This guide is based on the official Archlinux Installation Guide, Beginners' Guide and my personal experience.
SSD partition | fs | size | mountpoint
---|---|---|---
/dev/nvme0n1p1 | FAT32 | 512M | /boot/efi
/dev/nvme0n1p2 | LUKS | rest of the disk | -
SSD partition | LVM volume | Btrfs subvolume | mountpoint
---|---|---|---
nvme0n1p2 | /dev/mapper/system--vg-swap | - | swap
nvme0n1p2 | /dev/mapper/system--vg-system | @ | /
nvme0n1p2 | /dev/mapper/system--vg-system | @home | /home
For a UEFI setup, use fdisk to create a 512MB EFI System partition first and the partition for the LUKS container after it.
Then format the EFI partition as FAT32:
# mkfs.fat -F32 /dev/nvme0n1p1
The rest of this howto assumes that your LUKS container is /dev/nvme0n1p2, so keep that in mind.
Don't pass cryptsetup any parameters to pick the cipher, hash or key size unless you know exactly why you need them. Crypto is hard to get right and the cryptsetup developers chose the defaults carefully; they almost certainly know better than you. ;)
# cryptsetup luksFormat /dev/nvme0n1p2
# cryptsetup luksOpen --allow-discards /dev/nvme0n1p2 lvm
--allow-discards lets TRIM pass through the encryption layer, which is good for the SSD but reveals which blocks of the container are unused; leave it out if that trade-off matters to you.
- Create the physical volume and the volume group
# pvcreate /dev/mapper/lvm
# vgcreate system-vg /dev/mapper/lvm
- Create the volume for swap and the btrfs volume. Make the swap volume as big as you want; the usual choice is the size of your RAM, and since this guide enables resume from hibernation the swap has to be able to hold the memory image. Here I use 2G.
# lvcreate -L 2G system-vg -n swap
# lvcreate -l +100%FREE system-vg -n system
# mkfs.btrfs -L arch /dev/mapper/system--vg-system
# mkswap -L swap /dev/mapper/system--vg-swap
- Mount the btrfs volume and cd into it
# mount /dev/mapper/system--vg-system /mnt && cd /mnt
- Add subvolumes
# btrfs subvolume create @
# btrfs subvolume create @home
- Unmount
# cd && umount /mnt
You can enable compression with lzo or zlib on btrfs and enable auto defragmentation.
# mount /dev/mapper/system--vg-system /mnt -o subvol=@,discard,ssd,compress=lzo,autodefrag
# mkdir -p /mnt/{home,host_run,boot/efi}
# mount /dev/mapper/system--vg-system /mnt/home -o subvol=@home,discard,ssd,compress=lzo,autodefrag
# mount /dev/nvme0n1p1 /mnt/boot/efi
# swapon -d /dev/mapper/system--vg-swap
# mount --bind /run /mnt/host_run
Mind the brace expansion in the mkdir: a space after the comma would create directories literally named "{home," and "host_run}". The EFI partition has to be mounted at /mnt/boot/efi because grub-install below is told to use /boot/efi. host_run is needed later when we install GRUB: the LVM tools that grub-install runs inside the chroot need the host's /run/lvm state to see the volume group.
# pacstrap -i /mnt base base-devel bash-completion vim
# genfstab -U -p /mnt >> /mnt/etc/fstab
Change defaults to defaults,discard in the swap entry of /mnt/etc/fstab if you have an SSD.
# arch-chroot /mnt
# mkdir /run/lvm
# mount --bind /host_run/lvm /run/lvm
# pacman -S grub efibootmgr
Edit /etc/default/grub: add GRUB_ENABLE_CRYPTODISK=y so that GRUB can unlock the container and read /boot from it, and set the cryptdevice and resume parameters on the kernel command line:
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p2:lvm:allow-discards resume=/dev/mapper/system--vg-swap"
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
# umount /run/lvm
Generate a 4096-byte (8 x 512 bytes) random key and add it to LUKS as an additional key slot (you will be asked for the existing passphrase):
# dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
# cryptsetup luksAddKey /dev/nvme0n1p2 /crypto_keyfile.bin
Nothing except the initramfs should read this file, so strip every permission bit (root can still read it, but no other user can):
# chmod 000 /crypto_keyfile.bin
Edit /etc/mkinitcpio.conf:
- Add crc32c (or crc32c-intel for Intel machines) to the MODULES array:
MODULES="crc32c-intel"
- In the HOOKS array, add encrypt, lvm2 and resume between keyboard and filesystems, in that order (the container has to be unlocked before LVM can activate the volumes, and resume needs the swap volume), and add btrfs to the end:
HOOKS="... keyboard encrypt lvm2 resume filesystems ... fsck btrfs"
- Add the keyfile for the LUKS partition to the initramfs so that you only have to type the passphrase once, for GRUB; the encrypt hook then unlocks the container again with the embedded key instead of prompting:
FILES="/crypto_keyfile.bin"
Install btrfs-progs to use the btrfs hook:
# pacman -S btrfs-progs
# mkinitcpio -p linux
The key is now embedded in the initramfs images under /boot, which mkinitcpio writes world-readable: restrict them to root (mode 600), otherwise any local user can pull the key out of the image.
# grub-mkconfig -o /boot/grub/grub.cfg
- Edit /etc/locale.conf:
LANG=en_US.UTF-8
- Edit /etc/locale.gen and uncomment the needed locales:
en_US.UTF-8 UTF-8
- Generate the locales:
# locale-gen
- Set the timezone:
# ln -s /usr/share/zoneinfo/Europe/Madrid /etc/localtime
# pacman -S dialog wpa_supplicant networkmanager
Edit /etc/pacman.conf and uncomment [multilib].
Refresh the package database:
# pacman -Sy
Add a user and set the password:
# useradd -m -g users -G wheel -s /bin/bash bob
# passwd bob
Run:
# visudo
and uncomment %wheel ALL=(ALL:ALL) ALL, or %wheel ALL=(ALL:ALL) NOPASSWD: ALL if you don't want to enter your password again when using sudo (keep in mind that with NOPASSWD any code running as your user can become root without a prompt).
Now remove the root password so that root cannot log in (don't lock the account with passwd -l because then the recovery root login doesn't work anymore):
# passwd -dl root
Afterwards check root's entry in /etc/shadow: the password field must not be empty. With an empty field and the nullok option of pam_unix, anyone could su to root without a password; a field starting with ! or * means the account has no usable password.
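Before leaving the chroot it is worth verifying the security-relevant parts of the setup above in one go. The following POSIX shell script is an added example, not part of the original guide: it checks the hook order in /etc/mkinitcpio.conf, the GRUB settings in /etc/default/grub, that /crypto_keyfile.bin and the initramfs images under /boot are unreadable to non-root users, and root's password field in /etc/shadow. The paths are the ones used in this guide; every function also accepts a file path so the checks can be run against copies. Run it with `--check` inside the chroot.

```shell
#!/bin/sh
# Post-install sanity checks for the LUKS + LVM2 + btrfs layout in this guide.
# Added example, not part of the original guide. Each function takes the file
# to inspect as an argument (defaulting to the real path inside the chroot).

# Print the value of a KEY="..." or KEY=(...) line from a config file with the
# quotes/parentheses stripped. The last occurrence wins, as in the shell.
conf_value() {  # $1 = file, $2 = key
    grep "^$2=" "$1" | tail -n 1 | sed "s/^$2=//" | tr -d '"()'
}

# Print the 1-based position of $1 among the remaining arguments, or 0.
hook_index() {
    name=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        if [ "$h" = "$name" ]; then printf '%s\n' "$i"; return 0; fi
    done
    printf '0\n'
}

# encrypt must unlock the container before lvm2 activates the volume group,
# resume needs the swap LV, and filesystems needs the root LV: the order in
# HOOKS has to be keyboard encrypt lvm2 resume filesystems.
check_hooks_order() {  # $1 = mkinitcpio.conf
    conf=${1:-/etc/mkinitcpio.conf}
    # shellcheck disable=SC2046
    set -- $(conf_value "$conf" HOOKS)
    prev=0
    for want in keyboard encrypt lvm2 resume filesystems; do
        idx=$(hook_index "$want" "$@")
        if [ "$idx" -eq 0 ] || [ "$idx" -le "$prev" ]; then
            echo "HOOKS: '$want' missing or out of order" >&2
            return 1
        fi
        prev=$idx
    done
}

# GRUB needs cryptodisk support to read /boot from inside the container, and
# the kernel needs cryptdevice= and resume= to find the root and swap LVs.
check_grub_config() {  # $1 = /etc/default/grub
    conf=${1:-/etc/default/grub}
    [ "$(conf_value "$conf" GRUB_ENABLE_CRYPTODISK)" = "y" ] || {
        echo "GRUB_ENABLE_CRYPTODISK is not y" >&2; return 1; }
    cmdline=$(conf_value "$conf" GRUB_CMDLINE_LINUX)
    case $cmdline in
        *cryptdevice=*:*resume=/dev/mapper/*) return 0 ;;
        *) echo "GRUB_CMDLINE_LINUX lacks cryptdevice= or resume=" >&2; return 1 ;;
    esac
}

# The keyfile and the initramfs images that embed it must not be readable by
# anyone but root: all group and other permission bits have to be cleared.
check_private() {  # $@ = files
    for f in "$@"; do
        bits=$(ls -ld "$f" 2>/dev/null | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "$f is accessible to group/other (bits: '$bits')" >&2
            return 1
        fi
    done
}

# Classify root's password field: "empty" (with pam_unix nullok anyone can su
# to root without a password), "locked" (starts with ! or *), or "hash"
# (root can still log in with a password).
root_shadow_state() {  # $1 = shadow file
    field=$(awk -F: '$1 == "root" { print $2 }' "${1:-/etc/shadow}")
    case $field in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo hash ;;
    esac
}

main() {
    rc=0
    check_hooks_order /etc/mkinitcpio.conf || rc=1
    check_grub_config /etc/default/grub || rc=1
    check_private /crypto_keyfile.bin /boot/initramfs-linux*.img || rc=1
    state=$(root_shadow_state /etc/shadow)
    [ "$state" = locked ] || { echo "root password field is $state" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Only touch the real files when asked to, so the functions can be sourced.
case ${1:-} in --check) main ;; esac
```

A non-zero exit from any check means the box should not be rebooted yet: a wrong hook order or a missing cryptdevice= leaves you at a rescue prompt, and a readable initramfs or an empty root password field undoes the point of encrypting the disk.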
Exit the chroot environment.
Unmount everything under /mnt (umount -R also takes care of the bind mount and the nested mounts), then turn off swap and close the container:
# umount -R /mnt
# swapoff /dev/mapper/system--vg-swap
# cryptsetup luksClose /dev/mapper/lvm
Reboot:
# reboot
Finished! You now have an encrypted Archlinux up and running. If you want to build a server you're pretty much finished and can continue to setup the services you want to host. For a more desktop like setup continue.