Minimal instructions for installing Arch Linux on a UEFI system with full system encryption using dm-crypt and LUKS
# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set swedish keymap
loadkeys sv-latin1
# This assumes a wifi only system...
wifi-menu
# Create partitions
cgdisk /dev/sdX
# 1  100MB  EFI partition                                # Hex code ef00
# 2  250MB  Boot partition                               # Hex code 8300
# 3  100%   remaining size, partition to be encrypted    # Hex code 8300
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
# Setup the encryption of the system
# -s 512 selects a 512-bit key, i.e. AES-256 in XTS mode (older cryptsetup releases default to 256, i.e. AES-128)
cryptsetup -c aes-xts-plain64 -s 512 -y --use-random luksFormat /dev/sdX3
# Open the container as /dev/mapper/luks; the name chosen here must be reused in the GRUB cryptdevice= line below
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partition for root, modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Install the system, including what is needed to bring up wifi when first booting into the newly installed system.
# Unless vim and zsh are desired these can be removed from the command.
# base no longer pulls in the kernel, lvm2 or cryptsetup, so they are listed explicitly;
# grub-efi-x86_64 has been merged into the grub package.
pacstrap /mnt base base-devel linux linux-firmware lvm2 cryptsetup grub efibootmgr zsh vim git dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk
echo 'tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0' >> /mnt/etc/fstab
# Change relatime to noatime on all non-boot partitions in /mnt/etc/fstab (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock (-f: /etc/localtime already exists in the new system)
ln -sf /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Generate and set the locale. Only LANG belongs in locale.conf: LC_ALL overrides LANG and every
# other LC_* variable and is meant for troubleshooting only, never for locale.conf.
sed -i 's/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
# Set password for root
passwd
# Add a real user; remove the -s flag if you don't wish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# wheel membership alone grants nothing: run visudo and uncomment '%wheel ALL=(ALL) ALL' to let the user use sudo
# Configure mkinitcpio with the hooks needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'keymap', 'encrypt' and 'lvm2' to HOOKS, in that order, before 'filesystems':
# keymap must precede encrypt so the passphrase prompt uses the keymap loaded above, and
# encrypt must precede lvm2 so the volume group is found inside the opened container. For example:
# HOOKS="base udev autodetect modconf block keymap encrypt lvm2 filesystems keyboard fsck"
# Adding 'ext4' to MODULES is harmless but normally unnecessary: autodetect picks up the root filesystem's module
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX so the initrd can find and unlock the container:
#   GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"
# The name after the first colon must match the one given to luksOpen above. Prefer
# cryptdevice=UUID=<uuid>:luks with the UUID from 'blkid /dev/sdX3' so a renumbered disk does not
# break booting. allow-discards passes TRIM through the container, which reveals which blocks are
# unused; drop it unless you accept that (see the dm-crypt pages on the ArchWiki). /boot is
# unencrypted in this layout, so GRUB_ENABLE_CRYPTODISK is not needed. Then run:
grub-mkconfig -o /boot/grub/grub.cfg
# Exit the new system and return to the live environment shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
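The two settings that most often break the first boot of this layout are the HOOKS order in /etc/mkinitcpio.conf and the cryptdevice= entry in /etc/default/grub. The script below is an added example, not part of the original gist: it validates both before you leave the chroot. It assumes the layout above (one LUKS container opened as `luks`, LVM inside it, unencrypted /boot); the prefix argument, the default mapper name and the file names `check-install.sh` are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: a pre-reboot sanity check for the
# two settings that break first boot on this layout. Assumes one LUKS container
# opened as "luks", LVM inside it and an unencrypted /boot, as in the guide above.

# Print the 1-based position of hook $1 in the whitespace-separated list $2, or 0.
hook_pos() {
  local needle=$1 i=0 h
  for h in $2; do
    i=$((i + 1))
    if [ "$h" = "$needle" ]; then
      echo "$i"
      return 0
    fi
  done
  echo 0
  return 1
}

# Validate a HOOKS value from /etc/mkinitcpio.conf: keymap, encrypt, lvm2 and
# filesystems must all be present and in that order (keymap before encrypt so the
# passphrase is typed in the chosen layout, encrypt before lvm2 so the volume group
# is visible when the root filesystem is looked up).
check_hooks() {
  local hooks=$1 prev=0 cur h
  for h in keymap encrypt lvm2 filesystems; do
    cur=$(hook_pos "$h" "$hooks") || { echo "missing hook: $h" >&2; return 1; }
    [ "$cur" -gt "$prev" ] || { echo "hook out of order: $h" >&2; return 1; }
    prev=$cur
  done
  return 0
}

# Validate a GRUB_CMDLINE_LINUX value: it must carry cryptdevice=<device>:<name>
# where <name> is the mapper name given to luksOpen ($2, default "luks"), and the
# /dev/sdX placeholder must not have been left in. UUID= is accepted outright; a
# /dev/ path is accepted with a warning because it changes if disks are renumbered.
check_cmdline() {
  local cmdline=$1 name=${2:-luks} spec dev map
  spec=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptdevice=//p')
  [ -n "$spec" ] || { echo "no cryptdevice= in GRUB_CMDLINE_LINUX" >&2; return 1; }
  dev=${spec%%:*}
  map=${spec#*:}
  map=${map%%:*}
  [ "$map" = "$name" ] || { echo "cryptdevice maps to '$map', luksOpen used '$name'" >&2; return 1; }
  case $dev in
    UUID=*) return 0 ;;
    /dev/sdX*) echo "placeholder device '$dev' left in GRUB_CMDLINE_LINUX" >&2; return 1 ;;
    /dev/*) echo "warning: '$dev' is a path; UUID= survives disk renumbering" >&2; return 0 ;;
    *) echo "unrecognised cryptdevice spec '$dev'" >&2; return 1 ;;
  esac
}

# Read both values from the config files under prefix $1 (empty when run inside
# the chroot, /mnt when run from the live image) and apply both checks.
check_system() {
  local root=${1:-} name=${2:-luks} hooks cmdline
  hooks=$(sed -n 's/^HOOKS=[("]*\([^")]*\).*/\1/p' "$root/etc/mkinitcpio.conf")
  cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/p' "$root/etc/default/grub")
  check_hooks "$hooks" && check_cmdline "$cmdline" "$name"
}

# Usage: bash check-install.sh --run [prefix] [mapper-name]
if [ "${1:-}" = "--run" ]; then
  check_system "${2:-}" "${3:-luks}" && echo "ok"
fi
```

Run it inside the chroot with `--run` (or from the live image with `--run /mnt`) after editing the two files and before `grub-mkconfig`; a non-zero exit names the setting to fix. The mapper-name check exists because the name after the colon in cryptdevice= and the name passed to luksOpen are easy to let drift apart, and when they do the initrd unlocks the container under a different name and never finds the volume group.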
ceyhanmolla commented Oct 22, 2015

Hello there. Can you write a normal (non-UEFI) installation?

mattiaslundberg commented Oct 24, 2015

@ceyhanmolla Suggesting to have a look at http://mattclewell.com/wordpress/2014/install-arch-linux-on-encrypted-lvm/ for non-UEFI systems. I don't plan to write those instructions since I don't use any non-UEFI hardware.

tony commented Dec 29, 2015

Nice job on this

Under 68-71, append via >>, or else subsequent commands will just overwrite the previous.

# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
mategit commented Jan 4, 2016

Extremely nice job indeed! But Devil's in the details.

Under 13 "# This assumes a wifi only system... wifi-menu" Yes. Installing Arch Linux "wifi-only" is extremely complicated.

I wonder how to present the most important things and main information security functions on installing, like graphical or visual algorithms and process mapping?

https://www.customermagnetism.com/wp-content/uploads/2015/06/Process-Mapping.jpg
http://www.clker.com/cliparts/6/5/c/6/1356604543475837012complex%20flowchart1.jpg

mattiaslundberg commented Jan 7, 2016

@tony Thanks, haven't noticed that. Have updated.

@mategit Thanks for the suggestion. Don't have a good idea of how to accomplish this, but will give it some thought.

ethanwillis commented Jan 17, 2016

If you are using a NVMe PCIE SSD based system this install guide won't work. What you need to do is replace GRUB2 with systemdboot a.k.a gummiboot.

ErikBjare commented Jan 18, 2016

Well this was tremendously helpful, LVM on LUKS and everything!

Thanks a lot for the effort m8!


I wrote the above 2 days ago when installing arch on my new build, kind of forgot I had things left undone on my laptop, heh.

hssm commented Jan 24, 2016

Just wanted to say thanks for the succinct guide. My intended setup was exactly like the one here and I was up and running in a matter of minutes. The wiki is a bit maze-like when it comes to dm-crypt and I was almost ready to give up on it until I found this. Thanks!

mewmew commented Feb 5, 2016

Hej Mattias,

Thanks a lot for sharing these install instructions! I love the succinctness and clarity. No unnecessary information, but everything you need for an encrypted Arch on an UEFI system. <3

Cheers
/u

binaerbaum commented Mar 27, 2016

Thank you very much for writing this guide Mattias ! It helped a lot.

For those who have an NVMe SSD, the instructions to configure systemd-boot can be found in this fork

dust321 commented Apr 15, 2016

This is how to do it with DOS/BIOS aka non-UEFI

https://gist.github.com/dust321/035a568e47e7e575aaa5529e2a5973bd

mattia-b89 commented May 12, 2016

why do you add 'ext4' to the modules array?

mattiaslundberg commented May 14, 2016

@mattia-b89 if I remember correctly it didn't load without adding it. Probably isn't needed anymore but no harm in keeping it there since it's used when running the system anyway.

mon0theist commented Aug 10, 2016

Why both and EFI and a boot partition?

EDIT: Nevermind

HazCod commented Aug 17, 2016

@mattiaslundberg Thanks for the gist! I followed it, excluding zsh & git, but mkinitcpio did not get installed. So I did a pacman -S mkinitcpio but I still do not have a linux.preset in /etc/mkinitcpio.d/. Ideas?

mattiaslundberg commented Aug 18, 2016

@HazCod linux.preset is owned by the linux package on my system, I would try to reinstall the linux package (sudo pacman -S linux), watching out for any errors, and then it would hopefully work. I don't know how to proceed if that fails.

HazCod commented Aug 18, 2016

@mattiaslundberg That did the trick, thanks! Could you edit your gist to install linux cryptsetup lvm2 in the chroot? That would make everything work again. Thanks!

iamlucaswolf commented Aug 18, 2016

Thanks for the great gist!
Is there any reason to add the user to the storage and power groups?

mattiaslundberg commented Aug 21, 2016

@iamlucaswolf, no reason to use them anymore according to https://wiki.archlinux.org/index.php/Users_and_groups#Pre-systemd_groups . Removed from the gist, thanks!

ston3o commented Aug 26, 2016

Thank you!! You saved my life! ^^

pascalpoitras commented Sep 13, 2016

awesome stuff!

duesee commented Oct 29, 2016

Note: You should add the keymap hook before encrypt, etc. See https://bbs.archlinux.org/viewtopic.php?id=173506.

sieste commented Nov 14, 2016

Works like a charm, thanks a lot.

If you followed these instructions and ever have to downgrade the kernel in case of kernel panic, see
https://gist.github.com/sieste/586f727ac860ee0f896cbb8326846933

acharis commented Dec 5, 2016

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub

zacacollier commented Dec 24, 2016

super simple and useful - thank you for your help.

when running grub-mkconfig I usually experience this error (it's popped up on 2 separate host systems so far):

/run/lvm/lvmetad.socket: connect failed: No such file or directory

To fix this - as per this article:

  • Drop out of the root environment: exit or (Ctrl - d)
  • mkdir /mnt/hostrun/
  • mount --bind /run /mnt/hostrun
  • arch-chroot /mnt /bin/bash
  • mkdir /run/lvm
  • mount --bind /hostrun/lvm /run/lvm

Then grub-mkconfig will run without a hitch.

chrislea commented Jan 2, 2017

Just wanted to also chime in with a "thank you". I've been mostly a Debian / Ubuntu person for the last several years, but have been meaning to try Arch out for some time. This guide was immensely helpful. Thanks again!

HardenedArray commented Jan 30, 2017

Mattias - Thank you for your effort in creating an UEFI-booting, encrypted Arch installation framework that appears to have attracted a following. I agree with the thrust of several users' comments that the Arch installation wiki, with respect to achieving UEFI booting on an encrypted root and swap Arch system can seem confusing and ambiguous. I can assure you, several other major linux flavors are far worse, in that they are either silent, or lack important information, in support of the vital topic of secure system encryption. Your guide simplifies and eases the Arch Linux installation process for users who care about the maintenance of their privacy.

I'd like to offer some comments which I believe will prove useful to the average user, and particularly to those who are new to Arch Linux, or even to Linux.

N.B.: All of my comments pertain specifically to my tested Arch x86_64 installation process using the 1 January 2017 Arch Linux *.iso, which was the latest media available at the time of this post. That being said, it is highly probable my comments remain pertinent to users of previous, and also likely, to users of future Arch installation media releases.

I UEFI boot and run more than five operating systems from my SSD. All of my OSes UEFI boot from my single, 100 MiB, EFI partition. All of my OSes have encrypted root and swap, utilizing my SSD's native hardware-based AES-256-bit encryption support with BitLocker or Linux's software-based LUKS on LVM encryption to secure my data, when at rest. My Arch Linux install is just another encrypted Linux OS installation that happens to reside on my SSD.

My comments are targeted toward those interested in encrypted multi-OS booting, as well as to those who just want to install encrypted Arch. I hope my experience and insights prove beneficial:

  1. Mattias's guide will work, as published, but it is not ideal for all users. In several important areas, the guide offers incorrect or unnecessary advice, which I've addressed below. Blindly following guides on the Net and hoping for a successful outcome without understanding the implications is never a recommended practice. Tremendous effort by many tremendous people has been expended publishing the superlative ArchWiki over the years, so use it to your advantage: Read, Think, and only then, Install.

  2. The partitioning and filesystems advice are correct. If you multi-boot, be sure you mount Arch's /boot/efi at your existing ESP partition. If you installed Windows 10 first, your EFI partition is likely to be /dev/sda2.

  3. I would never use the term 'luks' as a /dev/mapper mount point, as it can prove confusing with several cryptsetup commands, as in:

    a. cryptsetup luksOpen /dev/sdX3 luks. Instead, use a unique, memorable mount point. I'm currently fond of:
    b. cryptsetup luksOpen /dev/sdXY 2016-Global-OpSec-Champion-LyingHillary

Y can be set to any integer value appropriate to your system drive's partition structure.

  4. On modern, capable, computers, including laptops, with sufficient DRAM, allocating 8 GiB of drive space dedicated to swap is simply a waste of system resources. 512 MiB of encrypted swap drive space is more than sufficient, if you even need swap.

  5. Your chosen VG and LV names are completely arbitrary. The terms: vg0, root and swap can be 'swapped out' for any names memorable to you. Arch, as a volume group label, works for me.

  6. The mounting instructions are correct. Multi-OS UEFI-booters will need to adjust their partition mounts, as appropriate to their drive layout, keeping in mind that /boot, /boot/efi, and '/' root-owned mount points are required for correct Arch system installation.

  7. I disagree that adding a tmpfs mount point is required, or whether it is even advantageous to add a RAM disk, particularly if you plan on installing a DE later. Adding tmpfs to /etc/fstab is not necessary, at all.

  8. The locales advice offered, once chrooted, is not correct, especially if you are an English speaker. If English is your native language, you need to edit exactly two lines to correctly configure your language settings:

    a. In /etc/locale.gen uncomment only: en_US.UTF-8 UTF-8
    b. In /etc/locale.conf, you should only have this line: LANG=en_US.UTF-8

These language settings are critical to the proper operation of your Arch system, and incorrect language settings can prevent a DE from even launching a terminal if they are not set correctly! If you install a DE, you should configure additional languages through its Region/Language settings to ensure the correct dependencies get installed. Most users will benefit by reading up on how to properly enable spell-checking support, post-installation.

Furthermore, users should carefully consider this warning prior to setting 'LC_ALL=C', as suggested. See: https://wiki.archlinux.org/index.php/Locale

LC_ALL: troubleshooting
The locale set for this variable will always override LANG and all the other LC_* variables, whether they are set or not.
LC_ALL is the only LC_* variable, which cannot be set in locale.conf files: it is meant to be used only for testing or troubleshooting purposes, for example in /etc/profile.

  9. The vast majority of users will find the (default) BASH terminal far more intuitive than using zsh, but personal preferences vary. Default programs don't make it into major Linux distributions without thoughtful reasoning, especially when it comes to something as critical as a terminal.

  10. There is no need to add 'ext4' to MODULES. I run an ext4 encrypted Arch Linux root filesystem without issue. There is no 'ext4' in my MODULES statement.

  11. This hooks statement (in /etc/mkinitcpio.conf) is known to work well:

HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"

If you've made changes, re-run 'mkinitcpio -p linux' as root.

  12. The correct way to install grub on an UEFI computer, irrespective of your use of a HDD or SSD, and whether you are installing dedicated Arch, or multi-OS booting, is:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux

Note that bootloader-id can also be set to any label of memorable value to you. The suggested ArchWiki label of '--bootloader-id=grub' is a non-descriptive, non-creative, and a generally poor, idea.

  13. Even if you use a SSD, do not enable 'allow-discards' in /etc/default/grub, specifically:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"

There exist better SSD solutions, without the security implications. Read https://wiki.archlinux.org/index.php/Solid_State_Drives, first.

  14. You also may want to consider adding something like 'resume=/dev/mapper/MyVolGroupName-MyLVSwapName' to your GRUB_CMDLINE_LINUX.

  15. As always, following any change to /etc/default/grub: re-run: 'grub-mkconfig -o /boot/grub/grub.cfg' as root, and reboot.

I hope these comments provide further insight, flexibility and utility to those interested. Best of luck, enjoy running and continuously learning about new ways to optimize your UEFI-booting, properly encrypted Arch Linux system!

HardenedArray

mattiaslundberg commented Jan 31, 2017

@HardenedArray Thanks for the feedback on the instructions. I will update the instructions as soon as I have more time to try everything out.

The reason for sharing this in the first place was the effort I had to put in to install my system 3 years ago, and I tried to keep it as short as possible. Some configuration (multiboot for example) are missing and others are specific (setting zsh as a shell) to fit my personal needs. At some parts it looks like I have made mistakes as sometimes happens. I'm glad that you and others have pointed this out as I get an opportunity to learn new things about my system.

I would hope that this is used as a start for customizing to every users custom needs (as many have done in the many forks). I agree that every user following this should understand what they are doing in every step and the Arch Wiki documents this.

HardenedArray commented Feb 1, 2017

Halloj Mattias,

I appreciate your thoughtful comments. I know you had your heart in the right place, which is always the most important character trait.

As I previously mentioned, there exist several far more poorly documented, yet purportedly 'secure' OSes, especially when it concerns the critically important matters of proper root and swap encryption, and correct UEFI booting.

I won't mention any names to protect The Guilty, but they know who they are, and all of them are very likely to burn in Hell in return for the immense suffering they caused on my end, at least until I figured out the correct encryption and booting procedures on my own!

As opposed to expecting future installers to continuously flip between your guide and my comments, I've composed a clean Arch installation guide which incorporates my comments above.

You, or anyone else interested, are welcome to test my encrypted, UEFI-booting, Arch installation procedure at:

https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07

Obviously, all users should adapt my instructions to their drive constraints, preferences and intended outcomes.

Feedback and suggested improvements are always welcome.

Please continue your good work Mattias!

All the best,

HardenedArray

CyberManifest commented Feb 15, 2017

Has this piece been updated with the feedback taken into consideration?
Forgive me, I'm a n00b when it comes to Arch Linux, Linux, or scripting. I was curious to know (again forgive me of my ignorance), is this a script or simply a guide? If it is a script how may I implement it? I'd like to Install Arch Linux (with UEFI support; securing with cryptography is a bonus) on a Virtual Machine (via VirtualBox) on a macOS host, and I don't know what I'm doing or understand any of it. I found the Arch Linux wiki to be confusing on matters of UEFI (especially regarding a mount point of /boot/efi) and also regarding the partitioning method with the available tools. I'm led to believe that the efi partition is supposed to be in a FAT32/or compatible format due to the fact of uncertainty if a firmware will support anything else. If I'm sure that VirtualBox can support other file formats can the efi partition be formatted in something more native to Linux? I prefer BASH (as it's the only one I'm generally familiar with) for a command shell, as opposed to ZSH and I would like to have a partition scheme of:
/boot /dev/sdx1 EFI System Partition 1 GiB (with a sub mount for efi as in: /boot/efi)
/ /dev/sdx2 Linux 20.5 GiB
[SWAP] /dev/sdx3 Linux swap 8 GiB
/home /dev/sdx4 Linux 20.5 GiB
Can someone lend this n00b / new beginner some gracious guidance beyond the typical go "rtfm"; I'm a very hands on and visual learner so I'd like to have a system up and running to experiment with and visualize as I'm rtfing the manual and man pages. I find the Arch Linux Wiki just as indispensable as the man pages and other documentation in furthering my knowledge and understanding of this system, regardless of the confusion it sometimes dispenses. If someone is able to lend some assistance and enlighten me on how to implement this information in a way that I'm able to contain my specific customizations, please do not hesitate to contact me at ryan.k.mckee@gmail.com
I would greatly like to achieve the original author's intents as my own but in a way I understand and is meaningful to me specifically.
NOTE: I took a look at the revenge installation tool (a Graphical Installation for Arch Linux) but it said that UEFI is not yet implemented or supported.
EDIT: Can this be implemented like shown in this video: https://www.youtube.com/watch?v=QKoEUpAfLcc ?

mattiaslundberg commented Feb 15, 2017

@CyberManifest
This is written more as a guide in script form than an actual runnable script. So read it more as a guide.

Since you're a beginner and don't need to install Arch Linux on an actual system, I would recommend to install without UEFI and encryption as outlined in Install instructions. Then if you choose to move on and install Arch Linux directly on your mac these instructions should make more sense!

angvp commented Mar 2, 2017

Hi @mattiaslundberg I found that I need to update the grub line to this

cryptdevice=/dev/sdX3:lvmpool root=/dev/mapper/vg0-root

Otherwise it is going to have issues after entering the password.

thiagotome commented Mar 13, 2017

Finally! Thank you!
I tried to follow the official guide and it didnt work

msebolt commented Jun 13, 2017

Blown away!

dbio commented Sep 20, 2017

Thank you so much for this!

joseph4321 commented Sep 29, 2017

Thanks for writing this, it was very helpful.

aminnairi commented Feb 21, 2018

Great work! 😎

Just some points to notice:

  1. Newer versions of GRUB have a new parameter to enable an encrypted device to be opened, so we have to uncomment the line
     GRUB_ENABLE_CRYPTODISK=y
  2. If you generated your fstab with UUIDs, you should do it also for your GRUB command line
     GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=<UUID_OF_THE_DEVICE>:cryptoluks root=/dev/mapper/volname-devicename quiet"

You can get the UUID of a disk using blkid on a given disk like

$ blkid /dev/sdb1

Hope this helps some that are in my case when I couldn't seem to make GRUB open the crypted device.

ellcs commented Feb 24, 2018

Hey, hey! Thanks for sharing.
The "shred your device" part is definitely missing!
It's important since you want to

  • Wipe old data on the device.
  • Ensure not used/written parts are filled with junk.

https://wiki.archlinux.org/index.php/Securely_wipe_disk#Preparations_for_block_device_encryption

MarkusH commented Oct 4, 2018

This is a nice step by step gist. Thank you very much!

A few notes / remarks:

  • In line 62 change ln -s to ln -sf because /etc/localtime already exists.
  • In lines 76-78 you optionally add a user that's in the "wheel" group. However, that user won't be allowed to use sudo until they're added in the sudoers file. I suggest to add a line to run visudo and uncomment the line %wheel ALL=(ALL) ALL in the sudoers file.