Minimal instructions for installing Arch Linux on a DOS/BIOS system with full system encryption using dm-crypt and LUKS
# Install ARCH Linux with encrypted file-system, for BIOS. Dustin dut n ex 5 a t g ma il
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# This assumes a wifi only system...
#wifi-menu
# Use fdisk, or cfdisk with the dos label type selected.
# Make 2 partitions: a small boot partition of around 500 MB, and the rest as a single Linux partition.
# Format the boot partition with ext2 (ext4 also works, it's not a big deal; ext2 should be faster).
mkfs.ext2 /dev/sdX1
# Setup the encryption of the system
#cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX2
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdX2
cryptsetup luksOpen /dev/sdX2 luks
# Create encrypted partitions
# This creates one partition for root; modify if /home or other directories should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 5G vg0 --name swap #Change this depending on your ram
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
# Install the system. Only base and base-devel are installed here; append anything needed for starting wifi
# when first booting into the newly installed system, and vim or zsh if desired.
pacstrap /mnt base base-devel
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (appends the following line to /mnt/etc/fstab)
echo 'tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0' >> /mnt/etc/fstab
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
# Edit /etc/locale.conf
# Set password for root
passwd
# Add a real user; change the -s argument if you wish to use a different shell such as zsh
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
nano /etc/mkinitcpio.conf # or vim
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
pacman -S grub
grub-install --target=i386-pc --recheck /dev/sdX
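# In /etc/default/grub, edit the line GRUB_CMDLINE_LINUX to:
#   GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX2:luks:allow-discards"
# (allow-discards passes TRIM through dm-crypt, which reveals which blocks of the encrypted device are unused; leave it off if that matters to you)
# then run: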
grub-mkconfig -o /boot/grub/grub.cfg
#Enable dhcp for a wired connection
systemctl enable dhcpcd@NameOfWiredDevice
#Add user to sudo
EDITOR=nano visudo
# Exit new system and go into the cd shell
exit
# Reboot into the new system, don't forget to remove the cd/usb
reboot
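
A check to run inside the chroot before the final `exit` and `reboot`, added here as an example (it is not part of the original gist): it verifies the HOOKS order in the mkinitcpio configuration and the `cryptdevice=` parameter in the grub defaults file. The function names and sample inputs are made up for illustration, and the encrypt-before-lvm2 ordering assumes the LVM-on-LUKS layout built above.

```shell
#!/bin/sh
# Added example (not part of the gist): pre-reboot checks for the two files
# the guide edits. Paths are arguments, so copies can be checked as well.

# hooks_ok FILE: the active HOOKS line must list encrypt, then lvm2, then
# filesystems. The LUKS container has to be opened before the volume group
# inside it can be found, and both before the root filesystem is mounted.
hooks_ok() {
    line=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1)
    # Drop 'HOOKS=' and the quotes/parentheses, leaving bare hook names.
    hooks=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//' -e 's/[()"]/ /g')
    pos=0 enc=0 lvm=0 fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt)     enc=$pos ;;
            lvm2)        lvm=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$enc" -gt 0 ] && [ "$enc" -lt "$lvm" ] && [ "$lvm" -lt "$fs" ]
}

# grub_cmdline FILE: print the active (uncommented) GRUB_CMDLINE_LINUX* lines.
grub_cmdline() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$1"
}

# cryptdevice_ok FILE: the encrypt hook needs cryptdevice=<device>:<name>.
cryptdevice_ok() {
    grub_cmdline "$1" | grep -Eq 'cryptdevice=[^:" ]+:[^:" ]+'
}

# discards_enabled FILE: true when TRIM is passed through dm-crypt.
discards_enabled() {
    grub_cmdline "$1" | grep -Eq 'cryptdevice=[^" ]*:allow-discards'
}

# Constructed sample inputs (not taken from a real system).
SAMPLES=$(mktemp -d)
printf 'HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"\n' > "$SAMPLES/good.conf"
printf '#HOOKS="base encrypt lvm2 filesystems"\nHOOKS="base udev block filesystems lvm2 encrypt"\n' > "$SAMPLES/bad.conf"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX2:luks:allow-discards"\n' > "$SAMPLES/grub"
for f in good.conf bad.conf; do
    if hooks_ok "$SAMPLES/$f"; then echo "$f: HOOKS order ok"; else echo "$f: fix HOOKS order"; fi
done
cryptdevice_ok "$SAMPLES/grub" && echo "grub: cryptdevice set"
discards_enabled "$SAMPLES/grub" && echo "grub: allow-discards is on"
rm -rf "$SAMPLES"
```

On the installed system, call `hooks_ok /etc/mkinitcpio.conf` and `cryptdevice_ok /etc/default/grub` from inside the chroot; a failing HOOKS check means the initrd must be regenerated after fixing the file.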
@dust321

Owner Author

commented Apr 15, 2016

I have tested this on an SSD laptop and an SSD desktop.

@dust321

Owner Author

commented Apr 17, 2016

Just a note: I turned off compression in etc/mkinitcpio (read the comments in the file on how to do it) and it is way faster on my SSD...

@tirk182


commented Aug 30, 2016

line 87 should read systemctl enable dhcpcd@NameOfWiredDevice
Small typo I think.

@dust321

Owner Author

commented Sep 28, 2016

Thanks Tirk

@pascalpoitras


commented Nov 15, 2016

Thanks a lot for this!

But I think you missed adding GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub

@pascalpoitras


commented Nov 15, 2016

No, it is my mistake, sorry.
