|# Install ARCH Linux with encrypted file-system and UEFI|
|# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.|
|# Download the archiso image from https://www.archlinux.org/|
|# Copy to a usb-drive|
|dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux|
|# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.|
|# Set swedish keymap|
|# This assumes a wifi only system...|
|# Create partitions|
|1 100MB EFI partition # Hex code ef00|
|2 250MB Boot partition # Hex code 8300|
|3 100% size partiton # (to be encrypted) Hex code 8300|
|mkfs.vfat -F32 /dev/sdX1|
|# Setup the encryption of the system|
|cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3|
|cryptsetup luksOpen /dev/sdX3 luks|
|# Create encrypted partitions|
|# This creates one partions for root, modify if /home or other partitions should be on separate partitions|
|vgcreate vg0 /dev/mapper/luks|
|lvcreate --size 8G vg0 --name swap|
|lvcreate -l +100%FREE vg0 --name root|
|# Create filesystems on encrypted partitions|
|# Mount the new system|
|mount /dev/mapper/vg0-root /mnt # /mnt is the installed system|
|swapon /dev/mapper/vg0-swap # Not needed but a good thing to test|
|mount /dev/sdX2 /mnt/boot|
|mount /dev/sdX1 /mnt/boot/efi|
|# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system|
|# Unless vim and zsh are desired these can be removed from the command|
|pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant|
|# 'install' fstab|
|genfstab -pU /mnt >> /mnt/etc/fstab|
|# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)|
|tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0|
|# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)|
|# Enter the new system|
|arch-chroot /mnt /bin/bash|
|# Setup system clock|
|ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime|
|hwclock --systohc --utc|
|# Set the hostname|
|echo MYHOSTNAME > /etc/hostname|
|# Update locale|
|echo LANG=en_US.UTF-8 >> /etc/locale.conf|
|echo LANGUAGE=en_US >> /etc/locale.conf|
|echo LC_ALL=C >> /etc/locale.conf|
|# Set password for root|
|# Add real user remove -s flag if you don't whish to use zsh|
|# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME|
|# passwd MYUSERNAME|
|# Configure mkinitcpio with modules needed for the initrd image|
|# Add 'ext4' to MODULES|
|# Add 'encrypt' and 'lvm2' to HOOKS before filesystems|
|# Regenerate initrd image|
|mkinitcpio -p linux|
|# Setup grub|
|In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:|
|grub-mkconfig -o /boot/grub/grub.cfg|
|# Exit new system and go into the cd shell|
|# Unmount all partitions|
|umount -R /mnt|
|# Reboot into the new system, don't forget to remove the cd/usb|
@ceyhanmolla Suggesting to have a look at http://mattclewell.com/wordpress/2014/install-arch-linux-on-encrypted-lvm/ for non-UEFI systems. I don't plan to write those instructions since I don't use any non-UEFI hardware.
Extremely nice job indeed! But Devil's in the details.
Under 13 "# This assumes a wifi only system... wifi-menu" Yes. Arch linux installing through "wifi-only" is extremely complicated.
I wonder how to present most import things and main information security functions on installing like grafical or visual algorithms and process mapping?
This is how to do it with DOS/BIOS aka non-UEFI
@iamlucaswolf, no reason to use them anymore according to https://wiki.archlinux.org/index.php/Users_and_groups#Pre-systemd_groups . Removed from the gist, thanks!
Works like a charm, thanks a lot.
If you followed these instructions and ever have to downgrade the kernel in case of kernel panic, see
super simple and useful - thank you for your help.
Mattias - Thank you for your effort in creating an UEFI-booting, encrypted Arch installation framework that appears to have attracted a following. I agree with the thrust of several users' comments that the Arch installation wiki, with respect to achieving UEFI booting on an encrypted root and swap Arch system can seem confusing and ambiguous. I can assure you, several other major linux flavors are far worse, in that they are either silent, or lack important information, in support of the vital topic of secure system encryption. Your guide simplifies and eases the Arch Linux installation process for users who care about the maintenance of their privacy.
I'd like to offer some comments which I believe will prove useful to the average user, and particularly to those who are new to Arch Linux, or even to Linux.
N.B.: All of my comments pertain specifically to my tested Arch x86_64 installation process using the 1 January 2017 Arch Linux *.iso, which was the latest media available at the time of this post. That being said, it is highly probable my comments remain pertinent to users of previous, and also likely, to users of future Arch installation media releases.
I UEFI boot and run more than five operating systems from my SSD. All of my OSes UEFI boot from my single, 100 MiB, EFI partition. All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest. My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.
