Skip to content

Instantly share code, notes, and snippets.

@ansulev
Last active February 2, 2022 06:56
Show Gist options
  • Save ansulev/4e56401c05afccbf221e55e886eb5838 to your computer and use it in GitHub Desktop.
Save ansulev/4e56401c05afccbf221e55e886eb5838 to your computer and use it in GitHub Desktop.
Install Arch Linux with full encrypted file-system using dm-crypt and luks
# Install Arch Linux with full encrypted file-system using dm-crypt and luks
# The official guide: https://wiki.archlinux.org/index.php/Installation_Guide
# SSD specials
# http://ggarcia.me/2016/10/11/arch-linux-ssd-trim.html
# Download the archiso image from https://www.archlinux.org/download/
# Copy to a usb-drive
dd bs=16M if=archlinux.iso of=/dev/sdx status=progress oflag=sync # on linux
# Boot from the usb.
# Set spanish keymap
loadkeys es
# This assumes a wifi only system...
wifi-menu
# Create a primary partition - entire disk
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%
# Create and open LUKS container
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 lvm
# Create volume group and logical volumes
pvcreate /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm
lvcreate -L 40G vg -n root
lvcreate -L 8G vg -n swap
lvcreate -l +100%FREE vg -n home
# Create filesystems
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home
# Activate swap and mount lv's
swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home
# Install the system, wifi and some tools
pacstrap /mnt base base-devel grub vim dialog wpa_supplicant mlocate htop
# Create fstab
genfstab -p /mnt >> /mnt/etc/fstab
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Change relatime on all non-boot partitions to noatime
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Madrid /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
echo LANG=en_US.utf8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set virtul console lang and font
echo KEYMAP=es > /etc/vconsole.conf
echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf
# Set password for root
passwd
# Add real user
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
In /etc/default/grub add GRUB_ENABLE_CRYPTODISK=y
and change GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm:allow-discards rd.luks.options=discard" # if SSD
and GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm" # for HDD
run:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
# Create keyfile for paswordless login
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
and add to /etc/mkinitcpio.conf
FILES=/crypto_keyfile.bin
run:
mkinitcpio -p linux
# Reboot again, you’ll only need to enter your password once.
reboot
# Secure keyfile and /boot
chmod 000 /crypto_keyfile.bin # actually, even root doesn't need to access this
chmod -R g-rwx,o-rwx /boot # just to be safe
# TODO:
# post installation, install X and DE, optimize performance and power (laptops)
# END
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment