Efficient UEFI Encrypted Root and Swap Arch Linux Installation Procedure with an ENCRYPTED BOOT using KDE Plasma 5

arch-linux.txt

# This guide will be using LVM on LUKS, see https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

# Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
# Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended.  For example:

$ gpg -v archlinux-2019.11.01-x86_64.iso.sig

# Burn the archlinux-*.iso  to a 1+ Gb USB stick.  On Mac, do something like:
$ diskutil unmountDisk /dev/disk4
$ sudo dd bs=4m of=/dev/rdisk4 if=archlinux-2020.01.01-x86_64.iso


-----------------------------------


# Set your keymap only if not you are not using the default English language.
$ loadkeys dk

# Connect to WiFi using:
$ wifi-menu

# Fix partition of the host
$ cfdisk /dev/sda

# We need ONLY two partitions!
# Partition Y = 100 MiB EFI partition # Hex code EF00
# Partition Z = Just size it to the last sector of your drive. # Hex code 8300.  

# Zero-out each of of your new partitions prior to creating filesystems on them.

$ cat /dev/zero > /dev/sda1

# followed by

$ cat /dev/zero > /dev/sda2

# Create a filesystem for /efi
$ mkfs.vfat -F 32 -n EFI /dev/sda1

# Encrypt and open your system partition
$ cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sda2

# Note our use of the critical '--type luks1' encryption switch.  The default Type 2 LUKS encryption PREVENTS Grub from
# being able to properly decrypt an encrypted /boot.  This is also precisely why an existing encrypted Arch system which used
# standard LUKS Type 2 encryption CANNOT be converted into an encrypted /boot system.  A clean install is necessary!

$ cryptsetup luksOpen /dev/sda2 luks

# Create encrypted LVM partitions

# Modify this structure only if you need additional, separate partitions.  The sizes used below are only suggestions.
# The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you.  Use your labels consistently, below!

$ pvcreate /dev/mapper/luks
$ vgcreate luks /dev/mapper/luks
$ lvcreate -L 8G luks -n swap
$ lvcreate -l 100%FREE luks -n root

# Create filesystems on your encrypted partitions
$ mkswap /dev/mapper/luks-swap
$ mkfs.xfs /dev/mapper/luks-root

# Mount the new system 
$ mount /dev/mapper/luks-root /mnt
$ swapon /dev/mapper/luks-swap
$ mkdir /mnt/boot
$ mkdir /mnt/efi
$ mount /dev/sda1 /mnt/efi

# Optional - Select the 10 most recently synchronized HTTPS mirrors, sort them by download speed, and overwrite the file /etc/pacman.d/mirrorlist:
$ pacman -Sy
$ pacman -S reflector
$ reflector --latest 10 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

# Install your Arch system

$ pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant linux linux-headers dkms dhcpcd netctl lvm2 linux-firmware iw vim reflector

# Create and review FSTAB
$ genfstab -U /mnt >> /mnt/etc/fstab

# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0

# Enter the new system
$ arch-chroot /mnt /bin/bash

# Set the system clock
$ ln -s /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime
$ hwclock --systohc --utc
$ timedatectl set-ntp true
$ localectl set-keymap dk

# Assign your hostname
$ hostnamectl set-hostname x1-carbon
$ echo x1-carbon > /etc/hostname

# Set or update your locale
If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8

# Now run:
$ locale-gen

# Set your root password
$ passwd

# Create a User, assign appropriate Group membership, and set a User password.  'Wheel' is just one important Group.
$ useradd -m -G wheel,storage,power,network,uucp -s /bin/bash MyUserName
$ passwd MyUserName 

# Type: visudo and find this line: # %wheel ALL=(ALL) ALL and delete # character 

# Let's create our crypto keyfile:

cd /
dd bs=512 count=4 if=/dev/random of=crypto_keyfile.bin iflag=fullblock
chmod 000 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin

# Configure mkinitcpio with the correct FILES statement and proper HOOKS required for your initrd image:

vim /etc/mkinitcpio.conf

# SET THE FOLLOWING OPTIONS
MODULES(xfs)
FILES=(/crypto_keyfile.bin)
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck)

# Generate your initrd image
$ mkinitcpio -p linux

# Install and Configure Grub-EFI

# Since we need grub to decrypt our encrypted /boot, we first need to configure grub so that it knows we are working with
# a LUKS encrypted disk.

vim /etc/default/grub

# UNCOMMENT this line:

GRUB_ENABLE_CRYPTODISK=y

# The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, for our encrypted /boot purposes is:

$ grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux --recheck

# Edit /etc/default/grub so it includes a statement like this:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:luks root=/dev/mapper/luks-root resume=/dev/mapper/luks-swap cryptkey=rootfs:/crypto_keyfile.bin"

# If you are not using swap, eliminate the 'resume' statement above.

# Generate Your Final Grub Configuration:
$ grub-mkconfig -o /boot/grub/grub.cfg

# Exit Your New Arch System

$ exit

# Backup your headers
$ cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file=/mnt/efi/luks-header
$ cp /mnt/etc/lvm /mnt/efi/lvm-backup -Rafv

# Unmount all partitions
$ umount -R /mnt
$ swapoff -a

# Reboot and Enjoy Your Encrypted BOOT Arch Linux System!
$ reboot

__________________________ 

# If you have problems connecting to wifi, try start disable power save on the netcard:

$ iw dev wlan0 set power_save off

# Reconnect to wifi
$ wifi-menu
__________________________ 

# Log in as root, and not as a user, and setup Plasma:

# Setup reflector again
$ reflector --latest 10 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
$ pacman -Sy
$ pacman -S plasma-desktop sddm networkmanager plasma-nm fwupd intel-ucode xf86-video-intel

# Install applications
$ pacman -S openvpn networkmanager-openvpn plasma-pa pulseaudio bluez bluez-utils throttled cryfs dnscrypt-proxy dnsmasq git sudo zsh wget powertop tlp konsole

# Install fonts
$ pacman -S ttf-dejavu ttf-liberation

# Finalize setup
$ systemctl enable sddm NetworkManager lenovo_fix.service tlp dnscrypt-proxy dnsmasq
$ pacman -R netctl dhcpcd

$ reboot

__________________________


# Log in to sddm's GUI as your user

__________________________

# Complete the setup , by opening the Konsole and start

$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -si

$ git clone https://github.com/kwin-scripts/kwin-tiling.git
$ cd kwin-tiling/
$ plasmapkg2 --type kwinscript -i .

# Install the last applications

$ yay -S google-chrome spotify visual-studio-code-bin teamviewer slack-desktop dropbox polybar dolphin redshift vlc spectacle kwalletmanager kinfocenter ark thunderbird terminator latte-dock
$ yay -Yc

# Install themes
$ yay -S papirus-icon-theme-kde
-------------------------------------------

Dotfiles with Dotbot



# Make sure reflector updates the mirrorlist

$ cat /etc/systemd/system/reflector.service
[Unit]
Description=Pacman mirrorlist update
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/reflector --protocol https --latest 30 --number 20 --sort rate --save /etc/pacman.d/mirrorlist

[Install]
RequiredBy=multi-user.target

$ cat /etc/systemd/system/reflector.timer
[Unit]
Description=Run reflector weekly

[Timer]
OnCalendar=Mon *-*-* 7:00:00
RandomizedDelaySec=15h
Persistent=true

[Install]
WantedBy=timers.target