmware tab and set the system to boot in UEFI mode.
Step 2: Ensure System Clock Is Accurate
Check if your system clock is up-to-date by entering the following:
The following syntax will set the time:
Step 3: Separate Partitions in Storage
To use gdisk to create root and boot partitions, issue the following:
Next, delete pre-existing partitions by pressing o, and press n twice when asked for input. Then, press p to list the pre-existing partitions, press w to overwrite these partitions, and press y to confirm.
Step 4: Ready Root Partition
The next step is to set up a root partition. Do so by entering the following:
$ cryptsetup open /dev/sda2 cryptroot
$ mkfs.ext4 /dev/mapper/cryptroot
Then, mount the encrypted root partition:
Step 5: Configure the Boot Partition
Run the following command to create the boot partition:
$ mkdir /mnt/boot
Then, mount the partition by entering the following:
Step 6: Install Supporting Dependencies
Issue the following command to produce an fstab file:
Then, download the vim and dhcpcd packages by entering the following:
Step 7: Change Root Directory
Use the following command to change the root directory:
Step 8: Set Time Zones
Be sure that the time zone is accurate to your location:
$ hwclock --systohc
Step 9: Modify Relevant Locales
Run the following command to list the relevant locales:
$ localectl set-locale LANG=en_US.UTF-8
In particular, you will edit the /etc/locale.gen file.
Step 10: Change to mkinitcpio
First, append the following to /etc/hosts:
# ::1 localhost
Then, open and modify /etc/mkinitcpio.conf.
Be sure to include the encrypt hook, and move the keyboard hook so that the encrypt hook comes after it.
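The hook ordering described above can be checked before the boot images are built. The following is an added example, not part of the original tutorial: the function names and sample configs are constructed, it assumes the busybox-style encrypt hook, and the check that encrypt precedes filesystems goes beyond what the page states.

```shell
#!/bin/sh
# Added example: validate HOOKS ordering in a mkinitcpio.conf-style file.

# Print the 1-based position of hook $1 in the word list $2, or 0 if absent.
hook_pos() {
    want=$1; i=0
    for h in $2; do
        i=$((i + 1))
        [ "$h" = "$want" ] && { echo "$i"; return; }
    done
    echo 0
}

# check_hooks FILE: 0 = ordering is usable for an encrypted root,
# 1 = encrypt missing or misordered, 2 = no active HOOKS line found.
check_hooks() {
    # Use the last uncommented HOOKS= line; strip the array syntax and quotes.
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=[("]*\([^)"]*\)[)"]*.*$/\1/p' "$1" | tail -n 1)
    [ -n "$hooks" ] || { echo "no active HOOKS line" >&2; return 2; }
    kb=$(hook_pos keyboard "$hooks")
    enc=$(hook_pos encrypt "$hooks")
    fs=$(hook_pos filesystems "$hooks")
    [ "$enc" -gt 0 ] || { echo "encrypt hook missing" >&2; return 1; }
    # Without the keyboard hook loaded first, the passphrase cannot be typed.
    [ "$kb" -gt 0 ] && [ "$kb" -lt "$enc" ] ||
        { echo "keyboard must precede encrypt" >&2; return 1; }
    # The root filesystem can only be mounted after the volume is unlocked.
    [ "$fs" -gt "$enc" ] ||
        { echo "filesystems must be present after encrypt" >&2; return 1; }
    return 0
}

# Constructed sample configs (not taken from the original page).
demo_dir=$(mktemp -d)
printf '%s\n' '#HOOKS=(base udev encrypt)' \
    'HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)' \
    > "$demo_dir/good.conf"
printf '%s\n' \
    'HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)' \
    > "$demo_dir/bad.conf"
printf '%s\n' '#HOOKS=(base udev keyboard encrypt filesystems)' > "$demo_dir/none.conf"

check_hooks "$demo_dir/good.conf" && echo "good.conf: OK"
check_hooks "$demo_dir/bad.conf" || echo "bad.conf: rejected"
```

On an installed system, the same function can be pointed at /etc/mkinitcpio.conf from inside the chroot.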
Issue the following command to produce the boot images:
Step 11: Enter Encryption Key
Step 12: Install ucode Package
If you are using an Intel CPU, type in the following command:
For AMD users, the command should be:
Step 13: Install and Set Up EFI Boot Manager
To install an EFI boot manager, run the following command:
Step 14: Run Reboot
Type exit, and then reboot.
Upon reboot, you will be prompted to enter a password.
That is it! That is how you install ArchLinux with Full Disk Encryption.
One of the best ways to protect your phone, computer, and laptop devices from unauthorized logins is Full Disk Encryption.
In this tutorial, you learned how to install ArchLinux with Full Disk Encryption. With FDE at your disposal, you no longer have to worry about other people intruding on your system.
Hopefully, you found this tutorial helpful and easy to follow. Stick around at linuxhint.com for more posts related to data security.