-
-
Save drejohnson/00f2365b932b1921adddd6d8a1d144b4 to your computer and use it in GitHub Desktop.
Efficient UEFI Encrypted Root and Swap Arch Linux Installation Procedure with an ENCRYPTED BOOT using KDE Plasma 5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This guide will be using LVM on LUKS, see https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS | |
| # Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature. | |
| # Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example: | |
| $ gpg -v archlinux-2019.11.01-x86_64.iso.sig | |
| # Burn the archlinux-*.iso to a 1+ Gb USB stick. On Mac, do something like: | |
| $ diskutil unmountDisk /dev/disk4 | |
| $ sudo dd bs=4m of=/dev/rdisk4 if=archlinux-2020.01.01-x86_64.iso | |
| ----------------------------------- | |
| # Set your keymap only if not you are not using the default English language. | |
| $ loadkeys dk | |
| # Connect to WiFi using: | |
| $ wifi-menu | |
| # Fix partition of the host | |
| $ cfdisk /dev/sda | |
| # We need ONLY two partitions! | |
| # Partition Y = 100 MiB EFI partition # Hex code EF00 | |
| # Partition Z = Just size it to the last sector of your drive. # Hex code 8300. | |
| # Zero-out each of of your new partitions prior to creating filesystems on them. | |
| $ cat /dev/zero > /dev/sda1 | |
| # followed by | |
| $ cat /dev/zero > /dev/sda2 | |
| # Create a filesystem for /efi | |
| $ mkfs.vfat -F 32 -n EFI /dev/sda1 | |
| # Encrypt and open your system partition | |
| $ cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random --type luks1 luksFormat /dev/sda2 | |
| # Note our use of the critical '--type luks1' encryption switch. The default Type 2 LUKS encryption PREVENTS Grub from | |
| # being able to properly decrypt an encrypted /boot. This is also precisely why an existing encrypted Arch system which used | |
| # standard LUKS Type 2 encryption CANNOT be converted into an encrypted /boot system. A clean install is necessary! | |
| $ cryptsetup luksOpen /dev/sda2 luks | |
| # Create encrypted LVM partitions | |
| # Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions. | |
| # The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below! | |
| $ pvcreate /dev/mapper/luks | |
| $ vgcreate luks /dev/mapper/luks | |
| $ lvcreate -L 8G luks -n swap | |
| $ lvcreate -l 100%FREE luks -n root | |
| # Create filesystems on your encrypted partitions | |
| $ mkswap /dev/mapper/luks-swap | |
| $ mkfs.xfs /dev/mapper/luks-root | |
| # Mount the new system | |
| $ mount /dev/mapper/luks-root /mnt | |
| $ swapon /dev/mapper/luks-swap | |
| $ mkdir /mnt/boot | |
| $ mkdir /mnt/efi | |
| $ mount /dev/sda1 /mnt/efi | |
| # Optional - Select the 10 most recently synchronized HTTPS mirrors, sort them by download speed, and overwrite the file /etc/pacman.d/mirrorlist: | |
| $ pacman -Sy | |
| $ pacman -S reflector | |
| $ reflector --latest 10 --protocol https --sort rate --save /etc/pacman.d/mirrorlist | |
| # Install your Arch system | |
| $ pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant linux linux-headers dkms dhcpcd netctl lvm2 linux-firmware iw vim reflector | |
| # Create and review FSTAB | |
| $ genfstab -U /mnt >> /mnt/etc/fstab | |
| # Make /tmp a ramdisk (add the following line to /mnt/etc/fstab) | |
| tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0 | |
| # Enter the new system | |
| $ arch-chroot /mnt /bin/bash | |
| # Set the system clock | |
| $ ln -s /usr/share/zoneinfo/Europe/Copenhagen /etc/localtime | |
| $ hwclock --systohc --utc | |
| $ timedatectl set-ntp true | |
| $ localectl set-keymap dk | |
| # Assign your hostname | |
| $ hostnamectl set-hostname x1-carbon | |
| $ echo x1-carbon > /etc/hostname | |
| # Set or update your locale | |
| If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings: | |
| a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8 | |
| b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8 | |
| # Now run: | |
| $ locale-gen | |
| # Set your root password | |
| $ passwd | |
| # Create a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group. | |
| $ useradd -m -G wheel,storage,power,network,uucp -s /bin/bash MyUserName | |
| $ passwd MyUserName | |
| # Type: visudo and find this line: # %wheel ALL=(ALL) ALL and delete # character | |
| # Let's create our crypto keyfile: | |
| cd / | |
