How to Set Up a Void Linux Box with Encrypted Drive on UEFI
1. Prepare Installation Media
- Download the ISO from voidlinux.org.
- Put the ISO onto a USB drive using dd. On Windows, you can use Rufus.
2. Boot and Initial Setup
- Boot from the USB drive.
- Log in as root (password: voidlinux).
- Sync the repositories and update the package manager:
# xbps-install -S
# xbps-install -u xbps
- Install a text editor:
# xbps-install -S nano
Install any text editor you feel like using.
3. Partition the Disk
- Identify your target drive (/dev/sda, /dev/nvme0, etc.).
- Partition the drive using cfdisk. Create at least:
  - An EFI partition
  - A root partition
Optional: swap and home partitions depending on your preference.
4. Encrypt and Format Partitions
- Encrypt the root partition:
# cryptsetup luksFormat --type luks1 /dev/sda2
Type YES in all caps and enter your passphrase. GRUB has to unlock this partition itself to read /boot, and its LUKS2 support is limited, hence --type luks1.
- Open the encrypted partition:
# cryptsetup luksOpen /dev/sda2 cryptroot
- Create a volume group:
# vgcreate cryptroot /dev/mapper/cryptroot
- Create a logical volume:
# lvcreate --name root -l 100%FREE cryptroot
- Format the root filesystem:
# mkfs.ext4 -L root /dev/cryptroot/root
# mount /dev/cryptroot/root /mnt
- Format the EFI partition and mount it:
# mkfs.vfat /dev/sda1
# mkdir -p /mnt/boot/efi
# mount /dev/sda1 /mnt/boot/efi
If you created a home partition, you should allocate the remaining disk space accordingly.
The root after -L is just a filesystem label.
5. Copy RSA Keys
# mkdir -p /mnt/var/db/xbps/keys
Copy the XBPS repository RSA keys from the installer to the new system:
# cp /var/db/xbps/keys/* /mnt/var/db/xbps/keys/
6. Install Base System
# xbps-install -Sy -R https://repo-default.voidlinux.org/current -r /mnt \
base-system lvm2 cryptsetup grub-x86_64-efi nano NetworkManager efibootmgr
After that, let’s generate the fstab.
# xgenfstab /mnt > /mnt/etc/fstab
7. Chroot into the New System
Use xchroot to enter the new system.
# xchroot /mnt
[xchroot /mnt] # chown root:root /
[xchroot /mnt] # chmod 755 /
Give the root user a password.
[xchroot /mnt] # passwd root
Set your hostname by replacing VOID with your desired name.
[xchroot /mnt] # echo VOID > /etc/hostname
[xchroot /mnt] # echo "LANG=en_US.UTF-8" > /etc/locale.conf
[xchroot /mnt] # echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
Set the locale by replacing en_US.UTF-8 with your preferred language.
[xchroot /mnt] # xbps-reconfigure -f glibc-locales
Reconfigure the locales.
8. Configure GRUB for Encryption
This enables GRUB to recognize LUKS-encrypted partitions at boot, allowing you to enter the passphrase early.
[xchroot /mnt] # echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
The next command outputs the UUID of your root partition.
[xchroot /mnt] # blkid -o value -s UUID /dev/sda2
Edit the grub config file and add the UUID:
[xchroot /mnt] # nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.lvm.vg=cryptroot rd.luks.uuid=<uuid>"
Replace <uuid> with the value you got from (blkid -o value -s UUID /dev/sda2).
If you don’t know how to add the UUID to that GRUB line, you can run the following command:
[xchroot /mnt] # sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=4 rd.lvm.vg=cryptroot rd.luks.uuid=$(blkid -o value -s UUID /dev/sda2)\"|" /etc/default/grub
This will automate the process for you, so you don’t have to open the GRUB config file manually. However, you can still open it if you want to double-check.
Replace sda2 with your own root partition.
9. Add a Keyfile
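The following command creates a random 64-byte key file at /boot/volume.key. Because /boot lives on the encrypted root volume (only /boot/efi is the separate EFI partition), the key file is itself encrypted at rest.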
[xchroot /mnt] # dd bs=1 count=64 if=/dev/urandom of=/boot/volume.key
Add the key file to the LUKS header. You will be asked for your existing passphrase.
[xchroot /mnt] # cryptsetup luksAddKey /dev/sda2 /boot/volume.key
These two commands lock down the key file and everything under /boot, including the initramfs that will contain a copy of the key.
[xchroot /mnt] # chmod 000 /boot/volume.key
[xchroot /mnt] # chmod -R g-rwx,o-rwx /boot
Edit the crypttab file and add the following line to the file:
[xchroot /mnt] # nano /etc/crypttab
cryptroot /dev/sda2 /boot/volume.key luks
Use your device name instead of sda2.
Edit the 10-crypt.conf file and add the following line so that dracut includes the key file and crypttab in the initramfs:
[xchroot /mnt] # nano /etc/dracut.conf.d/10-crypt.conf
install_items+=" /boot/volume.key /etc/crypttab "
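Before installing GRUB, it is worth checking that the files edited in steps 8 and 9 agree with each other. The script below is an added example, not part of the original guide; the function names check_cryptboot and make_sample_tree and the sample UUID are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: checks the files from steps 8 and 9.
# Usage: check_cryptboot /mnt (from the installer) or check_cryptboot / (in the chroot)
check_cryptboot() {
    root=${1%/}; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }
    grub="$root/etc/default/grub"
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$grub" 2>/dev/null \
        || fail "GRUB_ENABLE_CRYPTODISK=y missing from /etc/default/grub"
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub" 2>/dev/null | tail -n 1)
    case $cmdline in
        *rd.lvm.vg=cryptroot*) ;;
        *) fail "rd.lvm.vg=cryptroot not on the kernel command line" ;;
    esac
    # A leftover <uuid> placeholder or an empty $(blkid ...) result both fail here.
    echo "$cmdline" | grep -Eq \
        'rd\.luks\.uuid=[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}' \
        || fail "rd.luks.uuid is missing or not a UUID"
    # crypttab fields: name, device, keyfile, options
    key=$(awk '$1 == "cryptroot" { print $3 }' "$root/etc/crypttab" 2>/dev/null || true)
    if [ -z "$key" ] || [ "$key" = none ]; then
        fail "no keyfile for cryptroot in /etc/crypttab"
    elif [ ! -f "$root$key" ]; then
        fail "keyfile $key does not exist"
    else
        perms=$(ls -ld "$root$key" | cut -c2-10)
        [ "$perms" = "---------" ] || fail "keyfile permissions are $perms, expected 000"
        grep -hs 'install_items' "$root"/etc/dracut.conf.d/*.conf | grep -qF "$key" \
            || fail "$key not listed in dracut install_items"
    fi
    return $rc
}

# Constructed sample tree mirroring steps 8 and 9 (the UUID is made up).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/default" "$t/etc/dracut.conf.d" "$t/boot"
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' \
        'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.lvm.vg=cryptroot rd.luks.uuid=01234567-89ab-cdef-0123-456789abcdef"' \
        > "$t/etc/default/grub"
    echo 'cryptroot /dev/sda2 /boot/volume.key luks' > "$t/etc/crypttab"
    echo 'install_items+=" /boot/volume.key /etc/crypttab "' \
        > "$t/etc/dracut.conf.d/10-crypt.conf"
    : > "$t/boot/volume.key"; chmod 000 "$t/boot/volume.key"
    echo "$t"
}

check_cryptboot "$(make_sample_tree)" && echo "sample tree: OK"
```

On the real system, run check_cryptboot / inside the chroot; any FAIL line points at a file to fix before rebooting.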
10. Install GRUB
Make sure that the device name is correct.
[xchroot /mnt] # grub-install /dev/sda
Reconfigure all packages, which regenerates the initramfs and the GRUB configuration file.
[xchroot /mnt] # xbps-reconfigure -fa
Exit the chroot:
[xchroot /mnt] # exit
Recursively unmount everything mounted under /mnt
# umount -R /mnt
# reboot
You should remove the installation media.
11. Post-Installation
After rebooting, entering the passphrase, seeing the GRUB menu, and logging in as root, you should enable the network service.
# ln -s /etc/sv/NetworkManager /var/service/
# ln -s /etc/sv/dbus /var/service/
Start the NetworkManager and dbus services:
# sv up NetworkManager
# sv up dbus
If you are using an Ethernet cable, it connects automatically. For Wi-Fi, run nmtui and activate a connection.
Edit the resolv.conf file:
# nano /etc/resolv.conf
nameserver 1.1.1.1
nameserver 8.8.8.8
To test the connection, run the following command.
# ping -c4 voidlinux.org
Add a new user to your system. The -m option creates a home directory, and -G wheel adds the user to the wheel group (which allows administrative privileges):
# useradd -mG wheel <yourUserName>
# passwd <yourUserName>
Replace <yourUserName> with the username you want to create and use.
Now, edit the sudoers file to give the new user permission to use sudo. Here we set the default editor to nano:
# EDITOR=nano visudo
Inside the file, find the following line and uncomment it by removing the # at the beginning:
%wheel ALL=(ALL:ALL) ALL
This allows any user in the wheel group to execute commands as root using sudo.
Install some utilities:
# sudo xbps-install -S htop ufetch
# ufetch
Et voilà! You now have a base Void Linux system with full disk encryption.