
How I install Arch Linux with full disk encryption

2 September, 2024

I've grown to love Arch Linux due to its simplicity and ease of use. However, installing it can be a bit of a process, especially if you want to do it with full disk encryption.

In this post I show you the steps I follow to install it with encryption.

Installation

Go to the Arch Linux downloads page and head over to the geo.mirror.pkgbuild.com link under the "Worldwide" HTTP direct downloads.

Download the ISO image and its detached PGP signature from there (referred to below as arch.iso and arch.iso.sig).

It is important to verify the signature of the file, to ensure that it has not been tampered with; a mirror is just an HTTP server anyone could compromise. From an existing Arch system, whose keyring already trusts the release signing key, run this with the ISO sitting next to the signature file:

pacman-key -v arch.iso.sig

On another distribution, verify with gpg instead, using the ISO signing key fingerprint listed on the download page.

Flash the .iso onto a device, for instance /dev/sdc. This overwrites the whole device, so confirm with lsblk that it really is your USB stick, and run sync afterwards so the write has completed before you unplug it:

sudo cp arch.iso /dev/sdc

Boot the live environment.

Connect to the internet (a wired connection comes up by itself on the live ISO; for wifi use iwctl).

Set up the disk. This wipes /dev/sda completely, so check the device name with lsblk first. The layout is a 1 GiB EFI system partition, a 4 GiB unencrypted /boot (type 8300, a plain Linux filesystem; ef02 would mark it as a BIOS boot partition, which is wrong for an ext4 /boot) and a LUKS partition (type 8309) taking the rest of the disk. -Z zaps the old partition tables and then exits, so run it on its own before creating the new layout:

sgdisk -Z /dev/sda
sgdisk -n1:0:+1024M -t1:ef00 -c1:efi -n2:0:+4096M -t2:8300 -c2:boot -N3 -t3:8309 -c3:root /dev/sda

Load the encryption modules:

modprobe dm-crypt && modprobe dm-mod

Set up the encryption on the third partition and then open it under the mapper name luks_lvm. With the default aes-xts-plain64 cipher, -s 512 means a 256-bit AES key (XTS splits the key in two). You are asked for the passphrase twice, and everything below depends on it, so choose a strong one:

cryptsetup luksFormat -s 512 -h sha512 /dev/sda3
cryptsetup open /dev/sda3 luks_lvm

Create the LVM physical volume and the volume group on top of the opened container:

pvcreate /dev/mapper/luks_lvm
vgcreate arch /dev/mapper/luks_lvm

Create a volume for your swap space. If you want to hibernate, swap must be at least your RAM size; RAM size (find out with free -h) + 2 GB is a good choice, for example 18G with 16 GB of RAM:

lvcreate -n swap -L 18G arch

Use all remaining space for your root volume:

lvcreate -n root -l +100%FREE arch

Create filesystems:

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.btrfs -L root /dev/mapper/arch-root

Set up the swap device (there is no fstab yet, so swapon -a would have nothing to activate; turning the device on directly is enough):

mkswap /dev/mapper/arch-swap
swapon /dev/mapper/arch-swap

Mount root, then boot, then EFI. Each mount point has to be created after the filesystem it lives on is mounted; creating /mnt/boot and /mnt/boot/efi up front, before anything is mounted, puts them on the live system and the mounts hide them:

mount /dev/mapper/arch-root /mnt
mkdir -p /mnt/boot
mount /dev/sda2 /mnt/boot
mkdir -p /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Install Arch:

pacstrap -K /mnt base sof-firmware base-devel linux linux-firmware neovim btrfs-progs lvm2 grub efibootmgr zsh

Generate the fstab from the current mounts (by UUID), look it over, and chroot into the new system.

genfstab -U -p /mnt > /mnt/etc/fstab
arch-chroot /mnt /bin/bash

Add the encryption hooks to the initramfs. Inside the chroot you already are root, so no sudo. The hooks go right after block and in this order: encrypt before lvm2, both before filesystems. The keyboard hook that the default HOOKS line already lists before block is what makes the passphrase prompt usable:

sed -i '/^HOOKS=.*block/s/block /block encrypt lvm2 /' /etc/mkinitcpio.conf

Install GRUB on the EFI partition. --bootloader-id names both the firmware boot entry and the directory under /boot/efi/EFI that the GRUB image is written to:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch

Add root= and cryptdevice= to the kernel command line, so the encrypt hook knows which LUKS partition to open and under which mapper name. The UUID is used rather than /dev/sda3 because device names can change between boots. The parameters go into GRUB_CMDLINE_LINUX_DEFAULT here; GRUB_CMDLINE_LINUX would work as well and additionally covers recovery entries, which Arch's GRUB config disables by default:

sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/"$/ root=\/dev\/mapper\/arch-root cryptdevice=UUID='$(blkid -s UUID -o value /dev/sda3)':luks_lvm"/' /etc/default/grub

Optionally, create a keyfile and add it as a second LUKS key slot. Read this part before deciding to do it: the steps below embed the keyfile in the initramfs, and /boot in this layout is an unencrypted ext4 partition, so anyone who gets hold of the disk can unpack /boot/initramfs-linux.img and read a key that opens the LUKS container. The chmod commands only keep unprivileged users of the running system out, not an offline attacker. Also, the encrypt hook only uses a keyfile that is named on the kernel command line with cryptkey=rootfs:<path> (its default is /crypto_keyfile.bin inside the initramfs), so as written the keyfile is never consulted at boot and you are still asked for the passphrase. A keyfile in the initramfs makes sense when /boot itself sits inside the LUKS container and GRUB unlocks it (GRUB_ENABLE_CRYPTODISK=y), where it saves the second passphrase prompt. If you do not need that, skip to regenerating the initramfs.

mkdir -m 700 /secure
dd if=/dev/random of=/secure/root_keyfile.bin bs=512 count=8

Change permissions on the secure files (root can still read them; this keeps other local users out):

chmod 000 /secure/*
chmod 600 /boot/initramfs*

Add the keyfile to the LUKS header as an additional key slot (you are asked for the existing passphrase):

cryptsetup luksAddKey /dev/sda3 /secure/root_keyfile.bin

Tell mkinitcpio to include the keyfile in the initramfs, in /etc/mkinitcpio.conf:

sed -i 's/FILES=()/FILES=(\/secure\/root_keyfile.bin)/' /etc/mkinitcpio.conf

Regenerate the initramfs so the new hooks (and the keyfile, if you added one) are included; the linux preset builds both the default and the fallback image:

mkinitcpio -p linux

Create the GRUB config:

grub-mkconfig -o /boot/grub/grub.cfg

A second copy under /boot/efi/EFI/arch is not needed: the image that grub-install wrote has its prefix pointing at /boot/grub, so only that grub.cfg is read.
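The three config edits above (HOOKS and FILES in /etc/mkinitcpio.conf, the kernel command line in /etc/default/grub) are one-shot sed lines: they silently do nothing if the file does not look as expected, and they duplicate their additions if run twice. The following is an added example, not code from the original post, that does the same edits as idempotent bash functions which validate their input first (the UUID must have the shape blkid prints, the block hook must exist) and then check the resulting hook order. File paths are parameters; the UUID and the config files used by demo are constructed sample data. It writes GRUB_CMDLINE_LINUX instead of GRUB_CMDLINE_LINUX_DEFAULT so that recovery entries, should you ever enable them, get the same root= and cryptdevice=.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): the mkinitcpio and GRUB edits of
# the install done as idempotent, validated functions. Paths are parameters;
# demo() below works on constructed copies of the files in a temp dir.
set -eu

# Replace a file from stdin via a temp file, so a failing sed never leaves a
# truncated config behind.
rewrite() {
    local file=$1 tmp
    tmp=$(mktemp "${file}.XXXXXX")
    cat > "$tmp" && mv "$tmp" "$file"
}

# Insert the given hooks (in the given order) right after "block" in the
# HOOKS=(...) line, skipping any that are already there.
add_hooks_after_block() {
    local conf=$1; shift
    local missing="" hook
    for hook in "$@"; do
        grep -Eq "^HOOKS=\(.*[ (]${hook}[ )]" "$conf" || missing="${missing:+$missing }$hook"
    done
    [ -n "$missing" ] || return 0
    grep -Eq '^HOOKS=\(.*[ (]block[ )]' "$conf" \
        || { echo "error: no block hook in $conf" >&2; return 1; }
    sed -E "/^HOOKS=\(/s/([ (])block([ )])/\1block ${missing}\2/" "$conf" | rewrite "$conf"
}

# Add a path to FILES=(...) unless it is already listed. mkinitcpio fails at
# image build time if the file does not exist, so warn early.
add_initramfs_file() {
    local conf=$1 path=$2
    grep -Fq "$path" "$conf" && return 0
    grep -q '^FILES=(' "$conf" || { echo "error: no FILES= line in $conf" >&2; return 1; }
    [ -e "$path" ] || echo "warning: $path does not exist yet" >&2
    sed -E "/^FILES=\(/s#\)\$# ${path})#; /^FILES=\(/s#\( #(#" "$conf" | rewrite "$conf"
}

# Append root= and cryptdevice= to GRUB_CMDLINE_LINUX after checking that the
# UUID has the shape blkid prints (a typo here means an unbootable system).
grub_add_cryptdevice() {
    local conf=$1 uuid=$2 mapper=$3 root=$4
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "error: not a UUID: $uuid" >&2; return 1; }
    grep -Fq "cryptdevice=UUID=${uuid}:${mapper}" "$conf" && return 0
    grep -q '^GRUB_CMDLINE_LINUX=' "$conf" \
        || { echo "error: no GRUB_CMDLINE_LINUX= line in $conf" >&2; return 1; }
    sed -E "/^GRUB_CMDLINE_LINUX=/s#\"\$# root=${root} cryptdevice=UUID=${uuid}:${mapper}\"#; /^GRUB_CMDLINE_LINUX=/s#\" #\"#" "$conf" | rewrite "$conf"
}

# Check the orderings the encrypted boot depends on: keyboard before encrypt
# (or the passphrase prompt has no keyboard), encrypt before lvm2, lvm2 before
# filesystems. Fails on the first violated pair.
check_hook_order() {
    local conf=$1 hooks pair a b
    hooks=$(sed -nE 's/^HOOKS=\((.*)\).*/\1/p' "$conf")
    for pair in keyboard:encrypt encrypt:lvm2 lvm2:filesystems; do
        a=${pair%%:*}; b=${pair##*:}
        printf ' %s ' "$hooks" | grep -Eq " ${a} (.* )?${b} " \
            || { echo "error: HOOKS must list $a before $b" >&2; return 1; }
    done
}

# Demo on constructed copies of the default Arch config lines (sample data,
# not read from this machine); the UUID is made up for the example.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/mkinitcpio.conf" <<'EOF'
MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block filesystems fsck)
EOF
    cat > "$dir/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
GRUB_CMDLINE_LINUX=""
EOF
    add_hooks_after_block "$dir/mkinitcpio.conf" encrypt lvm2
    add_initramfs_file "$dir/mkinitcpio.conf" /secure/root_keyfile.bin
    grub_add_cryptdevice "$dir/grub" 1b2f3a4c-5d6e-4f70-8a9b-0c1d2e3f4a5b luks_lvm /dev/mapper/arch-root
    check_hook_order "$dir/mkinitcpio.conf"
    grep -hE '^(HOOKS|FILES|GRUB_CMDLINE_LINUX)=' "$dir/mkinitcpio.conf" "$dir/grub"
    rm -r "$dir"
}
demo
```

Run as-is it prints the three edited lines from the temporary copies (plus a warning that the keyfile does not exist, which is expected outside the chroot). Inside the chroot, call the functions with /etc/mkinitcpio.conf, /etc/default/grub and the UUID from blkid; running them a second time is a no-op, and a malformed UUID or a HOOKS line without block stops before anything is written.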

Create a symlink for the timezone:

ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime

Set up NTP. bash's echo does not expand \n, so the original one-liner would write the backslashes literally; printf does the right thing:

printf '[Time]\nNTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org\nFallbackNTP=0.pool.ntp.org 1.pool.ntp.org\n' > /etc/systemd/timesyncd.conf

Enable timesyncd:

systemctl enable systemd-timesyncd.service

Install and enable NetworkManager, so you have wifi after the reboot:

pacman -S networkmanager
systemctl enable NetworkManager.service

Set up your locale. Inside the chroot the file is /etc/locale.gen, not /mnt/etc/locale.gen:

sed -i '/^#en_GB.UTF-8/s/^#//' /etc/locale.gen
echo "KEYMAP=us" > /etc/vconsole.conf
echo "LANG=en_GB.UTF-8" > /etc/locale.conf
locale-gen

Add your hostname:

echo "arch" > /etc/hostname

Secure the root user by setting a password:

passwd

Add your user, for me it is e because it's 1 character and fast to type:

useradd -m -k /var/empty -G wheel -s /bin/zsh e
passwd e

Add the wheel group to sudoers, to be able to execute commands as root with sudo. Check the file with visudo -cf and set it to mode 0440 before leaving the chroot; a syntax error here would leave you without sudo after the reboot:

echo "%wheel ALL=(ALL:ALL) ALL" > /etc/sudoers.d/wheel

Install the AMD or Intel microcode, depending on which processor you use (lscpu). The initramfs and grub.cfg were generated before this package existed, so run the mkinitcpio and grub-mkconfig commands above once more before exiting the chroot, otherwise the microcode is not picked up at boot:

pacman -S amd-ucode # or intel-ucode
exit
umount -R /mnt
reboot

Finally, Secure Boot with your own keys. sbctl cannot put the firmware into Setup Mode; you do that in the firmware settings before booting the installed system (the option is usually called "Setup Mode" or something like "Clear Secure Boot keys"). Then, from the installed system, create your own keys and enroll them. -m also enrolls Microsoft's vendor certificates, which you want if you dual-boot Windows or have option ROMs (a GPU, for instance) signed by Microsoft:

sudo sbctl create-keys
sudo sbctl enroll-keys -m

Do not turn enforcement on yet. First sign the GRUB image at /boot/efi/EFI/arch/grubx64.efi and the kernel in /boot with sbctl sign -s (-s records the files in sbctl's database so its pacman hook re-signs them on updates), confirm with sbctl verify that nothing is left unsigned, and only then enable Secure Boot in the firmware; an unsigned bootloader is simply refused once enforcement is active. Because GRUB is loaded directly by the firmware here, without shim, it also has to be installed with --disable-shim-lock added to the grub-install command above, or it refuses to load the kernel.

And with that, we're done! We just installed Arch with full disk encryption. Now you can officially say "I use arch BTW" :)