Void Linux Install Guide
Full-Disk Encryption with LUKS, automated Keys, partitions
You will most likely (know your architecture) need the x86_64 arch and the MUSL libc. Don't pick one of the ones with a desktop environment unless you feel like waiting 90 days for XFace Cinnabun. Notice this link is for the United States mirrors: these US mirrors will result in faster software downloads, faster synchronizing, and faster verification. Using the German mirrors was a serious problem with my last Void installation. Remember, you can always install your preferred software later.
Follow this guide to ensure your entire hard drive is encrypted. Like it says, you will have to use "luksFormat" with your cryptsetup command. The commands below appear in the same order as in the linked documentation. Please be careful to run them in that order, and replace "yourname" with a meaningful name. Once you have picked a name, use it consistently through the rest of the commands.
You will be executing these commands after you've successfully booted from the Void Linux flash drive. The entire drive will be formatted and erased. It looks like you'll have to set a password that you must type every single time you boot your laptop, so PLEASE write it down somewhere.
The initial commands with cryptsetup MUST use /dev/sda2 instead of sda1 if the hardware (laptop, desktop, whatever) boots via UEFI, because UEFI needs a separate unencrypted EFI partition on sda1. If the machine does not boot via UEFI, it does not need a separate unencrypted boot partition: use sda1, and GRUB will take care of the rest. The example commands below use sda2. Decide whether you are going to encrypt sda1 or sda2, and then stick with it for the rest of the process. You can run cfdisk with no arguments, or you can give it /dev/sda as the first and only argument. You can read more about the open-source program cryptsetup, here.
# cfdisk
# fdisk -l /dev/sda
# cryptsetup luksFormat --type luks1 /dev/sda2
WARNING: This will overwrite data!!!!
.......
====================
Enter passphrase:
Verify passphrase:
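The UEFI-or-not decision above governs three later steps (which partition gets LUKS, whether an EFI partition is formatted and mounted, and which GRUB package is installed), so it is worth settling once, up front. The following script is an added example and not part of the guide or of Void's tooling; it checks for UEFI firmware the way the kernel exposes it (the /sys/firmware/efi directory), prints the resulting plan, and refuses to proceed on a partition that is currently mounted. The firmware directory and the mounts file are parameters only so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# Added example (not from the guide): settle the UEFI-vs-BIOS questions once
# and print the resulting plan, so the partition numbers, the EFI mount and the
# GRUB package all follow from one decision. The firmware directory and the
# mounts file are parameters so the functions can be tested on scratch files;
# on the live system the defaults (/sys/firmware/efi, /proc/mounts) apply.

# part DISK N : partition device name, handling the "p" infix of nvme/mmc disks
part() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# boot_plan DISK [EFI_SYSFS_DIR] : print key=value lines describing the layout
boot_plan() {
    disk=$1
    efidir=${2:-/sys/firmware/efi}
    if [ -d "$efidir" ]; then
        # UEFI firmware exposes /sys/firmware/efi: partition 1 stays an
        # unencrypted EFI System Partition, LUKS goes on partition 2
        printf 'mode=uefi\nesp=%s\nluks=%s\ngrub_package=grub-x86_64-efi\n' \
            "$(part "$disk" 1)" "$(part "$disk" 2)"
    else
        # BIOS boot: no ESP needed, encrypt partition 1 and let GRUB handle it
        printf 'mode=bios\nesp=none\nluks=%s\ngrub_package=grub\n' \
            "$(part "$disk" 1)"
    fi
}

# plan_value DISK EFI_SYSFS_DIR KEY : one field of the plan
plan_value() {
    boot_plan "$1" "$2" | sed -n "s/^$3=//p"
}

# not_mounted DEVICE [MOUNTS_FILE] : refuse to touch a partition that is in use
not_mounted() {
    mounts=${2:-/proc/mounts}
    ! grep -q "^$1 " "$mounts"
}

if [ -n "${1:-}" ]; then   # usage on the live system: sh plan.sh /dev/sda
    boot_plan "$1"
fi
```

Run it as `sh plan.sh /dev/sda` from the live USB and copy the printed partition and package names into the commands that follow; nvme disks get the `p` infix (/dev/nvme0n1p2) automatically.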
Remember this passphrase! Write it down! Sticky notes, fridge magnets, I mean it! This is the one time you set it, and you will have to enter it again later in the installation. In these next commands you pick the name ("yourname") for the unlocked volume and for the LVM volume group; this guide reuses the same name as the computer's hostname later, so pick something and stick with it.
# cryptsetup luksOpen /dev/sda2 yourname
Enter passphrase for /dev/sda2:
# vgcreate yourname /dev/mapper/yourname
  Volume group "yourname" successfully created
# lvcreate --name root -L 20G yourname
  Logical volume "root" created.
# lvcreate --name swap -L 2G yourname
  Logical volume "swap" created.
# lvcreate --name home -l 100%FREE yourname
  Logical volume "home" created.
We've made the various partitions of the hard drive. Now we have to actually make the filesystems. You can use something other than ext4 if you want; ext4 is just what I like. The official Void Linux guide uses XFS.
# mkfs.ext4 -L root /dev/yourname/root
mke2fs 1.43.4
Creating filesystem with 3831578 4k blocks and 948574 inodes
# mkfs.ext4 -L home /dev/yourname/home
mke2fs 1.43.4
Creating filesystem with 3185728 4k blocks and 29175 inodes
# mkswap /dev/yourname/swap
Setting up swapspace version 1...
# mount /dev/yourname/root /mnt
# for dir in dev proc sys run; do mkdir -p /mnt/$dir ; mount --rbind /$dir /mnt/$dir ; mount --make-rslave /mnt/$dir ; done
# mkdir -p /mnt/home
# mount /dev/yourname/home /mnt/home
Do these steps only if the machine boots via UEFI and you encrypted sda2: the first command formats sda1 as the EFI System Partition, which must stay unencrypted. If you have not been using sda2, skip this block entirely.
# mkfs.vfat /dev/sda1
# mkdir -p /mnt/boot/efi
# mount /dev/sda1 /mnt/boot/efi
This is the actual installation. If you have confirmed that the machine boots via UEFI and have been running the matching commands (sda2 encrypted, sda1 mounted at /mnt/boot/efi), you MUST install "grub-x86_64-efi". If not (if you did not mount anything at /mnt/boot/efi), install "grub" instead. The remaining commands set a root password, set the hostname, and choose a language. I personally prefer the musl version. If you want regular glibc, remove the /musl from the end of the repository URL in the next command. The last two lines (libc-locales and xbps-reconfigure -f glibc-locales) only apply to the glibc flavour; on musl there is no glibc-locales package, so skip them.
# xbps-install -Sy -R https://alpha.us.repo.voidlinux.org/current/musl -r /mnt base-system lvm2 cryptsetup grub-x86_64-efi
....
Do you want to import this public key? [Y/n]
....
# chroot /mnt
# chown root:root /
# chmod 755 /
# passwd root
# echo yourname > /etc/hostname
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
# echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
# xbps-reconfigure -f glibc-locales
At this point, edit /etc/fstab. Appending the output of blkid is an easy way to get the long random UUID of the new volume into the file without typing it by hand.
# blkid /dev/sda2 >> /etc/fstab
# nano /etc/fstab
Use the nano (or Vim, if available) editor to turn the appended last line of /etc/fstab into a proper entry; make sure it looks like the others. If you are on UEFI, there must also be an fstab entry for /boot/efi.
After that, add the line "GRUB_ENABLE_CRYPTODISK=y" to the end of /etc/default/grub; it makes GRUB unlock the encrypted volume so that it can read the kernel and initramfs from /boot. Then find the UUIDs of the partitions with this command.
# lsblk -l -o NAME,UUID
NAME UUID
sda1 D048-F74A
sda2 bfbc8381c7-372c-7e7b-38f09ca720a9b
# just an example, yours will be different
You will have to add a UUID to the file /etc/default/grub, on the line "GRUB_CMDLINE_LINUX_DEFAULT=". This option is a space-separated list, and you append to the end of it: rd.lvm.vg=yourname rd.luks.uuid=<UUID>, where <UUID> is the one the lsblk command above shows for the partition you ran luksFormat on (sda2 in this guide's UEFI layout, sda1 if you encrypted sda1). rd.luks.uuid tells dracut which LUKS container to unlock at boot, and rd.lvm.vg names the volume group you created with vgcreate, so both must match what you actually used. The Void documentation's example volume group is called voidvm, which is why you will see rd.lvm.vg=voidvm there; with this guide's naming it is yourname.
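Hand-editing /etc/default/grub is where a typo turns into an unbootable system, so here is an added example (not from the guide, and not Void's tooling) that makes the two edits described above in an idempotent way: it reads the UUID straight from the LUKS header with `cryptsetup luksUUID`, appends the two dracut parameters only if they are not already present, and adds GRUB_ENABLE_CRYPTODISK=y exactly once. The file path is a parameter so you can try it on a copy first.

```shell
#!/bin/sh
# Added example (not from the guide): make the two /etc/default/grub edits the
# guide asks for without hand-editing, and without duplicating the parameters
# if you run it twice. FILE is a parameter so the functions can be tried on a
# copy first; on the real system pass /etc/default/grub, the volume group name
# you chose, and the LUKS UUID.

# luks_uuid DEVICE : the UUID dracut needs (same value lsblk shows for the LUKS partition)
luks_uuid() { cryptsetup luksUUID "$1"; }

# grub_cmdline FILE : current value of GRUB_CMDLINE_LINUX_DEFAULT, quotes stripped
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# rewrite FILE SED_SCRIPT : in-place edit via a temp file (no GNU-only sed -i)
rewrite() {
    tmp="$1.tmp.$$"
    sed "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# set_var FILE NAME VALUE : write NAME=VALUE, replacing an existing line or appending
set_var() {
    if grep -q "^$2=" "$1"; then
        rewrite "$1" "s|^$2=.*|$2=$3|"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# grub_add_cmdline_params FILE VG LUKS_UUID : append the dracut parameters
# only if they are not already in the list
grub_add_cmdline_params() {
    new=$(grub_cmdline "$1")
    for tok in "rd.lvm.vg=$2" "rd.luks.uuid=$3"; do
        case " $new " in
            *" $tok "*) ;;              # already there
            *) new="$new $tok" ;;
        esac
    done
    new=${new# }                        # drop the leading space if the list was empty
    set_var "$1" GRUB_CMDLINE_LINUX_DEFAULT "\"$new\""
}

# grub_enable_cryptodisk FILE : GRUB_ENABLE_CRYPTODISK=y, exactly once
grub_enable_cryptodisk() { set_var "$1" GRUB_ENABLE_CRYPTODISK y; }

# Usage inside the chroot (after luksFormat on /dev/sda2 and vgcreate yourname):
#   grub_enable_cryptodisk /etc/default/grub
#   grub_add_cmdline_params /etc/default/grub yourname "$(luks_uuid /dev/sda2)"
```

Running `grub_add_cmdline_params` a second time leaves the file unchanged, and any options already on the GRUB_CMDLINE_LINUX_DEFAULT line (loglevel, quiet, and so on) are preserved rather than overwritten.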
The next instructions generate a key file, register it as a second LUKS key, and bake it into the initramfs under /boot, so that you do not have to type the same passphrase twice at every boot (once for GRUB, once for the initramfs). Don't do this until after you've edited the GRUB file. REMEMBER: use sda2 in the cryptsetup command once again if you have a UEFI bootloader. DO NOT MIX THIS UP! You could really ruin your system if you're not careful. This example uses sda2.
# dd bs=512 count=4 if=/dev/urandom of=/boot/volume.key
4+0 records in
4+0 records out
2048 bytes copied
# cryptsetup luksAddKey /dev/sda2 /boot/volume.key
Enter any existing passphrase:
# chmod 000 /boot/volume.key
# chmod -R g-rwx,o-rwx /boot
Do you understand what is happening here? dd reads four 512-byte blocks, 2048 bytes in total, straight from the kernel's random number generator, /dev/urandom, and stores them in /boot/volume.key; luksAddKey then registers that file as a second key that unlocks the encrypted partition alongside your passphrase. The randomness is what makes the key unguessable and unique to your machine. Note that this key file sits unencrypted in /boot and inside the initramfs, which is only acceptable because /boot lives on the encrypted root volume (that is what GRUB_ENABLE_CRYPTODISK is for) and because the chmod commands keep it readable by root alone. You are lucky you only need 2 kilobytes from a dd and not an armored World Book Encyclopedia from GnuPG.
Then edit /etc/crypttab so it references the new "volume.key". The file should contain this single line.
yourname /dev/sda2 /boot/volume.key
After that, create the file /etc/dracut.conf.d/10-crypt.conf (creating the dracut.conf.d directory first if it does not exist) containing the following single line, which tells dracut to copy the key file and crypttab into the initramfs.
install_items+=" /boot/volume.key /etc/crypttab "
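The key-file steps (dd, chmod, crypttab, the dracut drop-in) are the part of this guide where a slip silently weakens the whole setup: a key file that is world-readable for even a moment, or a /boot that still lets other users read the initramfs, hands the disk key to any local account. The script below is an added example, not code from the guide or from Void, that performs those steps with the checks a reviewer would want: the key is created under a restrictive umask so it is never readable by others, its size and mode are verified, and an audit function lists anything under /boot still readable by group or others. ROOT is a path prefix so the functions can be exercised in a scratch directory; inside the chroot it is the empty string. The `cryptsetup luksAddKey` step is deliberately left to the guide's own command, since it needs the real LUKS device.

```shell
#!/bin/sh
# Added example (not from the guide): the key-file steps with the checks a
# reviewer would want. ROOT is a prefix so every function can be exercised in a
# scratch directory; inside the chroot it is "". The cryptsetup luksAddKey step
# is left to the guide's own command because it needs the real LUKS device.

# make_volume_key PATH : 2048 random bytes that are never world-readable, not
# even for the instant between creation and the final chmod
make_volume_key() {
    ( umask 077 && dd bs=512 count=4 if=/dev/urandom of="$1" 2>/dev/null ) || return 1
    chmod 000 "$1"
}

key_size() { stat -c %s "$1"; }   # byte count; works even on a mode-000 file
key_mode() { stat -c %a "$1"; }   # octal permission bits, "0" for chmod 000

# write_crypttab ROOT NAME DEVICE KEYFILE : the single line the guide shows
write_crypttab() {
    printf '%s %s %s\n' "$2" "$3" "$4" > "$1/etc/crypttab"
}

# write_dracut_conf ROOT KEYFILE : ship key and crypttab inside the initramfs
write_dracut_conf() {
    mkdir -p "$1/etc/dracut.conf.d"
    printf 'install_items+=" %s /etc/crypttab "\n' "$2" > "$1/etc/dracut.conf.d/10-crypt.conf"
}

# lockdown_boot BOOTDIR : the guide's chmod -R g-rwx,o-rwx /boot
lockdown_boot() { chmod -R g-rwx,o-rwx "$1"; }

# audit_boot BOOTDIR : print anything under /boot still readable by group or
# others; empty output means the key file and the initramfs that will carry it
# are root-only
audit_boot() {
    find "$1" \( -perm -040 -o -perm -004 \) -print
}

# Usage inside the chroot, matching the guide's sda2 layout:
#   make_volume_key /boot/volume.key
#   cryptsetup luksAddKey /dev/sda2 /boot/volume.key   # the guide's own step
#   write_crypttab "" yourname /dev/sda2 /boot/volume.key
#   write_dracut_conf "" /boot/volume.key
#   lockdown_boot /boot && audit_boot /boot            # expect no output
```

Run `audit_boot /boot` again after `xbps-reconfigure -f linuxX.X` has rebuilt the initramfs: the rebuilt image inherits /boot's directory permissions, and the audit confirms nothing under /boot is readable by anyone but root.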
Now we must install GRUB. Replace "X.X" with the installed kernel version: the package is named like "linux4.19", and xbps-query -l lists the installed packages if you need to check.
# grub-install /dev/sda
# xbps-reconfigure -f linuxX.X
Now all we have to do is exit the chroot, umount -R /mnt, and reboot. Take the flash drive out and boot into the new system. We are done! Let's see what we've accomplished:
- Partitioned the hard/solid state drive, with a sizeable /home directory, and 2 GB of swap.
- Encrypted the entire Void Linux partition with a passphrase of your choosing (which is NOT the root user's password) that only you know
- Created a digital key to unlock the newly-encrypted and partitioned hard or solid state drive
- Installed the base Void Linux system and changed the root password
Please run fstrim / immediately after booting into the new installation. You can put this command in /etc/cron.daily/fstrim and make it executable with chmod if you want to automate the task. Note that fstrim can only reach the SSD through the dm-crypt mapping if that mapping allows discards (the discard option in /etc/crypttab, or cryptsetup --allow-discards); without it, fstrim reports that the discard operation is not supported.
You should not use the discard mount option in /etc/fstab (continuous TRIM) on volumes you encrypted with LUKS during installation. This has security implications: TRIM tells the drive which blocks are unused, so it leaks information about what is on your SSD (the filesystem type, its layout, and how full it is) straight through the encryption, even though it does not expose file contents.
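To check that a finished installation follows the two paragraphs above, here is an added example (not from the guide) that audits the TRIM settings: it flags a discard option in the options column of /etc/fstab or /etc/crypttab and confirms that the daily fstrim job exists and is executable. ROOT is a path prefix so the checks can run against constructed files; on the installed system call `audit_trim ""`.

```shell
#!/bin/sh
# Added example (not from the guide): audit the TRIM settings described above.
# ROOT is a prefix so the checks can run against constructed files; on the
# installed system call audit_trim "".

# discard_entries FILE : non-comment lines whose 4th field (the options column
# of both fstab and crypttab) contains the discard option
discard_entries() {
    awk '!/^[ \t]*#/ && NF >= 4 && $4 ~ /(^|,)discard(,|$)/' "$1"
}

# fstrim_scheduled ROOT : is the daily fstrim job in place and executable?
fstrim_scheduled() { [ -x "$1/etc/cron.daily/fstrim" ]; }

# audit_trim ROOT : 0 when no continuous discard is configured and periodic
# fstrim is scheduled, 1 otherwise (reasons go to stdout)
audit_trim() {
    rc=0
    for f in etc/fstab etc/crypttab; do
        [ -f "$1/$f" ] || continue
        if [ -n "$(discard_entries "$1/$f")" ]; then
            echo "$f: continuous discard enabled, which reveals which blocks are free"
            rc=1
        fi
    done
    fstrim_scheduled "$1" || { echo "no executable /etc/cron.daily/fstrim"; rc=1; }
    return $rc
}
```

The guide's three-field crypttab line has no options column, so it passes; an entry such as `yourname /dev/sda2 /boot/volume.key discard` would be reported.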
This is important if you want to run Sublime Text, Steam, Soulseek, Spotify, or anything like that. Proprietary binaries from large software companies are dynamically linked against glibc and therefore will not run on a musl system. The symptom is confusing: when you try to run the executable, the shell says "No such file or directory" even though the binary is right there in front of you. The file that is actually missing is the glibc dynamic loader named in the binary's ELF header (/lib64/ld-linux-x86-64.so.2), which a musl system does not have.
Personally, I recommend using the directory /void-glibc as a chroot. This will require and remind you to primarily use the chroot as root, however using the environment as another user is also possible.
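Before setting up the chroot it helps to confirm that a failing program really is a glibc binary and not something else. The following is an added example (not from the guide) that reads the PT_INTERP program header of a 64-bit little-endian ELF file using only od and dd, so it works on a minimal musl system without binutils, and reports whether the loader it asks for exists. The `make_fake_elf` helper is a constructed test fixture, not a runnable program.

```shell
#!/bin/sh
# Added example (not from the guide): find out which dynamic loader a binary
# asks for and whether it exists, which is exactly what is missing when a glibc
# program on a musl system fails with "No such file or directory". Only od and
# dd are used, so it runs on a minimal musl chroot without binutils.

# od_num FILE OFFSET WIDTH : little-endian unsigned integer at OFFSET
od_num() { echo $(( $(od -An -t "u$3" -j "$2" -N "$3" "$1") )); }

# elf_interp FILE : print the interpreter path, empty for a static binary,
# return 1 if FILE is not a 64-bit little-endian ELF
elf_interp() {
    f=$1
    [ "$(od -An -t x1 -N 4 "$f" | tr -d ' ')" = "7f454c46" ] || return 1   # ELF magic
    [ "$(od -An -t u1 -j 4 -N 2 "$f" | tr -d ' ')" = "21" ] || return 1     # ELFCLASS64, little-endian
    phoff=$(od_num "$f" 32 8)       # e_phoff
    phentsize=$(od_num "$f" 54 2)   # e_phentsize
    phnum=$(od_num "$f" 56 2)       # e_phnum
    i=0
    while [ "$i" -lt "$phnum" ]; do
        off=$(( phoff + i * phentsize ))
        if [ "$(od_num "$f" "$off" 4)" -eq 3 ]; then      # p_type == PT_INTERP
            poff=$(od_num "$f" $(( off + 8 )) 8)           # p_offset
            psize=$(od_num "$f" $(( off + 32 )) 8)         # p_filesz (includes the NUL)
            dd if="$f" bs=1 skip="$poff" count="$psize" 2>/dev/null | tr -d '\000'
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 0
}

# diagnose_binary FILE : explain why a binary that is "right there" will not start
diagnose_binary() {
    interp=$(elf_interp "$1") || { echo "$1: not a 64-bit little-endian ELF"; return 2; }
    if [ -z "$interp" ]; then
        echo "$1: statically linked, no loader needed"
    elif [ -e "$interp" ]; then
        echo "$1: needs $interp (present)"
    else
        echo "$1: needs $interp, which does not exist here: the 'No such file or directory' case"
        return 1
    fi
}

# le VALUE WIDTH : VALUE (< 256) as WIDTH little-endian bytes, for the fixture below
le() {
    printf "\\$(printf '%03o' "$1")"
    i=1; while [ "$i" -lt "$2" ]; do printf '\000'; i=$(( i + 1 )); done
}

# make_fake_elf OUT INTERP : constructed 64-bit ELF header plus one PT_INTERP
# program header pointing at INTERP (a test fixture, not an executable program)
make_fake_elf() {
    n=$(( ${#2} + 1 ))
    {
        printf '\177ELF'; le 2 1; le 1 1; le 1 1; le 0 9        # e_ident: class 64, LE, version 1
        le 2 2; le 62 2; le 1 4; le 0 8                         # e_type, e_machine (x86-64), e_version, e_entry
        le 64 8; le 0 8; le 0 4; le 64 2; le 56 2; le 1 2       # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
        le 0 2; le 0 2; le 0 2                                  # e_shentsize, e_shnum, e_shstrndx
        le 3 4; le 4 4; le 120 8; le 0 8; le 0 8                # PT_INTERP, PF_R, p_offset, p_vaddr, p_paddr
        le "$n" 8; le "$n" 8; le 1 8                            # p_filesz, p_memsz, p_align
        printf '%s\000' "$2"
    } > "$1"
}

if [ -n "${1:-}" ]; then   # usage: sh diagnose.sh /path/to/sublime_text
    diagnose_binary "$1"
fi
```

On a musl system a glibc program reports a loader such as /lib64/ld-linux-x86-64.so.2 as missing, which is the cue to run it from the glibc chroot described next; a static binary or one linked against /lib/ld-musl-x86_64.so.1 will run as-is.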