Efficient Encrypted Arch Linux Guest Installation in VirtualBox with a Full Plasma/KDE Environment. Perfect for Arch Linux Evaluation and Experimentation!
# OBJECTIVES: Install Arch Linux as a VirtualBox Guest with a complete Plasma5/KDE environment.
# Provide encrypted root and swap filesystems and UEFI boot our Arch Guest from within VirtualBox.
# Note: This install method is specific to VirtualBox (VBox) to allow non-Arch users and Arch testers to evaluate a properly
# configured and secure Arch OS while running a fully enabled Plasma/KDE system, and also by concurrently taking advantage
# of the multiple isolation safeguards inherently provided by the VBox environment.
# For those who want to install Arch on bare metal in a way that supports both dedicated Arch installations and Arch
# installation on an SSD/HDD multi-OS-UEFI-booting system, please refer to my Arch System Installation Guide, here:
https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07
# VirtualBox Installers Note: You **must** have UEFI-booting enabled in VBox's Guest System Settings prior to
# Arch installation. I also recommend you fully update your Host OS, VBox, and VBox's Extension Pack prior to proceeding.
# The official Arch installation guide contains details that you should refer to during this installation process.
# That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
# If you want to minimize installation, security, and package synchronization issues, **always** download the most recent
# archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature. Feel free to ignore this advice at
# your own peril! Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:
$ gpg -v archlinux-2019.11.01-x86_64.iso.sig
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: assuming signed data in 'archlinux-2019.11.01-x86_64.iso'
gpg: Signature made Fri Nov 1 16:34:35 2019 UTC
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: using pgp trust model
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048
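# Added example (not part of the original guide): the "Good signature" line above only says that a key in your keyring
# made the signature. This sketch reads gpg's machine-readable --status-fd output and accepts the ISO only if the signing
# primary key matches a pinned fingerprint. The function names and the sample status lines are constructed for illustration.

```bash
# Added example; function names are hypothetical, not from the original guide.

# Primary key fingerprint printed in the gpg output above. Pin it only after
# confirming it through a channel you trust.
EXPECTED_FPR="4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2019-11-01 1572626075 0 4 0 1 8 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC'

# Read status lines on stdin. Succeed only if a VALIDSIG line names the
# expected primary key and no bad, errored, expired-key or revoked-key
# signature is reported.
status_signed_by() {
    local expected="$1" tag keyword rest fpr ok=1
    while read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # The last VALIDSIG field is the primary key fingerprint.
                fpr="${rest##* }"
                [ "$fpr" = "$expected" ] && ok=0 ;;
        esac
    done
    return "$ok"
}

# verify_iso archlinux-*.iso   (expects archlinux-*.iso.sig beside it)
verify_iso() {
    local iso="$1"
    gpg --status-fd 1 --verify "$iso.sig" "$iso" 2>/dev/null |
        status_signed_by "$EXPECTED_FPR"
}

if [ "$#" -eq 1 ]; then
    verify_iso "$1" && echo "signed by pinned key $EXPECTED_FPR"
fi
```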
# Since we are installing Arch in VBox, there is no need to burn the archlinux-*.iso to a USB stick. You only need to
# attach the verified archlinux-*.iso to your Arch VBox Guest's CD-ROM.
# Make sure you have one NAT adapter enabled in your Guest, with the Cable Connected option checked, even if your Host
# is connected via WiFi.
# UEFI-Boot from your Guest's CD-ROM. It takes several minutes to load the *.iso.
# Create and size partitions appropriate to your goals using gdisk.
gdisk /dev/sdX
# Create the partitions you need:
Partition X = 100 MiB EFI partition # Hex code EF00
Partition Y = 250 MiB Boot partition # Hex code 8300
Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the
last sector of your virtual drive. # Hex code 8300.
# Review your partitions with 'p'.
# Write your gdisk changes with 'w'.
# Reboot, if necessary, so the kernel reads your new partition structure.
# Create filesystems for /boot/efi and /boot
mkfs.vfat -F 32 /dev/sdXX
mkfs.ext2 /dev/sdXY # ext3/4 are also fine here. This small /boot partition only holds our unencrypted kernel(s) and initramfs.
# Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ
cryptsetup luksOpen /dev/sdXZ SecureGoodness # (or use any word or phrase you're fond of)
# Create and allocate space for your encrypted LVM partitions
# These steps create a required root partition and an optional partition for swap.
# Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions.
# The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!
pvcreate /dev/mapper/SecureGoodness
vgcreate Arch /dev/mapper/SecureGoodness
lvcreate -L +512M Arch -n swap
lvcreate -l +100%FREE Arch -n root
# Create filesystems on your encrypted Logical Volumes
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root
# Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.
# If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:
mkfs.btrfs /dev/mapper/Arch-root
# If you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command
# we use immediately after correctly mounting our partitions below. This is not critical, as btrfs-progs is already included
# in the archlinux-*.iso. However, unlike ext4, new filesystem management features are added to btrfs frequently, so it's
# always a good idea to run the latest version of btrfs-progs from the official repos.
# Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sdXY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdXX /mnt/boot/efi
# Install your Arch system
# If you read the contents of https://www.archlinux.org/ you would know the Arch developers made significant
# changes to the 'base' package in October 2019.
# The new 'base' metapackage contains neither a kernel nor an editor, and it omits several other important packages.
# We will be addressing those issues in our pacstrap command below.
# This installation command provides a decent set of basic system programs which will also support WiFi through
# netctl's `wifi-menu` after initially booting into your Arch system. Having WiFi following installation is particularly
# critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
# optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
# be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers dkms nano \
    dhcpcd netctl lvm2 linux-firmware man-pages
# Create and review FSTAB
genfstab -U /mnt >> /mnt/etc/fstab # The -U option pulls in all the correct UUIDs for your mounted filesystems.
nano /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.
# Enter the new system
arch-chroot /mnt /bin/bash
# Set the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This command is unnecessary if you've already set your VBox Guest to UTC.
hwclock --systohc --utc
# Assign your hostname
echo MyHostName > /etc/hostname
# Set or update your locale
# If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
# Now run:
locale-gen
# Set your root password
passwd
# Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.
useradd -m -G wheel -s /bin/bash MyUserName
passwd MyUserName
# Configure mkinitcpio with the correct HOOKS required for your initrd image
nano /etc/mkinitcpio.conf
# Use this HOOKS statement:
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
# Generate your initrd image
mkinitcpio -p linux
# Install and configure Grub-EFI
# The correct way to install grub on a UEFI computer, irrespective of your use of a HDD or SSD, and whether you are
# installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
# Edit /etc/default/grub so it includes a statement like this:
# GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"
# Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:SecureGoodness resume=/dev/mapper/Arch-swap"
# Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfg
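# Added example (not part of the original guide): a check, run inside the chroot before 'exit', that the HOOKS order in
# /etc/mkinitcpio.conf and the GRUB_CMDLINE_LINUX values in /etc/default/grub agree with the labels chosen above.
# The function names are hypothetical. If it reports a problem, fix the file and rerun mkinitcpio or grub-mkconfig.

```bash
# Added example: function names are hypothetical, not from the original guide.

# Print the hook names from the last HOOKS= line (quoted or array form).
hooks_of() { sed -n 's/^HOOKS=["(]\(.*\)[")].*$/\1/p' "$1" | tail -n 1; }

# Succeed if the hooks named after the file appear in that relative order.
hooks_in_order() {
    local conf="$1" pos=0 idx found want h
    shift
    for want in "$@"; do
        idx=0; found=0
        for h in $(hooks_of "$conf"); do
            idx=$((idx + 1))
            if [ "$h" = "$want" ]; then found=$idx; break; fi
        done
        [ "$found" -gt "$pos" ] || return 1
        pos=$found
    done
}

# Print the value of one key=value token from GRUB_CMDLINE_LINUX.
cmdline_param() {
    local file="$1" key="$2" line tok
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$file" | tail -n 1)
    for tok in $line; do
        case "$tok" in "$key"=*) printf '%s\n' "${tok#*=}"; return 0 ;; esac
    done
    return 1
}

# check_boot_config MKINITCPIO_CONF GRUB_DEFAULTS MAPPER_NAME VG SWAP_LV
check_boot_config() {
    local mk="$1" grub="$2" mapper="$3" vg="$4" swap="$5" crypt resume
    hooks_in_order "$mk" block encrypt lvm2 resume filesystems ||
        { echo "HOOKS: want block, encrypt, lvm2, resume, filesystems in order"; return 1; }
    crypt=$(cmdline_param "$grub" cryptdevice) ||
        { echo "GRUB_CMDLINE_LINUX has no cryptdevice="; return 1; }
    crypt=${crypt#*:}; crypt=${crypt%%:*}   # keep the mapper name field only
    [ "$crypt" = "$mapper" ] ||
        { echo "cryptdevice opens '$crypt', expected '$mapper'"; return 1; }
    resume=$(cmdline_param "$grub" resume) ||
        { echo "GRUB_CMDLINE_LINUX has no resume="; return 1; }
    [ "$resume" = "/dev/mapper/$vg-$swap" ] ||
        { echo "resume is '$resume', expected /dev/mapper/$vg-$swap"; return 1; }
}

# Inside the chroot, with this guide's labels:
#   check_boot_config /etc/mkinitcpio.conf /etc/default/grub SecureGoodness Arch swap
if [ "$#" -eq 5 ]; then check_boot_config "$@"; fi
```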
# Exit Your New Arch System
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot so we can transform our base encrypted Arch Linux Guest into a powerful production system!
poweroff
# Then, remove the *.iso from your Arch VBox Guest's CD-ROM.
Fire up Arch!
__________________________
When UEFI booting an Arch Guest in VBox, you will get dropped to the EFI Shell prompt when powering up Arch Linux.
Do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0:
fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nsh
In your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi
Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up
your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key,
except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical
Arch Linux boot screen.
__________________________
# Now, it's time to get your Plasma5-KDE system installed correctly. When complete, your Arch Guest should initially occupy
# about 8-10 GiB of space on your Host's SSD/HDD. When you are presented with a choice of repos in the steps below, **always**
# choose the default repository(ies) offered. Defaults become defaults for damn good reasons!
# Perform the installation steps below in this order, and not another way!
# Log in as root, and not as a user
# To fully update your Arch Guest, do:
pacman -Syu
# If you don't have network connectivity in your Arch Guest, do this:
systemctl start dhcpcd
systemctl enable dhcpcd
# Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S virtualbox-guest-utils
pacman -S xorg
pacman -S xorg-apps
pacman -S xorg-server # If pacman asks to reinstall the X Server, there is no need to do this, but X is mandatory!
reboot
__________________________
# Log in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
systemctl enable NetworkManager
pacman -S kde-applications-meta
pacman -S xdg-user-dirs
# If you want full (US English) spelling support for your applications, do:
pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-en
# Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendation because the fonts look great:
pacman -S ttf-dejavu ttf-liberation
reboot
__________________________
# Log in to sddm's GUI as your user
# Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!
__________________________