Arch Linux encrypted installation

Home Books Blog Guides Links Contact Donate

Installation steps with information taken from the official installation guide to assist the process with encryption. Be aware that this guide may become outdated and/or contain bugs. Also, this guide only covers a specific installation, so no swapfile, only with EFI system partition, etc.

Setup

Download ISO file

Verify signature

$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig

or from existing arch installation:

$ pacman-key -v archlinux-version-x86_64.iso.sig

Prepare USB flash drive

$ dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/x conv=fsync oflag=direct status=progress

Boot from USB file (UEFI)

Installation

Verify boot mode
$ ls /sys/firmware/efi/efivars
If the command shows directory without error: booted in UEFI mode.
Connect to the internet
$ ip link $ ping archlinux.org
Update the system clock
$ timedatectl status
Partition the disks
$ fdisk -l or $ lsblk $ fdisk /dev/the_disk_to_be_partitioned
1. Delete all existing partitions
2. Create 2 new primary partitions on main disk
3. Defaults except first partition endsize, type: +600M
4. Optional: secure erase:
  $ dd if=/dev/urandom of=/dev/sdX# bs=4096 status=progress
Encrypt main partition (and others if multiple disks)
$ cryptsetup luksFormat /dev/sdX#
Open encrypted partition (name is needed for reference but not permanent)
$ cryptsetup open /dev/sdX# {name}

Format the partitions

$ mkfs.fat -F 32 /dev/boot_partition
$ mkfs.ext4 /dev/mapper/{name}

Mount the file systems

$ mount /dev/mapper/{name} /mnt
$ mkdir /mnt/boot
$ mount /dev/boot_partition /mnt/boot

Optional: sort mirrors on geographical location
$ vim /etc/pacman.d/mirrorlist

Install (essential) packages

$ pacstrap -K /mnt base base-devel linux linux-firmware grub networkmanager cryptsetup lvm2 vim

Generate fstab (define how partitions should be mounted)
$ genfstab -U /mnt >> /mnt/etc/fstab
Change root into new system
$ arch-chroot /mnt

Time zone (region and city variables)

$ ln -sf /usr/share/zoneinfo/{Region}/{City} /etc/localtime
$ hwclock --systohc

Localization

$ vim /etc/locale.gen

uncomment lines

en_US.UTF-8 UTF-8
en_US ISO-8859-1

$ locale-gen

set lang variable
$ vim /etc/locale.conf
1. add text
  LANG=en_US.UTF-8

Network configuration

$ vim /etc/hostname

add text
myhostname
Config hosts
$ vim /etc/hosts

add text (myhostname is variable based on /etc/hostname)

127.0.0.1	localhost
::1		localhost
127.0.1.1	{myhostname}.localdomain {myhostname}

Enable services

$ systemctl enable NetworkManager.service
$ systemctl enable systemd-resolved.service

Passwords and users

$ passwd
$ useradd -G wheel -m {user}
$ passwd {user}

Initial ramdisk
$ vim /etc/mkinitcpio.conf
1. Find like that starts with: HOOKS(base udev…) and add near the end but still inside the brackets:
  encrypt lvm2
2. Create new initramfs
  $ mkinitcpio -P
Boot loader (GRUB)
1. Exit chroot environment by typing exit or pressing Ctr+d.
2. Add partition information to grub file
  $ lsblk -f >> /mnt/etc/default/grub
Chroot into system and edit grub file
$ arch-chroot /mnt $ vim /etc/default/grub
1. Grab output of the previous (lsbblk -f) command at the bottom and move it to the top.
2. Comment it
3. Add to the GRUB_CMDLINE_LINUX_DEFAULT property to look like this (where {brackets} should be replaced with correct UUID and "cryptname" to preferred name)
  GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID={uuid-of-/dev/sdX#}:cryptname root=UUID={uuid-of-/dev/mapper/{name}}"

Install GRUB

$ pacman -S efibootmgr
$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Microcode (CPU updates), depending on processor manufacturer run following
$ pacman -S amd-ucode $ pacman -S intel-ucode
Generate grub cfg
$ grub-mkconfig -o /boot/grub/grub.cfg
Exit chroot, reboot, remove USB, and (hopefully) enjoy.