Secure Drive Setup | Dans Dev Diary

Securing Arch Linux on External USB with LUKS & TPM2

This guide covers the steps to take to configure a encrypted root drive in Arch Linux using LUKS and TPM2.

WHY? Being a remote storage device it could be very prone to theft or loss, so encrypting the drive ensures that even if the physical device is compromised, the data remains secure. adding the TPM2 auto-unlock feature enhances usability by allowing the system to boot without manual password entry when connected to the enrolled TPM2 chip with Secure Boot enabled.

Prerequisites

Existing Arch Linux installation on an external USB drive (e.g., Samsung T7).
Arch Linux Live ISO for recovery and setup.
Basic familiarity with LUKS encryption, systemd-boot, and TPM2.

Backup & Encryption

Phase 1: Backup and Encryption

Boot into the Arch Linux Live ISO.
Create a backup of the existing system using rsync to a separate drive.
Mount your backup destination drive first (e.g., mount /dev/sdX /mnt/backup).
sudo rsync -aAXHvx --info=progress2 \ --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"} \ / /mnt/backup/arch_backup/
Flag Explanations:
- -a (archive mode): Preserves permissions, ownership, timestamps, and recursively copies directories
- -A: Preserves Access Control Lists (ACLs)
- -X: Preserves extended attributes (xattrs)
- -H: Preserves hard links
- -v: Verbose output to see what's being copied
- -x: Don't cross filesystem boundaries (stays on the source filesystem)
- --info=progress2: Shows overall progress with transfer speed and time remaining
Exclusions Explained:
- /dev/*, /proc/*, /sys/*: Virtual filesystems managed by the kernel
- /tmp/*, /run/*: Temporary runtime files
- /mnt/*, /media/*: Mount points (prevents copying the backup destination into itself)
- /lost+found: Filesystem recovery directory
This backup can take significant time depending on your system size. Ensure you have enough space on the backup drive.
Identify the target partition (Root) and formatted it with LUKS2 encryption.
Ensure you are targeting the correct partition (e.g., /dev/sdb2). Do not format the EFI partition (/dev/sdb1).
cryptsetup luksFormat /dev/sdb2
Open the new encrypted container.
cryptsetup open /dev/sdb2 cryptroot
Format the mapped device with your filesystem of choice (e.g., ext4) and mount the system.
mkfs.ext4 /dev/mapper/cryptroot mount /dev/mapper/cryptroot /mnt mkdir /mnt/boot mount /dev/sdb1 /mnt/boot
Restore the system backup to the new encrypted partition.
sudo rsync -aAXHv --info=progress2 /mnt/backup/arch_backup/ /mnt/
Ensure the trailing slash on the source path (/mnt/backup/arch_backup/) to copy the contents, not the directory itself. The restore uses fewer flags because we're copying to an empty destination and don't need to worry about crossing filesystems.

Boot Configuration

Phase 2: USB Boot Configuration (Critical)

Enter the system environment.
arch-chroot /mnt
Fix 1: Ensure USB drivers are present.
Edit /etc/mkinitcpio.conf. In the HOOKS array, remove autodetect and ensure sd-encrypt is present.
Removing autodetect prevents the installer from stripping USB drivers required to find the external drive at boot.
# /etc/mkinitcpio.conf HOOKS=(base systemd modconf keyboard block sd-encrypt filesystems fsck)
Regenerate the initramfs images.
mkinitcpio -P
Important: Failing to complete this step will result in a boot failure, as the system will be unable to locate the encrypted root partition on the USB drive.
Fix 2: Handle USB Timing.
Get the UUID of the encrypted partition (sdb2).
lsblk -f
Edit the bootloader config at /boot/loader/entries/arch.conf.
- Add the rd.luks.name parameter with the UUID.
- Add rootwait to the end of the options line to prevent timeouts while the USB drive spins up.
# /boot/loader/entries/arch.conf title Arch Linux linux /vmlinuz-linux initrd /amd-ucode.img initrd /initramfs-linux.img options rd.luks.name=YOUR-UUID-HERE=cryptroot root=/dev/mapper/cryptroot rw rootwait
To get YOUR-UUID run the following command (replace /dev/sdb2 with your root partition):
blkid /dev/sdb2
Exit chroot and reboot to test the password prompt.

TPM2 Auto-Unlock & Secure Boot

Phase 3: TPM2 Auto-Unlock & Secure Boot

Install TPM2 tools.
sudo pacman -S tpm2-tools
Enroll the TPM chip into the LUKS header. Bind it to PCR 7 (Secure Boot state).
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 /dev/sdb2
Verify the token was added.
sudo cryptsetup luksDump /dev/sdb2
Look for "systemd-tpm2" under the Tokens section.
Update the bootloader to actively check for the TPM device.
Edit /boot/loader/entries/arch.conf and add rd.luks.options=tpm2-device=auto.
# Final Options Line options rd.luks.name=YOUR-UUID-HERE=cryptroot rd.luks.options=tpm2-device=auto root=/dev/mapper/cryptroot rw rootwait
Reboot. The system should now boot without asking for a password, provided Secure Boot is active and the drive is connected to the enrolled motherboard.