
Install ArchLinux with Disk Encryption


To jump straight to the installation steps go to Installation.

Background #


So the other day I decided to finally take the plunge and install ArchLinux. I have never really been a “distro-hopper”. For the most part, I stuck with Ubuntu. Which to be fair served me pretty well.

A few years ago, I made the switch to OSX. And for a while, it was all nice and shiny. But after about 4 years of using OSX, I started to feel that there was a lot about the internals of my machine that I did not understand. And that brings us back to the main topic of this post - Install Arch with Disk Encryption.

Why Arch? #


It came down to one simple feeling - Ubuntu felt too easy. And that’s a good thing! But I wanted a challenge. So I read up on ArchLinux for about a week and asked my friends who were Arch users for their opinions. And the more I read about it, the more I wanted to try it. By the way, I have never seen better documentation than the Arch Wiki. I highly recommend that you give it a read, especially the introduction. Without much further ado, let’s jump into the installation.

Installation #


Please Note: This is just one way to install ArchLinux. The beauty of ArchLinux is that you can set it up however you want. See the Installation Guide on the Arch Wiki.

Each of the sections below starts with a link to the Arch Wiki, which has more details and further reading on the step.

Disclaimer #

This is not an original piece of work. I researched from a few different sources and am collating here the steps that worked for me. Please see references for the links I used as sources.

Installation Setup #

This installation assumes the following setup:

Step 1: Create a bootable USB disk #

Getting & Installing Arch

USB Flash Installation Media

  • Download the current ISO image from the download page using a convenient method.
  • Find out the name of your USB drive with lsblk. Make sure that it is not mounted.
sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync

Step 2: Boot into the live media #

Make sure to turn off Secure Boot. The boot files for Arch are not signed.

Step 3: Setup Environment #

Installation setup

Load Keymap #

loadkeys uk

Setup Wifi #

Skip this step if you are on a wired connection. Otherwise:

# List your wifi device
iw dev

# setup wifi
wifi-menu -o <device name>

Setup NTP #

timedatectl set-ntp true

Create Partitions #

Partitioning

Use lsblk to find your HD/SSD. Let’s say it’s /dev/sdX.

cgdisk /dev/sdX

# 1. 512MB EFI partition, hex code ef00
# 2. One partition taking the remaining space (to be encrypted), hex code 8300

Format Partitions #

mkfs.vfat -F32 /dev/sdX1
mkfs.ext4 /dev/sdX2

Create Encrypted Volumes #

Encryption

# Setup encryption
# aes - Encryption block cipher
# xts - Block cipher encryption mode
# plain64 - the initial vector is the 64-bit little-endian version of the sector number, padded with zeros if necessary.
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2

# Open newly created encrypted block
cryptsetup luksOpen /dev/sdX2 cryptlvm

# Create LVM volumes inside the encrypted container
# This creates one logical volume for root (plus swap); add more if /home or other mount points should be separate
pvcreate /dev/mapper/cryptlvm
vgcreate vg0 /dev/mapper/cryptlvm
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mount Partitions #

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot

Step 4: Install OS #

pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant

This might take some time.

Step 5: Setup OS #

Generate an fstab file #

genfstab -U /mnt >> /mnt/etc/fstab

It’s a good idea to check the contents of /mnt/etc/fstab at this point and make sure it looks right.

CHROOT into the new system #

arch-chroot /mnt /bin/bash

Setup system clock #

ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc

Setup Locale #

Uncomment en_GB.UTF-8 UTF-8 and other needed localizations in /etc/locale.gen, and generate them with:

locale-gen

Set the LANG variable in /etc/locale.conf accordingly, for example:

echo LANG=en_GB.UTF-8 > /etc/locale.conf

Make your keyboard layout persistent:

echo KEYMAP=uk > /etc/vconsole.conf

Setup Network Configuration #

Networking

Replace MYHOSTNAME with your hostname in the command below.

echo MYHOSTNAME > /etc/hostname

Add matching entries in /etc/hosts

127.0.0.1	localhost
::1		    localhost
127.0.1.1	MYHOSTNAME.localdomain	MYHOSTNAME

Setup User #

At this point in the setup, you will be logged in as the root user. You should create a password for the root user.

passwd

You should also create a regular user.

# If you would like to use a different shell than `zsh` change appropriately
useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Create a new initramfs image #

Configuring mkinitcpio for encrypted device

Edit /etc/mkinitcpio.conf.

# Add ext4 to Modules
MODULES=(ext4)

# Edit the `HOOKS` line to look like this
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 resume filesystems fsck)

NOTE: It is important that you don’t change the order of the HOOKS line, because the hooks run in that order: encrypt has to unlock the container before lvm2 can find the volumes, and resume and filesystems need the volumes to exist.

Generate the image.

mkinitcpio -p linux

Configure bootloader #

Configure bootloader

bootctl --path=/boot install

Create /boot/loader/entries/arch.conf.

title	Arch Linux
linux	/vmlinuz-linux
initrd	/initramfs-linux.img
options cryptdevice=UUID=<UUID for /dev/sdX2>:lvm:allow-discards resume=/dev/mapper/vg0-swap root=/dev/mapper/vg0-root rw quiet

You can get the UUID of the partition with blkid (you might have to use sudo). Note that allow-discards enables TRIM on the encrypted volume: it helps SSD performance, but it lets anyone with the raw disk see which blocks are unused, so drop it if that matters to you.

Edit /boot/loader/loader.conf.

timeout 0
default arch
editor 0
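Two checks for the configuration above, added here as an example and not part of the original post: that the HOOKS line keeps encrypt before lvm2 and lvm2 before resume and filesystems, and that the UUID in the cryptdevice= option names the LUKS container rather than the EFI partition or the filesystem inside it. The sample HOOKS line, blkid output and options line are constructed; the commented calls show how to run the same checks against the live files before rebooting.

```shell
#!/bin/sh
# Added sanity checks for the encrypt+lvm2 boot configuration (not part of the
# original post). Sample inputs are constructed; comments show the live-file calls.

# HOOKS must run encrypt before lvm2 (the LVs live inside the LUKS container) and
# lvm2 before resume/filesystems (swap and root are LVs). Returns 0 if the order holds.
check_hooks_order() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    pos=0; p_encrypt=; p_lvm2=; p_resume=; p_fs=
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt)     p_encrypt=$pos ;;
            lvm2)        p_lvm2=$pos ;;
            resume)      p_resume=$pos ;;
            filesystems) p_fs=$pos ;;
        esac
    done
    [ -n "$p_encrypt" ] && [ -n "$p_lvm2" ] && [ -n "$p_fs" ] || return 1
    [ "$p_encrypt" -lt "$p_lvm2" ] && [ "$p_lvm2" -lt "$p_fs" ] || return 1
    # resume is optional, but when present it must come after lvm2
    [ -z "$p_resume" ] || [ "$p_lvm2" -lt "$p_resume" ]
}

# cryptdevice=UUID=... must name the LUKS container (TYPE="crypto_LUKS"), not the
# EFI partition and not the ext4 filesystem inside vg0-root. Returns 0 on a match.
check_cryptdevice_uuid() {
    luks_uuid=$(printf '%s\n' "$1" | grep 'TYPE="crypto_LUKS"' |
                sed -n 's/.* UUID="\([^"]*\)".*/\1/p')
    entry_uuid=$(printf '%s\n' "$2" | sed -n 's/.*cryptdevice=UUID=\([^:]*\):.*/\1/p')
    [ -n "$luks_uuid" ] && [ "$luks_uuid" = "$entry_uuid" ]
}

# Constructed samples standing in for the real files; the UUIDs are made up.
SAMPLE_HOOKS='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 resume filesystems fsck)'
SAMPLE_BLKID='/dev/sdX1: UUID="ABCD-1234" TYPE="vfat" PARTUUID="00000000-0000-0000-0000-000000000001"
/dev/sdX2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="00000000-0000-0000-0000-000000000002"'
SAMPLE_OPTIONS='options cryptdevice=UUID=11111111-2222-3333-4444-555555555555:lvm:allow-discards resume=/dev/mapper/vg0-swap root=/dev/mapper/vg0-root rw quiet'

# On the installed system, use the live files instead:
#   check_hooks_order "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"
#   check_cryptdevice_uuid "$(blkid)" "$(grep '^options' /boot/loader/entries/arch.conf)"
check_hooks_order "$SAMPLE_HOOKS" && echo "HOOKS order OK"
check_cryptdevice_uuid "$SAMPLE_BLKID" "$SAMPLE_OPTIONS" && echo "cryptdevice UUID matches the LUKS container"
```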

Step 6: Finish installation and reboot into new system #

exit
umount -R /mnt
reboot

At this point you have a base installation of ArchLinux. Log in: if you created a user account, use that; otherwise use the root credentials. It is not recommended to keep using the root account for a prolonged period of time.

Step 7: Post Installation #

In the following steps, you will have to use sudo if you are not the root user.

Install PulseAudio Server #

PulseAudio

pacman -Su pulseaudio pulseaudio-alsa

Install GNOME #

GNOME

pacman -Su gnome

You can choose to install the gnome-extra package as well. See link above for details.

The above is sufficient if you are planning to run GNOME on Wayland. However, if you want to use Xorg as your display server, you need to install it.

pacman -Su xorg

GNOME automatically installs GDM as the display manager. You do need to enable it in order for it to automatically start when you boot.

systemctl enable gdm.service

Install NetworkManager #

GNOME uses NetworkManager in order to detect and connect to networks. While it is possible to use other tools for this purpose, NetworkManager is the most convenient.

pacman -Su networkmanager

Optional Step: Install Firewall #

pacman -Su ufw

And that’s it. Just run reboot to restart your system.

References #