Skip to content

Instantly share code, notes, and snippets.

@coldhardcache

coldhardcache/arch-linux-install.md

Forked from kylemanna/arch-linux-install.md
Last active January 21, 2021 09:34
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save coldhardcache/b26dd3da4262d00aeb7ef33b1ecbad7e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save coldhardcache/b26dd3da4262d00aeb7ef33b1ecbad7e to your computer and use it in GitHub Desktop.
Download ZIP
Starting Guide for Arch Install with full system encryption using dm-crypt and luks
Raw
arch-linux-install.md

Install ARCH Linux with encrypted file-system and UEFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the Arch ISO

Copy to a USB drive

dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

Boot from USB drive

Disable secure boot in the BIOS configuration. Change Boot Order to the flash drive.

If using WiFi, use iwd to connect to Network

iwd

Create partitions

cfdisk /dev/nvme0n1
Make:
1 512MB EFI partition # Hex code ef00 (EFI Boot Partition)
2 100% size partiton # (to be encrypted) Hex code 8300 (Linux filesystem)

Create EFI partition

mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

Setup the encryption of the system with 256 bit effective size

Note: Many NVMe drives can exceed 2GB/s, consider your crypto algorithm wisely, review cryptsetup benchmark, the defaults are viewable end of cryptsetup --help, defaults are commonly the fastest with good security from my experience with cryptsetup (AES 256, sha256, 2000ms)

cryptsetup --use-random luksFormat /dev/nvme0n1p2
cryptsetup luksOpen /dev/nvme0n1p2 luks

Create encrypted partitions

This creates one partions for root, modify if /home or other partitions should be on separate partitions

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 16G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 -L root /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mount the new system

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Install the system

Also includes stuff needed for starting wifi when first booting into the newly installed system

pacstrap /mnt base base-devel bash linux linux-firmware vim git sudo efibootmgr dialog tmux lvm2

Optionals:

iwd # if using WiFi

#microcodes can be iffy - may sometimes be best to roll with what's in the the mobo
intel-ucode #if Intel
amd-ucode #if AMD

Generate fstab

genfstab -pU /mnt | tee -a /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

tmpfs   /tmp	tmpfs	defaults,noatime,mode=1777	0	0

Also change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

Enter the new system

arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc --utc

Set the hostname

echo MYHOSTNAME > /etc/hostname

Generate locale

Uncomment wanted locales in /etc/locale.gen

vim /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8

To avoid problems with gnome-terminal set locale system wide Do NOT set LC_ALL=C. It overrides all the locale vars and messes up special characters Pay attention to the UTF-8. Capital letters !

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf

Set password for root

passwd

Add user

groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Configure mkinitcpio with modules needed for the initrd image

vim /etc/mkinitcpio.conf
  • Add 'ext4' to MODULES
  • Add 'encrypt' and 'lvm2' to HOOKS before filesystems
  • Add 'resume' after 'lvm2' (also has to be after 'udev')

Regenerate initrd image

mkinitcpio -p linux

Setup systembootd (grub will not work on nvme at this moment)

bootctl --path=/boot install

Create loader.conf

echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf

Create arch.conf (or XYZ.conf for default XYZ in loader.conf)

nvim /boot/loader/entries/arch.conf

Add the following content to arch.conf

<UUID> is the the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the blkid command. (Tip: Copying the UUID at this point may suck, so you can blkid | grep "nvme1n1p2" | cut -b 23-58 >> /boot/loader/entries/arch.conf to snag it and then edit the rest of the arch.conf.

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img   # or amd-ucode.img (or none)
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp

Exit new system

exit

Unmount all partitions

umount -R /mnt
swapoff -a

Reboot into the new system, don't forget to remove the cd/usb

reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment