Refer to the main Arch Linux install guide for more information.
ip link
ping archlinux.org
Refer to the main Arch Linux install guide for more information.
These steps probably aren't strictly necessary, but they are traditional and you should probably just do them. You can tab-complete the TZ value to find your proper zone.
timedatectl set-ntp true
timedatectl set-timezone America/Los_Angeles
timedatectl status
We will use the LVM on LUKS pattern to achieve full disk encryption. You can read about other strategies here.
Here is a breakdown of what we're going for:
+----------------+ +-----------------------------------------------------------------------+
| Boot partition | | Logical volume 1      | Logical volume 2      | Logical volume 3      |
|                | |                       |                       |                       |
| /boot          | | [SWAP]                | /                     | /home                 |
|                | |                       |                       |                       |
|                | | /dev/VolumeGroup/swap | /dev/VolumeGroup/root | /dev/VolumeGroup/home |
|                | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|
|                | |                                                                       |
|                | |                       LUKS2 encrypted partition                       |
| /dev/sda1      | |                               /dev/sda2                               |
+----------------+ +-----------------------------------------------------------------------+
If the disk is a hard drive, it is a good idea to write random data to the entire drive first. If the disk is an SSD this method is not effective (and may in fact be detrimental to the drive), and you will have to settle for slightly softer security.
You can read more about this here.
Find the device associated with your disk. You can list all disks with fdisk -l. For this guide, I'll be referring to the physical disk as /dev/sda, though yours may be different. The contents of this disk will be destroyed in this process.
Open the disk in fdisk:
fdisk /dev/sda
Create a boot partition:
- n to create a new partition
- p for primary
- 1 for partition 1
- enter to choose the default start point (2048 for me)
- +200M for a 200MiB boot partition size (feel free to adjust)
Create the main partition. Make a new partition using the rest of the disk (n, p, 2, enter, enter).
Once done, p will show the partition layout and w will write the changes to the disk.
Encrypt the main system partition with LUKS:
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptlvm
The name cryptlvm is arbitrary, but you will need it later when setting up LVM and also when configuring GRUB. The decrypted container is now available at /dev/mapper/cryptlvm.
pvcreate /dev/mapper/cryptlvm
vgcreate VolumeGroup /dev/mapper/cryptlvm
The name VolumeGroup is arbitrary. Going forward, you will use this to refer to your logical volumes.
- Swap should generally be 8-24G depending on how much RAM you have (1.5 to 2 times your RAM is usually sufficient).
- For Arch, ~30-35G seems reasonable for root, though feel free to dedicate more to this (50G or so would be very safe). The minimum is probably around 15-20G to be safe.
Don't fret too much about this. One nice thing about using LVM is that you can change the sizes of your logical volumes fairly easily.
lvcreate -L 8G VolumeGroup -n swap
lvcreate -L 32G VolumeGroup -n root
lvcreate -l 100%FREE VolumeGroup -n home
mkswap /dev/VolumeGroup/swap
mkfs.ext4 /dev/VolumeGroup/root
mkfs.ext4 /dev/VolumeGroup/home
mount /dev/VolumeGroup/root /mnt
mkdir /mnt/home
mount /dev/VolumeGroup/home /mnt/home
swapon /dev/VolumeGroup/swap
mkfs.ext4 /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Edit /etc/pacman.d/mirrorlist if you want.
Use the pacstrap script to install the base package group:
pacstrap /mnt base
Make sure everything is mounted correctly in /mnt before doing this. lsblk may be helpful here.
When you are sure, run:
genfstab -U /mnt >> /mnt/etc/fstab
Open the file and check for errors. (A common one is two swap entries, one from the live ISO and one from your newly created swap.)
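A small check for the duplicate-swap problem mentioned above, added here as an example (not part of the original guide). It runs over a constructed fstab sample; on the real system point it at /mnt/etc/fstab.

```shell
#!/bin/sh
# Added example: report fstab entries that appear more than once, such as two
# swap lines (one from the live ISO, one from the new logical volume).
# The fstab below is a constructed sample, not output from a real system.

# Print every mount point (swap lines are grouped under "swap") that occurs
# more than once, together with the offending lines. Returns 1 if any found.
fstab_dupes() {
    awk '
        /^[[:space:]]*#/ { next }        # skip comments
        NF == 0 { next }                 # skip blank lines
        {
            key = ($3 == "swap") ? "swap" : $2   # swap has mount point "none"
            count[key]++
            lines[key] = lines[key] "    " $0 "\n"
        }
        END {
            for (k in count)
                if (count[k] > 1) {
                    printf "%s appears %d times:\n%s", k, count[k], lines[k]
                    bad = 1
                }
            if (bad) exit 1
        }' "$1"
}

# Constructed sample: the root, swap and boot lines plus a stray live-ISO swap.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /dev/mapper/VolumeGroup-root
UUID=aaaa-root  /       ext4  rw,relatime  0 1
UUID=aaaa-swap  none    swap  defaults     0 0
UUID=bbbb-boot  /boot   ext4  rw,relatime  0 2
UUID=live-swap  none    swap  defaults     0 0
EOF
fstab_dupes "$sample" || echo "fix the fstab before rebooting"
rm -f "$sample"
```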
If you've done everything correctly up to this point, it should look similar to this:
Change root into the new system:
arch-chroot /mnt
This is completely optional, but only vi is included in the base install and it is kind of a pain to use. I like to install vim here for my sanity when editing config files going forward.
pacman -S vim
Set the time zone:
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
Run hwclock to generate /etc/adjtime:
hwclock --systohc
This command assumes the hardware clock is set to UTC.
Uncomment en_US.UTF-8 UTF-8 and other needed locales in /etc/locale.gen, and generate them with:
locale-gen
Create the locale.conf(5) file, and set the LANG variable accordingly:
/etc/locale.conf
LANG=en_US.UTF-8
/etc/hostname
myhostname
/etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.0.1 myhostname.localdomain myhostname
If the system has a permanent IP address, it should be used instead of 127.0.0.1.
If you want NetworkManager, install it now. Otherwise, configure your network some other way.
pacman -S networkmanager
systemctl enable NetworkManager
This file tells mkinitcpio how to configure the initial ramdisk (initramfs) that boots the system. This is the environment you will be in when you type your password to unlock your drive during boot. There are multiple ways to set this up; I have gone with the systemd (sd-) version here.
In the /etc/mkinitcpio.conf file, find the HOOKS= line and replace it with:
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)
Create a vconsole config (this can be blank, but it needs to exist since we're using the sd-vconsole hook):
touch /etc/vconsole.conf
Create a new initramfs from the above config:
mkinitcpio -p linux
You should not see any errors, but warnings are probably OK.
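Added example (not part of the original guide): a check that the HOOKS line in mkinitcpio.conf has the systemd, sd-encrypt and sd-lvm2 hooks in a workable order and that the file sd-vconsole expects exists, run before building the initramfs. It runs on constructed sample configs; on the real system you would pass /etc/mkinitcpio.conf and /etc/vconsole.conf.

```shell
#!/bin/sh
# Added example: sanity-check the HOOKS line for the systemd/sd-encrypt/sd-lvm2
# layout used above. Sample configs below are constructed, not real files.

# Print the 1-based position of hook $2 in the space-separated list $1, or 0.
hook_pos() {
    i=0
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# $1 = mkinitcpio.conf path, $2 = vconsole.conf path.
# Returns 0 if the HOOKS line is consistent, 1 otherwise (problems on stdout).
check_hooks() {
    conf=$1; vconsole=$2; ok=0
    hooks=$(sed -n 's/^HOOKS=(\(.*\))$/\1/p' "$conf")
    [ -n "$hooks" ] || { echo "no HOOKS=(...) line in $conf"; return 1; }
    systemd=$(hook_pos "$hooks" systemd)
    enc=$(hook_pos "$hooks" sd-encrypt)
    lvm=$(hook_pos "$hooks" sd-lvm2)
    fs=$(hook_pos "$hooks" filesystems)
    kbd=$(hook_pos "$hooks" keyboard)
    vc=$(hook_pos "$hooks" sd-vconsole)
    [ "$systemd" -gt 0 ] || { echo "sd-* hooks need the systemd hook"; ok=1; }
    [ "$enc" -gt 0 ] && [ "$enc" -lt "$lvm" ] || { echo "sd-encrypt must come before sd-lvm2"; ok=1; }
    [ "$lvm" -gt 0 ] && [ "$lvm" -lt "$fs" ] || { echo "sd-lvm2 must come before filesystems"; ok=1; }
    [ "$kbd" -gt 0 ] && [ "$kbd" -lt "$enc" ] || { echo "keyboard should come before sd-encrypt"; ok=1; }
    [ "$vc" -eq 0 ] || [ -e "$vconsole" ] || { echo "sd-vconsole listed but $vconsole is missing"; ok=1; }
    return $ok
}

# Constructed samples: the HOOKS line from this guide, and a broken one.
dir=$(mktemp -d)
printf 'HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)\n' > "$dir/good.conf"
printf 'HOOKS=(base udev autodetect modconf block sd-lvm2 sd-encrypt filesystems fsck)\n' > "$dir/bad.conf"
: > "$dir/vconsole.conf"
check_hooks "$dir/good.conf" "$dir/vconsole.conf" && echo "good.conf: OK"
check_hooks "$dir/bad.conf" "$dir/vconsole.conf" || echo "bad.conf: problems found"
rm -rf "$dir"
```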
pacman -S grub
grub-install --target=i386-pc /dev/sda
Get the UUID of your encrypted partition (sda2):
blkid /dev/sda2
Edit /etc/default/grub, replacing the-uuid-from-above with the UUID of your encrypted partition. Make sure to get this right; this tells GRUB how to boot your system.
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.luks.name=the-uuid-from-above=cryptlvm rd.luks.options=discard root=/dev/VolumeGroup/root resume=/dev/VolumeGroup/swap"
grub-mkconfig -o /boot/grub/grub.cfg
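Added example (not part of the original guide): assemble the kernel command line from the UUID instead of pasting it by hand, and rewrite the GRUB_CMDLINE_LINUX_DEFAULT line for review before it goes into /etc/default/grub. The UUID below is a constructed sample; on the real system it comes from blkid -s UUID -o value /dev/sda2. rd.luks.options=discard is opt-in here because it only helps on an SSD and lets anyone who reads the raw disk see which blocks are unused.

```shell
#!/bin/sh
# Added example: build and install the GRUB kernel command line used in this
# guide. Names (cryptlvm, VolumeGroup) are the guide's; the UUID is constructed.

# True if $1 looks like a blkid UUID (8-4-4-4-12 lowercase hex digits).
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the GRUB_CMDLINE_LINUX_DEFAULT value. $1 = LUKS UUID, $2 = hdd or ssd.
# Fails (returns 1) rather than emitting a line with a malformed UUID.
build_cmdline() {
    uuid=$1; disk=$2
    valid_uuid "$uuid" || return 1
    opts=""
    [ "$disk" = ssd ] && opts=" rd.luks.options=discard"
    printf 'quiet rd.luks.name=%s=cryptlvm%s root=/dev/VolumeGroup/root resume=/dev/VolumeGroup/swap\n' \
        "$uuid" "$opts"
}

# Print the grub config file $1 with GRUB_CMDLINE_LINUX_DEFAULT set to $2
# (appended if the file has no such line), so the result can be reviewed.
set_cmdline() {
    awk -v val="$2" '
        /^GRUB_CMDLINE_LINUX_DEFAULT=/ { print "GRUB_CMDLINE_LINUX_DEFAULT=\"" val "\""; seen = 1; next }
        { print }
        END { if (!seen) print "GRUB_CMDLINE_LINUX_DEFAULT=\"" val "\"" }' "$1"
}

# On the real system: uuid=$(blkid -s UUID -o value /dev/sda2)
uuid=0123abcd-4567-89ef-0123-456789abcdef      # constructed sample UUID
tmp=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$tmp"
cmd=$(build_cmdline "$uuid" hdd) || echo "bad UUID: $uuid"
set_cmdline "$tmp" "$cmd"      # review, then copy over /etc/default/grub
rm -f "$tmp"
```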
Almost done! Don't forget to set a root password.
passwd
Good luck! I've done this twice now, and both times it has worked the first time. I believe in you!
Log in on the tty and run lsblk; you should see something like this: