I've done a lot of research on best practices for disk setup and have found a solution for all my disk-related issues. This post details the process of using this method. While not the simplest to set up, it will save you trouble later down the line when you want to change something around.
Before you begin partitioning the disk, you have to decide whether to use BIOS or UEFI. Some machines support just one option meaning you can skip having to think about it.
Over the years my opinion on the matter has shifted back and forth. Right now I prefer BIOS for its simplicity.
The first step of the process is the partitioning which breaks the disk up into smaller chunks that are used for different purposes.
My utility of choice for partitioning disks is fdisk, which is already installed on most Linux systems. Other options include gdisk and parted.
Make two partitions:
The choice you need to make now is the size of the boot partition. Most documentation recommends ~256M, but because you can't change it later and because I like having multiple partitions available, I use the safer option of 1G.
fdisk /dev/sdX
o # create a new DOS/MBR partition table (on UEFI use g for a GPT table, which skips the primary/extended prompt)
n # create a new partition (boot)
p # make it primary
ENTER # auto select number
ENTER # auto select starting sector
+1G # size of the boot partition
n # create another partition (LVM on LUKS)
p # primary again
ENTER # auto select number
ENTER # auto select starting sector
ENTER # allow it to take all free space
w # save the table to the disk
After partitioning the disk, format each partition.
Format the boot partition using FAT32 on UEFI. On BIOS use any file system supported by your bootloader; I use limine, which supports ext4.
mkfs.ext4 /dev/sdX # boot partition, for BIOS
mkfs.fat -F32 /dev/sdX # boot partition, for UEFI
Use the other partition that occupies the rest of the disk for LVM on LUKS. LUKS keeps all content encrypted. LVM uses virtual partitions to further split up the disk, making it easier to resize partitions as needed.
cryptsetup luksFormat /dev/sdX # the second, large partition; this wipes it
cryptsetup open /dev/sdX crypt # unlock it as /dev/mapper/crypt
pvcreate /dev/mapper/crypt # LVM physical volume on the decrypted device
vgcreate crypt /dev/mapper/crypt # volume group named crypt, LVs appear under /dev/crypt/
A swap partition gives the system more memory (like downloading more RAM!). It's used to prevent the system stalling when running out of memory, or to suspend/hibernate.
lvcreate -n swap -L 16G crypt
mkswap /dev/crypt/swap
swapon /dev/crypt/swap
Name your root partition after the distro that will go on it. This makes it more descriptive and easier to manage when multibooting.
lvcreate -n alpine -L 16G crypt # root partition
mkfs.ext4 /dev/crypt/alpine
mount /dev/crypt/alpine /mnt
Most guides pair the root partition with a separate home partition for your personal data. An evolution of that idea is the space partition. Mount it on /space with extra folders bind mounted as needed, for example /space/home to /home and /space/tors to /var/lib/transmission. This gives you more flexibility in keeping data off the root partition.
lvcreate -n space -l 100%FREE crypt # space partition, takes the remaining space
mkfs.ext4 /dev/crypt/space
mkdir /mnt/space
mount /dev/crypt/space /mnt/space
mkdir /mnt/space/home /mnt/home # the bind target must exist as well
mount --rbind /mnt/space/home /mnt/home
The initramfs is a temporary file system that the bootloader boots into; it prepares the kernel and the rest of the system.
Make sure your distro supports LUKS and LVM. Do this by enabling the required features and regenerating the initramfs image.
This is different for each distro, so refer to their documentation.
The cmdline is the set of options your bootloader passes to the kernel and initramfs to configure the system. When using LVM on LUKS, set them so the initramfs can unlock and boot the root partition.
cryptroot=UUID=... # UUID of LUKS partition /dev/sdX
cryptdm=crypt # name of decrypted root partition
root=/dev/crypt/alpine # points to the root partition
rootfstype=ext4 # root partition's file system
resume=/dev/crypt/swap # swap partition for hibernation
Get the UUID of cryptroot using blkid /dev/sdX.
The format of the cmdline will depend on the initramfs so once again refer to their documentation.
fstab is the file used by the mount utility to automatically mount required partitions on boot.
Find the UUID of the boot partition using blkid /dev/sdX.
/dev/crypt/alpine / ext4 rw,relatime 0 1 # root
/dev/crypt/swap none swap defaults 0 0 # swap
UUID=... /boot ext4 rw,relatime 0 2 # boot
# space, must come before the bind mounts that live on it
/dev/crypt/space /space ext4 rw,relatime 0 2
/space/home /home/ none rbind,defaults 0 0
/space/tors /var/lib/transmission none rbind,defaults 0 0
/space/sync /var/lib/syncthing none rbind,defaults 0 0
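As an added check (my own example, not code from this post), a small POSIX sh/awk linter for an fstab in the layout above. It assumes the volume group is named crypt as in the post, so encrypted devices appear as /dev/crypt/..., and that bind-mount sources live on a mount point listed earlier in the file.

```shell
# Lint an fstab for the LVM-on-LUKS + /space layout above. It checks that:
#  1. every entry has the four mandatory fields (device, mountpoint, type, options),
#  2. no bind/rbind source sits under a mount point that only appears on a LATER
#     line (fstab is applied top to bottom, so /space must precede /space/home),
#  3. only / carries fsck pass 1,
#  4. swap, / and /space all live in the encrypted VG (/dev/crypt/...), so neither
#     a hibernation image nor user data ends up on an unencrypted device.
lint_fstab() {          # usage: lint_fstab < fstab ; prints problems, exits 1 if any
    awk 'BEGIN { bad = 0 }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    NF < 4 { print "line " NR ": only " NF " fields"; bad = 1; next }
    { n++; src[n] = $1; tgt[n] = $2; typ[n] = $3; opt[n] = $4; pas[n] = $6 + 0
      if (tgt[n] != "/") sub(/\/$/, "", tgt[n]) }        # "/home/" -> "/home"
    END {
        for (k = 1; k <= n; k++) {
            if (opt[k] ~ /(^|,)r?bind(,|$)/) {
                for (j = k + 1; j <= n; j++)
                    if (tgt[j] != "/" && opt[j] !~ /(^|,)r?bind(,|$)/ &&
                        index(src[k] "/", tgt[j] "/") == 1) {
                        print "bind source " src[k] " is under " tgt[j] ", mounted later"; bad = 1 }
                continue
            }
            if (typ[k] == "swap" && src[k] !~ /^\/dev\/crypt\//) {
                print "swap " src[k] " is outside the LUKS volume group"; bad = 1 }
            if ((tgt[k] == "/" || tgt[k] == "/space") && src[k] !~ /^\/dev\/crypt\//) {
                print tgt[k] " is outside the LUKS volume group: " src[k]; bad = 1 }
            if (tgt[k] == "/" && pas[k] != 1) { print "/ should have fsck pass 1"; bad = 1 }
            if (tgt[k] != "/" && pas[k] == 1) { print tgt[k] " must not have fsck pass 1"; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample matching the layout in the post (the boot UUID is a placeholder).
FSTAB_OK='/dev/crypt/alpine / ext4 rw,relatime 0 1
/dev/crypt/swap none swap defaults 0 0
UUID=PLACEHOLDER /boot ext4 rw,relatime 0 2
/dev/crypt/space /space ext4 rw,relatime 0 2
/space/home /home/ none rbind,defaults 0 0
/space/tors /var/lib/transmission none rbind,defaults 0 0'
# Constructed broken variant: swap on a plain partition, /home bound before /space is mounted.
FSTAB_BAD='/dev/crypt/alpine / ext4 rw,relatime 0 1
/dev/sdX3 none swap defaults 0 0
/space/home /home none rbind,defaults 0 0
/dev/crypt/space /space ext4 rw,relatime 0 2'

printf '%s\n' "$FSTAB_OK" | lint_fstab && echo "fstab OK"
printf '%s\n' "$FSTAB_BAD" | lint_fstab || echo "fstab has problems"
```

Run it against the real file with `lint_fstab < /mnt/etc/fstab` before the first reboot; a missing field on the /space line or a swap LV outside the VG is caught before the initramfs has to deal with it.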
On most Linux systems the default bootloader is GRUB. I however prefer less complicated alternatives; for a long time I used rEFInd, which doesn't support BIOS. My current bootloader of choice is limine, which is suckless and supports both BIOS and UEFI at the same time.
To save yourself from having to enter two passwords every time you boot your system, enable autologin using agetty.