Dual Boot Installation of Arch Linux with Preinstalled Windows 10 with Encryption

Posted by:

Dual Boot Installation of Arch Linux with Preinstalled Windows 10 with Encryption

Notes About Some Basics

  1. General instruction from Arch wiki.

    Dual boot with Windows – ArchWikiDual boot with Windows – ArchWiki Mind that there is no need to create an additional EFI System Partition, since it already exists (see above): when required, mount this to /boot, install your bootloader to it and save the entry in /etc/fstab. read more.

  2. Partitioning

    Size and tools go to – here

  3. Partition table types

    If you are installing alongside an existing installation (i.e. dual-booting), a partition table will already be in use. If the devices are not partitioned, or the current partitions table or scheme needs to be changed, you will first have to determine the partition tables (one for each device) in use or to be used.

    There are two types of partition table:

    • GPT -gpt
    • MBR -msdos

    Any existing partition table can be identified with the following command for each device:


    For GPT, you are looking for “Partition Table: GPT”. For EFI, you are looking for a small (512 MiB or less) partition with a vfat file system and the boot flag enabled. On it, there should be a directory named “EFI”. If these criteria are met, this is your ESP. Make note of the partition number. You will need to know which one it is, so you can mount it later on while installing GRUB to it.

  4. Partitioning tools

    For each device to be partitioned, a proper tool must be chosen according to the partition table to be used. Several partitioning tools are provided by the Arch installation medium, including:

    parted GPT and MBR
    fdisk, cfdisk, sfdisk GPT and MBR
    gdisk, cgdisk, sgdisk GPT
  5. INSTALL ARCHLINUX ON IDEAPAD Y700 some notes on ideapad Y700, http://mkeswani.blogspot.com/2015/12/install-archlinux-on-ideapad-y700.html
  6. Yet another tutorial with preinstalled windows 8 https://gist.github.com/miguelfrde/5dde43aa08b076106b9e
  7. Partition Type ID https://en.wikipedia.org/wiki/Partition_type#PID_83h 0x83 native to Linux

  8. The best way to detect windows boot mode Most of the linux bootloaders installed for one firmware type cannot launch or chainload bootloaders of other firmware type.

    http://www.eightforums.com/tutorials/29504-bios-mode-see-if-windows-boot-uefi-legacy-mode.html

    • Boot into Windows
    • Press Win key and ’R’ to start the Run dialog
    • In the Run dialog type “msinfo32” and press Enter
    • In the System Information windows, select System Summary on the left and check the value of BIOS mode item on the right
    • If the value is UEFI, Windows boots in UEFI-GPT mode. If the value is Legacy, Windows boots in BIOS-MBR mode.

Prepare Preinstalled Windows

Shrink some space for Linux in Windows

  1. Make some space for Arch Linux in Windows

  2. Win+R and type diskmgmt.msc and hit enter shrink one of the partitions. I also delete the two partitions for reserved for recovery. Want to put a new SSD HD in, I do not have the connecting cable and bracket for the moment.

    lenova-hd.JPG

  3. Make a bootable installation media for Arch Linux

  4. This laptop doesn’t have any CD/DVD drive so the first thing is to make a bootable USB drive.

    Boot into Windows 10. In Windows, download archlinux iso from the following website

    www.archlinux.org/download

    Use the mirror which is closest to you and download the dual iso. archlinux-2015.12.01-dual.iso

    Download Rufus from the following location https://rufus.akeo.ie/

    Plugin any usb drive/pendrive in your usb port. Make sure that you backup data from this usb drive

    rufus_en.png

  5. Attach it to your computer

Turn off Windows fast boot and secure boot

  1. Shutdown Windows after disabling fast start following instruction here or here. And use the command shutdown -s -t 0 to do so.

  2. Restart windows by clicking on Power -> Restart. Make sure that when hitting restart, you are press down Shift key Windows will give you options for Troubleshoot/Adanced Options/UEFI Firmware/

    lenova-1.JPG

    lenovo-1.JPG

    lenovo-3.JPG

    1. Once you restart your machine you should be able to see the BIOS settings.

      Under Configuration you should disable Intel Fast boot, disable SecureBoot (more here). Make sure you change the settings for Graphics from Switchable to Internal. This is needed only to install, you can then modify it later. Save the changes and exit.

