Minimal instructions for installing arch linux on an UEFI NVMe system with full system encryption using dm-crypt and luks

arch-linux-install.md

Install ARCH Linux with encrypted file-system and UEFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the Arch ISO

• Image from https://www.archlinux.org/

Copy to a USB drive

dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

Boot from USB drive

If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

This assumes a wifi only system...

wifi-menu

Create partitions

cgdisk /dev/nvme0n1
1 512MB EFI partition # Hex code ef00
2 100% size partiton # (to be encrypted) Hex code 8300

Create EFI partition

mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

Setup the encryption of the system with 256 bit effective size

Note: Many NVMe drives can exceed 2GB/s, consider your crypto algorithm wisely, review cryptsetup benchmark, the defaults are viewable end of cryptsetup --help, defaults are commonly the fastest with good security from my experience with cryptsetup (AES 256, sha256, 2000ms)

cryptsetup --use-random luksFormat /dev/nvme0n1p2
cryptsetup luksOpen /dev/nvme0n1p2 luks

Create encrypted partitions

This creates one partions for root, modify if /home or other partitions should be on separate partitions

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 16G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 -L root /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

Mount the new system

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Install the system

Also includes stuff needed for starting wifi when first booting into the newly installed system Unless vim and zsh are desired these can be removed from the command. Dialog is needed by wifi-menu

pacstrap /mnt base base-devel zsh neovim git sudo efibootmgr dialog wpa_supplicant tmux intel-ucode

Generate fstab

genfstab -pU /mnt | tee -a /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

#tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0

Also change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

Enter the new system

arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
hwclock --systohc --utc

Set the hostname

echo MYHOSTNAME > /etc/hostname

Generate locale

Uncomment wanted locales in /etc/locale.gen

vim /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8

To avoid problems with gnome-terminal set locale system wide Do NOT set LC_ALL=C. It overrides all the locale vars and messes up special characters Pay attention to the UTF-8. Capital letters !

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf

Set password for root

passwd

Add user

groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Configure mkinitcpio with modules needed for the initrd image

vim /etc/mkinitcpio.conf

• Add 'ext4' to MODULES
• Add 'encrypt' and 'lvm2' to HOOKS before filesystems
• Add 'resume' after 'lvm2' (also has to be after 'udev')

Regenerate initrd image

mkinitcpio -p linux

Setup systembootd (grub will not work on nvme at this moment)

bootctl --path=/boot install

Create loader.conf

echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf

Create arch.conf (or XYZ.conf for default XYZ in loader.conf)

nvim /boot/loader/entries/arch.conf

Add the following content to arch.conf

<UUID> is the the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the blkid command

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp

Exit new system

exit

Unmount all partitions

umount -R /mnt
swapoff -a

Reboot into the new system, don't forget to remove the cd/usb

reboot

Quick question, from the source of your fork:

Add real user remove -s flag if you don't whish to use zsh
useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

vs to what you chose/changed:

groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Is there a particular advantage to creating a group called "myusername"? Also other than sudo or wheel group, is their any reason to be in storage, power, network, uucp, groups etc?

I'm curious as I forked your gist to do a regular SSD guide rather than nvme since I install arch occasionally for friends and family members.

Thank you for your hard work :)

Wow 🍻 Thank you!

Thanks.
It helped me about EFI and Nvme SSD.
I didn't read anything on Arch wiki about that grub doesn't work with nvme... so it took me hours but now it works !

Right on time! TYVM (granted I haven't completed my install); just mid-way through, but even if I have other questions, thanks for spending the time putting this together.

I believe the pacstrap line needs linux added to it, as they have changed the way base works. Otherwise, no kernel will be installed and mkinitcpio and its conf file will not be present.

Had to add linux and lvm2 to pacstrap, otherwise everything worked. Thanks!

Hi, I followed these instructions and I keep getting the error

ERROR: device /dev/mapper/vg0-root not found. Skipping fsck.
mount: /new_root special device /dev/mapper/vg0-root does not exist.

Then it brings up the initramfs shell, in which no drives are visible when doing blkid and /etc/fstab is empty. I've tried the switching around the ordering of the mkinitcpio hooks, but nothing changes. I'm pretty sure I followed all of these instructions correctly, so has anyone had this issue/knows if anything has changed since this guide was written?

@kmani314 I'm also getting the same error. Did you manage to find a fix for it?

Not sure if the issue was resolved, but did you genfstab? Yours is blank?

…

On Fri, Nov 5, 2021, 16:13 Jon Black ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ @kmani314 <https://github.com/kmani314> I'm also getting the same error. Did you manage to find a fix for it? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <https://gist.github.com/cde147d777d243b82a85e9ac16b85458#gistcomment-3952717>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACVREOMCYG25ZRXZFBNSXMTUKQ3FRANCNFSM4JKZ33KQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

@Nokodoko /etc/fstab is not blank. The contents appear correct.

@jonblack I did find a fix; it's not an issue with the script. In my bootloader, my NVME SSD was set to RAID mode by default instead of AHCI/NVME mode. Once I changed it, everything started working fine.

@kmani314 Thanks. That did the trick indeed!

@kmani314 como lo hiciste?

@kylemanna my fstab is blank :(