thacoon/arch-linux-uefi-encrypted-install

## arch-linux-uefi-encrypted-install
# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Based on https://gist.github.com/mattiaslundberg/8620837
# And based on https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger

# Download the archiso image from https://www.archlinux.org/

# Verfiy it (also download the .sig file to verify it)
gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
# or if you have already arch installed
pacman-key -v archlinux-version-x86_64.iso.sig

# Copy to a usb-drive
sudo dd if=archlinux.img of=/dev/sdX bs=1M && sudo sync # on linux

# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

# Set german keymap
loadkeys de-latin1

# This assumes a wifi only system...
wifi-menu

# List your partitions
lsblk

# (Optional) If you want to prevent recovery of previously stored data you need to wipe your disk first.
# Because encryption only use individual sectors on demand and does not encrypt the whole disk.
cat /dev/zero > /etc/sdX
# Or if you even want to hide how much storage you are using use the following. However, this takes significantly longer.
cat /dev/urandom > /etc/sdX

# If you already installed arch with the same setup on the computer there may be still files in /mnt/boot if you did not wipe your disk
# In this case run at least cat /dev/urandom > /etc/sdX1 and /dev/urandom > /etc/sdX2

# Create partitions
cgdisk /dev/sdX
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partiton # (to be encrypted) Hex code 8300
# press d to delete a partition, n to create a new partition
# before creating a new partition select the free space partition type
# for the first sector just press enter, then enter the size and unit e.g. for boot 250M press enter and then add a name to your partition
# for the 100% just press enter when asked for size
# if entered all three partitions press w to write it down and then quit with q

mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2

# Setup the encryption of the system
cryptsetup --key-size 512 --hash sha512 --iter-time 5000 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks

# Create encrypted partitions
# This creates one partions for root and home, modify if /tmp or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
# a 30-50G root partition should be large enough. However if you play a lott with dockers make it bigger, e.g. 80G
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate --size 50G vg0 --name root
lvcreate -l +100%FREE vg0 --name home

# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap

# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi

# Edit the mirrorlist to speed up downloading, top ten should be servers near your current location
nano /etc/pacman.d/mirrorlist
# Delete one line with Ctrl+K

# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
pacstrap /mnt base base-devel linux linux-firmware lvm2 nano grub-efi-x86_64 git efibootmgr netctl dialog dhcpcd wpa_supplicant

# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

# Enter the new system
arch-chroot /mnt /bin/bash

# Setup system clock
ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo MYHOSTNAME > /etc/hostname

# Set keymap
echo KEYMAP=de-latin1 > /etc/vconsole.conf

# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
#echo LC_ALL=C >> /etc/locale.conf # not recommended, caused an unicode error in python for me

# Update locales
nano /etc/locale.gen
# Uncomment `de_DE.UTF-8 UTF-8`, `de_DE ISO-8859-1` and `de_DE@euro ISO-8859-15`
locale-gen

# Set password for root
passwd

# Add real user
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME
# If you want to use sudo, you need to uncomment `%wheel ALL=(ALL) ALL` in /etc/sudoers

# Configure mkinitcpio with modules needed for the initrd image
nano /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Add keymap after keyboard but before filesystems
# MODULES=(ext4)
# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

# Regenerate initrd image
mkinitcpio -p linux

# Setup grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck
# Even if it shows an error that efibootmgr failed to register the boot entry it still works
nano /etc/default/grub
# Change GRUB_CMDLINE_LINUX to: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"
grub-mkconfig -o /boot/grub/grub.cfg
mkdir /boot/efi/EFI/boot
cp /boot/efi/EFI/arch_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi
# If you reboot and Arch is not booting there is a good chance that you have Legacy mode enabled
# Then reboot, get in the UEFI boot menu and disable Legacy Mode, sometimes it's hard to find the setting but it's somewhere, startpage.com is your friend ;-)

# Exit new system and go into the cd shell
exit

# Unmount all partitions
umount -R /mnt
swapoff -a

# Reboot into the new system, don't forget to remove the cd/usb
reboot

# Processor manufacturers release stability and security updates to the processor microcode.
# These updates provide bug fixes that can be critical to the stability
# of your system. Without them, you may experience spurious crashes or
# unexpected system halts that can be difficult to track down.
# --> see: https://wiki.archlinux.org/index.php/Microcode
# For AMD processors use
pacman -Sy amd-ucode
# For Intel
pacman -Sy intel-ucode
# Then configure grub
grub-mkconfig -o /boot/grub/grub.cfg
	# Install ARCH Linux with encrypted file-system and UEFI
	# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
	# Based on https://gist.github.com/mattiaslundberg/8620837
	# And based on https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger

	# Download the archiso image from https://www.archlinux.org/

	# Verfiy it (also download the .sig file to verify it)
	gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
	# or if you have already arch installed
	pacman-key -v archlinux-version-x86_64.iso.sig

	# Copy to a usb-drive
	sudo dd if=archlinux.img of=/dev/sdX bs=1M && sudo sync # on linux

	# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

	# Set german keymap
	loadkeys de-latin1

	# This assumes a wifi only system...
	wifi-menu

	# List your partitions
	lsblk

	# (Optional) If you want to prevent recovery of previously stored data you need to wipe your disk first.
	# Because encryption only use individual sectors on demand and does not encrypt the whole disk.
	cat /dev/zero > /etc/sdX
	# Or if you even want to hide how much storage you are using use the following. However, this takes significantly longer.
	cat /dev/urandom > /etc/sdX

