Minimal instructions for installing Arch Linux on a DOS/BIOS system with full system encryption using dm-crypt and LUKS
# Install ARCH Linux with encrypted file-system, for BIOS. Dustin dut n ex 5 a t g ma il
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# This assumes a wifi only system...
#wifi-menu
# Partition the disk with fdisk (cfdisk also works, but select the dos label type).
# Make 2 partitions: a small boot partition of around 500 MB, and the rest as a single Linux partition.
# Format the boot partition with ext2 (ext4 also works, it's not a big deal; ext2 should be faster).
mkfs.ext2 /dev/sdX1
# Setup the encryption of the system
#cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdX2
cryptsetup luksOpen /dev/sdX2 luks
# Create encrypted partitions
# This creates one partition for root; modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 5G vg0 --name swap #Change this depending on your ram
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
# Install the base system. Anything needed on first boot of the new system (wifi tools, for example)
# and optional extras such as vim or zsh must be appended to the command below.
pacstrap /mnt base base-devel
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
# (edit /etc/locale.conf)
# Set password for root
passwd
# Add real user (change the -s flag if you wish to use a shell other than bash, e.g. zsh)
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
nano /etc/mkinitcpio.conf # or vim
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
pacman -S grub
grub-install --target=i386-pc --recheck /dev/sdX
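# In /etc/default/grub, edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX2:luks:allow-discards"
# (allow-discards passes TRIM through the encrypted volume, which exposes which blocks are unused; omit it if that matters), then run: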
grub-mkconfig -o /boot/grub/grub.cfg
#Enable dhcp for a wired connection
systemctl enable dhcpcd@NameOfWiredDevice
#Add user to sudo
EDITOR=nano visudo
# Exit new system and go into the cd shell
exit
# Reboot into the new system, don't forget to remove the cd/usb
reboot
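# Added example (not part of the original gist): a check, to be run inside the chroot before the exit/reboot steps, that 'encrypt' and 'lvm2' really precede 'filesystems' in HOOKS and that GRUB_CMDLINE_LINUX carries a cryptdevice entry. The function names and the sample files are constructed for illustration.

```shell
# Print the active (uncommented) HOOKS words; accepts HOOKS="a b" and HOOKS=(a b).
hooks_list() {
    sed -n 's/^[[:space:]]*HOOKS=//p' "$1" | tail -n 1 | tr -d '"()'
}

# Succeed only if every hook named in $2.. appears before 'filesystems' in file $1.
hooks_before_filesystems() {
    conf=$1; shift
    seen=""
    for h in $(hooks_list "$conf"); do
        if [ "$h" = filesystems ]; then
            for want in "$@"; do
                case " $seen " in *" $want "*) ;; *) return 1 ;; esac
            done
            return 0
        fi
        seen="$seen $h"
    done
    return 1   # no 'filesystems' hook found
}

# Print the mapper name from cryptdevice=<device>:<name>[:options] in GRUB_CMDLINE_LINUX.
cryptdevice_name() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=[^: "]*:\([^: "]*\).*/\1/p' "$1" | tail -n 1
}

# Constructed sample files (not taken from a real system) so the check runs anywhere.
demo=$(mktemp -d)
printf '%s\n' '#HOOKS="base udev"' \
    'HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"' > "$demo/good.conf"
printf '%s\n' 'HOOKS=(base udev autodetect modconf block filesystems encrypt lvm2 fsck)' > "$demo/bad.conf"
printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' \
    'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX2:luks:allow-discards"' > "$demo/grub"

for f in "$demo/good.conf" "$demo/bad.conf"; do
    if hooks_before_filesystems "$f" encrypt lvm2; then
        echo "$f: HOOKS order ok"
    else
        echo "$f: encrypt and lvm2 must come before filesystems"
    fi
done
echo "mapper name in GRUB cmdline: $(cryptdevice_name "$demo/grub")"
rm -rf "$demo"
```

# On the installed system, call the functions with /etc/mkinitcpio.conf and /etc/default/grub instead of the sample files.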