Arch Linux encrypted install
In my opinion, Arch Linux is the greatest rolling release distribution. What pushes me to say this is that if you want to build a totally custom system, it’s possible (and it’s made for that). Let’s dive right in.
Information and requirements
Keep these points in mind while following this article:
- the following steps are performed on my laptop, which has an NVMe drive (you will understand later)
- the installation is a monoboot (no shitty Windows alongside)
- I assume that the computer or laptop that will receive the installation is directly connected to your router.
Prepare the USB key
Download the image
Download the latest image here.
Check the file integrity
At the moment of writing this article, it is the August release (2020.08.01). The MD5 hash is
md5sum archlinux-2020.08.01-x86_64.iso
cd918e38b3d468de98c1a523990500ef  archlinux-2020.08.01-x86_64.iso
The file is good. Let’s continue.
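Comparing a digest by eye is easy to get wrong, and an MD5 match only tells you the download was not corrupted; it says nothing about who produced the image unless the expected digest itself came from a trusted place. The following shell function is an added example, not from the original article: it recomputes the digest with the matching tool, compares the whole string case-insensitively, and returns a distinct non-zero code for a malformed expected value, an unreadable file or a mismatch, so it can gate a script instead of relying on a visual check. It handles md5, as used above, and sha256, which Arch also publishes for each release.

```shell
#!/bin/sh
# verify_iso ALGO EXPECTED FILE
# Added example (not from the article). ALGO is "md5" or "sha256".
# Exit codes: 0 digest matches, 1 bad algorithm or malformed expected digest,
#             2 file unreadable, 3 digest mismatch.
verify_iso() {
    algo="$1"; expected="$2"; file="$3"
    case "$algo" in
        md5)    tool=md5sum;    len=32 ;;
        sha256) tool=sha256sum; len=64 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    # Normalise to lowercase so a digest copied in upper case still compares equal.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    # A digest of the wrong length can never match; catch a truncated paste early
    # instead of reporting it as a silent mismatch.
    [ "${#expected}" -eq "$len" ] \
        || { echo "expected $algo digest must be $len hex characters" >&2; return 1; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # The checksum tools print "<digest>  <name>"; keep only the digest.
    actual=$("$tool" "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file ($algo)"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 3
}

# Stand-alone usage: verify_iso ALGO EXPECTED FILE, e.g. the article's release:
#   verify_iso md5 cd918e38b3d468de98c1a523990500ef archlinux-2020.08.01-x86_64.iso
if [ $# -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

Copy the expected digest from the Arch download page, not from the mirror that served the file. To detect a deliberately tampered image rather than a corrupted one, verify the detached PGP signature that Arch publishes next to each ISO (the usual invocation is gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.08.01-x86_64.iso.sig); the checksum alone cannot give you that.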
Write the image
Plug in your USB key and locate it. Mine is /dev/sda (find yours with sudo fdisk -l).
sudo dd if=archlinux-2020.08.01-x86_64.iso of=/dev/sda status=progress
Wait until the end. When it’s done, plug the USB key into the computer or laptop and boot from it.
Once the boot process is done, you are directly logged in as root. The installation can begin.
I have a French keyboard, let’s change the layout.
loadkeys fr
Rank mirrors for faster downloads
Mirrors are the servers you download packages from; if you rank them by the country you are in, you’ll download packages faster.
reflector --country France --age 6 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
Modify your country in accordance with your location.
Synchronize packages again.
List the disk’s details.
fdisk -l
My disk is located at /dev/nvme0n1; yours may be at /dev/sda if you have a SSD. Once you’ve executed the first statement, fdisk acts like a prompt: send it the commands below, one at a time (except the ones surrounded with <>, where you press the key specified). Do not type the elements in parentheses, they are just a brief explanation for you.
fdisk /dev/nvme0n1
p (show partitions)
g (use GPT partitioning style)
n <ENTER> <ENTER> +512M (create the EFI partition)
t 1 (set partition type 1, EFI System)
n <ENTER> <ENTER> +512M (create the boot partition)
n <ENTER> <ENTER> <ENTER> (it takes the space available)
t <ENTER> 30 (set partition type to Linux LVM)
w (write changes)
Format the new partitions
/dev/nvme0n1p1 is the EFI partition, format it in FAT32.
mkfs.fat -F32 /dev/nvme0n1p1
/dev/nvme0n1p2 is the Linux filesystem (it will hold /boot), format it in Ext4.
mkfs.ext4 /dev/nvme0n1p2
Setup the disk encryption
We are going to use LUKS (Linux Unified Key Setup) because it’s a great disk encryption specification.
cryptsetup luksFormat --use-random /dev/nvme0n1p3
YES
<passphrase>
<confirm>
cryptsetup open --type=luks /dev/nvme0n1p3 lvm
<passphrase>
Initialize physical volumes and volume group
Because we use LVM (Logical Volume Manager), we have to set up a physical volume.
pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate volgroup /dev/mapper/lvm
lvcreate -L 100GB volgroup -n lv_root
lvcreate -l 100%FREE volgroup -n lv_home
Our volume group (used to manipulate our logical volumes) is called volgroup. We have two logical volumes, lv_root for the root filesystem and lv_home for the home filesystem. Obviously, you can give them whatever names you want.
Format the new logical volumes
mkfs.ext4 /dev/volgroup/lv_root
mkfs.ext4 /dev/volgroup/lv_home
Mount the devices
mount /dev/volgroup/lv_root /mnt
mkdir /mnt/home
mount /dev/volgroup/lv_home /mnt/home
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/etc
Generate the filesystem hierarchy
genfstab -U -p /mnt >> /mnt/etc/fstab
Install essential packages
Use the pacstrap script to install the base packages (the kernel and firmware for common hardware are installed in the next steps).
pacstrap -i /mnt base base-devel
Change root into the new filesystem.
arch-chroot /mnt
Install the kernel
pacman -S linux linux-headers linux-firmware
Install useful packages
pacman -S wpa_supplicant wireless_tools netctl dialog lvm2 dhcpcd git vim
Modify the initramfs configuration
Because our root filesystem is encrypted and sits on LVM, we have to modify the hooks. Add encrypt lvm2 to the HOOKS array in the /etc/mkinitcpio.conf file, after block and before filesystems (the order matters: encrypt must run before lvm2, so the container is unlocked before the logical volumes are looked up). The line concerned should look like the following statement.
grep HOOKS /etc/mkinitcpio.conf | tail -1
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
Create the initramfs
Initramfs is a scheme for loading a temporary root filesystem into memory, which may be used as part of the Linux startup process.
mkinitcpio -p linux
Modify and generate the locale
I want to set my locale to en_US.UTF-8. If you don’t know which locale to use, I advise you to open /etc/locale.gen and find the one that fits you (don’t use sed if you don’t know what you are doing, to avoid damaging the file).
sed -i "s/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
locale-gen
Modify the root password
passwd
Add your user
Choose your own username at the end of the following statement.
useradd -m -g users -G wheel <username>
Then, define your password.
passwd <username>
Give yourself sudo access
If you want to be able to install packages, connect to a Wi-Fi network and much more, I advise you to uncomment the line starting with %wheel. By doing this, you allow users in the group wheel (we did this earlier with -G wheel) to execute the sudo command.
visudo
%wheel ALL=(ALL) ALL
The visudo command locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
Install bootloader related stuff
GRUB is going to be our bootloader.
pacman -S grub efibootmgr dosfstools os-prober mtools
Edit the GRUB configuration
In the same way that we edited the hooks for the initramfs, we have to edit the bootloader configuration to tell GRUB that we have an encrypted filesystem. Add cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards to GRUB_CMDLINE_LINUX_DEFAULT. Make sure that you write it exactly, otherwise your system won’t boot.
grep "GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"
Also set GRUB_ENABLE_CRYPTODISK=y in the /etc/default/grub file. The line concerned should look like the following statement.
grep "GRUB_ENABLE_CRYPTODISK" /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
If set to y, grub-install will check for encrypted disks and generate the additional commands needed to access them during boot. Note that in this case unattended boot is not possible, because GRUB will wait for the passphrase to unlock the encrypted container.
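Both of the edits just made (the HOOKS line in /etc/mkinitcpio.conf and the cryptdevice=... and GRUB_ENABLE_CRYPTODISK=y settings in /etc/default/grub) are only exercised at the next boot, when a typo means a system that stops at the initramfs prompt and a trip back to the live USB. The following POSIX sh script is an added example, not from the original article: run it inside the chroot before grub-mkconfig to check both files (re-run mkinitcpio -p linux if it reports a HOOKS problem). It assumes the guide’s device and volume group names, /dev/nvme0n1p3 and volgroup; change them in preflight if yours differ.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the encrypted LVM layout described in the article.
# Added example, not part of the original guide.

# check_hooks CONF: the HOOKS line must contain encrypt and lvm2, placed after
# block and before filesystems; otherwise the initramfs cannot unlock the LUKS
# container or find the logical volumes. Like mkinitcpio (the file is sourced
# as shell), only the last uncommented HOOKS= assignment counts.
check_hooks() {
    conf="$1"
    line=$(grep '^HOOKS=' "$conf" | tail -n 1)
    # Accept both the HOOKS=(...) array form and the older HOOKS="..." string form.
    hooks=$(printf '%s\n' "$line" | sed 's/^HOOKS=[("]\(.*\)[)"]$/\1/')
    i=0; block=0; encrypt=0; lvm2=0; fs=0
    for h in $hooks; do
        i=$((i + 1))
        case "$h" in
            block)       block=$i ;;
            encrypt)     encrypt=$i ;;
            lvm2)        lvm2=$i ;;
            filesystems) fs=$i ;;
        esac
    done
    [ "$encrypt" -gt 0 ] || { echo "HOOKS: encrypt hook missing" >&2; return 2; }
    [ "$lvm2" -gt 0 ]    || { echo "HOOKS: lvm2 hook missing" >&2; return 3; }
    [ "$block" -gt 0 ] && [ "$block" -lt "$encrypt" ] \
        || { echo "HOOKS: encrypt must come after block" >&2; return 4; }
    [ "$encrypt" -lt "$lvm2" ] \
        || { echo "HOOKS: lvm2 must come after encrypt" >&2; return 5; }
    # A missing filesystems hook (fs=0) fails this test too, which is intended.
    [ "$fs" -gt "$lvm2" ] \
        || { echo "HOOKS: filesystems must come after lvm2" >&2; return 6; }
    echo "HOOKS ok: $hooks"
}

# check_grub CONF DEV NAME: GRUB_CMDLINE_LINUX_DEFAULT must carry
# cryptdevice=DEV:NAME (the mapper name the encrypt hook will open at boot),
# and GRUB_ENABLE_CRYPTODISK must be set to y.
check_grub() {
    conf="$1"; dev="$2"; name="$3"
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$conf" | tail -n 1)
    case "$cmdline" in
        *"cryptdevice=$dev:$name"*) ;;
        *) echo "GRUB: cryptdevice=$dev:$name missing from GRUB_CMDLINE_LINUX_DEFAULT" >&2
           return 2 ;;
    esac
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$conf" \
        || { echo "GRUB: GRUB_ENABLE_CRYPTODISK=y not set" >&2; return 3; }
    echo "GRUB ok: $cmdline"
}

# preflight: run both checks against the live files with the guide's names
# (assumed; edit to match your partition and volume group). Non-zero if any fails.
preflight() {
    rc=0
    check_hooks /etc/mkinitcpio.conf || rc=1
    check_grub /etc/default/grub /dev/nvme0n1p3 volgroup || rc=1
    return "$rc"
}

# Only touch the live system when invoked as "sh preflight.sh --run";
# sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

The two checks deliberately read the files the same way the tools do (last HOOKS= assignment wins, commented lines ignored), so a stale commented-out copy of the line cannot make the check pass while the real one is wrong.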
Prepare the bootloader installation
mkdir /boot/EFI
mount /dev/nvme0n1p1 /boot/EFI
grub-install --target=x86_64-efi --bootloader-id="Arch Linux" --recheck
The --bootloader-id flag defines the bootloader identifier. A directory of that name will be created in /boot/EFI/ to store the EFI binary, and it is the name that will appear in the UEFI boot menu to identify the GRUB boot entry.
Copy the English GRUB messages
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
Generate the configuration
grub-mkconfig -o /boot/grub/grub.cfg
Install processor microcode and video driver
Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to your system’s stability. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
For an Intel based CPU and GPU, install the following package.
pacman -S intel-ucode mesa
For an AMD based processor, install this one.
pacman -S amd-ucode mesa
For a nVidia based GPU, install this one.
pacman -S nvidia nvidia-utils
Exit and unmount our brand new filesystem
exit
umount -R /mnt
reboot
At this point, your system reboots. GRUB should appear and ask you which operating system to boot. We have only one OS, so choose Arch Linux. The second screen asks for the passphrase to unlock your filesystem. The last screen asks you to log in. I advise you to log in with your user and not as root, for two reasons: first, it’s not a good idea to run things as superuser, and second, we created a user, so use it.
Once logged in with your user, you may want to use yay (the tool to install community packages from the AUR). If you have a French keyboard, don’t forget to execute sudo loadkeys fr to avoid typing crazy things.
git clone https://aur.archlinux.org/yay.git /tmp/yay
cd /tmp/yay
makepkg -si
Y
Y
cd
rm -rf /tmp/yay
Add some colour to pacman and yay output.
sudo sed -i "s/#Color/Color/" /etc/pacman.conf
Control how much disk space the journal may use up at most.
sudo sed -i "s/#SystemMaxUse=/SystemMaxUse=50M/" /etc/systemd/journald.conf
Great, you now have a fresh encrypted Arch Linux installed on your computer or laptop. In the next article, we will set up Spectrwm, a small dynamic tiling window manager for X11. Currently our brand new Arch Linux is not very ergonomic, pretty rustic and not easy to use: no GUI (Graphical User Interface) can start without a windowing system.