#[solved] Installing Arch again - help setting up partitions securely -- archinstall

I have heard a lot of different things about partition schemes, such as encrypting your home folder or having /home/ on a separate partition, having /var/ on a separate partition, and other stuff. I've never really messed with custom partition schemes. I have installed arch manually before but not without help.

I want to have some additional security by setting up my partitions in a secure way. I found this: https://www.reddit.com/r/linux/comments/9galhz/creating_a_hardened_arch_linux_installation_with/, looks very detailed, I'm not looking to go this deep yet but I would like to do something like this eventually. For now, I just want to know how I should set up my partitions in a non-default way to provide additional security. For simplicity I want to use archinstall, I'm pretty sure it allows you to do a custom partition scheme.

I'll probably use btrfs.

Hi, this is not a direct answer to your question. But I do hope you will consider learning how to use a virtual machine and how to install, configure and harden arch on it, proficiently and profoundly before you do the hardening, which could be harsh and hazardous if done incorrectly on the physical hardware.

Using a VM is good practice tbh

The most commonly used virtulazation suit on Linux is libvirt + QEMU/KVM. You can take snapshots of your changes to the whole system and revert to them at any time, like git commits, so you can learn by trial and error.

For simplicity I want to use archinstall
The guide from reddit was written in an era before Archinstall, which also hides some mechanisms like a black box. So a manual installation is recommended if this is your first attempt to follow this guide.

Yes I have done this, I tested and hardened arch on virt-manager a few times before.

i've already done this as stated

Please also take into consideration what your actual threat model is and whether this type of setup is truly necessary.

just fyi,

I have used from about november to february this year, installed it around 15 times total, about 3-4 times manually (with help), I have installed on virtual machine a bunch of times, tested hardened kernel, apparmor, and a bunch of other stuff.

I am well aware of what my threat model is.

I have thorough documentation of what my threat model is.

Please state this in the original post.

I stated in my original post,

I have installed arch manually before but not without help.

I figured that would be enough.

Do I really need to specify exactly what I've done?

I could say "I'm not a beginner" but some may argue with that.

Anyway, still looking for help on this. I'm about to install right now.

Actually, I don't think you need to post this in support at all, since you already know what you're doing. It would confuse other people.

No, I don't. I'm not proficient enough with custom partition schemes. When I did manual installs, I got help, and I didn't really understand what I was doing with partitions.

I can run archinstall no problem.

I want to run archinstall in a more secure way than the default.

In other words, I want to progress to a slightly more advanced setup with archinstall.

good to know

Maybe I could get help with this: https://wiki.archlinux.org/title/Security#Mount_options

Not many people would use that hardening setup, and even fewer would customise it the way you do. Since you already have the knowledge, experience and motivation, why don't you try to find out for yourself?

I could, what setup exactly are you referring to?

a separate home and var partitions?

If I use LUKS to encrypt the disk, can you encrypt home separately?

I'd just try to copy the partition scheme that archinstall uses or even Fedora or other well built distribution. From there try to figure out what other modifications could be made like in that reddit guide.

okay then

I guess the reason I posted this was because I didn't want to waste time installing it the way I normally do, then later on realize I should have done it a different way and reinstall.

I'll figure it out myself. Thanks.

I guess the reason I posted this was because I didn't want to waste time installing it the way I normally do, then later on realize I should have done it a different way and reinstall

Archinstall's documentation is currently poor (e.g. the Luks section of the doc doesn't even contain anything) and it would take a considerable amount of time to read the source. I'd say it's a draw in terms of time "wasted".

okay

Well I have read the arch wiki many times and I understand precisely 0 of it.