	# If you already installed arch with the same setup on the computer there may be still files in /mnt/boot if you did not wipe your disk
	# In this case run at least cat /dev/urandom > /etc/sdX1 and /dev/urandom > /etc/sdX2

	# Create partitions
	cgdisk /dev/sdX
	1 100MB EFI partition # Hex code ef00
	2 250MB Boot partition # Hex code 8300
	3 100% size partiton # (to be encrypted) Hex code 8300
	# press d to delete a partition, n to create a new partition
	# before creating a new partition select the free space partition type
	# for the first sector just press enter, then enter the size and unit e.g. for boot 250M press enter and then add a name to your partition
	# for the 100% just press enter when asked for size
	# if entered all three partitions press w to write it down and then quit with q

	mkfs.vfat -F32 /dev/sdX1
	mkfs.ext2 /dev/sdX2

	# Setup the encryption of the system
	cryptsetup --key-size 512 --hash sha512 --iter-time 5000 -y --use-random luksFormat /dev/sdX3
	cryptsetup luksOpen /dev/sdX3 luks

	# Create encrypted partitions
	# This creates one partions for root and home, modify if /tmp or other partitions should be on separate partitions
	pvcreate /dev/mapper/luks
	# a 30-50G root partition should be large enough. However if you play a lott with dockers make it bigger, e.g. 80G
	vgcreate vg0 /dev/mapper/luks
	lvcreate --size 8G vg0 --name swap
	lvcreate --size 50G vg0 --name root
	lvcreate -l +100%FREE vg0 --name home

	# Create filesystems on encrypted partitions
	mkfs.ext4 /dev/mapper/vg0-root
	mkfs.ext4 /dev/mapper/vg0-home
	mkswap /dev/mapper/vg0-swap

	# Mount the new system
	mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
	mkdir /mnt/home
	mount /dev/mapper/vg0-home /mnt/home
	swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
	mkdir /mnt/boot
	mount /dev/sdX2 /mnt/boot
	mkdir /mnt/boot/efi
	mount /dev/sdX1 /mnt/boot/efi

	# Edit the mirrorlist to speed up downloading, top ten should be servers near your current location
	nano /etc/pacman.d/mirrorlist
	# Delete one line with Ctrl+K

	# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
	pacstrap /mnt base base-devel linux linux-firmware lvm2 nano grub-efi-x86_64 git efibootmgr netctl dialog dhcpcd wpa_supplicant

	# 'install' fstab
	genfstab -pU /mnt >> /mnt/etc/fstab
	# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
	tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
	# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

	# Enter the new system
	arch-chroot /mnt /bin/bash

	# Setup system clock
	ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
	hwclock --systohc --utc

	# Set the hostname
	echo MYHOSTNAME > /etc/hostname

	# Set keymap
	echo KEYMAP=de-latin1 > /etc/vconsole.conf

	# Update locale
	echo LANG=en_US.UTF-8 >> /etc/locale.conf
	echo LANGUAGE=en_US >> /etc/locale.conf
	#echo LC_ALL=C >> /etc/locale.conf # not recommended, caused an unicode error in python for me

	# Update locales
	nano /etc/locale.gen
	# Uncomment `de_DE.UTF-8 UTF-8`, `de_DE ISO-8859-1` and `de_DE@euro ISO-8859-15`
	locale-gen

	# Set password for root
	passwd

	# Add real user
	useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
	passwd MYUSERNAME
	# If you want to use sudo, you need to uncomment `%wheel ALL=(ALL) ALL` in /etc/sudoers

	# Configure mkinitcpio with modules needed for the initrd image
	nano /etc/mkinitcpio.conf
	# Add 'ext4' to MODULES
	# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
	# Add keymap after keyboard but before filesystems
	# MODULES=(ext4)
	# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

	# Regenerate initrd image
	mkinitcpio -p linux

	# Setup grub
	grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck
	# Even if it shows an error that efibootmgr failed to register the boot entry it still works
	nano /etc/default/grub
	# Change GRUB_CMDLINE_LINUX to: GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"
	grub-mkconfig -o /boot/grub/grub.cfg
	mkdir /boot/efi/EFI/boot
	cp /boot/efi/EFI/arch_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi
	# If you reboot and Arch is not booting there is a good chance that you have Legacy mode enabled
	# Then reboot, get in the UEFI boot menu and disable Legacy Mode, sometimes it's hard to find the setting but it's somewhere, startpage.com is your friend ;-)

	# Exit new system and go into the cd shell
	exit

	# Unmount all partitions
	umount -R /mnt
	swapoff -a

	# Reboot into the new system, don't forget to remove the cd/usb
	reboot

	# Processor manufacturers release stability and security updates to the processor microcode.
	# These updates provide bug fixes that can be critical to the stability
	# of your system. Without them, you may experience spurious crashes or
	# unexpected system halts that can be difficult to track down.
	# --> see: https://wiki.archlinux.org/index.php/Microcode
	# For AMD processors use
	pacman -Sy amd-ucode
	# For Intel
	pacman -Sy intel-ucode
	# Then configure grub
	grub-mkconfig -o /boot/grub/grub.cfg