  3. Once the machine restarts press and hold F12 key.

    This will give you option to boot from various available devices and your USB drive would be one of them

    lenovo-4.JPG

  4. Select your USB drive to boot

  5. Select the UEFI boot mode when you see the ArchLinux boot screen.

    lenovo-5.JPG

    Once the usb has booted you will see the root prompt.

Partition HD with Live CD

Load keyboard layout

$ loadkeys la-latin1

Connect to the internet (Wi-Fi)


Creat Partitions for boot, swap and root

  1. Boot into Arch Linux Installation media in UEFI Mode.

  2. Create three partitions in that empty space: (a) boot 200MB (b) Swap 8GB (c) Root Partition


    The final partition table in my case:


Encrypt the root partition with LUKS Link

Preparing the disk

chech the info about dm-crypt module


dm-cryptwipe on an empty disk or partition

First, create a temporary encrypted container on the partition (sdXY) or the full disk (sdX) you want to encrypt, e.g. using default encryption parameters and a random key via the –key-file /dev/{u}random option (see also Random number generation):


Second, check it exists


Finally, wipe it with pseudorandom (because encrypted) data. A use of if=/dev/urandom is not required as the encryption cipher is used for randomness.


Preparing non-boot partitions

The following commands create and mount the encrypted root partition. They correspond to the procedure described in detail in Dm-crypt/Encrypting a non-root file system#Partition (which, despite the title, can be applied to root partitions, as long as mkinitcpio and the boot loader are correctly configured). If you want to use particular non-default encryption options (e.g. cipher, key length), see the encryption options before executing the first command:


Type gdisk -l /dev/sda to find out the partition number of the newly created partition and EFI partition.

Check the mapping works as intended:


If you created separate partitions (e.g. /home), these steps have to be adapted and repeated for all of them, except for /boot. See Dm-crypt/Encrypting a non-root file system#Automated unlocking and mounting on how to handle additional partitions at boot.

Note that each blockdevice requires its own passphrase. This may be inconvenient, because it results in a separate passphrase to be input during boot. An alternative is to use a keyfile stored in the system partition to unlock the separate partition via crypttab. See Dm-crypt/Device encryption#Using LUKS to Format Partitions with a Keyfile for instructions.

Prepare Swap partition


Preparing the boot partition

What you do have to setup is a non-encrypted /boot partition, which is needed for a crypted root. For a standard MBR/non-EFI /boot partition, for example, execute:


Find and mount the efi partition to /mnt/boot/efi


If you want to encrypt boot partition (with GRUB), see here; I did not do it.

Format the partition into filesystems.

  1. Mount the partition in which Arch Linux files will be present to /mnt


  2. Use pacstrap to initialize the Arch Installation If you are behind a proxy server, type: export http_proxy=http://proxy_ip_or_domain:proxy_port


  3. mount EFI partition


  4. Generate the fstab, so that required partitions are mounted on reboot.


  5. Make sure that /boot and /boot/efi are listed; add them manually if not.


    use the following to retrieve UUID:


How to change LUKS passphrase

The followings are adapted from here.

In LUKS scheme, you have 8 “slots” for passwords or key files. First, check, which of them are used:


Then you can add, change or delete chosen keys:


As for deleting keys, you have 2 options:

  1. delete any key that matches your entered password:


  2. delete a key in specified slot:


Arch and Grub Installation after chroot in.

  1. chroot into the arch installation (from live CD).


  2. Configure timezone, generate initial RAM disk. #Chang password for root user


  3. Install the bootloader – grub.

    Install the packages grub and efibootmgr. GRUB is the bootloader, efibootmgr creates bootable .efi stub entries used by the GRUB installation script.


Generate the main configuration file

  1. Make sure all partitions are mounted, i.e. / /boot /boot/efi


  2. Intial Ramdisk Environment


    Add the encrypt hook to mkinitcpio.conf: link here


  3. update /etc/default/grub


  4. install os-prober, only detect the correct Windows boot after boot into Linux, not from chroot with live CD.

  5. configure grub

    The following steps install the GRUB UEFI application to $esp/EFI/grub, install its modules to /boot/grub/x86_64-efi, and place the bootable grubx64.efi stub in $esp/EFI/grub.

    First, tell GRUB to use UEFI, set the boot directory and set the bootloader ID. Mount the ESP partition to e.g. /boot or /boot/efi and in the following change $esp to that mount point (usually /boot):


    The –bootloader-id is what appears in the boot options to identify the GRUB EFI boot option; make sure this is something you will recognize later. The install will create a directory of the same name under $esp/EFI/ where the EFI binary bootloader will be placed.


    Now, let’s add Windows to the GRUB menu. Edit /boot/efi/EFI/grub/grub.cfg and add the following menuentry after the Arch Linux menuentries [Note: grub boot loader does not locate Windows OS, but this is necessary for grub to load Arch Linux in my case. After I boot into arch linux, I ran sudo os-prober and update grub config.] See here for details.


    and update the string with following output:

    $latex hints_string with the output of $ grub-probe target=fs_uuid /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi $latex fs_uuid with the output of $ grub-probe target=hints_string /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi

Unmount and Reboot


Finish Up Arch Linux Installation

  1. Install the desktop environment, display manager, and vim and xterm. packman -Syu gnome-desktop xterm vim gnome-display-manager systemctl enable gdm #Start gdm on boot
  2. Create a new user and add him to the group wheel. useradd -G wheel -s /bin/bash -m -c “Nehal J Wani” wani passwd wani
  3. Reboot into Arch Linux

  4. Install os-prober. Regenerate grub configuration. Reboot.


    Done! Now you can choose between Windows and Arch Linux at the start. Yay!

Install Arch Linux

  1. Retrieve package list from another system To create a list of all official repository installed packages do:


    To create a list of all local installed packages do (includes packages installed from the AUR):


  2. install package in new system To reinstall packages using the backup package list:


  3. Restore configuration with instruction here (use rsync with -a to mantain symlinks).

  4. install python modules


  5. install node.js modules


  6. The new system

    archer-screen.png

Some further tweaks

Wifi fix


Next is to make sure that we unblock hw killed wifi due to the above module


/etc/modprobe.d/blacklist.conf


Customize Grub

install grub-customizer with pacman, and customize grub loader

grub-customizer-gui.png

starfield theme is chosen here.

grub-customizer-gui1.png

lenovo-7.JPG

Encrypting a non-root file system

You can encrypt a secondary filesystem from a partition to protect only sensitive data. The following shows how to create a common partition for all user’s /home directories.

  1. First, make sure the partition is empty (has no file system attached to it). Delete the partition and create an empty one if it has a file system.

    Create the partition which will contain the encrypted container.

  2. Then setup the LUKS header with the following:


    Replace device with the previously created partition.

    To gain access to the encrypted partition, unlock it with the device mapper, using:


    After unlocking the partition, it will be available at /dev/mapper/name. Now create a file system of your choice with:


  3. Mount the file system to /home, or if it should be accessible to only one user to /home/username Tip: Unmount and mount once to verify that the mapping is working as intended.

  4. To mount the partition manually:


  5. To unmount it manually:


Mount at boot automatically

  1. generate key file


  2. create crypttab If the keyfile for a secondary file system is itself stored inside an encrypted root, it is safe while the system is powered off and can be sourced to automatically unlock the mount during with boot via crypttab. For example, unlock a crypt specified by UUID:


  3. then add it to fstab Then use the device mapper’s name (defined in /etc/crypttab) to make an entry in /etc/fstab:


2
MAR
4

Comments

  1. Axighi  December 30, 2016

    I can’t find graphics setting in bios setup on my Alienware 15 R3

    reply
  2. Tommy  December 20, 2018

    Hi

    I followed your instruction but having some problem with GRUB on Ideapad 720s

    After several times of reboot, GRUB disappears from UEFI setting and only available one is the Windows boot manager, which will boot Windows directly.

    Do you have similar problem? How you make GRUB persistent?

    reply
Subscribe to Comments

Add a Comment