Arch Linux encrypted installation
Installation steps with information taken from the official installation guide to assist the process with encryption. Be aware that this guide may become outdated and/or contain bugs. Also, this guide only covers a specific installation, so no swapfile, only with EFI system partition, etc.
Setup
-
Verify signature
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
or, from an existing Arch installation:
$ pacman-key -v archlinux-version-x86_64.iso.sig
-
Prepare USB flash drive
$ dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/x conv=fsync oflag=direct status=progress
-
Boot from the USB flash drive (UEFI)
Installation
-
Verify boot mode
$ ls /sys/firmware/efi/efivars
If the command lists the directory without error, the system is booted in UEFI mode.
-
Connect to the internet
$ ip link
$ ping archlinux.org
-
Update the system clock
$ timedatectl status
-
Partition the disks
$ fdisk -l
or
$ lsblk
$ fdisk /dev/the_disk_to_be_partitioned
-
Delete all existing partitions
-
Create 2 new primary partitions on main disk
-
Use the defaults, except for the end size of the first partition, where you type: +600M
-
Optional: secure erase:
$ dd if=/dev/urandom of=/dev/sdX# bs=4096 status=progress
-
-
Encrypt main partition (and others if multiple disks)
$ cryptsetup luksFormat /dev/sdX#
-
Open encrypted partition (name is needed for reference but not permanent)
$ cryptsetup open /dev/sdX# {name}
-
Format the partitions
$ mkfs.fat -F 32 /dev/boot_partition
$ mkfs.ext4 /dev/mapper/{name}
-
Mount the file systems
$ mount /dev/mapper/{name} /mnt
$ mkdir /mnt/boot
$ mount /dev/boot_partition /mnt/boot
-
Optional: sort mirrors on geographical location
$ vim /etc/pacman.d/mirrorlist
-
Install (essential) packages
$ pacstrap -K /mnt base base-devel linux linux-firmware grub networkmanager cryptsetup lvm2 vim
-
Generate fstab (define how partitions should be mounted)
$ genfstab -U /mnt >> /mnt/etc/fstab
-
Change root into new system
$ arch-chroot /mnt
-
Time zone (region and city variables)
$ ln -sf /usr/share/zoneinfo/{Region}/{City} /etc/localtime
$ hwclock --systohc
-
Localization
$ vim /etc/locale.gen
-
Uncomment lines
en_US.UTF-8 UTF-8
en_US ISO-8859-1
$ locale-gen
-
Set LANG variable
$ vim /etc/locale.conf
-
Add text
LANG=en_US.UTF-8
-
-
-
Network configuration
$ vim /etc/hostname
-
Add text
myhostname
-
Config hosts
$ vim /etc/hosts
-
Add text (myhostname is the name set in /etc/hostname)
127.0.0.1 localhost
::1 localhost
127.0.1.1 {myhostname}.localdomain {myhostname}
-
Enable services
$ systemctl enable NetworkManager.service
$ systemctl enable systemd-resolved.service
-
-
Passwords and users
$ passwd
$ useradd -G wheel -m {user}
$ passwd {user}
-
Initial ramdisk
$ vim /etc/mkinitcpio.conf
-
Find the line that starts with: HOOKS=(base udev…) and add near the end, but still inside the brackets:
encrypt lvm2
-
Create new initramfs
$ mkinitcpio -P
-
-
Boot loader (GRUB)
-
Exit the chroot environment by typing exit or pressing Ctrl+d.
-
Add partition information to grub file
$ lsblk -f >> /mnt/etc/default/grub
-
-
Chroot into system and edit grub file
$ arch-chroot /mnt
$ vim /etc/default/grub
-
Grab the output of the previous (lsblk -f) command at the bottom of the file and move it to the top.
-
Comment it out
-
Edit the GRUB_CMDLINE_LINUX_DEFAULT property to look like this (replace the {brackets} with the correct UUIDs and "cryptname" with your preferred name)
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID={uuid-of-/dev/sdX#}:cryptname root=UUID={uuid-of-/dev/mapper/{name}}"
-
-
Install GRUB
$ pacman -S efibootmgr
$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
-
Microcode (CPU updates): depending on the processor manufacturer, run one of the following
$ pacman -S amd-ucode
or
$ pacman -S intel-ucode
-
Generate grub cfg
$ grub-mkconfig -o /boot/grub/grub.cfg
-
Exit chroot, reboot, remove USB, and (hopefully) enjoy.
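
Added example (not part of the original guide): the GRUB_CMDLINE_LINUX_DEFAULT step above is where a swapped UUID leaves the system unbootable, so this helper builds the line from lsblk output and refuses to continue when the partition is not the LUKS container or the mapping is not open. The names sda2 and cryptroot and the UUIDs in the sample are assumptions made up for the demo; the helper reuses the mapper name as "cryptname".

```shell
#!/bin/sh
# Added example: derive the cryptdevice=/root= parameters from lsblk output.
# "sda2" and "cryptroot" are assumed names; substitute /dev/sdX# and {name}.

# Constructed sample of `lsblk -P -o NAME,FSTYPE,UUID` (UUIDs are made up).
SAMPLE='NAME="sda" FSTYPE="" UUID=""
NAME="sda1" FSTYPE="vfat" UUID="1A2B-3C4D"
NAME="sda2" FSTYPE="crypto_LUKS" UUID="11111111-2222-3333-4444-555555555555"
NAME="cryptroot" FSTYPE="ext4" UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"'

# grub_cmdline PARTITION MAPPER_NAME  (reads lsblk -P output on stdin)
# Prints the GRUB_CMDLINE_LINUX_DEFAULT line, or fails if the roles are mixed up.
grub_cmdline() {
    awk -v part="$1" -v mapper="$2" '
        # Return the value of KEY="value" on the current line ("" if absent).
        function val(key,    i, kv) {
            for (i = 1; i <= NF; i++)
                if (index($i, key "=\"") == 1) {
                    kv = substr($i, length(key) + 3)
                    return substr(kv, 1, length(kv) - 1)
                }
            return ""
        }
        val("NAME") == part   { ptype = val("FSTYPE"); puuid = val("UUID") }
        val("NAME") == mapper { mtype = val("FSTYPE"); muuid = val("UUID") }
        END {
            err = ""
            if (ptype != "crypto_LUKS")
                err = part " is not a LUKS container (FSTYPE=" ptype ")"
            else if (muuid == "" || mtype == "crypto_LUKS")
                err = mapper " is not an opened mapping with a filesystem"
            if (err != "") { print "error: " err > "/dev/stderr"; exit 1 }
            printf "GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet "
            printf "cryptdevice=UUID=%s:%s root=UUID=%s\"\n", puuid, mapper, muuid
        }'
}

# Demo on the constructed sample. On the real system, run:
#   lsblk -P -o NAME,FSTYPE,UUID | grub_cmdline sdX# {name}
printf '%s\n' "$SAMPLE" | grub_cmdline sda2 cryptroot
```

The cryptdevice UUID must be that of the raw encrypted partition and the root UUID that of the filesystem inside the opened mapping; passing the two names in the wrong order makes the helper exit non-zero instead of printing a line.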