Arch Linux encrypted install

In my opinion, Arch Linux is the greatest rolling release distribution. What pushes me to say this is that if you want to build a totally custom system, it is possible (and Arch is made for that). Let's dive right in.

Information and requirements

These elements are to be taken into consideration to follow this article:

Prepare the USB key

Download the image

Download the latest image here.

Check the file integrity

At the time of writing this article, the latest release is the August one (2020.08.01). Its MD5 hash is cd918e38b3d468de98c1a523990500ef.

md5sum archlinux-2020.08.01-x86_64.iso
cd918e38b3d468de98c1a523990500ef  archlinux-2020.08.01-x86_64.iso

The file is good. Let’s continue.

Write the image

Plug in your USB key and locate it. Mine is /dev/sda (use sudo fdisk -l to find yours).

sudo dd if=archlinux-2020.08.01-x86_64.iso of=/dev/sda status=progress

Wait until it finishes. When it's done, plug the USB key into the target computer or laptop and boot from it.

Installation

Once the boot process is done, you are logged in directly as root. The installation can begin.

Keyboard mapping

I have a French keyboard, so let's change the keymap.

loadkeys fr

Synchronize packages

pacman -Syyy

Rank mirrors for download speed

Mirrors are the servers you download packages from; if you rank them by the country you are in, you'll download packages faster.

reflector --country France --age 6 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

Modify your country in accordance with your location.

Synchronize packages again.

pacman -Syyy

Disk modification

List the disk's details.

fdisk -l

My disk is located at /dev/nvme0n1; yours may be at /dev/sda if you have a SATA SSD or hard drive. Once you've executed the first command, fdisk acts as a prompt: type the commands below one by one (except the ones surrounded with <>, where you press the key specified). Do not type the text in parentheses, it's just a brief explanation for you.

fdisk /dev/nvme0n1
p (show partitions)
g (use GPT partitioning style)
n (create the EFI partition)
<ENTER>
<ENTER>
+512M
t
1 (set partition type to EFI System)
n (create the boot partition)
<ENTER>
<ENTER>
+512M
n (create the partition that will hold the encrypted LVM)
<ENTER>
<ENTER>
<ENTER> (it takes all the space available)
t
<ENTER>
30 (set partition type to Linux LVM)
w (write changes)
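The same three-partition GPT layout as the interactive fdisk session above, written as an sfdisk script so it can be reviewed before anything touches the disk. This is an added example, not code from the original article; it assumes a disk device passed as a parameter, and the part_dev helper is a hypothetical name introduced here to derive partition nodes (NVMe disks need the "p" separator, as in /dev/nvme0n1p3).

```bash
#!/bin/bash
# Added example, not part of the original article: the GPT layout from the
# fdisk session above as an sfdisk script. Type values are the GPT partition
# type GUIDs for EFI System, Linux filesystem and Linux LVM.
# Nothing is written unless apply_layout is called with the real disk.

# part_dev DISK N -> partition node. Disks whose name ends in a digit
# (nvme0n1, mmcblk0, loop0) use a "p" separator: nvme0n1p3, not nvme0n13.
part_dev() {
    case $1 in
        *[0-9]) printf '%sp%s\n' "$1" "$2" ;;
        *)      printf '%s%s\n' "$1" "$2" ;;
    esac
}

# sfdisk_layout -> 512M EFI, 512M /boot, remainder for the LUKS container
sfdisk_layout() {
    cat <<'EOF'
label: gpt
size=512M, type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B, name=EFI
size=512M, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, name=boot
type=E6D6D379-F507-44C2-A23C-238F2A3DF928, name=cryptlvm
EOF
}

# apply_layout DISK -> writes the layout and prints the resulting nodes
apply_layout() {
    sfdisk_layout | sfdisk "$1" || return 1
    printf 'EFI: %s  boot: %s  LUKS: %s\n' \
        "$(part_dev "$1" 1)" "$(part_dev "$1" 2)" "$(part_dev "$1" 3)"
}

# Review the plan first; this is all the script does when run as-is
sfdisk_layout
# apply_layout /dev/nvme0n1   # uncomment on the target machine only
```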

Format the new partitions

The partition /dev/nvme0n1p1 is the EFI partition, format it in FAT32.

mkfs.fat -F32 /dev/nvme0n1p1

The partition /dev/nvme0n1p2 is the boot partition (Linux filesystem type), format it in ext4.

mkfs.ext4 /dev/nvme0n1p2

Setup the disk encryption

We are going to use LUKS (Linux Unified Key Setup), the standard disk encryption format on Linux. The third partition becomes the encrypted container, opened under the name lvm.

cryptsetup luksFormat --use-random /dev/nvme0n1p3
YES
<passphrase>
<confirm>
cryptsetup open --type=luks /dev/nvme0n1p3 lvm
<passphrase>

Initialize physical volumes and volume group

Because we use LVM (Logical Volume Manager), we have to set up a physical volume on the opened LUKS container, then a volume group and the logical volumes.

pvcreate --dataalignment 1m /dev/mapper/lvm
vgcreate volgroup /dev/mapper/lvm
lvcreate -L 100GB volgroup -n lv_root
lvcreate -l 100%FREE volgroup -n lv_home

Our volume group (which groups our logical volumes) is called volgroup (but you can call it whatever you want). We have two logical volumes, lv_root for the root filesystem and lv_home for the home filesystem. Again, you can give them the names you want.

Format the new logical volumes

mkfs.ext4 /dev/volgroup/lv_root
mkfs.ext4 /dev/volgroup/lv_home

Mount the devices

mount /dev/volgroup/lv_root /mnt
mkdir /mnt/home
mount /dev/volgroup/lv_home /mnt/home
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/etc

Generate the filesystem hierarchy

genfstab -U -p /mnt >> /mnt/etc/fstab

Install essential packages

Use the pacstrap script to install the base package group into /mnt (the Linux kernel and firmware are installed in the next steps, after the chroot).

pacstrap -i /mnt base base-devel

Chroot

Change root in the new filesystem.

arch-chroot /mnt/

Install the kernel

pacman -S linux linux-headers linux-firmware

Install useful packages

pacman -S wpa_supplicant wireless_tools netctl dialog lvm2 dhcpcd git vim

Modify the initramfs configuration

Because our filesystem is encrypted, we have to modify the hooks. Add encrypt and lvm2, in that order, to the HOOKS array of the /etc/mkinitcpio.conf file, after block and before filesystems. The line concerned should look like the following statement.

grep HOOKS /etc/mkinitcpio.conf | tail -1
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)

Create the initramfs

Initramfs is a scheme for loading a temporary root filesystem into memory, which may be used as part of the Linux startup process.

mkinitcpio -p linux

Modify and generate the locale

I want to set my locale to en_US.UTF-8. If you don't know which locale to use, I advise you to open the file and find the one that fits you. Don't use sed unless you know what you are doing, to avoid damaging the file.

sed -i "s/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
locale-gen

Modify the root password

passwd

Add your user

Choose your own username at the end of the following statement.

useradd -m -g users -G wheel <username>

Then, define your password.

passwd <username>

Give yourself sudo access

If you want to be able to install packages, connect to a Wi-Fi network and much more, I advise you to uncomment the line starting with %wheel. By doing this, you allow users in the group wheel (we added our user to it earlier with -G wheel) to execute the sudo command.

visudo
%wheel ALL=(ALL) ALL

The visudo command locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

Install the bootloader

GRUB is going to be our bootloader.

pacman -S grub efibootmgr dosfstools os-prober mtools

Edit the GRUB configuration

In the same way that we edited the hooks for the initramfs, we have to edit the bootloader configuration to tell GRUB that we have an encrypted filesystem. Add cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards to the GRUB_CMDLINE_LINUX_DEFAULT variable. Make sure that you write the exact string, otherwise your system won't boot.

grep "GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"

Uncomment GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub file. The line concerned should look like the following statement.

grep "GRUB_ENABLE_CRYPTODISK" /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y

If set to y, grub-mkconfig and grub-install will check for encrypted disks and generate additional commands needed to access them during boot. Note that in this case unattended boot is not possible because GRUB will wait for passphrase to unlock encrypted container.
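A check a practitioner would run before generating the initramfs and the GRUB configuration: it verifies both edits described in the mkinitcpio section and this one. This is an added example, not code from the original article; the function names (hook_index, check_initramfs_hooks, check_grub_config) are hypothetical, file paths are parameters so it can run against copies, and the two sample files are constructed here.

```bash
#!/bin/bash
# Added example, not part of the original article: verify the two edits above
# before running mkinitcpio and grub-mkconfig. HOOKS must list encrypt and
# lvm2 after block and before filesystems (unlock LUKS, activate LVM, then
# mount); /etc/default/grub must carry cryptdevice=<device>:<name> and an
# uncommented GRUB_ENABLE_CRYPTODISK=y. Sample files below are constructed.

# hook_index FILE HOOK -> 1-based position of HOOK in the HOOKS=(...) line, 0 if absent
hook_index() {
    local file=$1 hook=$2 hooks i=0 h
    hooks=$(grep -E '^HOOKS=' "$file" | tail -1 | sed -E 's/^HOOKS=\((.*)\)$/\1/')
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$hook" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# succeeds only when block < encrypt < lvm2 < filesystems
check_initramfs_hooks() {
    local f=$1 b e l fs
    b=$(hook_index "$f" block); e=$(hook_index "$f" encrypt)
    l=$(hook_index "$f" lvm2);  fs=$(hook_index "$f" filesystems)
    [ "$e" -gt 0 ] && [ "$l" -gt 0 ] && [ "$b" -lt "$e" ] && [ "$e" -lt "$l" ] && [ "$l" -lt "$fs" ]
}

# succeeds when the kernel command line names the LUKS device and cryptodisk is on
check_grub_config() {
    local f=$1 cmdline
    cmdline=$(grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$f" | tail -1)
    printf '%s\n' "$cmdline" | grep -Eq 'cryptdevice=/dev/[^: "]+:[^: "]+' || return 1
    grep -Eq '^GRUB_ENABLE_CRYPTODISK=y' "$f"
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
# constructed copies of the two files as they should look after this section
cat > "$demo_dir/mkinitcpio.conf" <<'EOF'
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
EOF
cat > "$demo_dir/grub" <<'EOF'
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"
GRUB_ENABLE_CRYPTODISK=y
EOF
# constructed mistake: both hooks present but lvm2 placed before encrypt
cat > "$demo_dir/mkinitcpio-bad.conf" <<'EOF'
HOOKS=(base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck)
EOF
check_initramfs_hooks "$demo_dir/mkinitcpio.conf" && check_grub_config "$demo_dir/grub" \
    && echo "encrypted boot configuration looks consistent"
check_initramfs_hooks "$demo_dir/mkinitcpio-bad.conf" || echo "bad hook order detected" >&2
```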

Prepare the bootloader installation

mkdir /boot/EFI
mount /dev/nvme0n1p1 /boot/EFI
grub-install --target=x86_64-efi --bootloader-id="Arch Linux" --recheck

The --bootloader-id flag defines the bootloader identifier. A directory of that name will be created in /boot/EFI/ to store the EFI binary and it is the name that will appear in the UEFI boot menu to identify the GRUB boot entry.

Copy the English GRUB messages

cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

Generate the configuration

grub-mkconfig -o /boot/grub/grub.cfg

Install processor microcode and video driver

Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to your system’s stability. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

For an Intel-based CPU and GPU, install the following packages.

pacman -S intel-ucode mesa

For an AMD-based processor, install these ones.

pacman -S amd-ucode mesa

For an NVIDIA-based GPU, install these ones.

pacman -S nvidia nvidia-utils

Exit and unmount our brand new filesystem

exit
umount -R /mnt
reboot

At this point, your system reboots. GRUB should appear and ask which operating system to boot. We have only one OS, so choose Arch Linux. The second screen asks for the passphrase to unlock your filesystem. The last screen asks you to log in. I advise you to log in with your user and not as root, for two reasons: first, it's not a good idea to run things as superuser; second, we created a user, so use it.

Post-installation

Once logged in with your user, you may want to use yay (a helper to install packages from the AUR). If you have a French keyboard, don't forget to execute sudo loadkeys fr to avoid typing crazy things.

Install yay

git clone https://aur.archlinux.org/yay.git /tmp/yay
cd /tmp/yay
makepkg -si
Y
Y
cd
rm -rf /tmp/yay

Miscellaneous configurations

Add some colour to the output of pacman and yay.

sudo sed -i "s/#Color/Color/" /etc/pacman.conf

Control how much disk space the journal may use up at most.

sudo sed -i "s/#SystemMaxUse=/SystemMaxUse=50M/" /etc/systemd/journald.conf

Great, you now have a fresh encrypted Arch Linux installed on your computer or laptop. Next, we will set up Spectrwm: a small dynamic tiling window manager for X11. Yes, currently our brand new Arch Linux is not very ergonomic, pretty rustic and not easy to use. Indeed, no GUI (Graphical User Interface) can run without a windowing system.