| dd bs=512 count=4 if=/dev/random of=crypto_keyfile.bin iflag=fullblock | |
| chmod 000 /crypto_keyfile.bin | |
| chmod 600 /boot/initramfs-linux* | |
| cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin | |
| # Configure mkinitcpio with the correct FILES statement and proper HOOKS required for your initrd image: | |
| vim /etc/mkinitcpio.conf | |
| # SET THE FOLLOWING OPTIONS | |
| MODULES(xfs) | |
| FILES=(/crypto_keyfile.bin) | |
| HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems resume fsck) | |
| # Generate your initrd image | |
| $ mkinitcpio -p linux | |
| # Install and Configure Grub-EFI | |
| # Since we need grub to decrypt our encrypted /boot, we first need to configure grub so that it knows we are working with | |
| # a LUKS encrypted disk. | |
| vim /etc/default/grub | |
| # UNCOMMENT this line: | |
| GRUB_ENABLE_CRYPTODISK=y | |
| # The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are | |
| # installing dedicated Arch, or multi-OS booting, for our encrypted /boot purposes is: | |
| $ grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=ArchLinux --recheck | |
| # Edit /etc/default/grub so it includes a statement like this: | |
| GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:luks root=/dev/mapper/luks-root resume=/dev/mapper/luks-swap cryptkey=rootfs:/crypto_keyfile.bin" | |
| # If you are not using swap, eliminate the 'resume' statement above. | |
| # Generate Your Final Grub Configuration: | |
| $ grub-mkconfig -o /boot/grub/grub.cfg | |
| # Exit Your New Arch System | |
| $ exit | |
| # Backup your headers | |
| $ cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file=/mnt/efi/luks-header | |
| $ cp /mnt/etc/lvm /mnt/efi/lvm-backup -Rafv | |
| # Unmount all partitions | |
| $ umount -R /mnt | |
| $ swapoff -a | |
| # Reboot and Enjoy Your Encrypted BOOT Arch Linux System! | |
| $ reboot | |
| __________________________ | |
| # If you have problems connecting to wifi, try start disable power save on the netcard: | |
| $ iw dev wlan0 set power_save off | |
| # Reconnect to wifi | |
| $ wifi-menu | |
| __________________________ | |
| # Log in as root, and not as a user, and setup Plasma: | |
| # Setup reflector again | |
| $ reflector --latest 10 --protocol https --sort rate --save /etc/pacman.d/mirrorlist | |
| $ pacman -Sy | |
| $ pacman -S plasma-desktop sddm networkmanager plasma-nm fwupd intel-ucode xf86-video-intel | |
| # Install applications | |
| $ pacman -S openvpn networkmanager-openvpn plasma-pa pulseaudio bluez bluez-utils throttled cryfs dnscrypt-proxy dnsmasq git sudo zsh wget powertop tlp konsole | |
| # Install fonts | |
| $ pacman -S ttf-dejavu ttf-liberation | |
| # Finalize setup | |
| $ systemctl enable sddm NetworkManager lenovo_fix.service tlp dnscrypt-proxy dnsmasq | |
| $ pacman -R netctl dhcpcd | |
| $ reboot | |
| __________________________ | |
| # Log in to sddm's GUI as your user | |
| __________________________ | |
| # Complete the setup , by opening the Konsole and start | |
| $ git clone https://aur.archlinux.org/yay.git | |
| $ cd yay | |
| $ makepkg -si | |
| $ git clone https://github.com/kwin-scripts/kwin-tiling.git | |
| $ cd kwin-tiling/ | |
| $ plasmapkg2 --type kwinscript -i . | |
| # Install the last applications | |
| $ yay -S google-chrome spotify visual-studio-code-bin teamviewer slack-desktop dropbox polybar dolphin redshift vlc spectacle kwalletmanager kinfocenter ark thunderbird terminator latte-dock | |
| $ yay -Yc | |
| # Install themes | |
| $ yay -S papirus-icon-theme-kde | |
| ------------------------------------------- | |
| Dotfiles with Dotbot | |
| # Make sure reflector updates the mirrorlist | |
| $ cat /etc/systemd/system/reflector.service | |
| [Unit] | |
| Description=Pacman mirrorlist update | |
| Wants=network-online.target | |
| After=network-online.target | |
| [Service] | |
| Type=oneshot | |
| ExecStart=/usr/bin/reflector --protocol https --latest 30 --number 20 --sort rate --save /etc/pacman.d/mirrorlist | |
| [Install] | |
| RequiredBy=multi-user.target | |
| $ cat /etc/systemd/system/reflector.timer | |
| [Unit] | |
| Description=Run reflector weekly | |
| [Timer] | |
| OnCalendar=Mon *-*-* 7:00:00 | |
| RandomizedDelaySec=15h | |
| Persistent=true | |
| [Install] | |
| WantedBy=timers.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment