@MarkusH
Forked from mattiaslundberg/arch-linux-install
Last active January 29, 2021 11:14
Minimal instructions for installing Arch Linux on a UEFI system with full system encryption using dm-crypt and LUKS
# Install ARCH Linux with encrypted file-system and UEFI
# These are step-by-step notes to type by hand, not a runnable script: sdX, nvmeXnY,
# <wlan0>, <SSID>, MYHOSTNAME and MYUSERNAME are placeholders.
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Verify the image against the PGP signature and checksums published with the download
# before writing it; everything installed below is bootstrapped from this medium.
# Copy to a usb-drive
# dd overwrites the target device without asking; confirm which device is the
# usb-drive (e.g. with lsblk) before running it.
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# NOTE(review): with secure boot off, nothing verifies the bootloader, kernel and
# initramfs, which these notes keep on the unencrypted EFI and boot partitions.
# Optionally set another keyboard layout. E.g. German
# NOTE(review): the LUKS passphrase is later typed with this layout; the boot-time
# prompt uses the initramfs layout, which these notes do not configure - confirm
# both match (keymap hook and /etc/vconsole.conf).
loadkeys de-latin1
# This assumes a wifi only system...
# List the wireless devices, scan, show the visible networks, then connect.
# NOTE(review): iwctl spells the first subcommand `device list` in the versions I know - confirm.
iwctl devices list
iwctl station <wlan0> scan
iwctl station <wlan0> get-networks
iwctl station <wlan0> connect <SSID>
# Check that an address was assigned and that the network is reachable.
# Pinging an address tests routing only, not DNS resolution.
ip a s
ping 8.8.8.8
# Create partitions
# Layout used by the rest of these notes: partition 1 = EFI system partition,
# partition 2 = /boot (unencrypted), partition 3 = LUKS container for everything else.
cgdisk /dev/sdX
# OR
cgdisk /dev/nvmeXnY
# The next three lines are the partition table to enter in cgdisk, not commands.
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partiton # (to be encrypted) Hex code 8300
# Format the EFI partition as FAT32 and the boot partition as ext4.
# Both stay unencrypted, so their contents can be read and modified by anyone
# with access to the disk.
mkfs.vfat -F32 /dev/sdX1 # or /dev/nvmeXnYp1
mkfs.ext4 /dev/sdX2 # or /dev/nvmeXnYp2
# Setup the encryption of the system
# -c selects the cipher, -y asks for the passphrase twice, --use-random takes the
# volume key from /dev/random.
# No -s/--key-size is given, so cryptsetup's compiled-in default applies (printed at
# the end of `cryptsetup --help`). XTS splits the key in half, so a 256-bit key
# means AES-128; add `-s 512` if AES-256 is wanted.
# luksFormat only writes the LUKS header: data previously stored on the partition
# stays readable on disk until it is overwritten.
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3 # or /dev/nvmeXnYp3
# Unlock the container; it appears as /dev/mapper/luks
cryptsetup luksOpen /dev/sdX3 luks # or /dev/nvmeXnYp3
# Create encrypted partitions
# LVM on top of the LUKS device: one volume group "main" with logical volumes for
# root, home and var (100G in total). Adjust sizes, or drop home/var, to fit the disk.
pvcreate /dev/mapper/luks
vgcreate main /dev/mapper/luks
lvcreate --size 25G main --name root
lvcreate --size 50G main --name home
lvcreate --size 25G main --name var
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/main-root
mkfs.ext4 /dev/mapper/main-home
mkfs.ext4 /dev/mapper/main-var
# Mount the new system
# Order matters: root first, then the mount points created inside it.
mount /dev/mapper/main-root /mnt # /mnt is the installed system
mkdir /mnt/{boot,home,var}
mount /dev/sdX2 /mnt/boot # or /dev/nvmeXnYp2
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi # or /dev/nvmeXnYp1
mount /dev/mapper/main-home /mnt/home
mount /dev/mapper/main-var /mnt/var
# Install the system. The optional packages also include what is needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired these can be removed from the command
# NOTE(review): the live environment above used iwctl (iwd), which is not in this
# package list - add it if the installed system should be set up the same way.
pacstrap /mnt base base-devel linux linux-firmware lvm2 grub efibootmgr # optional zsh vim git dialog wpa_supplicant
# 'install' fstab
# -U writes UUID-based entries. The output is appended (>>), so running this twice
# duplicates every entry.
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
# The next line is fstab content, not a command.
# NOTE(review): consider adding nosuid,nodev to the options, as systemd's stock
# tmp.mount does - confirm against your setup.
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
# Everything up to `exit` runs inside the chroot, i.e. against the installed system.
arch-chroot /mnt /bin/bash
# Setup system clock
# ln -s fails if /etc/localtime already exists; use `ln -sf` in that case.
# hwclock stores the current system time in the hardware clock as UTC.
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
# NOTE(review): the locale also has to be enabled in /etc/locale.gen and built with
# locale-gen, which is not shown here. LC_ALL overrides LANG and every other LC_*
# variable, so the LC_ALL=C line takes precedence over the LANG line - confirm this is intended.
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Add real user remove -s flag if you don't wish to use zsh
# Membership in wheel only grants sudo once a %wheel rule is enabled with visudo.
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Enable discards for LVM
# NOTE(review): as far as I know issue_discards makes LVM send discards to the
# physical volume when a logical volume is removed or shrunk - confirm in lvm.conf(5).
vim /etc/lvm/lvm.conf
# set `issue_discards = 1`
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# NOTE(review): 'keyboard' (and 'keymap' for a non-US layout) should also come
# before 'encrypt' so the passphrase can be typed at boot - confirm against the
# HOOKS line in your mkinitcpio.conf.
# Regenerate initrd image
# -p linux builds the images defined by the "linux" preset.
mkinitcpio -p linux
# Setup grub
# GRUB is installed to the EFI partition mounted at /boot/efi. Its configuration,
# the kernel and the initramfs sit on the unencrypted boot partition.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/disk/by-uuid/...:luks:allow-discards" then run:
# The UUID is that of the LUKS partition itself (sdX3 or nvmeXnYp3, see `blkid`),
# not of a volume inside it; `luks` is the mapper name used with luksOpen.
# allow-discards passes TRIM through dm-crypt. That helps SSDs, but it shows which
# blocks are unused to anyone who can read the raw disk. Drop `:allow-discards`
# if that matters for your threat model.
grub-mkconfig -o /boot/grub/grub.cfg
# Exit new system and go into the cd shell
exit
# Unmount all partitions
# No swap is created in these notes, so swapoff -a does nothing unless swap was added.
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot