Skip to content

Instantly share code, notes, and snippets.

@mattiaslundberg
Last active October 25, 2024 12:07
Show Gist options
  • Save mattiaslundberg/8620837 to your computer and use it in GitHub Desktop.
Save mattiaslundberg/8620837 to your computer and use it in GitHub Desktop.
Minimal instructions for installing arch linux on an UEFI system with full system encryption using dm-crypt and luks
# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set swedish keymap
loadkeys sv-latin1
# This assumes a wifi only system...
wifi-menu
# Create partitions
cgdisk /dev/sdX
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partiton # (to be encrypted) Hex code 8300
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
# Setup the encryption of the system
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partions for root, modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired these can be removed from the command
pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Add real user remove -s flag if you don't whish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
grub-install
In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:
grub-mkconfig -o /boot/grub/grub.cfg
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
@plarabee
Copy link

@JPenuchot I second this. Also, you may need mkinitcpio and lvm2.

@jadeaffenjaeger
Copy link

jadeaffenjaeger commented Jan 23, 2020

I've written an updated and slightly more detailed version of this, if anyone is interested:

https://etrommer.github.io/projects/2020/01/22/arch-linux-encrypted-dual-boot-windows-systemd-boot.html

The key differences are that I use systemd-boot instead of GRUB, don't use any additional partitions and set it up as as an Arch/Windows Dual Boot.

@hirowatari
Copy link

Thanks!

@jherrlin
Copy link

jherrlin commented Jun 2, 2020

@jadeaffenjaeger I know it's been a while but would you like to elaborate on why you did LVM when you only had one partition?

@jadeaffenjaeger
Copy link

@jadeaffenjaeger I know it's been a while but would you like to elaborate on why you did LVM when you only had one partition?

No strong reason, and could certainly be done without. I added LVM because I find that it makes resizing things easier if needed somewhere down the line and isn't a lot of extra effort.

@jherrlin
Copy link

@jadeaffenjaeger I know it's been a while but would you like to elaborate on why you did LVM when you only had one partition?

No strong reason, and could certainly be done without. I added LVM because I find that it makes resizing things easier if needed somewhere down the line and isn't a lot of extra effort.

Thank you for the answer! Makes sense!

@palanthis
Copy link

Touching on one thing someone pointed out. Yes, you need to add linux and linux-firmware to your pacstrap line. Although, firmware can technically be added once in chroot. To clarify, base is now a meta package and base-devel is a group.

And to reiterate what some others have said. This is a good guide, but I highly recommend that you also refer to the wiki as you go and make sure you know why you are taking these particular steps. Remember: If you end up with a working system, but you don't understand how you got there, you didn't really install Arch. You just followed some directions. The essence of Arch is building your system your way and that requires understanding why you made certain decisions (GRUB vs SystemD, LVM or not, fstrim settings for SSDs, etc.)

@dakyskye
Copy link

dakyskye commented Jul 21, 2020

This is perfect guide. However, if anybody is using this instructions to install and configure GRUB, and also has Windows or other system on another drive, and does not wanna break their boot manager, make sure to instead install just grub, and as said on Arch wiki, run grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB /dev/sd<THE DRIVE YOU JUST INSTALLED ARCH ON>.

@nsa
Copy link

nsa commented Apr 2, 2021

what if you add status=progress option to dd at line 6? I believe it would be helpful to see the progress of dd.

@SamSaffron
Copy link

Wi-Fi connection steps need updating wif-menu is no more

https://wiki.archlinux.org/title/Iwd#iwctl

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment