[solved] luks on lvm encryption keymap issue

Similar Messages

• Wiki: Using multiple hard drives, LVM & encryption

  I have lately found myself with the issue of having multiple hard drives and wanting to do LVM stuff & encryption with while retaining maximum flexibility. After scanning through wikis, manpages and forum entries I came up with a solution for myself. The only thing I don't cover with it is mounting while booting as I don't need and can't test it.
  I want to share the knowledge I gained and help other people find a solution faster and so I wrote a Wiki entry (first on my user page). I would now like to hear the opinion of the community regarding the following questions:
  Do you see any security risks with my solution (especially the part on storing the unencrypted keyfile on a ramdisk)?
  Do you think this text is worthy for a wiki entry or should I keep it in the forums?
  Do you spot any errors (typing or else)?
  Would you improve this article anywhere?
  Of course, if you have further comments, I would like to here them as well. And now without further ado: Using multiple hard drives, LVM & encryption.
  Regards,
  javex
  P.S.: As a small side question: Is my user page a good playground for article creation or would you recommend some other area where to do this (since here noone else could improve the article while in this early stage)?

  mwmmartin wrote:
  I have a 1 TB hard drive; but I have a 500GB and 250GB usb external hard drives.
  Wouldn't it be cool if I could make the two external hard drives a RAID drive and use Time Machine to use all the 750GB of external memory to do my backups???
  You can, but I would +*strongly recommend against+* it. See +Concatenated RAID+ in the Help for Disk Utility.
  There are several potential problems:
  Depending on how much data is on your 1 TB drive, 750 GB may not be enough to back it up. See #1 in Time Machine - Frequently Asked Questions (or use the link in *User Tips* at the top of this forum).
  To set up a +Concatenated RAID+ set, both drives will be erased.
  When (not if) either drive fails, you'll lose all the data on both.
  Both drives must be connected any time you do a backup or want to browse your backups.
  Especially with USB, if one drive wakes from sleep, or spins up, quickly enough, but the other one doesn't, the backup may fail and/or your backups may be corrupted.
  For now, it looks like my only solution is to go buy a bigger external hard drive and spend more money,,,
  That's your best solution +*by far.+* Anything else is taking a large risk with your backups.

• LVM on LUKS on LVM

  Does anyone know if, on a system with LVM on LUKS on LVM, a logical volume created inside a LUKS container can be added to the same volume group that the LUKS container is in? Even if this is possible, is it this just a bad idea from a security perspective? Should the outer LVM and inner LVM each have their own physical devices, volume groups, and logical volumes?

  sda
  └─sda1
    └─Storage 254:0    0 XG  0 lvm
      ├─Storage-lrootvol                        254:1    0    XG  0 lvm   /
      └─luks 254:0    0 XG  0 crypt
        ├─Storage-lvarvol                         254:2    0    XG  0 lvm   /var
        ├─Storage-lhomevol                        254:3    0   XG  0 lvm   /home
        ├─Storage-ltmpvol                        254:4    0   XG  0 lvm   /tmp
        └─Storage-lswapvol                        254:5    0   XG  0 lvm   swap
  Yes, that's what I was thinking, except that it's all on sda2 because sda1 is my EFI System partion.
  Why don't you just encrypt the root partition as well? Any reason why that wouldn't work for you?
  This is on a laptop, so I was trying to avoid the performance/battery life penalty of encrypting the root partition.

• [solved]Booting a LVM logical volume spanned across two LUKS paritions

  I have two partitions formatted as LUKS that both physical LVM volumes for a logical LVM partition that holds my root filesystem.  I can't seem to figure out what the kernel line should be.  I tried specifying cryptdevice twice, but it seems to only want to take one of the cryptdevice= options.  What now?
  Last edited by synthead (2011-12-09 16:17:06)

  I found this: https://bbs.archlinux.org/viewtopic.php … 95#p827495
  Modifying /lib/initcpio/hooks/encrypt with the patch as recommended did the trick.  I'll file a feature request for this

• System encryption :: Luks on lvm or Lvm on Luks?

  Hello,
  I was reading up about lvm and luks and decided I want to encrypt my system. Until now I have been using truecrypt to encrypt a data partition which get mounted during boot. I recently bought myself a netbook and since then I've been pondering how to make the most use of HD space and keeping it secure should it get stolen.
  I have 3 Harddrives in my tower. One of the HDs is my backup drive. The other two are for OSs. What I would like to do is
  1) Create an encrypted volume group on HD 1 (has about 650 Gb).
  2) Create 2 LVs for /root /home on HD1
  3) Rsync /root and /home to the LVs  HD2 -> HD1
  4)  HD2 secure erase
  5) create VG on HD2 and add it to VG on HD1
  *** My Question ***
  While reading up on lvm and luks I came upon this article and I'm not quite sure which one is better suited for my situation. I don't know how easy it is to grow/add to an encrypted vg or lg.
  There are two ways of setting up an encrypted disk using LVM:
  1. Create the LVM and encrypt every volume separately
  2. Set up LVM on top of an encrypted partition
  source :: http://www.pindarsign.de/webblog/?p=767
  Update : Using badblocks on /dev/sda4 didn't work as intended. It completely wiped /dev/sda.  One way of going Windows free.
  Luckily enough windows 7 was still able to boot without a partition table (scratches head), so I was able to copy some saved games and the downloads folder.
  Last edited by whitethorn (2011-09-19 15:12:12)

  Dieter@be wrote:
  AFAIK you cannot resize luks/dm_crypt devices, so you lose a lot of the flexibility if you put luks on top. of lvm.
  personally i do full disk encryption with luks/dm_crypt, then lvm on top of that.
  btw the arch installer supports both scenarios out of the box.
  Sounds like what I'm doing right now. I encrypted my first HD then added lvm on top of that. It took a little while to get a seperate boot working and chroot to get all the files setup how I want. At the moment I'm randomizing a 2 Tb harddrive 10 hours 85%. Once it finishes encrypt the drive and add lvm on top. I'm not quite sure if I can grow my /home with the space from the 2nd drive and how to decrypt it during boot

• [SOLVED] Arch Linux on encrypted luks partition on USB key

  Hi
  I've installed Arch Linux on a USB key following this Wiki page: https://wiki.archlinux.org/index.php/In … _a_USB_key
  I also used dm-crypt as described in this Wiki page: https://wiki.archlinux.de/title/Festpla … iante_1.29
  I installed Arch Linux on the USB key using VirtualBox.
  To do that, I created a "rawvmdk":
  vboxmanage internalcommands createrawvmdk -filename ./usb.vmdk -rawdisk /dev/sdd
  Everything works fine when I'm trying to start the system within VirtualBox.
  Syslinux loads Arch using the following kernel command:
  APPEND cryptdevice=UUID=6aa73872-3755-4bdf-bee3-d1cd7a3fe0bf:main root=/dev/mapper/main-root rw
  /etc/mkinitcpio.conf holds the following "HOOKS" configuration:
  HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsch resume"
  As already mentioned the configuration works within VirtualBox. When I'm trying to boot from the USB key on my real computer, I'm getting an error. Syslinux works fine and loads Linux, but Linux is complaining. Here's the log:
  :: running hoock [encrypt]
  Waiting 10 seconds for device /dev/disk/by-uuid/6aa73872-3755-4bdf-bee3-d1cd7a3fe0bf ...
  ERROR: device '/dev/mapper/main-root' not found. Skipping fschk.
  ERROR: Unable to find root device '/dev/mapper/main-root'.
  You are being dropped to a recovery shell
  I'm not getting prompted for the passphrase since the cryptdevice can not be found. But why? It can be found when I'm booting within VirtualBox. What might be different? I successfully installed other Linux distributions (but without encryption and using GRUB as bootloader) previously within VirtualBox and was able to boot from the USB key on a real machine afterwards.
  Some additional information that might help:
  Here's the "lsblk -f output" for the stick:
  sdd
  ├─sdd1 ext4 usbboot bb45e84e-842e-4209-8c44-1af3c7933389
  └─sdd2 crypto_L 6aa73872-3755-4bdf-bee3-d1cd7a3fe0bf
  When I'm running "lsblk" or "blkid" from the recovery shell after the failure, I'm getting no output. "ls /dev/sd*" returns nothing as well. The directory /dev/disk does not even exists in the recovery shell. (I'm not sure if this is normal or not.)
  Thanks for helping.
  Last edited by The Infinity (2014-08-14 20:26:06)

  I still haven't solved the problem:
  When starting the system on a machine with NVIDIA GTX 560Ti graphics card:
  - X doesn't start using startx or xinit and there are no log entries in /var/log/Xorg.*.log (as I haven't tried to start X).
  - I'm getting the message "Waiting for X server to begin accepting connections .. .. .. ..".
  - I already tried to uninstall xf86-video-nouveau and nouveau-dri with no effect.
  - Additionally: The "default terminals tty1/2/3/..." (which I'm using to start X) from have a poor resolution (I think 640x480 pixel).
  When starting the system on a virtual machine or a machine with an ATI Radeon (mobile) graphics card:
  - X starts and runs without any trouble the XFCE desktop environment.
  - Additionally: The default terminals have a proper resolution (I think the maximal resolution of the display).

• [Solved] Ipython Notebook Setup - zmq Dependency Issue

  I'm posting both the problem and the solution here in case this helps anyone else who is working with IPython
  I just ran into  an issue trying to run the ipython notebook on a fresh install of Arch Linux. After installation Ipython works correctly from a shell/terminal prompt, but fails to start when you try to run it in notebook mode (via the' $ ipython notebook --pylab' command ).
  This fails with an error that the incorrect version of pyzmq is installed - it's looking for version 2.1.4 (which apparently is not installed with the IPython install. FWIW I reinstalled ipython just to verify that I was not imagining things<g>)!.  You can see some more info on this link:
  http://ipython.org/ipython-doc/dev/inst … python-zmq
  To reinstall/upgrade to the correct version use the following command:
  $ sudo pip2 install ipython[zmq]
  Notes:  1) This is the appropriate syntax to install subcomponents within a package (did not know this before as I normally install the entire pkg))
              2) I use pip2 here as I have both py2.7 and 3.3 installed and I'm trying to develop with py 3.3.
              3) AFAIK pip install is recommended over pacman for python components.
  Hope this helps someone as it's frustrating trying to solve these install dependency issues - especially if the focus is on finishing some other task. Perhaps someone could confirm where this needs to be fixed as the problem is probably due to an upstream dependency.

  ziv667 wrote:HOOKS="base udev autodetect modconf encrypt lvm2 block filesystems keyboard fsck"
  Where's the keymap hook?
  HOOKS="base udev autodetect modconf keymap encrypt lvm2 block filesystems keyboard fsck"

• [Solved] System asks for encryption password multiple times

  Hey guys,
  I have following problem:
  I am using dmcrypt for encryption of my hard drive but it seems like I have made a mistake when I installed it. But for the most time I ignored it.
  When I start my system it ask for the encryption password normally. The strange thing is that it also asks for the Password when services start.
  If I issue a command with systemctl start XXX I also get following message:
  Please enter passphrase for disk Crucial_CTXXXXXSSD1 (lukslvm)
  There is no problem if I just press Enter and go on actually but this still bugs me.
  I wonder what I did wrong at that time.
  Edit:
  /etc/crypttab:
  lukslvm UUID=xxxxxxxxxxx------xxxxxxxxxx none luks
  lvm pvscan:
  PV /dev/mapper/vgarch   VG vgarch   lvm2 [223,38 GiB / 0    free]
    Total: 1 [223,38 GiB] / in use: 1 [223,38 GiB] / in no VG: 0 [0   ]
  Last edited by Erhan (2014-12-17 12:45:53)

  Fixed by removing the entry in /etc/crypttab
  I don't even remember adding it there but it has been already some years.

• [SOLVED] luks-passphrase not working after update

  SOLVED: Hard drive was damaged. new hard drive ''fixed'' issue
  Hello,
  i updated my arch on 2015-06-05. After restarting my cryptsetup does not accept my password anymore.
  No key available with this passphrase.
  Searching the forum i found a couple of simular topics, nevertheless none of them offered a solution to the problem:
  https://bbs.archlinux.org/viewtopic.php?id=169408
  https://bbs.archlinux.org/viewtopic.php?id=175737
  https://bbs.archlinux.org/viewtopic.php?id=148562
  So the solutions that did not work so far:
  1. Downgrading cryptsetup package
  2. Downgrading kbd package
  3. Checked that my keyboard works just fine (both in grub and in live system)
  4. Manualy loading the aes modules in live system to ensure correct decryption (found that issue somewhere...)
  Unfortunatly i did not backup the luks header file.
  So i don't know if there is some other way to check if the header is broken or how to find out why it will not decrypt my disk.
  I am happy for any solutions or ideas
  Regards,
  Some outputs from cryptsetup:
  cryptsetup -v isLuks /dev/sda2
  Command successful.
  cryptsetup -v luksDump /dev/sda2
  LUKS header information for /dev/sda2
  Version: 1
  Cipher name: aes
  Cipher mode: xts-plain64
  Hash spec: sha512
  Payload offset: 4096
  MK bits: 512
  MK digest: 66 00 4c 66 17 ec 2c 82 68 b3 26 2e 58 df 76 cf 3b f5 18 ef
  MK salt: b8 e0 5d 4d 5c bb 23 6a fc fc 86 d8 5d b6 3f 1f
  28 b6 0e 49 33 9a 8b e6 a2 55 f5 42 32 92 95 db
  MK iterations: 51000
  UUID: dbe69743-7753-4a54-a221-a662042c0444
  Key Slot 0: ENABLED
  Iterations: 204146
  Salt: fa 22 ec 71 49 2c af 9f 64 10 b3 8e f4 76 31 c0
  02 16 dd 2c 72 7e 2f 4b 0b 08 2f 02 03 dd 52 dc
  Key material offset: 8
  AF stripes: 4000
  Key Slot 1: DISABLED
  Key Slot 2: DISABLED
  Key Slot 3: DISABLED
  Key Slot 4: DISABLED
  Key Slot 5: DISABLED
  Key Slot 6: DISABLED
  Key Slot 7: DISABLED
  Command successful.
  Last edited by Fleeep (2015-06-14 12:09:24)

  losetup --read-only /dev/loop7 /dev/sda2
  dmsetup create foobar --table '0 2048 crypt aes-xts-plain64 4ec1a210c7c44208ca132559cda338d7651471abd47b619b1d3a15d273ab69875cdd2bcb7c2750f6cab9e6b2e19f487fb4766bb7826819c8b2de898fe3c0b999 0 7:7 4096'
  file -s -L /dev/mapper/foobar
  hexdump -C /dev/mapper/foobar
  Gives me the master key for the decrypted partition (denoted as forum_key_kex).
  Do i need to convert this to binary or something to use it...?
  Assume Filesystem/dev_sda2 is the partition to decrypt.
  So to decrypt the partition directly with master key i have to do one of the following, wasn't sure which hash to take...:
  echo "0 `blockdev --getsz Filesystem/dev_sda2` crypt aes-cbc-essiv:sha256 `echo SomeEncrypt | sha256sum | head -c 64` 0 Filesystem/dev_sda2 4096" | dmsetup create luks_volume
  echo "0 `blockdev --getsz Filesystem/dev_sda2` crypt aes-cbc-essiv:sha256 `sha256sum forum_key_hex | head -c 64` 0 Filesystem/dev_sda2 4096" | dmsetup create luks_volume
  as i found on:
  http://unix.stackexchange.com/questions … master-key
  (approved by you in the comment as it seems)
  But both give me an error:
  device-mapper: resume ioctl on luks_volume failed: Invalid argument
  Command failed
  Did i even do this right?
  Also when i copied the partition to an external device dd_rescue observed 6 errors in blocks. So those might just be the cause of failure all the time.

