# Install Arch Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set swedish keymap
loadkeys sv-latin1
# This assumes a wifi only system...
wifi-menu
# Create partitions
cgdisk /dev/sdX
# 1: 100MB EFI partition (hex code ef00)
# 2: 250MB boot partition (hex code 8300)
# 3: partition using 100% of the remaining size, to be encrypted (hex code 8300)
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
# Set up the encryption of the system
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partition for root; modify if /home or other directories should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Install the system; this also includes what is needed to start wifi when first booting into the newly installed system
# Unless vim and zsh are desired, these can be removed from the command
pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk: add the following line to /mnt/etc/fstab
#   tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Set up system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Add real user; remove the -s flag if you don't wish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Set up grub
grub-install
# In /etc/default/grub, edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards", then run:
grub-mkconfig -o /boot/grub/grub.cfg
# Exit the new system and go back into the live cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
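A pre-reboot sanity check for the mkinitcpio and GRUB edits made in the steps above, written as an added example (not part of the original gist). The helper names are mine; it assumes the default Arch file locations /etc/mkinitcpio.conf and /etc/default/grub (both overridable by argument) and the mapper name luks from the luksOpen step.

```shell
#!/bin/sh
# Added example: verify the initramfs and GRUB edits before leaving the chroot.
# Returns 0 only when every expected setting is present.

# Return 0 if "$needle" appears before "$after" in the space-separated "$list".
before_in_list() {
  local needle=$1 after=$2 list=$3 i=0 pos_needle=-1 pos_after=-1 w
  for w in $list; do
    [ "$w" = "$needle" ] && pos_needle=$i
    [ "$w" = "$after" ] && pos_after=$i
    i=$((i + 1))
  done
  [ "$pos_needle" -ge 0 ] && [ "$pos_after" -ge 0 ] && [ "$pos_needle" -lt "$pos_after" ]
}

# MODULES must contain ext4; HOOKS must list encrypt and lvm2 before filesystems.
# Handles both the MODULES=(...) array form and the older MODULES="..." form.
check_mkinitcpio() {
  local conf=${1:-/etc/mkinitcpio.conf} modules hooks ok=0
  modules=$(sed -n 's/^MODULES=[("]*\([^")]*\).*/\1/p' "$conf" | tail -n1)
  hooks=$(sed -n 's/^HOOKS=[("]*\([^")]*\).*/\1/p' "$conf" | tail -n1)
  case " $modules " in
    *" ext4 "*) ;;
    *) echo "MODULES: ext4 missing"; ok=1 ;;
  esac
  before_in_list encrypt filesystems "$hooks" || { echo "HOOKS: encrypt must precede filesystems"; ok=1; }
  before_in_list lvm2 filesystems "$hooks" || { echo "HOOKS: lvm2 must precede filesystems"; ok=1; }
  return $ok
}

# GRUB_CMDLINE_LINUX must name the LUKS container as cryptdevice=<device>:luks
# (luks is the mapper name chosen at luksOpen) and the sdX placeholder must be gone.
check_grub_cmdline() {
  local conf=${1:-/etc/default/grub} line
  line=$(grep -E '^GRUB_CMDLINE_LINUX=' "$conf" | tail -n1)
  case "$line" in
    *cryptdevice=*sdX*) echo "GRUB_CMDLINE_LINUX: replace the sdX placeholder with the real device"; return 1 ;;
    *cryptdevice=*:luks*) return 0 ;;
    *) echo "GRUB_CMDLINE_LINUX: cryptdevice=<device>:luks is missing"; return 1 ;;
  esac
}

# Usage inside the chroot: check_mkinitcpio && check_grub_cmdline && echo "settings consistent"
```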
@ceyhanmolla Suggesting to have a look at http://mattclewell.com/wordpress/2014/install-arch-linux-on-encrypted-lvm/ for non-UEFI systems. I don't plan to write those instructions since I don't use any non-UEFI hardware.
tony commented Dec 29, 2015
Nice job on this. Under 68-71, append via # Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
mategit commented Jan 4, 2016
Extremely nice job indeed! But the Devil's in the details. Under 13 "# This assumes a wifi only system... wifi-menu" Yes. Arch linux installing through "wifi-only" is extremely complicated. I wonder how to present the most important things and main information security functions on installing, like graphical or visual algorithms and process mapping? https://www.customermagnetism.com/wp-content/uploads/2015/06/Process-Mapping.jpg
ethanwillis commented Jan 17, 2016
If you are using a NVMe PCIE SSD based system this install guide won't work. What you need to do is replace GRUB2 with systemd-boot a.k.a. gummiboot.
ErikBjare commented Jan 18, 2016
Well this was tremendously helpful, LVM on LUKS and everything! Thanks a lot for the effort m8! I wrote the above 2 days ago when installing arch on my new build, kind of forgot I had things left undone on my laptop, heh.
hssm commented Jan 24, 2016
Just wanted to say thanks for the succinct guide. My intended setup was exactly like the one here and I was up and running in a matter of minutes. The wiki is a bit maze-like when it comes to dm-crypt and I was almost ready to give up on it until I found this. Thanks!
mewmew commented Feb 5, 2016
Hej Mattias, Thanks a lot for sharing these install instructions! I love the succinctness and clarity. No unnecessary information, but everything you need for an encrypted Arch on a UEFI system. <3 Cheers
binaerbaum commented Mar 27, 2016
Thank you very much for writing this guide Mattias! It helped a lot. For those who have an NVMe SSD, the instructions to configure systemd-boot can be found in this fork
dust321 commented Apr 15, 2016
This is how to do it with DOS/BIOS aka non-UEFI https://gist.github.com/dust321/035a568e47e7e575aaa5529e2a5973bd
mattia-b89 commented May 12, 2016
Why do you add 'ext4' to the modules array?
@mattia-b89 If I remember correctly it didn't load without adding it. Probably isn't needed anymore, but no harm in keeping it there since it's used when running the system anyway.
mon0theist commented Aug 10, 2016
Why both an EFI and a boot partition? EDIT: Nevermind
HazCod commented Aug 17, 2016
@mattiaslundberg Thanks for the gist! I followed it, excluding zsh & git, but
@HazCod
HazCod commented Aug 18, 2016
@mattiaslundberg That did the trick, thanks! Could you edit your gist to install
iamlucaswolf commented Aug 18, 2016
Thanks for the great gist!
@iamlucaswolf, no reason to use them anymore according to https://wiki.archlinux.org/index.php/Users_and_groups#Pre-systemd_groups . Removed from the gist, thanks!
ston3o commented Aug 26, 2016
Thank you!! You saved my life! ^^
pascalpoitras commented Sep 13, 2016
Awesome stuff!
duesee commented Oct 29, 2016
Note: You should add the
sieste commented Nov 14, 2016
Works like a charm, thanks a lot. If you followed these instructions and ever have to downgrade the kernel in case of kernel panic, see
acharis commented Dec 5, 2016
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
zacacollier commented Dec 24, 2016
Super simple and useful, thank you for your help. When running
chrislea commented Jan 2, 2017
Just wanted to also chime in with a "thank you". I've been mostly a Debian / Ubuntu person for the last several years, but have been meaning to try Arch out for some time. This guide was immensely helpful. Thanks again!
HardenedArray commented Jan 30, 2017
Mattias - Thank you for your effort in creating an UEFI-booting, encrypted Arch installation framework that appears to have attracted a following. I agree with the thrust of several users' comments that the Arch installation wiki, with respect to achieving UEFI booting on an encrypted root and swap Arch system can seem confusing and ambiguous. I can assure you, several other major linux flavors are far worse, in that they are either silent, or lack important information, in support of the vital topic of secure system encryption. Your guide simplifies and eases the Arch Linux installation process for users who care about the maintenance of their privacy. I'd like to offer some comments which I believe will prove useful to the average user, and particularly to those who are new to Arch Linux, or even to Linux. N.B.: All of my comments pertain specifically to my tested Arch x86_64 installation process using the 1 January 2017 Arch Linux *.iso, which was the latest media available at the time of this post. That being said, it is highly probable my comments remain pertinent to users of previous, and also likely, to users of future Arch installation media releases. I UEFI boot and run more than five operating systems from my SSD. All of my OSes UEFI boot from my single, 100 MiB, EFI partition. All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest. My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD. My comments are targeted toward those interested in encrypted multi-OS booting, as well as to those who just want to install encrypted Arch. I hope my experience and insights prove beneficial:
Y can be set to any integer value appropriate to your system drive's partition structure.
These language settings are critical to the proper operation of your Arch system, and incorrect language settings can prevent a DE from even launching a terminal if they are not set correctly! If you install a DE, you should configure additional languages through its Region/Language settings to ensure the correct dependencies get installed. Most users will benefit by reading up on how to properly enable spell-checking support, post-installation. Furthermore, users should carefully consider this warning prior to setting 'LC_ALL=C', as suggested. See: https://wiki.archlinux.org/index.php/Locale LC_ALL: troubleshooting
HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck" If you've made changes, re-run 'mkinitcpio -p linux' as root.
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux Note that bootloader-id can also be set to any label of memorable value to you. The suggested ArchWiki label of '--bootloader-id=grub' is a non-descriptive, non-creative, and a generally poor, idea.
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" There exist better SSD solutions, without the security implications. Read https://wiki.archlinux.org/index.php/Solid_State_Drives, first.
I hope these comments provide further insight, flexibility and utility to those interested. Best of luck, enjoy running and continuously learning about new ways to optimize your UEFI-booting, properly encrypted Arch Linux system! HardenedArray
@HardenedArray Thanks for the feedback on the instructions. I will update the instructions as soon as I have more time to try everything out. The reason for sharing this in the first place was the effort I had to put in to install my system 3 years ago, and I tried to keep it as short as possible. Some configuration (multiboot for example) is missing and other parts are specific (setting zsh as a shell) to fit my personal needs. At some parts it looks like I have made mistakes, as sometimes happens. I'm glad that you and others have pointed this out as I get an opportunity to learn new things about my system. I would hope that this is used as a start for customizing to every user's custom needs (as many have done in the many forks). I agree that every user following this should understand what they are doing in every step, and the Arch Wiki documents this.
HardenedArray commented Feb 1, 2017
Halloj Mattias, I appreciate your thoughtful comments. I know you had your heart in the right place, which is always the most important character trait. As I previously mentioned, there exist several far more poorly documented, yet purportedly 'secure' OSes, especially when it concerns the critically important matters of proper root and swap encryption, and correct UEFI booting. I won't mention any names to protect The Guilty, but they know who they are, and all of them are very likely to burn in Hell in return for the immense suffering they caused on my end, at least until I figured out the correct encryption and booting procedures on my own! As opposed to expecting future installers to continuously flip between your guide and my comments, I've composed a clean Arch installation guide which incorporates my comments above. You, or anyone else interested, are welcome to test my encrypted, UEFI-booting, Arch installation procedure at: https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07 Obviously, all users should adapt my instructions to their drive constraints, preferences and intended outcomes. Feedback and suggested improvements are always welcome. Please continue your good work Mattias! All the best, HardenedArray
CyberManifest commented Feb 15, 2017
Has this piece been updated with the feedback taken into consideration?
@CyberManifest Since you're a beginner and don't need to install Arch Linux on an actual system, I would recommend installing without UEFI and encryption as outlined in the Install instructions. Then if you choose to move on and install Arch Linux directly on your mac, these instructions should make more sense!
angvp commented Mar 2, 2017
Hi @mattiaslundberg I found that I need to update the grub line to this
Otherwise it is going to have issues after introducing the password.
thiagotome commented Mar 13, 2017
Finally! Thank you!
msebolt commented Jun 13, 2017
Blown away!
dbio commented Sep 20, 2017
Thank you so much for this!
joseph4321 commented Sep 29, 2017
Thanks for writing this, it was very helpful.
aminnairi commented Feb 21, 2018
Great work! Just some points to notice:
You can get the UUID of a disk using $ blkid /dev/sdb1 Hope this helps some that are in my case when I couldn't seem to make GRUB open the crypted device.
ellcs commented Feb 24, 2018
Hey, hey! Thanks for sharing.
https://wiki.archlinux.org/index.php/Securely_wipe_disk#Preparations_for_block_device_encryption
MarkusH commented Oct 4, 2018
This is a nice step by step gist. Thank you very much! A few notes / remarks:
thomhughes commented Dec 26, 2018
grub-mkconfig does nothing but hang... What can I do? There is no terminal output or anything.
cdolan commented Jan 5, 2019
The issue of
ceyhanmolla commented Oct 22, 2015
Hello there. Can you write a normal (non-UEFI) installation?