Arch Linux encrypted installation

Installation steps with information taken from the official installation guide to assist the process with encryption. Be aware that this guide may become outdated and/or contain bugs. Also, this guide only covers a specific installation, so no swapfile, only with EFI system partition, etc.

Setup

Download ISO file

Verify signature

$ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig

or from existing arch installation:

$ pacman-key -v archlinux-version-x86_64.iso.sig

Prepare USB flash drive

$ dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/x conv=fsync oflag=direct status=progress

Boot from USB file (UEFI)

Installation

Verify boot mode
$ ls /sys/firmware/efi/efivars
If the command shows directory without error: booted in UEFI mode.
Connect to the internet
$ ip link $ ping archlinux.org
Update the system clock
$ timedatectl status
Partition the disks
$ fdisk -l or $ lsblk $ fdisk /dev/the_disk_to_be_partitioned
1. Delete all existing partitions
2. Create 2 new primary partitions on main disk
3. Defaults except first partition endsize, type: +600M
4. Optional: secure erase:
  $ dd if=/dev/urandom of=/dev/sdX# bs=4096 status=progress
Encrypt main partition (and others if multiple disks)
$ cryptsetup luksFormat /dev/sdX#
Open encrypted partition (name is needed for reference but not permanent)
$ cryptsetup open /dev/sdX# {name}

Format the partitions

$ mkfs.fat -F 32 /dev/boot_partition
$ mkfs.ext4 /dev/mapper/{name}

Mount the file systems

$ mount /dev/mapper/{name} /mnt
$ mkdir /mnt/boot
$ mount /dev/boot_partition /mnt/boot

Optional: sort mirrors on geographical location
$ vim /etc/pacman.d/mirrorlist

Install (essential) packages

$ pacstrap -K /mnt base base-devel linux linux-firmware grub networkmanager cryptsetup lvm2 vim

Generate fstab (define how partitions should be mounted)
$ genfstab -U /mnt >> /mnt/etc/fstab
Change root into new system
$ arch-chroot /mnt

Time zone (region and city variables)

$ ln -sf /usr/share/zoneinfo/{Region}/{City} /etc/localtime
$ hwclock --systohc

Localization

$ vim /etc/locale.gen

uncomment lines

en_US.UTF-8 UTF-8
en_US ISO-8859-1

$ locale-gen

set lang variable
$ vim /etc/locale.conf
1. add text
  LANG=en_US.UTF-8

Network configuration

$ vim /etc/hostname

add text
myhostname
Config hosts
$ vim /etc/hosts

add text (myhostname is variable based on /etc/hostname)

127.0.0.1	localhost
::1		localhost
127.0.1.1	{myhostname}.localdomain {myhostname}

Enable services

$ systemctl enable NetworkManager.service
$ systemctl enable systemd-resolved.service

Passwords and users

$ passwd
$ useradd -G wheel -m {user}
$ passwd {user}

Initial ramdisk
$ vim /etc/mkinitcpio.conf
1. Find like that starts with: HOOKS(base udev…) and add near the end but still inside the brackets:
  encrypt lvm2
2. Create new initramfs
  $ mkinitcpio -P
Boot loader (GRUB)
1. Exit chroot environment by typing exit or pressing Ctr+d.
2. Add partition information to grub file
  $ lsblk -f >> /mnt/etc/default/grub
Chroot into system and edit grub file
$ arch-chroot /mnt $ vim /etc/default/grub
1. Grab output of the previous (lsbblk -f) command at the bottom and move it to the top.
2. Comment it
3. Add to the GRUB_CMDLINE_LINUX_DEFAULT property to look like this (where {brackets} should be replaced with correct UUID and "cryptname" to preferred name)
  GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID={uuid-of-/dev/sdX#}:cryptname root=UUID={uuid-of-/dev/mapper/{name}}"

Install GRUB

$ pacman -S efibootmgr
$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Microcode (CPU updates), depending on processor manufacturer run following
$ pacman -S amd-ucode $ pacman -S intel-ucode
Generate grub cfg
$ grub-mkconfig -o /boot/grub/grub.cfg
Exit chroot, reboot, remove USB, and (hopefully) enjoy.

Contact Donate