• System encryption using LUKS and GPG encrypted keys for arch linux

  Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
  Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
  Update: 2013-01-13: Updated the hook files using the corrections by Deth.
  Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
  I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
  Intro
  Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
  Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
  Conventions
  In this short guide, I use the following disk/partition names:
  /dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
  /dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
  /dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
  Credits
  Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
  Guide
  1. Boot the arch live cd
  I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
  2. Set keymap
  Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
  3. Wipe your discs
  ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
  Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
  shred -v /dev/sda
  shred -v /dev/sdb
  4. Partitioning
  Fire up fdisk and create the following partitions:
  /dev/sda1, type linux swap.
  /dev/sda2: type linux
  /dev/sda3: type linux
  /dev/sdb1, type linux
  Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
  5. Format  and mount the usb stick
  Create an ext2 filesystem on /dev/sdb1:
  mkfs.ext2 /dev/sdb1
  mkdir /root/usb
  mount /dev/sdb1 /root/usb
  cd /root/usb # this will be our working directory for now.
  Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
  6. Configure the network (if not already done automatically)
  ifconfig eth0 192.168.0.2 netmask 255.255.255.0
  route add default gw 192.168.0.1
  echo "nameserver 192.168.0.1" >> /etc/resolv.conf
  (this is just an example, your mileage may vary)
  7. Install gnupg
  pacman -Sy
  pacman -S gnupg
  Verify that gnupg works by launching gpg.
  8. Create the keys
  Just to be sure, make sure swap is off:
  cat /proc/swaps
  should return no entries.
  Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
  Choose a strong password!!
  Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
  Note that the default cipher for gpg is cast5, I just chose to use a different one.
  9. Create the encrypted devices with cryptsetup
  Create encrypted swap:
  cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
  You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
  Important: From the Cryptsetup 1.1.2 Release notes:
  Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
      if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
        as normal binary file and no new line is interpreted.
      if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
        stop after new line is detected.
  If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
  gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
  gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
  Check for any errors.
  10. Open the luks devices
  gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
  gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
  If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
  11. Start the installer /arch/setup
  Follow steps 1 to 3.
  At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
  Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
  Select DONE to start formatting.
  At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
  Start step 6 (Install packages).
  Go to step 7 (Configure System).
  By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
  Edit /etc/fstab:
  /dev/mapper/root / ext4 defaults 0 1
  /dev/mapper/swap swap swap defaults 0 0
  /dev/mapper/var /var ext4 defaults 0 1
  # /dev/sdb1 /boot ext2 defaults 0 1
  Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
  Go to step 8 (install boot loader).
  Be sure to change the kernel line in menu.lst:
  kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
  Don't forget the :root suffix in cryptdevice!
  Also, my root line was set to (hd1,0). Had to change that to
  root (hd0,0)
  Install grub to /dev/sdb (the usb stick).
  Now, we can exit the installer.
  12. Install mkinitcpio with the etwo hook.
  Create /mnt/lib/initcpio/hooks/etwo:
  #!/usr/bin/ash
  run_hook() {
  /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
  if [ -e "/sys/class/misc/device-mapper" ]; then
  if [ ! -e "/dev/mapper/control" ]; then
  /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
  fi
  [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
  # Get keyfile if specified
  ckeyfile="/crypto_keyfile"
  usegpg="n"
  if [ "x${cryptkey}" != "x" ]; then
  ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
  ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
  ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
  if poll_device "${ckdev}" ${rootdelay}; then
  case ${ckarg1} in
  *[!0-9]*)
  # Use a file on the device
  # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
  if [ "${ckarg2#*.}" = "gpg" ]; then
  ckeyfile="${ckeyfile}.gpg"
  usegpg="y"
  fi
  mkdir /ckey
  mount -r -t ${ckarg1} ${ckdev} /ckey
  dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
  umount /ckey
  # Read raw data from the block device
  # ckarg1 is numeric: ckarg1=offset, ckarg2=length
  dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
  esac
  fi
  [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
  fi
  if [ -n "${cryptdevice}" ]; then
  DEPRECATED_CRYPT=0
  cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
  cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
  else
  DEPRECATED_CRYPT=1
  cryptdev="${root}"
  cryptname="root"
  fi
  warn_deprecated() {
  echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
  echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
  if poll_device "${cryptdev}" ${rootdelay}; then
  if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  dopassphrase=1
  # If keyfile exists, try to use that
  if [ -f ${ckeyfile} ]; then
  if [ "${usegpg}" = "y" ]; then
  # gpg tty fixup
  if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
  cp -a /dev/console /dev/tty
  while [ ! -e /dev/mapper/${cryptname} ];
  do
  sleep 2
  /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
  dopassphrase=0
  done
  rm /dev/tty
  if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
  else
  if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
  dopassphrase=0
  else
  echo "Invalid keyfile. Reverting to passphrase."
  fi
  fi
  fi
  # Ask for a passphrase
  if [ ${dopassphrase} -gt 0 ]; then
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  #loop until we get a real password
  while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
  sleep 2;
  done
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  elif [ -n "${crypto}" ]; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  msg "Non-LUKS encrypted device found..."
  if [ $# -ne 5 ]; then
  err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
  err "Non-LUKS decryption not attempted..."
  return 1
  fi
  exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
  tmp=$(echo "${crypto}" | cut -d: -f1)
  [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f2)
  [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f3)
  [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f4)
  [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f5)
  [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
  if [ -f ${ckeyfile} ]; then
  exe="${exe} --key-file ${ckeyfile}"
  else
  exe="${exe} --verify-passphrase"
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  fi
  eval "${exe} ${CSQUIET}"
  if [ $? -ne 0 ]; then
  err "Non-LUKS device decryption failed. verify format: "
  err " crypto=hash:cipher:keysize:offset:skip"
  exit 1
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  else
  err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
  fi
  fi
  rm -f ${ckeyfile}
  fi
  Create /mnt/lib/initcpio/install/etwo:
  #!/bin/bash
  build() {
  local mod
  add_module dm-crypt
  if [[ $CRYPTO_MODULES ]]; then
  for mod in $CRYPTO_MODULES; do
  add_module "$mod"
  done
  else
  add_all_modules '/crypto/'
  fi
  add_dir "/dev/mapper"
  add_binary "cryptsetup"
  add_binary "dmsetup"
  add_binary "/usr/bin/gpg"
  add_file "/usr/lib/udev/rules.d/10-dm.rules"
  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
  add_runscript
  help ()
  cat<<HELPEOF
  This hook allows for an encrypted root device with support for gpg encrypted key files.
  To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
  to your BINARIES var in /etc/mkinitcpio.conf.
  HELPEOF
  Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
  MODULES=”ext2 ext4” # not sure if this is really nessecary.
  BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
  HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
  Copy the initcpio stuff over to the live cd:
  cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
  cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
  cp /mnt/etc/mkinitcpio.conf /etc/
  Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
  Now reinstall the initcpio:
  mkinitcpio -g /mnt/boot/kernel26.img
  Make sure there were no errors and that all hooks were included.
  13. Decrypt the "var" key to the encrypted root
  mkdir /mnt/keys
  chmod 500 /mnt/keys
  gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
  chmod 400 /mnt/keys/var
  14. Setup crypttab
  Edit /mnt/etc/crypttab:
  swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
  var /dev/sda2 /keys/var
  15. Reboot
  We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names.  I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
  Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
  Last edited by fabriceb (2013-01-15 22:36:23)

