Minimal instructions for installing arch linux on an UEFI system with full system encryption using dm-crypt and luks

arch-linux-install.sh

# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# boot loaders (helpful when dual-booting): https://wiki.archlinux.org/index.php/Arch_boot_process#Boot_loader
#  - GRUB and rEFInd are quite popular
# General recommendations (after install): https://wiki.archlinux.org/index.php/General_recommendations

# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

# Set your keymap, e.g. swedish keymap
loadkeys sv-latin1

# This assumes a wifi only system...
wifi-menu

# Sync timedatectl using ntp (later, setup timezones in chroot)
timedatectl set-ntp true
timedatectl status

# Create partitions
cgdisk /dev/sdX
# note: when attempting to dual boot (e.g. with windows), you can use the windows EFI system partition rather than creating a new one.
# however, newer Windows EFI partitions are usually quite small and don't have enough extra space for e.g. GRUB,
# so during a dual boot I usually create a second EFI partition, tell Windows UEFI to boot that first, and tell the linux
# bootloader where Windows EFI is so it can be chainloaded when booting into Windows.
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partiton # (to be encrypted) Hex code 8300

mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2

# Setup the encryption of the system
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks

# Create encrypted partitions
# This creates one partions for root, modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

# Mount the new system 
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi

# Install the system
# install other required packages (e.g. netctl for wifi) later during chroot
pacstrap /mnt base base-devel linux linux-firmware man-db man-pages texinfo

# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab

## 2019? Don't do this, had some errors booting
#    # Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
#    tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0

# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

# Fix hanging issues caused by upstream changes in lvm2:
# https://bbs.archlinux.org/viewtopic.php?id=242594
# https://unix.stackexchange.com/questions/105389/arch-grub-asking-for-run-lvm-lvmetad-socket-on-a-non-lvm-disk
mkdir /mnt/hostrun
mount --bind /run /mnt/hostrun

# Enter the new system
arch-chroot /mnt /bin/bash

# Link lvm:
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm

# move your country's mirrorlist to the top of the file
vim /etc/pacman.d/mirrorlist

# system: for intel processors
pacman -S intel-ucode

# system: for amd processors
pacman -S amd-ucode

# system: for wifi
pacman -S dialog wpa_supplicant netctl dhcpcd

# install these if you want GRUB as bootloader
pacman -S grub-efi-x86_64 efibootmgr os-prober

# use rEFInd as bootloader instead
pacman -S refind-efi

# general quality of life
pacman -S zsh vim git

# Setup system clock
timedatectl set-timezone "America/New_York"
ln -sv /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo MYHOSTNAME > /etc/hostname
# add following lines to /etc/hosts:
vim /etc/hosts
# 127.0.1.1 	<myhostname>.localdomain	<myhostname>
# b. Ensure <myhostname> is at the end of the other lines
# 127.0.0.1 	... 	localhost	myhostname
# ::1 		... 	localhost	myhostname

# Update locale
# uncomment your preferred locale (e.g. en_US.UTF-8)
vim /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf

# Set password for root
passwd

# Add real user remove -s flag if you don't whish to use zsh
# useradd -m -g users -G wheel -s /usr/bin/zsh MYUSERNAME
# passwd MYUSERNAME

# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems

# Regenerate initrd image
mkinitcpio -p linux

#### using GRUB bootloader

# Setup grub
grub-install --target=x86_64-efi --efi-directory=/boot/

# when using encryption:
# In /etc/default/grub edit the line:
# GRUB_CMDLINE_LINUX -> GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"
# I also uncommented:
# GRUB_ENABLE_CRYPTODISK=y

# if dual-booting with MORE THAN ONE EFI partition, mount the Windows EFI partition, e.g.
mkdir /winefi
mount /dev/sda2 /winefi  # get the correct block device from fdisk -l
# when running grub-mkconfig, GRUB should output a line about finding a Windows EFI partition as well.

# then run:
grub-mkconfig -o /boot/grub/grub.cfg

#### Using rEFInd bootloader
# TODO
# see: https://sidsbits.com/Arch-Install/#Boot-Managers-and-Kernels

# unmount lvm first
umount /run/lvm

# Exit new system and go into the cd shell
exit

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot into the new system, don't forget to remove the cd/usb
reboot