BlackStrap

Installing Arch Linux manually is a rite of passage. You partition disks, configure encryption, bootstrap the system, set up bootloaders—it’s educational, but after the tenth time, it’s just tedious, and we all have to get work done.
BlackStrap automates the entire process of getting to a minimally viable system while giving you the flexibility to customize security features, filesystem choices, and optional tooling like BlackArch repositories and SSH servers.
Contents:
- What It Does
- Encryption Options
- Boot Integrity Monitoring
- BTRFS Support
- Disk Layout Examples
- Usage
- Optional Features
- Security Considerations
- What Gets Installed
- Design Highlights
- Use Cases
What It Does
BlackStrap is an interactive installer script that handles:
- Full UEFI-based Arch installation from scratch
- LVM on LUKS encryption with multiple security tiers
- BTRFS or ext4 filesystems with optional snapshot management
- Boot integrity monitoring to detect tampering
- Automated partitioning (EFI + boot + encrypted root)
- Zsh and Oh My Zsh pre-configured with custom theming
- Optional BlackArch repo integration for security tools
- Optional SSH server with password or key-based auth
It’s designed for security researchers, pentesters, and anyone who wants a hardened Arch system without the repetitive manual setup.
Encryption Options
Standard Encryption (Recommended)
./blackstrap.sh
- LUKS2 encryption for root partition (modern Argon2id)
- Unencrypted /boot with integrity monitoring
- Single password prompt at boot
- SHA256 checksums detect tampering attempts
Best for: Most users who want strong encryption without boot-time complexity.
Full Disk Encryption (Maximum Security)
./blackstrap.sh --encrypt-boot
- LUKS1 for /boot (GRUB compatibility) + LUKS2 for root
- Entire disk encrypted including kernel and initramfs
- Option for keyfile (1 password) or manual unlock (3 passwords)
- Complete evil maid attack prevention
Best for: High-security environments, paranoid setups, or systems with sensitive data.
No Encryption (Testing/VMs)
./blackstrap.sh --no-encryption
- Plain partitions, no LUKS
- Fast boot, no password prompts
- For development VMs and testing only
Boot Integrity Monitoring
When using standard encryption (unencrypted /boot), BlackStrap installs a boot integrity tool that:
- Generates SHA256 checksums of all /boot files on first boot
- Verifies checksums automatically at each boot
- Warns via MOTD if tampering is detected
- Integrates with pacman to warn about kernel updates
# Check for tampering
sudo boot-integrity verify
# Detailed check with file checksums
sudo boot-integrity verify -v
# Update checksums after kernel updates
sudo boot-integrity update
# View database information
sudo boot-integrity info
If an attacker modifies your kernel or initramfs (evil maid attack), you’ll know before entering your encryption password.
BTRFS Support
During installation, you can choose BTRFS with:
- zstd compression (typical 30-40% space savings)
- Subvolume layout: @, @home, @var_log
- Automatic snapshot management via snapper
- Pre-configured snapper hooks on first boot
Perfect for systems where you want rollback capability and compression benefits.
Disk Layout Examples
Standard Encryption:
/dev/sda1 → EFI (512MB, unencrypted)
/dev/sda2 → /boot (1GB, unencrypted, checksummed)
/dev/sda3 → LUKS2 → LVM
    ├─ swap (4GB)
    └─ root (remaining, ext4 or BTRFS)
Full Disk Encryption:
/dev/sda1 → EFI (512MB, unencrypted - UEFI requirement)
/dev/sda2 → LUKS1 → /boot (1GB, encrypted)
/dev/sda3 → LUKS2 → LVM
    ├─ swap (4GB)
    └─ root (remaining)
Usage
Boot into a live Arch ISO and run:
curl -O https://raw.githubusercontent.com/axiom0x0/BlackStrap/main/blackstrap.sh
chmod +x blackstrap.sh
./blackstrap.sh
The script will interactively prompt for:
- Target disk selection
- Hostname, username, password
- Timezone and locale
- Filesystem type (ext4 or BTRFS)
- Text editor preference
- Encryption passwords
- BlackArch repository (optional)
- SSH server setup (optional)
After installation completes, reboot into your new encrypted Arch system.
Optional Features
BlackArch Repository
During installation, you can opt to install the BlackArch repository, which provides:
- 2800+ penetration testing and security tools
- Organized by category (exploitation, forensics, wireless, etc.)
- Maintained separately from official Arch repos
The script modifies the BlackArch installer to skip bloated defaults and install cleanly.
SSH Server Setup
Choose between:
Password-based auth:
- Standard SSH with password login
- Quick setup for trusted networks
Key-based auth (recommended):
- More secure than passwords
- Script sets up temporary SSH server during install
- You run ssh-copy-id from your local machine
- Password authentication disabled post-install
Note: With key-based auth, ensure your VM uses bridged networking (not NAT) so your host can reach it during installation.
Security Considerations
Boot Integrity vs Full Disk Encryption:
| Feature | Standard | Full Disk (no keyfile) | Full Disk (with keyfile) |
|---|---|---|---|
| Root filesystem | ✅ LUKS2 encrypted | ✅ LUKS2 encrypted | ✅ LUKS2 encrypted |
| /boot partition | ❌ Unencrypted | ✅ LUKS1 encrypted | ✅ LUKS1 encrypted |
| Password prompts | 1 (at boot) | 3 (GRUB + root + boot) | 1 (GRUB only) |
| Tampering detection | ✅ SHA256 checksums | ✅ Encryption | ✅ Encryption |
| Evil maid protection | ⚠️ Detection only | ✅ Full prevention | ✅ Full prevention |
| Ease of use | ✅ Simple | ⚠️ Complex | ✅ Reasonable |
Why LUKS1 + LUKS2?
- GRUB can only decrypt LUKS1 (not LUKS2)
- LUKS2 uses Argon2id (much stronger than LUKS1’s PBKDF2)
- This dual setup gives GRUB compatibility + modern encryption for root
What Gets Installed
Base System:
- base, linux, linux-firmware
- zsh, sudo, curl, git, wget
- NetworkManager, grub, efibootmgr
With Encryption:
- lvm2, cryptsetup
- Boot integrity monitoring tool (standard mode)
- Automatic crypttab configuration (full disk mode)
- Pacman hooks for update warnings
With BTRFS:
- btrfs-progs
- snapper for snapshot management
- Automatic snapper configuration
Optional:
- BlackArch repository and tools
- SSH server (OpenSSH)
- Oh My Zsh with custom configuration
Design Highlights
SSH Key Setup in the Live Environment
One of the trickier problems: how do you set up SSH key-based auth when the system doesn’t exist yet?
BlackStrap solves this by spinning up a temporary SSH server in the live boot environment before installation even starts. It creates a temporary user, displays connection details (IP, username, temp password), and waits for you to run ssh-copy-id from your local machine.
Once your public key is copied, the script transfers it to the new system’s /home/user/.ssh/authorized_keys during installation. After reboot, you can SSH in with keys, and password auth is disabled by default.
This only works if your VM/system is reachable from your host machine—NAT networking won’t cut it. Use bridged networking so the live environment gets an IP on your local network.
The LUKS1+LUKS2 Hybrid
GRUB (the bootloader) can’t decrypt LUKS2—only LUKS1. But LUKS1 uses the older PBKDF2 key derivation function, which is significantly weaker than LUKS2’s Argon2id.
The solution: dual LUKS containers.
- /boot is encrypted with LUKS1 (GRUB compatibility)
- Root filesystem is encrypted with LUKS2 (modern security)
This gives you encrypted kernel/initramfs (evil maid protection) while keeping strong encryption on your actual data. The keyfile option embeds the /boot unlock key in the initramfs, reducing three password prompts to one.
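One way to confirm after installation that the two containers match this hybrid layout is to inspect `cryptsetup luksDump` output. This is an added example, not part of BlackStrap: `luks_profile` and `check_layout` are hypothetical helpers, and the dump text is constructed and abridged.

```sh
#!/bin/sh
# Added example, not part of BlackStrap; luks_profile and check_layout are hypothetical.

# luks_profile: read `cryptsetup luksDump` text on stdin, print "luks<version> <pbkdfs>".
# LUKS2 stores a PBKDF per keyslot, so every distinct value is reported: one PBKDF2
# keyslot weakens the container even when the others use Argon2id.
luks_profile() {
    awk '
        $1 == "Version:" { ver = $2 }
        $1 == "PBKDF:"   { kdf[$2] = 1 }
        END {
            if (ver == "1") { print "luks1 pbkdf2"; exit }   # LUKS1 is always PBKDF2
            n = split("pbkdf2 argon2i argon2id", order, " ")
            for (i = 1; i <= n; i++)
                if (order[i] in kdf) out = out (out == "" ? "" : ",") order[i]
            print "luks" ver " " out
        }'
}

# check_layout BOOT ROOT: compare two profiles with the hybrid layout, list deviations.
check_layout() {
    rc=0
    [ "$1" = "luks1 pbkdf2" ]   || { echo "boot: want luks1, got '$1'"; rc=1; }
    [ "$2" = "luks2 argon2id" ] || { echo "root: want luks2 with argon2id only, got '$2'"; rc=1; }
    return "$rc"
}

# Constructed, abridged luksDump samples (real output has more fields).
boot_dump() { printf '%s\n' 'LUKS header information for /dev/sda2' '' \
    'Version:        1' 'Cipher name:    aes' 'Hash spec:      sha256' 'Key Slot 0: ENABLED'; }
root_dump() { printf '%s\n' 'LUKS header information' 'Version:        2' 'Keyslots:' \
    '  0: luks2' '        PBKDF:      argon2id' '  1: luks2' '        PBKDF:      argon2id'; }

check_layout "$(boot_dump | luks_profile)" "$(root_dump | luks_profile)" && echo "layout matches"
# Same root header with the second keyslot switched to PBKDF2 (constructed):
check_layout "luks1 pbkdf2" "$(root_dump | sed '$s/argon2id/pbkdf2/' | luks_profile)" || true
```

On an installed system, pipe real headers in instead of the samples, for example `cryptsetup luksDump /dev/sda2 | luks_profile` for /boot and the same for /dev/sda3 for root.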
Boot Integrity vs Full Encryption
For standard encryption (unencrypted /boot), BlackStrap installs a custom boot integrity monitoring tool that:
- Generates SHA256 checksums of /boot contents on first boot
- Verifies them automatically at each boot
- Integrates with pacman via hooks to warn about kernel updates
- Displays tamper warnings in MOTD if files change
It’s not as secure as full disk encryption (an attacker could modify the kernel), but it detects tampering, which is often sufficient. The trade-off is simplicity: one password at boot vs three (or dealing with keyfiles).
For most threat models, detection is enough. If someone has physical access to modify your /boot, they’ve already won in other ways.
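The baseline-and-verify cycle described in this section and under Boot Integrity Monitoring can be sketched as follows. This is an added example, not BlackStrap's boot-integrity tool: the function names are hypothetical, and a scratch directory with made-up file contents stands in for /boot.

```sh
#!/bin/sh
# Added example, not BlackStrap's boot-integrity tool. Function names are hypothetical.

# manifest_create DIR DB: write "sha256  ./path" for every regular file under DIR.
manifest_create() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# manifest_verify DIR DB: print ADDED/MISSING/MODIFIED lines; return 1 on any difference.
# `sha256sum -c` alone would miss files added after the baseline, so compare both ways.
manifest_verify() {
    cur=$(mktemp) || return 2
    manifest_create "$1" "$cur"
    report=$(awk '
        # sha256sum lines: 64 hex digits, two separator characters, then the path
        FILENAME == ARGV[1] { base[substr($0, 67)] = substr($0, 1, 64); next }
        {
            path = substr($0, 67); seen[path] = 1
            if (!(path in base))                      print "ADDED " path
            else if (base[path] != substr($0, 1, 64)) print "MODIFIED " path
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    if [ -n "$report" ]; then printf '%s\n' "$report"; return 1; fi
    return 0
}

# demo: constructed scratch tree standing in for /boot (file contents are made up).
demo() {
    boot=$(mktemp -d) && db=$(mktemp) || return 2
    mkdir -p "$boot/grub"
    echo 'kernel v1'     > "$boot/vmlinuz-linux"
    echo 'initramfs v1'  > "$boot/initramfs-linux.img"
    echo 'set timeout=5' > "$boot/grub/grub.cfg"
    manifest_create "$boot" "$db"                        # baseline ("first boot")
    echo 'initramfs v2'  > "$boot/initramfs-linux.img"   # content changed
    echo 'new module'    > "$boot/grub/extra.mod"        # file added
    rm "$boot/vmlinuz-linux"                             # file removed
    manifest_verify "$boot" "$db" && rc=0 || rc=$?
    rm -rf "$boot" "$db"
    return "$rc"
}

demo || echo "boot files differ from baseline"
```

The manifest is only as trustworthy as its storage: keeping it on the encrypted root, rather than on the unencrypted /boot it describes, means it cannot be rewritten without the disk password.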
Use Cases
- Pentesting VMs - Quick setup with BlackArch tools pre-installed
- Secure workstations - Full disk encryption with boot integrity
- Development environments - Fast BTRFS snapshots for rollback
- Learning Arch - Automated setup with customization options
- Reproducible builds - Scripted configuration for consistent deployments
Get It
Source code and full documentation on GitHub: axiom0x0/BlackStrap
The script is designed for single-disk, clean UEFI installations. For dual-boot or complex partitioning scenarios, manual setup may be required.