How I install Arch Linux with full disk encryption


I’ve grown to love Arch Linux due to its simplicity and ease of use. However, installing it can be a bit of a process, especially if you want to do it with full disk encryption.

In this post I show you the steps I follow to install it with encryption.

Installation #

Go to arch linux downloads and head over to the geo.mirror.pkgbuild.com link under the “Worldwide” HTTP direct downloads.

Download the following files from there:

  • archlinux-####.##.##-x86_64.iso
  • archlinux-####.##.##-x86_64.iso.sig

It is important to verify the signature of the image, to ensure that it has not been tampered with (pacman-key is available on an existing Arch system; the .sig must sit next to the .iso it signs):

pacman-key -v arch.iso.sig

Flash the .iso onto a device, for instance /dev/sdc:

sudo cp arch.iso /dev/sdc

Boot the live environment.

Connect to the internet.

Set up the disk: a 1 GB EFI partition, a 4 GB unencrypted /boot partition and a LUKS partition (type 8309) for the rest:

sgdisk -Z -n1:0:+1024M -t1:ef00 -c1:efi -n2:0:+4096M -t2:8300 -c2:boot -N3 -t3:8309 -c3:root /dev/sda

Load the encryption modules:

modprobe dm-crypt && modprobe dm-mod

Set up the encryption and then open it:

cryptsetup luksFormat -s 512 -h sha512 /dev/sda3
cryptsetup open /dev/sda3 luks_lvm

Create the volume and volume group:

pvcreate /dev/mapper/luks_lvm
vgcreate arch /dev/mapper/luks_lvm

Create a volume for your swap space. A good size for this is your RAM size (find out with free -h) + 2GB.

lvcreate -n swap -L 18G arch

Use the remaining space for your root volume:

lvcreate -n root -l +100%FREE arch

Create filesystems:

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.btrfs -L root /dev/mapper/arch-root

Set up the swap device:

mkswap /dev/mapper/arch-swap
swapon /dev/mapper/arch-swap
swapon -a

Mount root, boot and EFI:

mkdir -p /mnt/boot /mnt/boot/efi
mount /dev/mapper/arch-root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi

Install Arch:

pacstrap -K /mnt base sof-firmware base-devel linux linux-firmware neovim btrfs-progs lvm2 grub efibootmgr zsh

Generate the fstab and chroot:

genfstab -U -p /mnt > /mnt/etc/fstab
arch-chroot /mnt /bin/bash

Add the encrypt and lvm2 hooks to the initramfs, right after the block hook:

sed -i '/^HOOKS=.*block/s/block /block encrypt lvm2 /' /etc/mkinitcpio.conf

Install GRUB to the EFI partition:

grub-install --efi-directory=/boot/efi

Add cryptdevice to the Linux command line arguments:

sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/ s/"$/ root=\/dev\/mapper\/arch-root cryptdevice=UUID='$(blkid -s UUID -o value /dev/sda3)':luks_lvm"/' /etc/default/grub

Create a keyfile for the root partition. Note that the encrypt hook only uses it if the kernel command line also carries cryptkey=rootfs:/secure/root_keyfile.bin; without that parameter it still asks for the passphrase at boot:

mkdir /secure
dd if=/dev/random of=/secure/root_keyfile.bin bs=512 count=8

Change permissions on the secure files:

chmod 000 /secure/*
chmod 600 /boot/initramfs*

Add the keyfile as an additional key to the LUKS partition:

cryptsetup luksAddKey /dev/sda3 /secure/root_keyfile.bin

Embed the root keyfile in the initramfs:

sed -i 's/FILES=()/FILES=(\/secure\/root_keyfile.bin)/' /etc/mkinitcpio.conf

Regenerate the initramfs:

mkinitcpio -p linux

Create grub config:

grub-mkconfig -o /boot/grub/grub.cfg
grub-mkconfig -o /boot/efi/EFI/arch/grub.cfg
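Before leaving the chroot it is worth checking that everything the encrypted boot depends on is actually in place. The script below is an added example, not part of the original post; it assumes the paths used above (/etc/mkinitcpio.conf, /etc/default/grub, /boot/initramfs-linux.img) and takes the LUKS partition, mapper name and keyfile as arguments.

```shell
#!/bin/sh
# Pre-reboot sanity check for the encrypted layout (run as root inside the chroot).
# Assumed paths: /etc/mkinitcpio.conf, /etc/default/grub, /boot/initramfs-linux.img.

# Print the 1-based position of hook $2 in the space-separated list $1, or 0 if absent.
hook_index() {
  i=0
  for h in $1; do
    i=$((i + 1))
    [ "$h" = "$2" ] && { echo "$i"; return; }
  done
  echo 0
}

# encrypt needs the block device (after block) and must unlock before lvm2
# activates the volume group, which must happen before filesystems mounts root.
hooks_ok() {  # $1 = mkinitcpio.conf
  hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$1")
  b=$(hook_index "$hooks" block); e=$(hook_index "$hooks" encrypt)
  l=$(hook_index "$hooks" lvm2);  f=$(hook_index "$hooks" filesystems)
  [ "$b" -gt 0 ] && [ "$e" -gt "$b" ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ]
}

# The keyfile only reaches the initramfs if it is listed in FILES=(...).
keyfile_listed() {  # $1 = mkinitcpio.conf, $2 = keyfile path
  grep -q "^FILES=(.*$2" "$1"
}

# GRUB must hand cryptdevice=UUID=<luks partition>:<mapper name> to the kernel.
cmdline_ok() {  # $1 = /etc/default/grub, $2 = partition UUID, $3 = mapper name
  grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*cryptdevice=UUID=$2:$3" "$1"
}

# Octal mode of a file, e.g. 600 (GNU/busybox stat).
mode_of() { stat -c %a "$1"; }
preflight() {  # $1 = LUKS partition, $2 = mapper name, $3 = keyfile
  uuid=$(blkid -s UUID -o value "$1") || return 1
  hooks_ok /etc/mkinitcpio.conf || { echo "HOOKS order is wrong"; return 1; }
  keyfile_listed /etc/mkinitcpio.conf "$3" || { echo "keyfile not in FILES="; return 1; }
  cmdline_ok /etc/default/grub "$uuid" "$2" || { echo "cryptdevice missing from GRUB cmdline"; return 1; }
  [ "$(mode_of "$3")" = 0 ] || { echo "keyfile should be mode 000"; return 1; }
  [ "$(mode_of /boot/initramfs-linux.img)" = 600 ] || { echo "initramfs readable by other users"; return 1; }
  # Confirm the keyfile really is a LUKS key slot, without mapping the device.
  cryptsetup open --test-passphrase --key-file "$3" "$1" || { echo "keyfile does not unlock $1"; return 1; }
  echo "preflight ok"
}

# Usage inside the chroot: sh preflight.sh /dev/sda3 luks_lvm /secure/root_keyfile.bin
[ $# -eq 3 ] && preflight "$@"
```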

Create a symlink for the timezone:

ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime

Set up NTP (printf is used because plain echo does not expand \n in bash):

printf '[Time]\nNTP=0.arch.pool.ntp.org 1.arch.pool.ntp.org 2.arch.pool.ntp.org 3.arch.pool.ntp.org\nFallbackNTP=0.pool.ntp.org 1.pool.ntp.org\n' > /etc/systemd/timesyncd.conf

Enable timesyncd:

systemctl enable systemd-timesyncd.service

Install NetworkManager, in order to use WiFi:

pacman -S networkmanager
systemctl enable NetworkManager.service

Set up your locale (inside the chroot the file is /etc/locale.gen, not /mnt/etc/locale.gen):

sed -i '/^#en_GB.UTF-8/s/^#//' /etc/locale.gen
echo "KEYMAP=us" > /etc/vconsole.conf
echo "LANG=en_GB.UTF-8" > /etc/locale.conf
locale-gen

Add your hostname:

echo "arch" > /etc/hostname

Secure the root user by setting a password:

passwd

Add your user; for me it is e because it’s one character and fast to type:

useradd -m -k /var/empty -G wheel -s /bin/zsh e
passwd e

Add the wheel group to sudoers, to be able to execute commands as root with sudo:

echo "%wheel ALL=(ALL:ALL) ALL" > /etc/sudoers.d/wheel

Install amd or intel microcode depending on which processor you use (lscpu):

pacman -S amd-ucode # or intel-ucode
exit
umount -R /mnt
reboot

After rebooting, put UEFI Secure Boot into “Setup Mode” in the firmware settings, then create and enroll your own keys with sbctl:

sudo sbctl create-keys
sudo sbctl enroll-keys -m

And with that, we’re done! We just installed Arch with full disk encryption. Now you can officially say “I use arch BTW” :)