Comprehensive Guide to BTRFS, LUKS Encryption, and SWAP Setup

Welcome to revWhiteShadow’s kts personal blog, where we delve into advanced system configurations. In this guide, we will provide a detailed, step-by-step approach to installing a system using BTRFS, LUKS full-disk encryption, and a SWAP partition. This setup offers benefits such as data integrity, security, and efficient memory management. It’s designed for advanced users comfortable with command-line operations and system partitioning.

I. Preparation and Booting into the Installation Medium

Before commencing, ensure you have:

  • A bootable installation medium (USB drive or DVD) containing the operating system of your choice (e.g., Arch Linux, Manjaro, Fedora).
  • A stable internet connection for downloading packages during the installation process.
  • A basic understanding of command-line operations and partitioning tools (e.g., fdisk, parted).
  • Backups of all critical data on your system. Data loss is possible during partitioning, so this step is crucial.

  1. Boot from the Installation Medium: Insert the bootable USB drive or DVD into your computer and restart it. Configure your BIOS or UEFI settings to boot from the selected medium. Typically, pressing keys like F2, F12, Delete, or Esc during startup will allow you to access the boot menu.

  2. Access the Command Line: Once the installation medium boots, you should be presented with a command-line interface or a graphical installer. We will focus on the command-line method as it provides greater control over the partitioning and encryption process. If you’re in a graphical environment, open a terminal emulator.

  3. Verify Boot Mode: Determine whether you are booting in UEFI or BIOS (Legacy) mode. This is crucial for setting up the bootloader correctly. Run the command:

    ls /sys/firmware/efi/efivars

    If the directory /sys/firmware/efi/efivars exists, you are in UEFI mode. If it doesn’t, you are in BIOS mode.

II. Partitioning the Disk

We will use fdisk for partitioning. Adapt drive names as needed (e.g., /dev/sda, /dev/nvme0n1).

  1. Identify the Target Disk: List available disks:

    fdisk -l

    Identify the disk you want to install the system on. Note its device name (e.g., /dev/sda).

  2. Launch fdisk:

    fdisk /dev/sda (replace /dev/sda with the appropriate device name)

  3. Create Partitions:

    • Create a GPT Partition Table: If the disk is new or you’re starting fresh, create a GPT partition table:

      • Type g (create a new empty GPT partition table)

    • Create the EFI Partition (for UEFI systems):

      • Type n (add a new partition)
      • Partition number: 1 (usually the first partition)
      • First sector: Accept the default.
      • Last sector: +512M (allocates 512MB for the EFI partition). This should be sufficient.
      • Type: EF00 (EFI System Partition)

    • Create the Boot Partition (unencrypted /boot):

      • Type n (add a new partition)
      • Partition number: 2 (or the next available)
      • First sector: Accept the default.
      • Last sector: +2G (allocates 2GB for the /boot partition). This is large enough for multiple kernels.
      • Type: 8300 (Linux filesystem)

    • Create the LUKS Partition:

      • Type n (add a new partition)
      • Partition number: 3 (or the next available)
      • First sector: Accept the default.
      • Last sector: Accept the default (use the remaining space for the LUKS partition).
      • Type: 8300 (Linux filesystem)

    • Create the Swap Partition (Optional):

      • Type n (add a new partition)
      • Partition number: 4 (or the next available)
      • First sector: Accept the default.
      • Last sector: +8G (allocates 8GB for the swap partition. Adjust this based on your RAM). If you have ample RAM (32GB+), a swap file might be more convenient.
      • Type: 8200 (Linux swap / Solaris)

  4. Write Changes to Disk: After creating the partitions, type w to write the changes to the disk and exit fdisk. Be absolutely certain that these are the changes you want to make, as they will overwrite existing data.

III. Formatting and Encrypting the Partitions

  1. Format the EFI Partition:

    mkfs.fat -F32 /dev/sda1 (replace /dev/sda1 with the correct device name)

  2. Format the Boot Partition:

    mkfs.ext4 /dev/sda2 (replace /dev/sda2 with the correct device name)

  3. Encrypt the LUKS Partition:

    cryptsetup luksFormat /dev/sda3 (replace /dev/sda3 with the correct device name)

    You will be prompted to confirm the operation and set a strong passphrase. This passphrase is essential for decrypting the drive during boot.

  4. Open the LUKS Partition:

    cryptsetup luksOpen /dev/sda3 luksroot (replace /dev/sda3 with the correct device name. luksroot is the name we are assigning to the mapped device)

    Enter the passphrase you set during luksFormat.

  5. Format the BTRFS Filesystem:

    mkfs.btrfs /dev/mapper/luksroot

  6. Format the Swap Partition (Optional):

    mkswap /dev/sda4 (replace /dev/sda4 with the correct device name)

    swapon /dev/sda4

IV. Mounting the Filesystems

  1. Create Mount Points:

    mount /dev/mapper/luksroot /mnt

    mkdir -p /mnt/boot

    mount /dev/sda2 /mnt/boot

    mkdir -p /mnt/boot/efi

    mount /dev/sda1 /mnt/boot/efi

  2. Create BTRFS Subvolumes: We’ll create subvolumes for root (/), home (/home), and potentially others like /var, /tmp, or /snapshots for easier management and snapshots. This step enhances organization and simplifies tasks like restoring to a previous system state.

    • btrfs subvolume create /mnt/@ (for root)
    • btrfs subvolume create /mnt/@home (for home)
    • btrfs subvolume create /mnt/@snapshots (optional, for snapshots)
    • btrfs subvolume create /mnt/@var (optional, for /var)
    • btrfs subvolume create /mnt/@tmp (optional, for /tmp)

  3. Unmount the Root Filesystem:

    umount /mnt

  4. Mount the Subvolumes: Now, mount the subvolumes to their respective mount points.

    • mount -o subvol=@ /dev/mapper/luksroot /mnt
    • mkdir /mnt/{home,var,tmp,.snapshots}
    • mount -o subvol=@home /dev/mapper/luksroot /mnt/home
    • mount -o subvol=@var /dev/mapper/luksroot /mnt/var (if you created it)
    • mount -o subvol=@tmp /dev/mapper/luksroot /mnt/tmp (if you created it)
    • mount -o subvol=@snapshots /dev/mapper/luksroot /mnt/.snapshots (if you created it)

V. Installing the Base System

This step varies depending on the distribution. We’ll use Arch Linux as an example.

  1. Install the Base Packages:

    pacstrap /mnt base linux linux-firmware nano vim btrfs-progs dhcpcd (adjust packages as needed)

    This installs the base system, the kernel, firmware, a text editor, and network tools.

  2. Generate the fstab File:

    genfstab -U /mnt >> /mnt/etc/fstab

    This generates the file system table, which defines how partitions are mounted on boot. Carefully review /mnt/etc/fstab to ensure the UUIDs and mount options are correct. For BTRFS, add defaults,noatime,compress=zstd to the mount options. Remove or comment out the line for the swap partition if you’re using a swap file.

  3. Chroot into the New System:

    arch-chroot /mnt

VI. Configuring the System

  1. Set the Time Zone:

    ln -sf /usr/share/zoneinfo/YourRegion/YourCity /etc/localtime (replace YourRegion/YourCity with your actual time zone)

    hwclock --systohc

  2. Set the Locale:

    • Edit /etc/locale.gen and uncomment your desired locale (e.g., en_US.UTF-8 UTF-8).

    • Run locale-gen.

    • Create /etc/locale.conf and set the LANG variable:

      echo "LANG=en_US.UTF-8" > /etc/locale.conf (replace en_US.UTF-8 with your chosen locale)

  3. Set the Hostname:

    echo "yourhostname" > /etc/hostname (replace yourhostname with your desired hostname)

    Add the hostname to /etc/hosts:

    127.0.0.1   localhost
::1         localhost
127.0.1.1   yourhostname.localdomain   yourhostname

  4. Set the Root Password:

    passwd

    Enter a strong password for the root user.

  5. Install a Bootloader: We’ll use GRUB for UEFI and BIOS systems.

    • For UEFI:

      pacman -S grub efibootmgr dosfstools
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB

      Create /etc/default/grub and add GRUB_ENABLE_CRYPTODISK=y to enable LUKS support.

      Generate the GRUB configuration:

      grub-mkconfig -o /boot/grub/grub.cfg

    • For BIOS (Legacy):

      pacman -S grub
grub-install --target=i386-pc /dev/sda

      Create /etc/default/grub and add GRUB_ENABLE_CRYPTODISK=y to enable LUKS support.

      Generate the GRUB configuration:

      grub-mkconfig -o /boot/grub/grub.cfg

      Important for BIOS: The first 1MB of the drive (where GRUB installs its core image) must be outside of any partition. If you’re having issues booting, ensure there’s unpartitioned space at the beginning of the disk.

  6. Enable Network Manager (Optional):

    systemctl enable NetworkManager

  7. Configure the Initramfs: Edit /etc/mkinitcpio.conf and add encrypt btrfs lvm2 to the HOOKS line, before filesystems. The order matters; encrypt should come before filesystems to unlock the LUKS partition during boot. For example:

    HOOKS="base udev autodetect modconf block encrypt btrfs lvm2 filesystems keyboard fsck"

    Regenerate the initramfs:

    mkinitcpio -P

  8. (If not using Network Manager) Enable dhcpcd

    systemctl enable dhcpcd

VII. Exiting Chroot and Rebooting

  1. Exit Chroot:

    exit

  2. Unmount the Partitions:

    umount -R /mnt

  3. Reboot the System:

    reboot

    Remove the installation medium.

VIII. First Boot and Post-Installation

  1. Enter the LUKS Passphrase: During boot, you’ll be prompted to enter the LUKS passphrase to unlock the encrypted partition.

  2. Log in: Log in as the root user.

  3. Create a User Account:

    useradd -m -G wheel yourusername (replace yourusername with your desired username)

    passwd yourusername (set a password for the new user)

    Enable sudo access for the user by uncommenting the %wheel ALL=(ALL) ALL line in /etc/sudoers (using visudo).

  4. Install a Display Manager and Desktop Environment (Optional):

    pacman -S xorg
pacman -S sddm plasma
systemctl enable sddm

    This installs the Xorg display server, the SDDM display manager, and the Plasma desktop environment. Choose your preferred display manager and desktop environment accordingly.

IX. BTRFS Snapshots (Optional)

To enable automatic BTRFS snapshots, you can use tools like snapper or timeshift. We’ll briefly outline snapper.

  1. Install snapper:

    pacman -S snapper

  2. Configure snapper:

    snapper -c root create-config /

    Edit /etc/snapper/configs/root to adjust settings such as snapshot frequency, number of snapshots to keep, and other parameters.

  3. Enable snapper Timers:

    systemctl enable snapper-timeline.timer

    systemctl enable snapper-cleanup.timer

These timers will automatically create and clean up snapshots according to the configuration.

X. Troubleshooting

  • LUKS Not Recognized: Ensure the encrypt hook is correctly placed in /etc/mkinitcpio.conf and that the initramfs is regenerated after making changes. Double-check that GRUB_ENABLE_CRYPTODISK=y is set in /etc/default/grub and that GRUB is properly configured.
  • Boot Issues After Updates: When updating the kernel, remember to regenerate the GRUB configuration and the initramfs to reflect the changes.
  • File System Corruption: BTRFS provides checksumming to detect and correct errors. Regularly scrub the file system to check for and fix errors: btrfs scrub start /.

XI. Conclusion

This guide provides a detailed walkthrough for setting up a system with BTRFS, LUKS encryption, and a SWAP partition. While the process is intricate, the resulting system offers enhanced security, data integrity, and flexibility. Remember to adapt the commands and configurations to your specific needs and always back up your data before making significant system changes. This guide by revWhiteShadow aims to provide the most comprehensive instructions available on kts personal blog. Good luck!