My comments are targeted toward those interested in encrypted multi-OS booting, as well as to those who just want to install encrypted Arch. I hope my experience and insights prove beneficial:
Y can be set to any integer value appropriate to your system drive's partition structure.
These language settings are critical to the proper operation of your Arch system, and incorrect language settings can prevent a DE from even launching a terminal if they are not set correctly! If you install a DE, you should configure additional languages through its Region/Language settings to ensure the correct dependencies get installed. Most users will benefit by reading up on how to properly enable spell-checking support, post-installation.
Furthermore, users should carefully consider this warning prior to setting 'LC_ALL=C', as suggested. See: https://wiki.archlinux.org/index.php/Locale
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
If you've made changes, re-run 'mkinitcpio -p linux' as root.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
Note that bootloader-id can also be set to any label of memorable value to you. The suggested ArchWiki label of '--bootloader-id=grub' is a non-descriptive, non-creative, and a generally poor, idea.
There exist better SSD solutions, without the security implications. Read https://wiki.archlinux.org/index.php/Solid_State_Drives, first.
I hope these comments provide further insight, flexibility and utility to those interested. Best of luck, enjoy running and continuously learning about new ways to optimize your UEFI-booting, properly encrypted Arch Linux system!
@HardenedArray Thanks for the feedback on the instructions. I will update the instructions as soon as I have more time to try everything out.
The reason for sharing this in the first place was the effort I had to put in to install my system 3 years ago, and I tried to keep it as short as possible. Some configuration (multiboot for example) are missing and others are specific (setting zsh as a shell) to fit my personal needs. At some parts it looks like I have made mistakes as sometimes happens. I'm glad that you and others have pointed this out as I get an opportunity to learn new things about my system.
I would hope that this is used as a start for customizing to every users custom needs (as many have done in the many forks). I agree that every user following this should understand what they are doing in every step and the Arch Wiki documents this.
I appreciate your thoughtful comments. I know you had your heart in the right place, which is always the most important character trait.
As I previously mentioned, there exist several far more poorly documented, yet purportedly 'secure' OSes, especially when it concerns the critically important matters of proper root and swap encryption, and correct UEFI booting.
I won't mention any names to protect The Guilty, but they know who they are, and all of them are very likely to burn in Hell in return for the immense suffering they caused on my end, at least until I figured out the correct encryption and booting procedures on my own!
As opposed to expecting future installers to continuously flip between your guide and my comments, I've composed a clean Arch installation guide which incorporates my comments above.
You, or anyone else interested, are welcome to test my encrypted, UEFI-booting, Arch installation procedure at:
Obviously, all users should adapt my instructions to their drive constraints, preferences and intended outcomes.
Feedback and suggested improvements are always welcome.
Please continue your good work Mattias!
All the best,
Has this piece been updated with the feedback taken into consideration?
Since you're a beginner and don't need to install Arch Linux on an actual system, I would recommend to install without UEFI and encryption as outlined in Install instructions. Then if you choose to move on and install Arch Linux directly on your mac these instructions should make more sense!
Just some points to notice:
You can get the UUID of a disk using
$ blkid /dev/sdb1
Hope this helps some that are in my case when I couldn't seem to make GRUB open the crypted device.
Hey, hey! Thanks for sharing.
This is a nice step by step gist. Thanks you very much!
A few notes / remarks:
The issue of
Just in case this is useful to someone: I had to move
I've written an updated and slightly more detailed version of this, if anyone is interested:
The key differences are that I use systemd-boot instead of GRUB, don't use any additional partitions and set it up as as an Arch/Windows Dual Boot.
No strong reason, and could certainly be done without. I added LVM because I find that it makes resizing things easier if needed somewhere down the line and isn't a lot of extra effort.
Thank you for the answer! Makes sense!
Touching on one thing someone pointed out. Yes, you need to add linux and linux-firmware to your pacstrap line. Although, firmware can technically be added once in chroot. To clarify, base is now a meta package and base-devel is a group.
And to reiterate what some others have said. This is a good guide, but I highly recommend that you also refer to the wiki as you go and make sure you know why you are taking these particular steps. Remember: If you end up with a working system, but you don't understand how you got there, you didn't really install Arch. You just followed some directions. The essence of Arch is building your system your way and that requires understanding why you made certain decisions (GRUB vs SystemD, LVM or not, fstrim settings for SSDs, etc.)
This is perfect guide. However, if anybody is using this instructions to install and configure GRUB, and also has Windows or other system on another drive, and does not wanna break their boot manager, make sure to instead install just