Install Arch Linux with full encrypted file-system using dm-crypt and luks

inst-arch-linux-full-enc

# Install Arch Linux with full encrypted file-system using dm-crypt and luks
# The official guide: https://wiki.archlinux.org/index.php/Installation_Guide

# SSD specials
# http://ggarcia.me/2016/10/11/arch-linux-ssd-trim.html

# Download the archiso image from https://www.archlinux.org/download/
# Copy to a usb-drive
dd bs=16M if=archlinux.iso of=/dev/sdx status=progress oflag=sync # on linux

# Boot from the usb.
# Set spanish keymap
loadkeys es

# This assumes a wifi only system...
wifi-menu

# Create a primary partition - entire disk
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%

# Create and open LUKS container
cryptsetup luksFormat /dev/sda1
cryptsetup luksOpen /dev/sda1 lvm

# Create volume group and logical volumes
pvcreate /dev/mapper/lvm
vgcreate vg /dev/mapper/lvm
lvcreate -L 40G vg -n root
lvcreate -L 8G vg -n swap
lvcreate -l +100%FREE vg -n home

# Create filesystems
mkswap -L swap /dev/mapper/vg-swap
mkfs.ext4 /dev/mapper/vg-root
mkfs.ext4 /dev/mapper/vg-home

# Activate swap and mount lv's
swapon /dev/mapper/vg-swap
mount /dev/mapper/vg-root /mnt
mkdir /mnt/home
mount /dev/mapper/vg-home /mnt/home

# Install the system, wifi and some tools
pacstrap /mnt base base-devel grub vim dialog wpa_supplicant mlocate htop

# Create fstab
genfstab -p /mnt >> /mnt/etc/fstab

# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

# Change relatime on all non-boot partitions to noatime

# Enter the new system
arch-chroot /mnt /bin/bash

# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Madrid /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo MYHOSTNAME > /etc/hostname

# Update locale
echo LANG=en_US.utf8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf

# Set virtul console lang and font
echo KEYMAP=es > /etc/vconsole.conf
echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf

# Set password for root
passwd

# Add real user
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME

# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems

# Regenerate initrd image
mkinitcpio -p linux

# Setup grub
In /etc/default/grub add GRUB_ENABLE_CRYPTODISK=y
and change GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm:allow-discards rd.luks.options=discard" # if SSD
and GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:lvm" # for HDD
run:
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda
# Exit new system and go into the cd shell
exit

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot into the new system, don't forget to remove the cd/usb
reboot

# Create keyfile for paswordless login
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
and add to /etc/mkinitcpio.conf
FILES=/crypto_keyfile.bin
run:
mkinitcpio -p linux
# Reboot again, you’ll only need to enter your password once.
reboot

# Secure keyfile and /boot
chmod 000 /crypto_keyfile.bin  # actually, even root doesn't need to access this
chmod -R g-rwx,o-rwx /boot     # just to be safe

# TODO:
# post installation, install X and DE, optimize performance and power (laptops)
# END