Minimal instructions for installing Arch Linux on a UEFI system with full system encryption using dm-crypt, LUKS, grub-git, NVMe
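# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
#
# Disk layout used throughout (adjust DISK if yours differs; NVMe names partitions "p1", "p2", ...):
#   p1  EFI system partition (unencrypted, FAT32)
#   p2  /boot                (unencrypted, ext2)
#   p3  LUKS container holding the LVM volume group (swap, root, var, home)
#
# NOTE: /boot (p2) is NOT encrypted. The key file created below is copied into the
# initramfs, which lives on /boot, so a cleartext copy of the LUKS key ends up on an
# unencrypted partition and anyone with the disk can read it. Either keep /boot inside
# the encrypted volume (that is what GRUB_ENABLE_CRYPTODISK=y is for) or skip the key
# file and type the passphrase at boot.
DISK=/dev/nvme0n1
EFI_PART=${DISK}p1
BOOT_PART=${DISK}p2
LUKS_PART=${DISK}p3

# This assumes a wifi only system... (newer install media ship iwctl instead of wifi-menu)
wifi-menu
# sync the clock
timedatectl set-ntp true
# Wipe the existing partition table
sgdisk --zap-all "$DISK"
# Create partitions (interactive)
cgdisk "$DISK"
#   1  512MB EFI partition                      # Hex code ef00
#   2  512MB Boot partition                     # Hex code 8300
#   3  100% size partition (to be encrypted)    # Hex code 8300
# Format the EFI (FAT32) and boot (ext2) partitions
mkfs.vfat -F32 "$EFI_PART"
mkfs.ext2 "$BOOT_PART"
# Setup the encryption of the system
# (older explicit-cipher form: cryptsetup -c aes-xts-plain64:sha256 -y --use-random luksFormat "$LUKS_PART")
cryptsetup luksFormat "$LUKS_PART"
cryptsetup luksOpen "$LUKS_PART" luks
# Create encrypted partitions
# This creates LVM volumes for swap, root, var and home on top of the LUKS container;
# adjust the sizes to your disk, or drop volumes you don't want separated
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -L 18G vg0 -n swap
lvcreate -L 30G vg0 -n root
lvcreate -L 300G vg0 -n var
lvcreate -l +100%FREE vg0 -n home
# check to ensure the volumes are there
lvscan
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-var
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/var
mount /dev/mapper/vg0-var /mnt/var
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home
mkdir /mnt/boot
mount "$BOOT_PART" /mnt/boot
mkdir /mnt/boot/efi
mount "$EFI_PART" /mnt/boot/efi
# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# vim is optional; add zsh here if you use -s /bin/zsh for the user further down.
# On current Arch the 'base' metapackage may not pull in the kernel, lvm2 or cryptsetup;
# check with 'pacman -Q' after pacstrap and add 'linux linux-firmware lvm2 cryptsetup' if missing.
pacstrap /mnt base base-devel vim less sudo grub efibootmgr dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt > /mnt/etc/fstab
# Make /tmp a ramdisk
printf '%s\n' 'tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0' >> /mnt/etc/fstab
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# arch-chroot starts a fresh shell, so the variables above are gone: re-declare the LUKS partition
LUKS_PART=/dev/nvme0n1p3
# Setup system clock (-f so this also works if /etc/localtime already exists)
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo myhostname > /etc/hostname
# Update hosts
cat >> /etc/hosts <<'EOF'
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
EOF
# Update locale (uncomment the wanted locales in /etc/locale.gen, then generate them)
vi /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
# LC_ALL overrides LANG and every LC_* setting system-wide; drop this line if LANG should take effect
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Setup crypto_keyfile so no retyping
# Create the key under umask 077 so it is never world-readable, not even between dd and chmod
( umask 077 && dd if=/dev/urandom of=/crypto_keyfile.bin bs=512 count=4 )
chmod 000 /crypto_keyfile.bin
# Enroll the key in the LUKS container (p3), not the EFI partition (p1, plain FAT)
cryptsetup luksAddKey "$LUKS_PART" /crypto_keyfile.bin
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4 nvme' to MODULES
# Add FILES=/crypto_keyfile.bin  (copies the key into the initramfs on unencrypted /boot; see the NOTE at the top)
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Add 'resume' after 'lvm2'
# Regenerate initrd image
mkinitcpio -p linux
# Add real user remove -s flag if you don't wish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX_DEFAULT to:
#   cryptdevice= must name the LUKS container (p3); cryptdevice=UUID=<uuid of p3> survives device renames.
#   allow-discards passes TRIM through the encryption layer, which reveals which blocks are unused; drop it if that matters.
#   resume= is what the 'resume' hook above reads; without it hibernation cannot resume.
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=/dev/nvme0n1p3:luks:allow-discards resume=/dev/mapper/vg0-swap"
# GRUB_ENABLE_CRYPTODISK=y   (only needed when /boot itself lives on the encrypted volume)
# then run:
grub-mkconfig -o /boot/grub/grub.cfg
# Explicit target/ESP so grub-install cannot fall back to a BIOS install
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
# The initramfs in /boot now embeds the key file; keep /boot unreadable for non-root users
chmod -R g-rwx,o-rwx /boot
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot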