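# Install Arch Linux with an encrypted file system (LUKS + LVM) and UEFI boot.
#
# This is a RUNBOOK of commands to be typed interactively from the live ISO, in
# order. Do NOT execute it as a script: `arch-chroot` below opens a new shell,
# and everything from there to `exit` must be typed inside that chroot.
#
# The official guide (https://wiki.archlinux.org/index.php/Installation_Guide)
# has a more verbose description of every step.
#
# Resulting layout on /dev/nvme0n1:
#   p1  512MB  EFI system partition (vfat)            -> /boot/efi  (unencrypted)
#   p2  512MB  kernel + initramfs (ext2)               -> /boot      (unencrypted)
#   p3  rest   LUKS container "luks" holding LVM vg0   -> swap, /, /var, /home
#
# SECURITY NOTE: /boot is NOT encrypted in this layout. Anything copied into the
# initramfs (see the optional keyfile step) is readable by anyone who gets hold
# of the disk. Read the caveats at the keyfile and GRUB steps before deviating.

# Boot from the USB. If it fails to boot, make sure Secure Boot is disabled in
# the firmware setup (the stock ISO is not signed for it).

# Network - this assumes a wifi-only system. `wifi-menu` belongs to netctl;
# recent ISOs ship iwd (`iwctl`) instead - use whichever the live image provides.
wifi-menu

# Sync the clock
timedatectl set-ntp true

# --- Partitioning ----------------------------------------------------------
# WARNING: --zap-all destroys the partition table and all data on the device.
# Confirm the target device with `lsblk` before running it.
lsblk
sgdisk --zap-all /dev/nvme0n1

# Create the three partitions interactively in cgdisk:
#   1  512MB  EFI partition              hex code ef00
#   2  512MB  /boot partition            hex code 8300
#   3  100%   remaining space (to be encrypted)  hex code 8300
cgdisk /dev/nvme0n1

# Filesystems on the two unencrypted partitions
mkfs.vfat -F32 /dev/nvme0n1p1   # EFI system partition
mkfs.ext2 /dev/nvme0n1p2        # /boot

# --- Encryption ------------------------------------------------------------
# Current cryptsetup defaults (LUKS2, aes-xts-plain64) are fine here: the
# initramfs `encrypt` hook - not GRUB - unlocks p3. Only if /boot is moved inside
# the LUKS container would GRUB itself have to open it, and GRUB's LUKS2/argon2
# support is limited; check your GRUB version before going that route.
# Old explicit form, kept for reference only:
#   cryptsetup -c aes-xts-plain64:sha256 -y --use-random luksFormat /dev/nvme0n1p3
cryptsetup luksFormat /dev/nvme0n1p3
cryptsetup luksOpen /dev/nvme0n1p3 luks

# LVM inside the LUKS container. Adjust sizes to taste; drop the var/home LVs
# if a single root volume is preferred.
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -L 18G vg0 -n swap          # >= RAM if hibernation (resume) is wanted
lvcreate -L 30G vg0 -n root
lvcreate -L 300G vg0 -n var
lvcreate -l +100%FREE vg0 -n home

# Check that the volumes are there
lvscan

# Filesystems on the encrypted volumes
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-var
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap

# --- Mount the new system under /mnt ---------------------------------------
mount /dev/mapper/vg0-root /mnt      # /mnt is the installed system
swapon /dev/mapper/vg0-swap          # not needed for the install, but a good test
mkdir /mnt/var
mount /dev/mapper/vg0-var /mnt/var
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi

# --- Install packages ------------------------------------------------------
# On current Arch the `base` metapackage no longer pulls in the kernel,
# firmware, lvm2 or netctl, so they are listed explicitly (harmless if your
# `base` already includes them). lvm2 and cryptsetup provide the mkinitcpio
# hooks used below; dialog + wpa_supplicant are for wifi-menu on first boot
# (swap them for iwd if that is what you use). vim and zsh are personal
# preference - zsh is only needed if it is used as the login shell below.
pacstrap /mnt base base-devel linux linux-firmware lvm2 cryptsetup \
  vim zsh less sudo grub efibootmgr dialog wpa_supplicant

# --- fstab -----------------------------------------------------------------
genfstab -pU /mnt > /mnt/etc/fstab

# Make /tmp a ramdisk: add the following line to /mnt/etc/fstab.
# nosuid,nodev stop the world-writable /tmp from hosting setuid binaries or
# device nodes (systemd's own tmp.mount uses the same flags).
#   tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,mode=1777 0 0
# Optionally change relatime to noatime on the non-boot entries (less SSD wear).

# --- Enter the new system --------------------------------------------------
# Everything from here until `exit` is typed inside the chroot.
arch-chroot /mnt /bin/bash

# Time zone and hardware clock
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc

# Hostname
echo myhostname > /etc/hostname

# Hosts: add these lines with `vim /etc/hosts`
#   127.0.0.1   localhost
#   ::1         localhost
#   127.0.1.1   myhostname.localdomain myhostname

# Locale: uncomment `en_US.UTF-8 UTF-8` (or your locale) in /etc/locale.gen
vi /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
# LC_ALL overrides LANG and every LC_* category for all users; the Arch wiki
# advises against setting it system-wide. Kept from the original - drop it if
# you see locale oddities.
echo LC_ALL=C >> /etc/locale.conf

# Root password
passwd

# --- OPTIONAL keyfile (DISABLED by default - read this first) --------------
# The usual reason for a keyfile is to type the passphrase once in GRUB and let
# the initramfs reuse the key. That only makes sense when /boot is INSIDE the
# LUKS container. In THIS layout /boot (/dev/nvme0n1p2) is unencrypted, the
# FILES= entry copies the keyfile into the initramfs stored there, and the
# `encrypt` hook picks up /crypto_keyfile.bin from the initramfs by default -
# so the machine boots with NO passphrase prompt and anyone who reads the disk
# (stolen laptop, live USB) extracts the key and opens the container. `chmod`
# on /boot only keeps out unprivileged local users, not an offline attacker.
# Leave this block disabled and type the passphrase at boot, unless you move
# /boot into the LUKS container (then GRUB_ENABLE_CRYPTODISK=y does the
# unlocking and the keyfile never touches plaintext storage).
# Note the device: the LUKS header is on p3. The original text used p1, the
# vfat EFI partition, which has no LUKS header and makes luksAddKey fail.
#   dd if=/dev/urandom of=/crypto_keyfile.bin bs=512 count=4
#   chmod 000 /crypto_keyfile.bin
#   cryptsetup luksAddKey /dev/nvme0n1p3 /crypto_keyfile.bin

# --- initramfs -------------------------------------------------------------
# Edit /etc/mkinitcpio.conf:
#   MODULES: add  ext4 nvme
#   HOOKS:   add  encrypt lvm2  before  filesystems, and  resume  after  lvm2
#            e.g. HOOKS=(base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck)
#   FILES:   leave empty; only with an ENCRYPTED /boot and the keyfile block
#            enabled would it be FILES=(/crypto_keyfile.bin)
vim /etc/mkinitcpio.conf
mkinitcpio -p linux

# --- Real user -------------------------------------------------------------
# Replace MYUSERNAME. Drop `-s /bin/zsh` if zsh is not wanted (the shell must
# exist or login fails).
#   useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
#   passwd MYUSERNAME
# Installing sudo and adding the user to wheel is not enough on its own:
# uncomment `%wheel ALL=(ALL:ALL) ALL` - always through visudo, never by
# editing /etc/sudoers directly.
EDITOR=vim visudo

# --- GRUB ------------------------------------------------------------------
# The LUKS partition is p3. The original text had p6, which does not exist in
# this layout and leaves the system unable to find its root device. Prefer the
# UUID over the device path so a renumbered NVMe namespace cannot break boot:
blkid -s UUID -o value /dev/nvme0n1p3
# In /etc/default/grub set (replace <UUID> with the value printed above):
#   GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID>:luks resume=/dev/mapper/vg0-swap"
#   GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
# - GRUB_CMDLINE_LINUX (not _DEFAULT) so the cryptdevice= line also reaches the
#   fallback/recovery menu entries.
# - resume= is required for the `resume` hook added above to actually restore
#   from hibernation; without it the hook is inert.
# - Append `:allow-discards` to the cryptdevice value only if you want TRIM
#   through LUKS; it reveals which blocks are unused to anyone reading the disk.
# - GRUB_ENABLE_CRYPTODISK=y has no effect here because /boot is not encrypted;
#   it is only needed if /boot is moved inside the LUKS container.
vim /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
# UEFI install: the ESP is mounted at /boot/efi. Passing --target explicitly
# avoids a BIOS (i386-pc) install if the live environment misdetects the
# platform; efibootmgr (installed above) registers the boot entry.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
# Keep the initramfs and grub.cfg unreadable by unprivileged local users.
# This is NOT a substitute for encryption - see the keyfile caveat above.
chmod -R g-rwx,o-rwx /boot

# --- Leave the chroot and reboot -------------------------------------------
exit
swapoff -a
umount -R /mnt
# Remove the USB before the reboot
reboot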