Skip to content

Instantly share code, notes, and snippets.

@Thrilleratplay

Thrilleratplay/arch-linux-install.md

Forked from mattiaslundberg/arch-linux-install
Last active November 8, 2024 00:06
Show Gist options
  • Save Thrilleratplay/93d57dbab36dc4304cd8 to your computer and use it in GitHub Desktop.
Save Thrilleratplay/93d57dbab36dc4304cd8 to your computer and use it in GitHub Desktop.
Download ZIP
Installing Arch Linux on an LUKS Encrpyted root and booting from UEFI
Raw
arch-linux-install.md

Installing Arch Linux on an LUKS Encrypted root and booting from UEFI.

Sources

Before you begin

  • For Gummiboot, EFI must be enabled in the bios setup BEFORE YOU START the installation process. It will yell at you if this is not enabled.
  • If you do not have UEFI, it may be easier to use rEFInd or Grub2
  • This is only for a single booted system and am I not sure if dual booting Windows or OSX will work with this configuration
Variables to replace
/dev/sdX    # replace with your drive
MYHOSTNAME  # replace this with your hostname
MYUSERNAME  # single user name
  1. Begin by booting into the Arch Linux ISO installation
  2. Ethernet is plugged in on boot, dhcpcd is run automatically.
  1. Overwrite the whole drive with random data to strengthen encryption. At the same time perform a bad blocks scan to make sure the hard drive is not going to die too soon:
    NOTE: This is intended to ABLITERATE ALL DATA ON THE DRIVE!!!!!
$>  badblocks -c 10240 -s -w -t random -v /dev/sdX
  1. Create partitions
  • Start cgdisk:
$>  cgdisk /dev/sdX
partition number Size name fs hex fs type formatted
1 50MB efi ef00 EFI system fat32
2 210GB cryp 8300 Linux filesystem crypt_luks with ext4 lvm
3 88GB data 8300 Linux filesystem ext4 (will not be encrypted)
  1. Set up sdX1 and sdX3 file systems
$>  mkfs.vfat -F32 /dev/sdX1
$>  mkfs.ext4 /dev/sdX3
  1. Setup the encryption of the system on /dev/sdX2
    Information about encryption options here
  • aes - Encryption block cipher
  • xts - Block cipher encryption mode
  • plain64 - the initial vector is the 64-bit little-endian version of the sector number, padded with zeros if necessary.
$>  cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2
# Then open newly created luks partition
$>  cryptsetup luksOpen /dev/sdX2 luks
  1. Create encrypted physical volume, volume group and logical volumes for swap and root partitions
$>  pvcreate /dev/mapper/luks
$>  vgcreate vgcrypt /dev/mapper/luks
# Creates one logic for swap
$>  lvcreate --size 8G vgcrypt --name swap
# All of the remaining space is made into create root
$>  lvcreate -l +100%FREE vgcrypt --name root
  1. Create filesystems on encrypted volumes
$>  mkfs.ext4 /dev/mapper/vgcrypt-root
$>  mkswap /dev/mapper/vgcrypt-swap
  1. Mount the new system
# /mnt is the installed system
$>  mount /dev/mapper/vgcrypt-root /mnt 
$>  swapon /dev/mapper/vgcrypt-swap # used in fstab generation
$>  mkdir /mnt/boot
$>  mount /dev/sdX1 /mnt/boot
$>  mkdir -p /mnt/data/docker
$>  mount /dev/sda3 /mnt/data/docker
  1. Install the core system with UEFI boot capabilities (zsh is optional)
$>  pacstrap /mnt base base-devel gummiboot zsh efibootmgr linux
  1. Generate fstab
$>  genfstab -pU /mnt > /mnt/etc/fstab
  • To make /tmp a tmpfs ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
  1. Enter the new system
$>  arch-chroot /mnt /bin/bash

######YOU ARE NOW IN THE CHROOT JAIL
12. Setup system clock
TODO: add ntpdate setup

$>  ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
$>  hwclock --systohc --utc
  1. Set the hostname
$>  echo MYHOSTNAME > /etc/hostname
  1. Set password for root
$>  passwd
  1. OPTIONAL: Add user NOTE: if you are not using zsh, change to appropriate shell like bash
$>  useradd -m -g users -G wheel,storage,power -s /bin/zsh MYUSERNAME
$>  passwd MYUSERNAME
  1. Configure mkinitcpio with modules needed for the initrd image
$>  nano /etc/mkinitcpio.conf

Add 'keymap encrypt lvm2' to HOOKS BEFORE 'filesystems' and 'shutdown' to the end, like the following line:

HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck shutdown"

Then regenerate initrd image

$>  mkinitcpio -p linux
  1. Setup gummiboot
  2. Install gummyboot into /boot
$>  gummiboot install
  1. Create Arch Boot option.
$>  nano /boot/loader/entries/arch.conf

It should look like this:

title          Arch Linux
linux          /vmlinuz-linux
options        initrd=/initramfs-linux.img cryptdevice=/dev/sdX2:luks-vgcrypt root=/dev/vgcrypt/root rw
  1. Modify gummiboot options
$>  nano /boot/loader/loader.conf

Change the default boot option To "arch" and uncomment timeout if desired

default arch
  1. Exit new system and go into the cd shell
$>  exit

######YOU ARE NOW LEAVING THE CHROOT JAIL

  1. Unmount all partitions and reboot (don't forget to remove the cd/usb)
umount -R /mnt
reboot
@Thrilleratplay
Copy link
Author

fix typos

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment