OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.
Note this encrypted installation method, while perfectly correct and highly secure, CANNOT support encrypted /boot and also CANNOT be subsequently converted to support an encrypted /boot!!! A CLEAN INSTALL will be required!
Therefore, if you want to have an encrypted /boot or will want an encrypted /boot system at some point in the future, please ONLY follow my encrypted /boot installation guide, which lives here:
https://gist.github.com/killerra/4635a50760d04bbbcb1c85a3d38cf19f
My encrypted /boot guide varies in several different, critically important, ways from the correct and secure encrypted root / and swap installation process I have outlined below.
External USB HDD/SSD Installers Notes: Encrypted Arch installs can be booted and run from an external USB HDD or SSD, but only when the installation is correctly set up. There are several necessary changes to my standard procedure you'll want to make during the install process. Read my External USB HDD/SSD Installation section below before proceeding.
The official Arch installation guide contains details that you should refer to during this installation process. That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide
Download the archlinux-.iso image from https://www.archlinux.org/download/ and its GnuPG signature. Use gpg --verify to ensure your archlinux-.iso is exactly what the Arch developers intended. For example:
$ gpg --keyserver-options auto-key-retrieve --verify archlinux-2020.03.01-x86_64.iso.sig
gpg: assuming signed data in 'archlinux-2020.03.01-x86_64.iso'
gpg: Signature made So 01 Mär 2020 10:34:17 CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8ACAlternatively, from an existing Arch Linux installation run:
$ pacman-key -v archlinux-2020.03.01-x86_64.iso.sig
==> Checking archlinux-2020.03.01-x86_64.iso.sig... (detached)
gpg: Signature made So 01 Mär 2020 10:34:17 CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Note: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [full]Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:
dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode. Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
UEFI-Boot from your USB stick. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration.
Set your keymap only if not you are not using the default English language.
It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs. Connect to WiFi using:
wifi-menuCreate and size partitions appropriate to your goals using gdisk.
Carefully Note: Multi-OS booters who have an existing EFI partition on their drive should NOT create a new EFI partition.
Instead, we will append Arch as another OS to your existing EFI partition. See my Multi-OS-Booting Notes, below.
gdisk /dev/sdXCreate the partitions you need:
Partition X = 100 MiB EFI partition # Hex code EF00
Partition Y = 250 MiB Boot partition # Hex code 8300
Partition Z = Choose a reasonable size for your encrypted root and swap system partition, or just size it to the last sector of your drive. # Hex code 8300.
Review your partitions with 'p'.
Write your gdisk changes with 'w'.
Reboot, if necessary, so the kernel reads your new partition structure.
cat /dev/zero > /dev/sdXYI recommend to follow the arch guid for Drive preparation for /dev/sdXZ: https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_specific_methods
Create filesystems for /boot/efi and /boot
mkfs.vfat -F 32 /dev/sdXX
mkfs.ext2 /dev/sdXY # Note that ext4 or btrfs are also fine choices for your /boot partition.Encrypt and open your system partition
cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/sdXZ
cryptsetup luksOpen /dev/sdXZ arch-crypt # (or use any word or phrase you're fond of)Create encrypted LVM partitions
These steps create a required root partition and an optional partition for swap. Note that using a swap file with BTRFS is
a very poor idea. Swap partitions are not controlled by BTRFS so they work fine. Read the BTRFS ArchWiki before proceeding.
Also note that BTRFS fully supports, detects, and properly configures settings for all modern SSDs, which is the drive type
almost everyone should be running when installing ArchLinux! HDDs are only useful for infrequently accessed data, and
for storing your SSD's critical directories as encrypted backups.
Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions. The VG and LV labels 'Arch, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!
pvcreate /dev/mapper/arch-crypt
vgcreate Arch /dev/mapper/arch-crypt
lvcreate -L +512M Arch -n swap
lvcreate -l +100%FREE Arch -n rootCreate filesystems on your encrypted partitions
mkswap /dev/mapper/Arch-swap
mkfs.ext4 /dev/mapper/Arch-root Note that Arch Linux fully supports btrfs, and btrfs is also an excellent filesystem choice for your encrypted root.
If you want a btrfs filesystem on your root logical volume, instead of 'mkfs.ext4 /dev/mapper/Arch-root', do this:
mkfs.btrfs /dev/mapper/Arch-rootIf you've created a btrfs root filesystem, do not forget to append 'btrfs-progs' to the pacstrap installation command we use immediately after correctly mounting our partitions below.
Mount the new system
mount /dev/mapper/Arch-root /mnt
swapon /dev/mapper/Arch-swap
mkdir /mnt/boot
mount /dev/sdXY /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdXX /mnt/boot/efiOptional - Edit the Mirrorlist To Optimize Package Download Speeds
nano /etc/pacman.d/mirrorlistCopy one or two mirrors near your physical location to the top of the mirrorlist.
If you read the contents of https://www.archlinux.org/ you would know the Arch developers made significant changes to the 'base' package in October 2019.
The new base-metapackage does not contain a kernel nor an editor and several other important packages.
We will be addressing those issues in our pacstrap command below.
This installation command provides a decent set of basic system programs which will also support WiFi through
netctl's wifi-menu after initially booting into your Arch system. Having WiFi following installation is particularly
critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
be a few minutes away from putting your new system to serious work!
pacstrap /mnt base base-devel linux-headers linux-firmware grub efibootmgr dialog wpa_supplicant linux dkms nano
dhcpcd netctl lvm2 man-db man-pagesCreate and review FSTAB The -U option pulls in all the correct UUIDs for your mounted filesystems.
genfstab -U /mnt >> /mnt/etc/fstab
cat /mnt/etc/fstab # Check your fstab carefully, and modify it, if required.Enter the new system
arch-chroot /mntSet the system clock
ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.
hwclock --systohc --utcAssign your hostname
echo MyHostName > /etc/hostnameSet or update your locale
If English is your native language, you need to edit exactly two lines to correctly configure your locale language settings:
a. In /etc/locale.gen **uncomment only**: en_US.UTF-8 UTF-8
b. In /etc/locale.conf, you should **only** have this line: LANG=en_US.UTF-8
Now run:
locale-genSet your root password
passwdCreate a User, assign appropriate Group membership, and set a User password. 'Wheel' is just one important Group.
useradd -m -G wheel -s /bin/bash MyUserName
passwd MyUserNameConfigure mkinitcpio with the correct HOOKS required for your initrd image
nano /etc/mkinitcpio.confUse this HOOKS statement:
HOOKS=(base udev autodetect modconf block keymap keyboard encrypt lvm2 resume filesystems fsck)You do not need or want 'resume' in your HOOKS statement if you are not using swap.
Generate your initrd image
mkinitcpio -p linuxThe correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are installing dedicated Arch, or multi-OS booting, is:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinuxEdit /etc/default/grub so it includes a statement like this:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdYZ:MyDevMapperMountpoint resume=/dev/mapper/MyVolGroupName-MyLVSwapName"Maintaining consistency with the examples provided above, you would use something like:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:arch-crypt resume=/dev/mapper/Arch-swap"If you are not using swap, eliminate the 'resume' statement above.
Generate Your Final Grub Configuration:
grub-mkconfig -o /boot/grub/grub.cfgExit Your New Arch System
exitUnmount all partitions
umount -R /mnt
swapoff -aReboot and Enjoy Your Encrypted Arch Linux System!
rebootAfter you are satisfied that your Arch system is running well, if you are like most people not running an Arch server, you'll want a Desktop Environment so you can begin using your new system productively. See my: 'Installing a Plasma-KDE Desktop Post Arch Install' section below for some ideas and an efficient DE installation process.
If you ever get dropped to the EFI Shell prompt when powering up Arch Linux, which I most often notice within VirtualBox when running Arch Linux as UEFI-enabled Guest System, do the following:
At the Shell prompt, type the following entries, as indicated (also remember we used --bootloader-id=ArchLinux, above):
Shell> fs0: fs0:> \EFI\ArchLinux\grubx64.efi
Hit Enter and now you should see your graphical grub Arch Linux menu. Note my atypical use of backslashes.
To prevent being dropped to the EFI Shell prompt in the future, enter your Arch Linux system, become root, and do:
# nano /boot/efi/startup.nshIn your startup.nsh file, add these two lines:
fs0:
\EFI\ArchLinux\grubx64.efi Save and exit nano. To test that you will no longer be dropped to the EFI Shell prompt, poweroff, not reboot, and fire up your Arch Linux system again.
If you simply cannot bear the agony of the EFI Shell's five second wait prior to its loading of startup.nsh, hit any key, except for 'esc', and you should be immediately directed to your (hopefully, beautifully configured) grub graphical Arch Linux boot screen.
This solution also works when you have installed Arch Linux as an UEFI-enabled Guest system within VirtualBox.
External USB HDD/SSD Encrypted Arch Installation:
Almost all of my standard Arch install procedure can be followed without modification when installing Arch to an external device.
However, if you already have an encrypted Arch installation on a system HDD/SSD, you must ensure the names assigned to your PV, VG and LVs are different than whatever you used on your system drive's Arch installation. Failure to use different names will cause major udev and therefore, /dev/mapper, assignment problems for you, especially when you try to mount your multiple encrypted Arch drives!
Additionally, we don't want to instruct grub to use standard device names as these are very likely to change when using an external USB drive. For example, our external SSD may be assigned /dev/sdc by udev during installation, but when we try to initially boot from it, udev may assign that external SSD to /dev/sdb, resulting in an unbootable system.
The solution is to use PARTUUID, as opposed to a standard device name, in the cryptdevice statement in /etc/default/grub.
Therefore, instead of using this example from above:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:arch-crypt resume=/dev/mapper/Arch-swap"Run 'blkid' as root, and find the correct PARTUUID for your external device's encryted partition.
N.B.: PARTUUIDs are completely unrelated to UUIDs.
Substitute the correct PARTUUID for the standard device name. You should end up with a statement that looks similar to this:
GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID=4d2aed94-92d4-7b5e-b8df-81d7554495cf4:ArchUSBSSD resume=/dev/mapper/ArchSSD-swap"Now regardless of the device name assigned by udev to your external drive, the kernel will be able to find the correct cryptdevice.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux --removableAll other parts of my installation procedure should be followed without modification.
Installing a Plasma-KDE Desktop Post Arch Install
After you have rebooted into your new Arch system, and are satisfied that every aspect of your system is running correctly, if you're like most people not running an Arch server, you will likely want to install a desktop so you can utilize your new Arch system productively.
Your choice of desktop environment is entirely up to you. Personally, I have tried them all. It is my opinion that if you are running a modern, reasonably powered PC or laptop you are doing yourself a significant disservice by running any of the 'lightweight desktops.' I also think the Gnome DE is best suited for children, or unskilled users. Keep in mind that you can install multiple desktops, and then choose which one to fire up at each login, but that is beyond the scope of this guide.
I prefer the Plasma5-KDE environment over all the others. If you would like to efficiently install a full Plasma5-KDE environment, do the following, in this order:
Log in as root, and not as a user
Fully update your Arch system:
pacman -Syu # If a new kernel becomes available and is now installed, reboot, before proceeding.If you don't have network connectivity in your Arch system, run:
systemctl start dhcpcd <ethernet or wlan interface name>Now that you have an updated system, do:
pacman -S linux-headers
pacman -S dkms # This will automatically rebuild your kernel modules as new upstream kernels are released.
pacman -S xorg # This will install a mandatory X server.
pacman -S xorg-apps
rebootLog in as root, and not as a user, and do:
pacman -S plasma-meta # This large package set will also provide us with sddm, the recommended Plasma5 login manager.
systemctl enable sddm
systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.
pacman -S kde-applications-meta
pacman -S xdg-user-dirsIf you want full (US English) spelling support for all of your applications, do:
pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-enEveryone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great!:
pacman -S ttf-dejavu ttf-liberation
rebootLog in to sddm's GUI as your user
Your first stop is System Settings. Tweak 'all the things' into full compliance with 'your way.'
Go ROCK your fully enabled Plasma DE, and your properly encrypted Arch Linux system!!!