Arch Linux encrypted installation

Installation steps for Arch Linux with an encrypted root partition, based on the official installation guide. Be aware that this guide may become outdated and/or contain bugs. It covers only one specific setup: no swap file, booting only from an EFI system partition, etc.

Setup

  1. Download ISO file

  2. Verify signature

    $ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig

    or, from an existing Arch installation:

    $ pacman-key -v archlinux-version-x86_64.iso.sig
  3. Prepare USB flash drive

    $ dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/x conv=fsync oflag=direct status=progress
  4. Boot from the USB flash drive (UEFI)

Installation

  1. Verify boot mode

    $ ls /sys/firmware/efi/efivars

    If the command lists the directory without an error, the system booted in UEFI mode.

  2. Connect to the internet

    $ ip link
    $ ping archlinux.org
  3. Update the system clock

    $ timedatectl status
  4. Partition the disks

    $ fdisk -l
    or
    $ lsblk
    $ fdisk /dev/the_disk_to_be_partitioned
    1. Delete all existing partitions

    2. Create 2 new primary partitions on main disk

    3. Accept the defaults, except for the end size of the first partition, where you type: +600M

    4. Optional: secure erase (overwrite the partition with random data):

      $ dd if=/dev/urandom of=/dev/sdX# bs=4096 status=progress
  5. Encrypt main partition (and others if multiple disks)

    $ cryptsetup luksFormat /dev/sdX#
  6. Open the encrypted partition (the name is only used to reference the mapped device and is not permanent)

    $ cryptsetup open /dev/sdX# {name}
  7. Format the partitions

    $ mkfs.fat -F 32 /dev/boot_partition
    $ mkfs.ext4 /dev/mapper/{name}
  8. Mount the file systems

    $ mount /dev/mapper/{name} /mnt
    $ mkdir /mnt/boot
    $ mount /dev/boot_partition /mnt/boot
  9. Optional: sort mirrors by geographical location

    $ vim /etc/pacman.d/mirrorlist
  10. Install (essential) packages

    $ pacstrap -K /mnt base base-devel linux linux-firmware grub networkmanager cryptsetup lvm2 vim
  11. Generate fstab (define how partitions should be mounted)

    $ genfstab -U /mnt >> /mnt/etc/fstab
  12. Change root into new system

    $ arch-chroot /mnt
  13. Time zone (region and city variables)

    $ ln -sf /usr/share/zoneinfo/{Region}/{City} /etc/localtime
    $ hwclock --systohc
  14. Localization

    $ vim /etc/locale.gen
    1. uncomment lines

      en_US.UTF-8 UTF-8
      en_US ISO-8859-1
      $ locale-gen
    2. set lang variable

      $ vim /etc/locale.conf
      1. add text

        LANG=en_US.UTF-8
  15. Network configuration

    $ vim /etc/hostname
    1. add text

      myhostname
    2. Config hosts

      $ vim /etc/hosts
    3. add text (myhostname is variable based on /etc/hostname)

      127.0.0.1	localhost
      ::1		localhost
      127.0.1.1	{myhostname}.localdomain {myhostname}
    4. Enable services

      $ systemctl enable NetworkManager.service
      $ systemctl enable systemd-resolved.service
  16. Passwords and users

    $ passwd
    $ useradd -G wheel -m {user}
    $ passwd {user}
  17. Initial ramdisk

    $ vim /etc/mkinitcpio.conf
    1. Find the line that starts with: HOOKS=(base udev…) and add near the end but still inside the brackets:

      encrypt lvm2
    2. Create new initramfs

      $ mkinitcpio -P
  18. Boot loader (GRUB)

    1. Exit the chroot environment by typing exit or pressing Ctrl+d.

    2. Add partition information to grub file

      $ lsblk -f >> /mnt/etc/default/grub
  19. Chroot into system and edit grub file

    $ arch-chroot /mnt
    $ vim /etc/default/grub
    1. Grab the output of the previous (lsblk -f) command at the bottom and move it to the top.

    2. Comment it

    3. Edit the GRUB_CMDLINE_LINUX_DEFAULT property to look like this (replace each {bracketed} placeholder with the correct UUID and "cryptname" with your preferred name)

      GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID={uuid-of-/dev/sdX#}:cryptname root=UUID={uuid-of-/dev/mapper/{name}}"
  20. Install GRUB

    $ pacman -S efibootmgr
    $ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  21. Microcode (CPU updates): run the one command that matches your processor manufacturer

    $ pacman -S amd-ucode      # AMD CPUs
    $ pacman -S intel-ucode    # Intel CPUs
  22. Generate grub cfg

    $ grub-mkconfig -o /boot/grub/grub.cfg
  23. Exit chroot, reboot, remove USB, and (hopefully) enjoy.
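
A consistency check for steps 17 and 19, to run before the final reboot: a cryptdevice= or root= UUID that points at the wrong device, or a missing hook, leaves the system unable to unlock the root partition at boot. This is an added example, not part of the original guide; the function names, the `cryptroot` mapping name, the hook list and the UUIDs in the sample are assumptions, and the device list is expected in the format printed by `lsblk -P -o NAME,FSTYPE,UUID`.

```sh
#!/bin/sh
# Added example: check steps 17 and 19 before the final reboot.

# uuid_of FSTYPE PAIRS: UUID of the first device with that FSTYPE in the output
# of `lsblk -P -o NAME,FSTYPE,UUID`.
uuid_of() {
    printf '%s\n' "$2" | sed -n "s/.*FSTYPE=\"$1\" UUID=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_boot_config GRUB_FILE MKINITCPIO_FILE PAIRS: returns 0 when the kernel command
# line and HOOKS agree with the block devices, 1 (one message per problem) otherwise.
check_boot_config() {
    luks=$(uuid_of crypto_LUKS "$3")
    root=$(uuid_of ext4 "$3")    # assumption: the root filesystem is the only ext4 one
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tr '"' ' ')
    hooks=$(grep '^HOOKS=' "$2" | tr '()' '  ')
    rc=0
    [ -n "$luks" ] || { echo "no crypto_LUKS partition found"; return 1; }
    [ -n "$root" ] || { echo "no ext4 filesystem found (is the LUKS device open?)"; return 1; }
    case $cmdline in
        *" cryptdevice=UUID=$luks:"*) ;;
        *) echo "cryptdevice= must use the LUKS partition UUID $luks"; rc=1 ;;
    esac
    case $cmdline in
        *" root=UUID=$root "*) ;;
        *) echo "root= must use the filesystem UUID $root"; rc=1 ;;
    esac
    for hook in encrypt lvm2; do
        case " $hooks " in
            *" $hook "*) ;;
            *) echo "HOOKS is missing '$hook'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample data (UUIDs are made up) standing in for the real files.
SAMPLE_PAIRS='NAME="sda" FSTYPE="" UUID=""
NAME="sda1" FSTYPE="vfat" UUID="AAAA-0001"
NAME="sda2" FSTYPE="crypto_LUKS" UUID="11111111-2222-3333-4444-555555555555"
NAME="cryptroot" FSTYPE="ext4" UUID="66666666-7777-8888-9999-000000000000"'
demo_dir=$(mktemp -d)
echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=11111111-2222-3333-4444-555555555555:cryptroot root=UUID=66666666-7777-8888-9999-000000000000"' > "$demo_dir/grub"
echo 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems fsck)' > "$demo_dir/mkinitcpio.conf"
check_boot_config "$demo_dir/grub" "$demo_dir/mkinitcpio.conf" "$SAMPLE_PAIRS" && echo "config consistent"
```

Inside the chroot, the same function can be called on the real files as `check_boot_config /etc/default/grub /etc/mkinitcpio.conf "$(lsblk -P -o NAME,FSTYPE,UUID)"`.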