Most secure partition setup for Linux

I am trying to figure out how to install Arch Linux and I got stuck trying to figure out what the most secure ways are to:

  1. Wipe the whole disk securely (SATA HDD) before installing Arch Linux
  2. Encrypt the whole disk and encrypt all partitions (root, home, etc.) inside it

I can’t understand the guides on the Arch Linux site because there are so many decisions to make.

Is dm-crypt with LUKS possibly the best setup for me? I am looking for:

  1. option to change the password afterwards
  2. option to use a security key
  3. setup strong enough against government attacks and most attacks
  4. a friendly guide for starters on how to do that

Thanks.


Arch Linux isn’t the easiest way to install Linux.

Full-disk encryption doesn’t protect against “most attacks.” It provides encryption for “data at rest,” meaning if you don’t use your device, its data is encrypted. The concrete security depends on the keys you use. As soon as you use your device, this protection is temporarily gone.

Here is a guide for configuring LUKS with a YubiKey: https://infosec-handbook.eu/blog/yubikey-luks/
Of course, you need to slightly modify some commands on Arch Linux.

I never said I was looking for the easiest way to install Linux; I’m switching to Arch Linux after I’ve been on Linux a while.
I’ll take a look at what you sent, thanks.

If you want an Arch-based distro, why not go for Manjaro instead? It’s got none of the pains of Arch but with nearly all (if not all) of the benefits. If you want more control over the install process than your standard ISO install, Manjaro Architect may be the one for you.

I’m personally a fan of this method: Btrfs subvolumes with swap.

You only need two partitions. One is an EFI System Partition (that one has to remain unencrypted; it will contain your kernel and ntldr bootloader, i.e. in /boot/EFI/..; the Windows bootloader will only be there if you dual boot with Windows).

The other one can be a single partition. You can use Btrfs subvolumes to simulate partitions; this means you can cut out using LVM altogether. Btrfs is a newer filesystem than the conventional ext4, but it is stable enough for regular use (as long as you’re not using RAID5/6). You can even use a swap file on a partition.

This would be optimal for a system that has a non-RAIDed disk that you wish to install Linux on. The Ubuntu installer uses the LVM approach.

Now, seeing as you asked about the “most secure” way, I would also consider looking at the Secure Boot article, specifically the part on using your own keys. I’m a fan of sbctl for signing your own kernels etc.

I’ve been looking into using TPM as well, in order to prevent “evil maid” attacks, that is, where someone gets access to your computer and tampers with the kernel in some way. TPM can be used to do certain things such as taking measurements (verifying the boot process). Some more about it here: https://mjg59.dreamwidth.org/48897.html

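The layout from the last post (unencrypted ESP plus one LUKS partition holding Btrfs subvolumes and a swap file), preceded by the disk wipe asked about in the first post, as an added example that is not from any poster in this thread. The disk path `/dev/sdX`, the mapper name, the 512M ESP size, the subvolume names and the 4g swap size are assumptions.

```bash
#!/bin/sh
# Added example: ESP + one LUKS2 partition with Btrfs subvolumes and a swap file.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them and DESTROYS the disk.
DRY_RUN="${DRY_RUN:-1}"

run() {   # print the command in dry-run mode, execute it otherwise
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

part() {  # partition node: /dev/sda -> /dev/sda2, /dev/nvme0n1 -> /dev/nvme0n1p2
  case "$1" in *[0-9]) printf '%sp%s\n' "$1" "$2" ;; *) printf '%s%s\n' "$1" "$2" ;; esac
}

setup_layout() {
  disk="$1"; name="${2:-cryptroot}"   # mapper name is an assumption
  if [ "$DRY_RUN" != 1 ] && [ ! -b "$disk" ]; then
    echo "refusing: $disk is not a block device" >&2; return 1
  fi
  esp=$(part "$disk" 1); luks=$(part "$disk" 2)

  # 1. Wipe: map the disk through a throwaway random key and fill the mapping
  #    with zeros, so the disk ends up holding random-looking ciphertext.
  run cryptsetup open --type plain --key-file /dev/urandom "$disk" to_be_wiped
  run dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress
  run cryptsetup close to_be_wiped

  # 2. Partition: unencrypted EFI System Partition + one partition for LUKS.
  run sgdisk --zap-all "$disk"
  run sgdisk -n 1:0:+512M -t 1:ef00 -n 2:0:0 -t 2:8309 "$disk"
  run mkfs.fat -F 32 "$esp"

  # 3. LUKS2 container (prompts for the passphrase), then open it.
  run cryptsetup luksFormat --type luks2 "$luks"
  run cryptsetup open "$luks" "$name"

  # 4. Btrfs with subvolumes standing in for separate partitions (no LVM).
  run mkfs.btrfs -L arch "/dev/mapper/$name"
  run mount "/dev/mapper/$name" /mnt
  for sv in @ @home @swap; do run btrfs subvolume create "/mnt/$sv"; done
  # Swap file inside the encrypted volume (needs btrfs-progs 6.1 or newer).
  run btrfs filesystem mkswapfile --size 4g /mnt/@swap/swapfile
  run umount /mnt
}

# Run only when a disk is given on the command line.
if [ "$#" -gt 0 ]; then setup_layout "$@"; fi
```

With the default `DRY_RUN=1` the script only prints the plan for the given disk. On the resulting container the passphrase can be changed later with `cryptsetup luksChangeKey` and a further key added with `cryptsetup luksAddKey`.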