  I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
  Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
  any idea ?
  #!/bin/bash
  # This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
  # prereqs:
  # EFI "BIOS" set to boot *only* from EFI
  # successful EFI boot of Archboot USB
  # mount /dev/sdb1 /src
  set -o nounset
  #set -o errexit
  # Host specific configuration
  # this whole script needs to be customized, particularly disk partitions
  # and configuration, but this section contains global variables that
  # are used during the system configuration phase for convenience
  HOSTNAME=daniel
  USERNAME=user
  # Globals
  # We don't need to set these here but they are used repeatedly throughout
  # so it makes sense to reuse them and allow an easy, one-time change if we
  # need to alter values such as the install target mount point.
  INSTALL_TARGET="/install"
  HR="--------------------------------------------------------------------------------"
  PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
  TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  FILE_URL="file:///packages/core-$(uname -m)/pkg"
  FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
  HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
  # Functions
  # I've avoided using functions in this script as they aren't required and
  # I think it's more of a learning tool if you see the step-by-step
  # procedures even with minor duplciations along the way, but I feel that
  # these functions clarify the particular steps of setting values in config
  # files.
  SetValue () {
  # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
  VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
  sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
  CommentOutValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
  UncommentValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
  # Initialize
  # Warn the user about impending doom, set up the network on eth0, mount
  # the squashfs images (Archboot does this normally, we're just filling in
  # the gaps resulting from the fact that we're doing a simple scripted
  # install). We also create a temporary pacman.conf that looks for packages
  # locally first before sourcing them from the network. It would be better
  # to do either *all* local or *all* network but we can't for two reasons.
  # 1. The Archboot installation image might have an out of date kernel
  # (currently the case) which results in problems when chrooting
  # into the install mount point to modprobe efivars. So we use the
  # package snapshot on the Archboot media to ensure our kernel is
  # the same as the one we booted with.
  # 2. Ideally we'd source all local then, but some critical items,
  # notably grub2-efi variants, aren't yet on the Archboot media.
  # Warn
  timer=9
  echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
  echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
  while [[ $timer -gt 0 ]]
  do
  sleep 1
  let timer-=1
  echo -en "$timer seconds..."
  done
  echo "STARTING"
  # Get Network
  echo -n "Waiting for network address.."
  #dhclient eth0
  dhcpcd -p eth0
  echo -n "Network address acquired."
  # Mount packages squashfs images
  umount "/packages/core-$(uname -m)"
  umount "/packages/core-any"
  rm -rf "/packages/core-$(uname -m)"
  rm -rf "/packages/core-any"
  mkdir -p "/packages/core-$(uname -m)"
  mkdir -p "/packages/core-any"
  modprobe -q loop
  modprobe -q squashfs
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
  # Create temporary pacman.conf file
  cat << PACMANEOF > /tmp/pacman.conf
  [options]
  Architecture = auto
  CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
  CacheDir = /packages/core-$(uname -m)/pkg
  CacheDir = /packages/core-any/pkg
  [core]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  [extra]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  #Uncomment to enable pacman -Sy yaourt
  [archlinuxfr]
  Server = http://repo.archlinux.fr/\$arch
  PACMANEOF
  # Prepare pacman
  [[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
  [[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
  ${PACMAN} -Sy
  ${TARGET_PACMAN} -Sy
  # Install prereqs from network (not on archboot media)
  echo -e "\nInstalling prereqs...\n$HR"
  #sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
  UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
  ${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
  # Configure Host
  # Here we create three partitions:
  # 1. efi and /boot (one partition does double duty)
  # 2. swap
  # 3. our encrypted root
  # Note that all of these are on a GUID partition table scheme. This proves
  # to be quite clean and simple since we're not doing anything with MBR
  # boot partitions and the like.
  echo -e "format\n"
  # shred -v /dev/sda
  # disk prep
  sgdisk -Z /dev/sda # zap all on disk
  #sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
  sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
  #sgdisk -a 2048 -o /dev/mmcb1k0
  # create partitions
  sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
  sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
  sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
  #sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
  # set partition types
  sgdisk -t 1:ef00 /dev/sda
  sgdisk -t 2:8200 /dev/sda
  sgdisk -t 3:8300 /dev/sda
  #sgdisk -t 1:0700 /dev/mmcb1k0
  # label partitions
  sgdisk -c 1:"UEFI Boot" /dev/sda
  sgdisk -c 2:"Swap" /dev/sda
  sgdisk -c 3:"LUKS" /dev/sda
  #sgdisk -c 1:"Key" /dev/mmcb1k0
  echo -e "create gpg file\n"
  # create gpg file
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
  echo -e "format LUKS on root\n"
  # format LUKS on root
  gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
  echo -e "open LUKS on root\n"
  gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
  # NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
  # NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
  # make filesystems
  # following swap related commands not used now that we're encrypting our swap partition
  #mkswap /dev/sda2
  #swapon /dev/sda2
  #mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
  echo -e "\nCreating Filesystems...\n$HR"
  # make filesystems
  mkfs.ext4 /dev/mapper/root
  mkfs.vfat -F32 /dev/sda1
  #mkfs.vfat -F32 /dev/mmcb1k0p1
  echo -e "mount targets\n"
  # mount target
  #mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
  mount /dev/mapper/root ${INSTALL_TARGET}
  # mount target
  mkdir ${INSTALL_TARGET}
  # mkdir ${INSTALL_TARGET}/key
  # mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
  mkdir ${INSTALL_TARGET}/boot
  mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
  # Install base, necessary utilities
  mkdir -p ${INSTALL_TARGET}/var/lib/pacman
  ${TARGET_PACMAN} -Sy
  ${TARGET_PACMAN} -Su base
  # curl could be installed later but we want it ready for rankmirrors
  ${TARGET_PACMAN} -S curl
  ${TARGET_PACMAN} -S libusb-compat gnupg
  ${TARGET_PACMAN} -R grub
  rm -rf ${INSTALL_TARGET}/boot/grub
  ${TARGET_PACMAN} -S grub2-efi-x86_64
  # Configure new system
  SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
  sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
  SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
  #following replaced due to netcfg
  #SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
  # write fstab
  # You can use UUID's or whatever you want here, of course. This is just
  # the simplest approach and as long as your drives aren't changing values
  # randomly it should work fine.
  cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  /dev/sda1 /boot vfat defaults 0 0
  /dev/mapper/cryptswap none swap defaults 0 0
  /dev/mapper/root / ext4 defaults,noatime 0 1
  FSTAB_EOF
  # write etwo
  mkdir -p /lib/initcpio/hooks/
  mkdir -p /lib/initcpio/install/
  cp /src/etwo_hooks /lib/initcpio/hooks/etwo
  cp /src/etwo_install /lib/initcpio/install/etwo
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
  cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
  cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
  # write crypttab
  # encrypted swap (random passphrase on boot)
  echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
  # copy configs we want to carry over to target from install environment
  mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
  cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
  mkdir -p ${INSTALL_TARGET}/tmp
  cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
  # mount proc, sys, dev in install root
  mount -t proc proc ${INSTALL_TARGET}/proc
  mount -t sysfs sys ${INSTALL_TARGET}/sys
  mount -o bind /dev ${INSTALL_TARGET}/dev
  echo -e "umount boot\n"
  # we have to remount /boot from inside the chroot
  umount ${INSTALL_TARGET}/boot
  # Create install_efi script (to be run *after* chroot /install)
  touch ${INSTALL_TARGET}/install_efi
  chmod a+x ${INSTALL_TARGET}/install_efi
  cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  echo -e "mount boot\n"
  # remount here or grub et al gets confused
  mount -t vfat /dev/sda1 /boot
  # mkinitcpio
  # NOTE: intel_agp drm and i915 for intel graphics
  SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
  SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
  SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
  mkinitcpio -p linux
  # kernel modules for EFI install
  modprobe efivars
  modprobe dm-mod
  # locale-gen
  UncommentValue de_AT /etc/locale.gen
  locale-gen
  # install and configure grub2
  # did this above
  #${CHROOT_PACMAN} -Sy
  #${CHROOT_PACMAN} -R grub
  #rm -rf /boot/grub
  #${CHROOT_PACMAN} -S grub2-efi-x86_64
  # you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
  # even omit the cryptdevice altogether, though it will wag a finger at you for using
  # a deprecated syntax, so we're using the correct form here
  # NOTE: take out i915.modeset=1 unless you are on intel graphics
  SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
  # set output to graphical
  SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
  SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
  SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
  # install the actual grub2. Note that despite our --boot-directory option we will still need to move
  # the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
  grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
  # create our EFI boot entry
  # bug in the HP bios firmware (F.08)
  efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
  # copy font for grub2
  cp /usr/share/grub/unicode.pf2 /boot/grub
  # generate config file
  grub-mkconfig -o /boot/grub/grub.cfg
  exit
  EFI_EOF
  # Install EFI using script inside chroot
  chroot ${INSTALL_TARGET} /install_efi
  rm ${INSTALL_TARGET}/install_efi
  # Post install steps
  # anything you want to do post install. run the script automatically or
  # manually
  touch ${INSTALL_TARGET}/post_install
  chmod a+x ${INSTALL_TARGET}/post_install
  cat > ${INSTALL_TARGET}/post_install <<POST_EOF
  set -o errexit
  set -o nounset
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  # root password
  echo -e "${HR}\\nNew root user password\\n${HR}"
  passwd
  # add user
  echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
  groupadd sudo
  useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
  passwd ${USERNAME}
  # mirror ranking
  echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
  cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
  mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
  sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
  rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
  # temporary fix for locale.sh update conflict
  mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
  # yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
  echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
  echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
  # additional groups and utilities
  pacman --noconfirm -Syu
  pacman --noconfirm -S base-devel
  pacman --noconfirm -S yaourt
  # sudo
  pacman --noconfirm -S sudo
  cp /etc/sudoers /tmp/sudoers.edit
  sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
  # power
  pacman --noconfirm -S acpi acpid acpitool cpufrequtils
  yaourt --noconfirm -S powertop2
  sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
  sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
  # following requires my acpi handler script
  echo "/etc/acpi/handler.sh boot" > /etc/rc.local
  # time
  pacman --noconfirm -S ntp
  sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
  # wireless (wpa supplicant should already be installed)
  pacman --noconfirm -S iw wpa_supplicant rfkill
  pacman --noconfirm -S netcfg wpa_actiond ifplugd
  mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
  echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
  # make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
  sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
  sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
  echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
  echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
  echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
  # sound
  pacman --noconfirm -S alsa-utils alsa-plugins
  sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
  mv /etc/asound.conf /etc/asound.conf.orig || true
  #if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
  # video
  pacman --noconfirm -S base-devel mesa mesa-demos
  # x
  #pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
  #yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
  #TODO: cut down the install size
  #pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
  # TODO: wacom
  # environment/wm/etc.
  #pacman --noconfirm -S xfce4 compiz ccsm
  #pacman --noconfirm -S xcompmgr
  #yaourt --noconfirm -S physlock unclutter
  #pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
  #pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
  #pacman --noconfirm -S ghc
  # note: try installing alex and happy from cabal instead
  #pacman --noconfirm -S haskell-platform haskell-hscolour
  #yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
  #yaourt --noconfirm -S xmobar-git
  # TODO: edit xfce to use compiz
  # TODO: xmonad, but deal with video tearing
  # TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
  # switching to cabal
  # fonts
  pacman --noconfirm -S terminus-font
  yaourt --noconfirm -S webcore-fonts
  yaourt --noconfirm -S fontforge libspiro
  yaourt --noconfirm -S freetype2-git-infinality
  # TODO: sed infinality and change to OSX or OSX2 mode
  # and create the sym link from /etc/fonts/conf.avail to conf.d
  # misc apps
  #pacman --noconfirm -S htop openssh keychain bash-completion git vim
  #pacman --noconfirm -S chromium flashplugin
  #pacman --noconfirm -S scrot mypaint bc
  #yaourt --noconfirm -S task-git stellarium googlecl
  # TODO: argyll
  POST_EOF
  # Post install in chroot
  #echo "chroot and run /post_install"
  chroot /install /post_install
  rm /install/post_install
  # copy grub.efi file to the default HP EFI boot manager path
  mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
  mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
  cp /root/root.gpg ${INSTALL_TARGET}/boot/
  # NOTES/TODO

• [solved] how to easy encrypt HOME\USER folder?

  Hi Amigos!
  Can somone give me easy step by step guide how to easy encrypt home directory in Linux Arch please?
  I spent all day to try encrypt home directory (how I did it before in Debian) I used encyptfs-migrate-home -u [myusername] but after all encyption finished I'm unable to login to KDE to complete encyptfs-unwrap-passphrase script. I got error when KDE runing from xserver: call to lnusertemp failed (temporary directories full?)
  Realy approciate your help.
  Sławek
  Last edited by infoslaw (2013-08-09 20:17:44)

  mellowmaroon wrote:
  Here are some links to Arch Linux's great documentation:
  dm-crypt with LUKS
  Disk Encryption
  I found those two to be immensely helpful in learning about encryption on Arch Linux.
  Although it looks like you might actually want this (ECryptfs ArchWiki).  I use the dm-crypt/LUKS method, but the ArchWiki for ECryptfs looks like it has a good amount of info.
  Just as a heads up, be sure to search the ArchWiki thoroughly and look up what you're trying to do in general (encryption) first when you're trying to solve a problem.  The ArchWiki is very detailed and helpful.
  Thank you! Can I encrypt by use dm-crypt/LUKS method whole particion in few steps? Do you know does posible to clone hdd after full encryption?
  Regards,
  Sławek

• [Solved] Xorg 1.8 / Trackpoint configuration issues.

  After upgrading to X.Org X Server 1.8.1.902 (1.8.2 RC 2) on a T400, I've been having a strange issue with scrolling and middle-mouse-button pasting and the new configuration system.
  After the initial upgrade, I had no keyboard or trackpoint whatsoever (though the touchpad has always mysteriously worked perfectly) -- after some configuration work, mostly from these forums -- I got most things working:
  The problem I still have, though, is that EmulateWheelTimeout seems to have no effect (I think). It's loaded (by default, I believe) -- but all the same, the mouse moves when I scroll, and more annoyingly, on middle-mouse click, everything is pasted twice.
  Edit: I though I'd add another piece of oddness that would help people figure out what is going on. When I restart X, I get no keyboard whatsoever, until I send the first mouse click. Then everything works as described.
  Edit 2: Setting Option "EmulateWheelTimeout" "1" took care of the double-pasting issue, though the behavior is strange (mouse still moves while scrolling, though less...). I'd be curious what happens with other small values (5, 10, etc.). Anyhow, I'm going to mark this as solved, though I wouldn't say it is.
  I've tried a number of different permutations of the configs below, and what's there works well except for this issue:
  Here is my xorg.conf.d/20-trackpoint.conf
  Section "InputClass"
  Identifier "Trackpoint Wheel Emulation"
  MatchProduct "TPPS/2 IBM TrackPoint"
  MatchIsPointer "on"
  Driver "evdev"
  Option "Device" "/dev/input/by-path/platform-i8042-serio-2-event-mouse"http://www.google.com/firefox
  Option "GrabDevice" "False"
  Option "EmulateWheel" "true"
  Option "EmulateWheelButton" "2"
  #Option "EmulateWheelTimeout" "200"
  Option "Emulate3Buttons" "false"
  Option "XAxisMapping" "6 7"
  Option "YAxisMapping" "4 5"
  EndSection
  Section "InputClass"
  Identifier "disabling synaptic second trackpoint found"
  MatchProduct "TPPS/2 IBM TrackPoint"
  MatchDevicePath "/dev/input/mouse1"
  Option "Ignore" "on"
  EndSection
  And here is my Xorg.0.log:
  [ 5421.714] (II) config/udev: Adding input device SynPS/2 Synaptics TouchPad (/dev/input/event10)
  [ 5421.714] (**) SynPS/2 Synaptics TouchPad: Applying InputClass "touchpad"
  [ 5421.714] (II) Synaptics touchpad driver version 1.2.2
  [ 5421.714] (**) Option "Device" "/dev/input/event10"
  [ 5421.753] (II) SynPS/2 Synaptics TouchPad: x-axis range 1472 - 5472
  [ 5421.753] (II) SynPS/2 Synaptics TouchPad: y-axis range 1408 - 4448
  [ 5421.753] (II) SynPS/2 Synaptics TouchPad: pressure range 0 - 255
  [ 5421.753] (II) SynPS/2 Synaptics TouchPad: finger width range 0 - 0
  [ 5421.753] (II) SynPS/2 Synaptics TouchPad: buttons: left right
  [ 5421.753] (**) Option "SHMConfig" "on"
  [ 5421.753] (**) Option "EmulateTwoFingerMinZ" "0"
  [ 5421.753] (**) Option "VertEdgeScroll" "on"
  [ 5421.753] (**) Option "HorizEdgeScroll" "on"
  [ 5421.753] (**) Option "VertTwoFingerScroll" "on"
  [ 5421.753] (**) Option "HorizTwoFingerScroll" "on"
  [ 5421.753] (**) Option "TapButton1" "1"
  [ 5421.753] (**) Option "TapButton2" "2"
  [ 5421.753] (**) Option "TapButton3" "3"
  [ 5421.753] (**) Option "CircularScrolling" "on"
  [ 5421.753] (**) Option "CircScrollTrigger" "2"
  [ 5421.779] (--) SynPS/2 Synaptics TouchPad: touchpad found
  [ 5421.780] (**) SynPS/2 Synaptics TouchPad: always reports core events
  [ 5421.793] (II) XINPUT: Adding extended input device "SynPS/2 Synaptics TouchPad" (type: TOUCHPAD)
  [ 5421.793] (**) SynPS/2 Synaptics TouchPad: (accel) keeping acceleration scheme 1
  [ 5421.793] (**) SynPS/2 Synaptics TouchPad: (accel) acceleration profile 0
  [ 5421.793] (**) SynPS/2 Synaptics TouchPad: (accel) acceleration factor: 2.000
  [ 5421.793] (**) SynPS/2 Synaptics TouchPad: (accel) acceleration threshold: 4
  [ 5421.819] (--) SynPS/2 Synaptics TouchPad: touchpad found
  [ 5421.820] (II) config/udev: Adding input device SynPS/2 Synaptics TouchPad (/dev/input/mouse0)
  [ 5421.820] (**) SynPS/2 Synaptics TouchPad: Ignoring device from InputClass "disabling synaptic second mouse found"
  [ 5421.820] (II) config/udev: Adding input device TPPS/2 IBM TrackPoint (/dev/input/event11)
  [ 5421.820] (**) TPPS/2 IBM TrackPoint: Applying InputClass "Trackpoint Wheel Emulation"
  [ 5421.820] (II) LoadModule: "evdev"
  [ 5421.820] (II) Loading /usr/lib/xorg/modules/input/evdev_drv.so
  [ 5421.820] (II) Module evdev: vendor="X.Org Foundation"
  [ 5421.820] compiled for 1.8.0, module version = 2.4.0
  [ 5421.820] Module class: X.Org XInput Driver
  [ 5421.820] ABI class: X.Org XInput driver, version 9.0
  [ 5421.820] (**) TPPS/2 IBM TrackPoint: always reports core events
  [ 5421.820] (**) TPPS/2 IBM TrackPoint: Device: "/dev/input/by-path/platform-i8042-serio-2-event-mouse"
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: Found 3 mouse buttons
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: Found relative axes
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: Found x and y relative axes
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: Configuring as mouse
  [ 5421.833] (**) Option "Emulate3Buttons" "false"
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: Forcing middle mouse button emulation off.
  [ 5421.833] (**) Option "EmulateWheel" "true"
  [ 5421.833] (**) Option "EmulateWheelButton" "2"
  [ 5421.833] (**) Option "YAxisMapping" "4 5"
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: YAxisMapping: buttons 4 and 5
  [ 5421.833] (**) Option "XAxisMapping" "6 7"
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: XAxisMapping: buttons 6 and 7
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: EmulateWheelButton: 2, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
  [ 5421.833] (II) XINPUT: Adding extended input device "TPPS/2 IBM TrackPoint" (type: MOUSE)
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: (accel) keeping acceleration scheme 1
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: (accel) acceleration profile 0
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: (accel) acceleration factor: 2.000
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: (accel) acceleration threshold: 4
  [ 5421.833] (II) TPPS/2 IBM TrackPoint: initialized for relative axes.
  [ 5421.833] (II) config/udev: Adding input device TPPS/2 IBM TrackPoint (/dev/input/mouse1)
  [ 5421.833] (**) TPPS/2 IBM TrackPoint: Ignoring device from InputClass "disabling synaptic second trackpoint found"
  [ 5421.834] (II) config/udev: Adding input device ThinkPad Extra Buttons (/dev/input/event4)
  [ 5421.834] (II) No input driver/identifier specified (ignoring)
  [ 5424.706] (II) 3rd Button detected: disabling emulate3Button
  Last edited by sammermpc (2010-07-16 05:17:53)

  Nothing ?
  Switchng off hal deamon and cleaning ~/.kde* has no effect...
  So, after searching on google again an again, still nothing found.... even among the Ubuntu specific issue where post are terminated
  with "wait next version of the package", the windows-style answer.
  I will continue my attempts to fix this... but my conclusion about this is that hal was more precise in his behavior than udev...

• [SOLVED]LUKS error while booting

  This is more of an annoyance than a real problem; however it would be nice to know what is causing this. I have an unencrypted root (/dev/sda3) and two encrypted partitions. While booting I get the following message:
  ERROR:Failed to open encryption mapping: The device /dev/sda3 is not a LUKS volume and the crypto= parameter was not specified.
  However despite this the root is mounted correctly and the boot process follows normally. My two encrypted volumes also mount correctly. I checked my /etc/fstab and /boot/grub/grub.cfg and didn't see anything that might be giving it the idea that my root partition is encrypted. Am I missing something?
  Thanks,
  musashi.
  Last edited by musashi (2012-06-13 15:19:59)

  you probably have "encrypt" in your HOOKS array in /etc/mkinitcpio.conf .
  remove it and rebuilt your initramfs with "mkinitcpio -p linux"

• Apple TV Router 104bits encryption connection issues with laptop

  Hi, we have set up a wep-104 encrypted office Wifi (AppleTV with TimeCapsule router) N-band network, WPA2-PSK (AES encryption). Although I set it up as WPA2-PSK, on a wifi sniffer I ran its identified as wep-104 for some reason (104bits, that is).
  This wifi has a problem with one of our computers, which uses an external USB wifi adapter, TP-Link TL-WN7200ND USB adapter,  and driver version TL-WN7200ND_WHQL_100730 (I also tried TL-WN7200ND_100513). This computer connects to all other wifis I can throw at it, 64 bit and 128 bit with no prpblems, so I know the adapter is not the issue.  After inserting the password, the adapter just "thinks" for a while and then just goes back to showing "X" on its icon (the computer is using XP but that is irrelevat I think). The adapter has the latest firmware and drivers. Is it possible to switch AppleTV to a more often used 128bit security (it could be this adapter just can't work with 104bit).
  Thanks

  Update: if I choose an 8 character password for WEP Transitional security network instead of a 13 character one for WEP/WPA2 Personal, it works. Why is that? thanks

• TimeCapsule router104bits encryption connection issues with laptop

  Hi, we have set up a wep-104 encrypted office Wifi ( TimeCapsule router) N-band network, WPA2-PSK (AES encryption). Although I set it up as WPA2-PSK, on a wifi sniffer I ran its identified as wep-104 for some reason (104bits, that is).
  This wifi has a problem with one of our computers, which uses an external USB wifi adapter, TP-Link TL-WN7200ND USB adapter,  and driver version TL-WN7200ND_WHQL_100730 (I also tried TL-WN7200ND_100513). This computer connects to all other wifis I can throw at it, 64 bit and 128 bit with no prpblems, so I know the adapter is not the issue.  After inserting the password, the adapter just "thinks" for a while and then just goes back to showing "X" on its icon (the computer is using XP but that is irrelevat I think). The adapter has the latest firmware and drivers. Is it possible to switch AppleTV to a more often used 128bit security (it could be this adapter just can't work with 104bit).
  Thanks

  Update: if I choose an 8 character password for WEP Transitional security network instead of a 13 character one for WEP/WPA2 Personal, it works. Why is that? thanks