@mjnaderi
Forked from mattiaslundberg/arch-linux-install
Last active April 18, 2024 19:00
Installing Arch Linux with Full Disk Encryption (LVM on LUKS)

References:

There are 2 choices:

  • UEFI/GPT mode: UEFI boot mode / GPT partition table
  • BIOS/MBR mode: Legacy boot mode / MBR partition table

I tried to install in UEFI mode, but my laptop (Acer E5-475-336H) had problems with it, and didn't boot after installation. This is how I installed Arch Linux in BIOS/MBR mode with full disk encryption (using LUKS), and LVM on LUKS.

Assumptions

I assume that /dev/sda is the system's disk, and /dev/sdb is the USB drive.

Steps

  1. Download the Arch ISO image from https://www.archlinux.org/download/ and copy it to a USB drive.

    # dd if=arch.iso of=/dev/sdb
    
  2. Set boot mode to "Legacy" in BIOS configuration, and boot from USB.

  3. Connect to the internet. A wired connection is preferred since it's easier to connect. See the Arch wiki.

  4. Partitioning

    A drive should first be partitioned and afterwards the partitions should be formatted with a file system. Use fdisk to create MBR partitions.

    # fdisk /dev/sda
    

    First, create an empty MBR partition table (WARNING: This will erase the entire disk)

    (fdisk) o
    

    We are going to create 2 main partitions (/dev/sda1 and /dev/sda2):

    Device     Boot     Start       End   Sectors   Size Type
    /dev/sda1            2048    526335    524288   256M Linux      /boot
    /dev/sda2          526336 765986815 765460480   365G Linux      Encrypted with LUKS, 3 LVM partitions:
        swap  vg0 -wi-ao----   8.00g                                   swap
        root  vg0 -wi-ao----  80.00g                                   /
        anbar vg0 -wi-ao---- 277.00g
    /dev/sda3       765986816 976773167 210786352 100.5G Linux      (Optional) Other partitions if you need... You can encrypt them separately with another password
    

    Create partitions:

    (fdisk) n
    (fdisk) p
    (fdisk) 1
    (fdisk) <Enter>
    (fdisk) +256M
    (fdisk) t
    (fdisk) linux
    
    (fdisk) n
    (fdisk) p
    (fdisk) 2
    (fdisk) <Enter>
    (fdisk) +365G
    (fdisk) t
    (fdisk) linux
    
    (fdisk) n
    (fdisk) p
    (fdisk) 3
    (fdisk) <Enter>
    (fdisk) <Enter>
    (fdisk) t
    (fdisk) linux
    
    (fdisk) w (Write Changes)
    

    Format Partitions:

    # mkfs.ext2 /dev/sda1
    
  5. Setup encryption

    # cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sda2
    # cryptsetup luksOpen /dev/sda2 luks
    
  6. Create LVM partitions (logical volumes). This creates one partition for root, plus swap and a data volume named anbar; modify if /home or other partitions should be on separate partitions.

    # pvcreate /dev/mapper/luks
    # vgcreate vg0 /dev/mapper/luks
    # lvcreate --size 8G vg0 --name swap
    # lvcreate --size 80G vg0 --name root
    # lvcreate -l +100%FREE vg0 --name anbar
    
  7. Format LVM partitions

    # mkfs.ext4 /dev/mapper/vg0-root
    # mkfs.ext4 /dev/mapper/vg0-anbar
    # mkswap /dev/mapper/vg0-swap
    
  8. Mount the new system

    # mount /dev/mapper/vg0-root /mnt
    # mkdir /mnt/boot
    # mount /dev/sda1 /mnt/boot
    # swapon /dev/mapper/vg0-swap
    
  9. Install the base system

    # pacstrap -i /mnt base base-devel linux linux-firmware lvm2 openssh git vim
    
  10. Generate /etc/fstab. This file can be used to define how disk partitions, various other block devices, or remote filesystems should be mounted into the filesystem.

    # genfstab -pU /mnt >> /mnt/etc/fstab
    

    (Optional) For making /tmp a ramdisk, add the following line to /mnt/etc/fstab:

    tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
    
  11. Enter the new system

    # arch-chroot /mnt /bin/bash
    
  12. Set TimeZone

    See available timezones:
    # ls /usr/share/zoneinfo/
    
    Set timezone:
    # ln -sf /usr/share/zoneinfo/Asia/Tehran /etc/localtime
    
  13. Set Locale

    # vim /etc/locale.gen (uncomment en_US.UTF-8 UTF-8)
    # locale-gen
    # echo LANG=en_US.UTF-8 > /etc/locale.conf
    # export LANG=en_US.UTF-8
    
  14. Set the hardware clock mode uniformly between your operating systems. Otherwise, they may overwrite the hardware clock and cause time shifts.

    # hwclock --systohc --utc
    
  15. Set hostname

    # echo myhostname > /etc/hostname
    

    Add it to /etc/hosts:

    127.0.0.1	localhost
    ::1		localhost
    127.0.1.1	myhostname.localdomain	myhostname
    
  16. Create User

    # useradd -m -g users -G wheel -s /bin/bash myusername
    # passwd myusername
    # visudo
    uncomment %wheel ALL=(ALL) ALL
    
  17. Configure mkinitcpio with modules needed for the initrd image

    # vim /etc/mkinitcpio.conf
    Add 'ext4' to MODULES
    Add 'encrypt' and 'lvm2' to HOOKS before 'filesystems'
    

    Regenerate initrd image

    # mkinitcpio -p linux
    
  18. Setup grub

    # pacman -S grub
    # grub-install --target=i386-pc --recheck /dev/sda
    

    In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to:

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:luks:allow-discards"
    

    [Tip] To automatically search for other operating systems on your computer, install os-prober (pacman -S os-prober) before running the next command.

    # grub-mkconfig -o /boot/grub/grub.cfg
    
  19. Exit new system and unmount all partitions

    # exit
    # umount -R /mnt
    # swapoff -a
    
  20. Reboot into the new system. Don't forget to remove the CD/USB.

    # reboot
    
  21. Connect to the internet.

    Configure systemd-networkd. Create file /etc/systemd/network/20-wired.network:

    [Match]
    Name=en*
    Name=eth*
    
    [Network]
    DHCP=yes
    

    Restart systemd-networkd and systemd-resolved:

    # systemctl restart systemd-networkd systemd-resolved
    # ping archlinux.org
    

    Restart systemd-networkd and systemd-resolved again if required.

  22. System is installed now. If you want to install the Gnome desktop, perform the following steps.

  23. Install Xorg server

    # pacman -S xorg-server xorg-apps
    
  24. Install graphics driver (Arch wiki). For my laptop, the graphics driver is xf86-video-intel.

    # pacman -S xf86-video-intel
    
  25. Install Gnome Display Manager and Gnome Desktop.

    # pacman -S gnome gdm
    # pacman -S gnome-extra gnome-system-tools  (Optional)
    
  26. Enable GDM service

    # systemctl enable gdm
    
  27. Reboot!
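
A pre-reboot check for steps 17 and 18, added here as an example and not part of the original gist: it confirms that HOOKS lists encrypt, then lvm2, then filesystems, and that GRUB_CMDLINE_LINUX carries a cryptdevice= parameter. The function names are hypothetical, the sample files are constructed from the guide's values, and requiring encrypt ahead of lvm2 is stricter than the guide's wording (the LUKS container has to be open before LVM can find the volume group inside it).

```shell
#!/bin/sh
# Added example: pre-reboot checks for steps 17 and 18. File paths are
# arguments so the checks run inside the chroot or against copies.

# hooks_ok FILE: active HOOKS line has encrypt, then lvm2, then filesystems.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"].*$/\1/p' "$1" | tail -n 1)
    pos=0 enc=0 lvm=0 fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt) enc=$pos ;;
            lvm2) lvm=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]
}

# cryptdevice_of FILE: print DEV from cryptdevice=DEV:NAME[:options] in
# GRUB_CMDLINE_LINUX; non-zero exit if the parameter is missing.
cryptdevice_of() {
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=\([^: "]*\).*/\1/p' "$1" | grep .
}

# preboot_check MKINITCPIO_CONF GRUB_DEFAULTS: report problems, 0 if bootable.
preboot_check() {
    rc=0
    hooks_ok "$1" || { echo "FAIL: HOOKS needs encrypt, lvm2, filesystems in that order"; rc=1; }
    if dev=$(cryptdevice_of "$2"); then
        case $dev in
            /dev/sd*|/dev/vd*) echo "WARN: $dev can change between boots; UUID=<luks-uuid> is stable" ;;
        esac
        if grep -q '^GRUB_CMDLINE_LINUX=.*allow-discards' "$2"; then
            echo "NOTE: allow-discards lets TRIM reveal which blocks are unused"
        fi
    else
        echo "FAIL: GRUB_CMDLINE_LINUX has no cryptdevice="; rc=1
    fi
    return "$rc"
}

# Constructed sample files carrying the guide's values, not a real system.
demo_dir=$(mktemp -d)
echo 'HOOKS=(base udev autodetect modconf keyboard block encrypt lvm2 filesystems fsck)' > "$demo_dir/mkinitcpio.conf"
echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:luks:allow-discards"' > "$demo_dir/grub"
preboot_check "$demo_dir/mkinitcpio.conf" "$demo_dir/grub"
rm -rf "$demo_dir"
```

Inside the chroot, run `preboot_check /etc/mkinitcpio.conf /etc/default/grub` before step 19.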

@lukesmolo

I think the root indication in GRUB_CMDLINE_LINUX is missing.
I added "root=/dev/mapper/vg0-root" in order to be able to boot.

@chindit

chindit commented Sep 28, 2019

Thanks A LOT for your work. I was struggling with Grub config.

You made it so clear. Thanks again!

@mold-resistant

Thank you, a very helpful guide to my first encrypted Arch install!

@quienesbryan

hi there, everything looks good until i try to install on arch linux 20191001 iso, mkinitcpio not found

@LukasWerthmanns

@quienesbryan

hi there, everything looks good until i try to install on arch linux 20191001 iso, mkinitcpio not found

I worked around the issue through running "pacman -S mkinitcpio linux-firmware linux" idk if there is a better way

@SnailShea

I had to manually install lvm2 for the initcpio to be created successfully. Thanks for this guide!

@Spen53

Spen53 commented Mar 12, 2021

This script helped immensely installing on an old hp probook 6550b with a ssd drive.
I have a problem with the home partition. It is not connected at boot. It is not in the fstab.
When I tried to edit my fstab and add it using the UUID, then while booting up, I get to my login (lightdm) but it no longer accepts my password.
I did run grub-mkconfig and re-checked the file to make sure all was there and not more.
Any ideas? I can do a complete re-install if necessary.

@lost-rob0t

lost-rob0t commented Apr 9, 2023

When I tried to edit my fstab and add it using the UUID, then while booting up, I get to my login (lightdm) but it no longer accepts my password.

try changing your password for your user, sorry for necrobump in case someone else runs into this issue

@CoderUni

I noticed a typo in:

  1. Create LVM partitions (logical volumes).

vreduce --size -256M vg0/home should be lvreduce --size -256M vg0/home

Thanks for the great work though @mjnaderi !

@mjnaderi
Author

Thank you for catching that typo! You're absolutely right, it should be lvreduce instead of vreduce. I fixed the typo. And thanks for your kind words! @CoderUni

@b-fg

b-fg commented Jan 23, 2024

This is a super useful guide, thanks a lot!

@zacstewart

The perfect Arch install doesn't ex-

@pauloricardokoch

Great guide, thx!

@dober

dober commented Mar 11, 2024

Thanks, works as expected!
