@ettore26
Forked from mattiaslundberg/arch-linux-install
Last active December 3, 2021 21:35
Minimal instructions for installing Arch Linux on a UEFI system with full system encryption using dm-crypt and LUKS
# Install Arch Linux with an encrypted file system on a UEFI machine
# Useful links --------------------------------------------------------------------
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Partitioning (https://wiki.archlinux.org/index.php/partitioning)
# dm-crypt/Device encryption (https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption)
# dm-crypt/Encrypting an entire system (https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system)
# ---------------------------------------------------------------------------------
# Download the archiso image from https://www.archlinux.org/
# Check the image against the checksum and PGP signature published alongside it
# before writing it: every later step runs from this medium, so a tampered image
# undermines the disk encryption set up below.
# Copy to a usb-drive
# dd overwrites the whole of= device without asking. /dev/sda is only an example
# name for the USB stick on the machine preparing it; confirm the device first
# (e.g. with lsblk).
dd if=archlinux.img of=/dev/sda bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set Swedish keymap
# The LUKS passphrase is typed under this layout later on, while the installed
# system is configured with KEYMAP=us; pick a passphrase that types the same
# under both layouts, or keep the two layouts identical.
loadkeys sv-latin1
# Connect to wifi...
# iwctl opens an interactive prompt; the commented lines below are typed there,
# with "device" replaced by the adapter name that "device list" prints.
iwctl
# device list
# station device scan
# station device get-networks
# station device connect SSID
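# Disk layout (only /dev/sdaZ is encrypted: the ESP and /boot keep GRUB, the kernel and the initramfs in clear text, so this layout protects data at rest but does not detect tampering with the boot files)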
+---------------+----------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1: |Volume 2: |Volume 3: |
| | | | | |
|/boot/efi |/boot |root |swap |home |
| | | | | |
| | |/dev/vg0/root |/dev/vg0/swap |/dev/vg0/home |
|/dev/sdaX |/dev/sdaY +----------------+----------------+----------------+
|unencrypted |unencrypted |/dev/sdaZ encrypted using LVM on LUKS |
+---------------+----------------+--------------------------------------------------+
# Create partitions
# In the live environment /dev/sda is meant to be the disk being installed to,
# not the USB stick written earlier. Device names differ between machines, so
# confirm the target (e.g. with lsblk) before rewriting its partition table.
cgdisk /dev/sda
# sdaX partition
1 100MB EFI partition # Hex code ef00
# sdaY partition
2 250MB Boot partition # Hex code 8300
# sdaZ partition
3 100% size partition # (to be encrypted) Hex code 8300
# Setup the encryption of the system
# Encryption
# luksFormat destroys whatever is on /dev/sdaZ (sdaZ stands for the third
# partition created above).
#   -c aes-xts-plain64  cipher and mode
#   -y                  ask for the passphrase twice to catch typos
#   --use-random        take the volume key from /dev/random
# No -s/--key-size is given, so cryptsetup's built-in default key size is used
# (shown by "cryptsetup --help"). In XTS mode the key is split in two, so AES
# runs with half that many bits.
# In this setup the passphrase is the only secret protecting the data, and a
# damaged LUKS header makes the volume unrecoverable; consider keeping a header
# backup (cryptsetup luksHeaderBackup) offline.
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdaZ
# Map the unlocked container to /dev/mapper/luks
cryptsetup open /dev/sdaZ luks
# Fill with random data or zeros
# The write goes through the opened mapping, so the zeros reach the disk as
# ciphertext: old contents of the partition are overwritten and unused space
# no longer stands out from used space. dd ends with "No space left on device"
# once the mapping is full; that is the expected outcome here.
# Other possible options are "shred -v /dev/mapper/luks", "dd if=/dev/urandom of=/dev/mapper/luks bs=1M status=progress"
dd if=/dev/zero of=/dev/mapper/luks bs=1M status=progress
# Create encrypted partitions
# This creates one logical volume each for swap, root and /home inside the LUKS container
# The opened mapping becomes the single physical volume of volume group vg0.
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
# Swap sits inside the encrypted container, so swapped-out memory (and a
# hibernation image, if resume= is configured later) is encrypted at rest.
lvcreate --size 8G vg0 --name swap
lvcreate --size 40G vg0 --name root
# home takes every extent that is still free in vg0
lvcreate --extents +100%FREE vg0 --name home
# Create filesystems
# Create filesystems on EFI and /boot
# Both of these partitions stay unencrypted (sdaX = ESP, sdaY = /boot).
mkfs.vfat -F32 /dev/sdaX
mkfs.ext2 /dev/sdaY
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap
# Mount the new system
# Root is mounted first; the other mount points are created inside it.
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home
# NOTE(review): genfstab lists swap that is active when it runs, so leaving this
# on presumably is also what gets the swap entry into fstab; confirm.
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdaY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdaX /mnt/boot/efi
# Install the system
# Optional packages (zsh, vim, git, tmux, ...) can be removed from the command.
# grub, efibootmgr and lvm2 are used by the boot setup further down, and zsh is
# the login shell given to useradd later.
pacstrap /mnt base base-devel linux linux-firmware grub efibootmgr lvm2 zsh networkmanager vi vim git man-db tmux
# Configuring fstab
# -U writes UUIDs instead of device names. >> appends, so running this a second
# time duplicates every entry; check /mnt/etc/fstab afterwards.
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
# The next line is fstab content, not a command to run. mode=1777 keeps /tmp
# world-writable with the sticky bit; nosuid,nodev can be appended to the options
# as extra hardening for such a mount.
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
# Everything from here to "exit" runs inside the installed system under /mnt.
arch-chroot /mnt /bin/bash
# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
# Store the current system time in the hardware clock, as UTC
hwclock --systohc --utc
# Edit /etc/locale.gen and uncomment the locales to generate
# (en_US.UTF-8 is the one referenced below)
# Run locale-gen
locale-gen
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
# Set the console keyboard layout
# The keymap / sd-vconsole initramfs hooks configured below are what apply this
# layout at the passphrase prompt. The passphrase was set under sv-latin1 in the
# live session, so make sure it types the same with this layout.
echo KEYMAP=us >> /etc/vconsole.conf
# Set the hostname
# MYHOSTNAME is a placeholder
echo MYHOSTNAME > /etc/hostname
# Set password for root
passwd
# Add real user; remove the -s flag if you don't wish to use zsh
# MYUSERNAME is a placeholder. Membership in wheel grants nothing by itself:
# sudo only honours it once a wheel rule is enabled in sudoers (edit with visudo).
useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
# In /etc/mkinitcpio.conf set HOOKS to ONE of the two options below and use the
# option with the same number in the GRUB step, since each pair of hooks reads
# different kernel parameters.
# In both, the encrypt hook comes before lvm2, so the LUKS container is unlocked
# before the volume group inside it is looked for.
# OPTION 1 HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)
# OPTION 2 HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
# For hibernation, add resume between filesystems and fsck:
# NEW HIBERNATION HOOKS=(... filesystems resume fsck ...)
# The generated initramfs is written to /boot, which is not encrypted.
mkinitcpio -p linux
# Setup grub
# In /etc/default/grub edit to
# OPTION 1 GRUB_CMDLINE_LINUX="... cryptdevice=/dev/sdaZ:luks:allow-discards ..."
# OPTION 2 GRUB_CMDLINE_LINUX="... rd.luks.name=device-UUID=cryptlvm rd.luks.options=discard ... "
# allow-discards / rd.luks.options=discard pass TRIM through the encrypted layer.
# Trimmed blocks become distinguishable from used ones on the raw device, which
# reveals how much of the volume is in use and undoes the fill step above; leave
# the option out if that matters more than TRIM on an SSD.
# /dev/sdaZ can be assigned differently on another boot; cryptdevice also accepts
# UUID=<luks-partition-uuid> in place of the device path.
# NEW HIBERNATION GRUB_CMDLINE_LINUX="... resume=/dev/vg0/swap ... "
# Run "grub-mkconfig ..." each time /etc/default/grub is edited
# grub.cfg and the GRUB binaries live on the unencrypted /boot and ESP; nothing in
# these steps signs or password-protects them.
grub-mkconfig -o /boot/grub/grub.cfg
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=boot
# Some UEFI firmware requires "esp/EFI/boot/bootx64.efi"
# The paths are relative, so this works only while the chroot shell is still in /.
# NOTE(review): after the rename, the boot entry grub-install registered presumably
# still names grubx64.efi, leaving only the firmware fallback path; cp would keep both.
mv boot/efi/EFI/boot/grubx64.efi boot/efi/EFI/boot/bootx64.efi
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
# The remaining steps are run in the installed system after the reboot.
# Install a desktop environment
# Setting keyboard layout
# NOTE(review): localectl set-x11-keymap takes LAYOUT MODEL VARIANT OPTIONS in that
# order, so grp:win_space_toggle is read here as the model, not as an option; confirm.
localectl --no-convert set-x11-keymap us,es grp:win_space_toggle
# If Gnome then add languages
# gsettings set org.gnome.desktop.input-sources sources "[('xkb', 'us'), ('xkb', 'es')]"