
How to install Arch Linux with full drive encryption

Base Setup

This tutorial was built using Arch Linux ISO 2022.12.01 image torrent

Boot using Arch Linux LiveUSB, then:

Connect to wifi

# Join the wifi network from the live ISO. "wlan0" and "$network_name" are placeholders: use your
# interface name (see `ip link`) and your SSID. iwctl prompts for the passphrase.
iwctl station wlan0 connect "$network_name"
# Enable and start (--now) systemd-networkd on the live system so the link gets an address via DHCP.
systemctl enable --now systemd-networkd
# Sanity check that routing and name resolution work before anything is downloaded.
ping archlinux.org

Partition disk

Find the disk you want to partition using lsblk, then:

# DESTRUCTIVE: the fdisk steps below delete every partition on this disk. Confirm that
# /dev/nvme1n1 is the intended drive with lsblk first; nothing is written until the final "w".
fdisk /dev/nvme1n1

Run these fdisk commands:

  1. p to print partitions
  2. d until all existing partitions are deleted
  3. g to create a GPT disklabel
  4. n to create a partition. This will be boot partition. Size it +384M.
  5. n to create encrypted partition. Use the rest of the disk.
  6. t to set the partition type of partition 1 (boot partition) to 1 (EFI System)
  7. w to write changes

Encrypt disk

Reference: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

# Encrypt partition and set password
# Formats p2 as a LUKS container. The passphrase chosen here is what unlocks the whole system at boot,
# so treat it like the root password. Everything below except the EFI partition (p1) lives inside it.
# NOTE(review): once the system is up, a copy of the LUKS header made with `cryptsetup luksHeaderBackup`
# and stored off this disk is the only way to recover the data if the header sectors get damaged.
cryptsetup luksFormat /dev/nvme1n1p2

# Open partition and config
# Unlock p2 as /dev/mapper/cryptlvm and build LVM on top of it ("LVM on LUKS", see the wiki link above).
cryptsetup open /dev/nvme1n1p2 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate CryptVolGroup /dev/mapper/cryptlvm

# Create logical volumes on encrypted volume. Replace 32G with how much RAM you have.
# Both LVs sit inside CryptVolGroup, i.e. inside the LUKS container, so swapped-out memory is never
# written to the disk in the clear.
lvcreate -L 32G CryptVolGroup -n swap
lvcreate -l 100%FREE CryptVolGroup -n root

# Make filesystems
mkfs.ext4 /dev/CryptVolGroup/root
mkswap /dev/CryptVolGroup/swap

Mount filesystem

# Mount the root LV as the install target (/mnt); the EFI partition is mounted underneath it in the next step.
mount /dev/CryptVolGroup/root /mnt
# Activate swap now so genfstab picks it up later.
swapon /dev/CryptVolGroup/swap

Setup boot partition

# EFI system partition (p1 from the fdisk step). It stays unencrypted because the firmware has to read
# it, so the kernel, initramfs and loader entries placed in /boot below are NOT covered by LUKS.
mkfs.fat -F32 /dev/nvme1n1p1
# --mkdir creates /mnt/boot before mounting.
mount --mkdir /dev/nvme1n1p1 /mnt/boot

Install base system

# Install the base system into /mnt. -K initialises a fresh pacman keyring in the target instead of
# copying the live ISO's keyring into the installed system.
pacstrap -K /mnt base linux linux-firmware

Base system config

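# Generate fstab using UUIDs (-U) so the entries do not depend on device naming order.
# The root directory is a separate argument: "-U/mnt" is not parsed as -U followed by /mnt.
genfstab -U /mnt >> /mnt/etc/fstab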

# Change root
# From here until the `exit` in the "Reboot!" section, every command runs inside the new installation,
# not on the live ISO.
arch-chroot /mnt

# Make sure intel-ucode and lvm2 are installed
# lvm2 provides the initramfs hook that activates CryptVolGroup at boot (see HOOKS below).
# iwd and systemd-resolvconf give the installed system wifi and DNS after the reboot.
# intel-ucode is Intel-specific; on an AMD CPU use amd-ucode and the matching initrd line in arch.conf.
pacman -Syu intel-ucode lvm2 iwd systemd-resolvconf

# Set up DHCP for when we reboot
# NOTE(review): this unit file only takes effect if systemd-networkd (and iwd, for the wifi link itself)
# is enabled in the installed system. The `systemctl enable --now systemd-networkd` at the top of the
# page ran on the live ISO, not inside this chroot, so enable them here before rebooting.
echo "[Match]
Name=wlan0

[Network]
DHCP=ipv4" > /etc/systemd/network/25-wireless.network

# Set timezone (replace America/Los_Angeles with your zone from /usr/share/zoneinfo)
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

# If dual booting with Windows, set linux to keep the hardware clock in localtime so the two systems
# don't keep fighting over the system time.
# NOTE(review): timedatectl talks to systemd over D-Bus, which is not running inside arch-chroot;
# if this command errors here, run it again after the first boot into the new system.
timedatectl set-local-rtc 1 --adjust-system-clock

# Uncomment & generate locale en_US.UTF
# The sed only strips the leading '#' from lines starting with "en_US.UTF"; the rest of locale.gen is untouched.
sed -Ei 's/^#(en_US\.UTF.+)/\1/' /etc/locale.gen
locale-gen

# Create locale.conf
# >> appends, so on a fresh install this normally creates the file.
echo "LANG=en_US.UTF-8" >> /etc/locale.conf

# Set root password
# Prompts interactively. Until users are added in the Extended Setup, root is the only login on this system.
passwd

# Install boot manager
# Installs systemd-boot into the EFI partition mounted at /boot; its loader.conf and the arch.conf
# entry are created in the sections below.
bootctl install

Config mkinitcpio

Edit /etc/mkinitcpio.conf to add encrypt and lvm2 to HOOKS:

# Order matters: "encrypt" must come before "lvm2" (unlock the LUKS container, then activate
# CryptVolGroup), and both before "filesystems".
# NOTE(review): the page does not regenerate the initramfs after this edit; run `mkinitcpio -P`
# before leaving the chroot so the new hooks actually end up in /boot/initramfs-linux.img.
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

Create boot loader

Edit /boot/loader/loader.conf:

default arch.conf

Get $UUID from the blkid command: it is the UUID of the LUKS partition itself (/dev/nvme1n1p2), not of the mapped cryptlvm device or the root logical volume. Create /boot/loader/entries/arch.conf:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID="$UUID":cryptlvm root=/dev/CryptVolGroup/root

Reboot!

# Exit chroot
# Returns to the live ISO shell.
exit

# Reboot into new system!
# Remove the USB stick when the machine restarts. With the encrypt hook in place, expect the LUKS
# passphrase prompt early in the boot, before the root LV is mounted.
reboot

Extended Setup

Add Users

# Create a login user with a home directory (-m). "$MYUSER" is a placeholder for the username.
useradd -m "$MYUSER"
passwd "$MYUSER" # set a password

Install sudo and add any desired users to wheel group

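# Install sudo and enable the wheel group rule.
# SECURITY: the line uncommented here is the NOPASSWD variant, so every wheel member gets root with
# no password prompt. If that is not wanted, uncomment the passworded "%wheel ALL=(ALL:ALL) ALL" line instead.
pacman -Syu sudo
sed -Ei 's/^# (%wheel .+ NOPASSWD.+)/\1/' /etc/sudoers
# sudoers was edited with sed rather than visudo, so nothing has checked its syntax yet, and a
# syntax error disables sudo entirely. -c parses the file and reports "parsed OK" or the error.
visudo -cf /etc/sudoers
usermod -aG wheel "$MYSUDOUSER"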

Install pikaur

# Build dependencies for AUR packages, then build pikaur itself as the unprivileged sudo user
# (makepkg refuses to run as root).
pacman -S --needed base-devel git
su "$MYSUDOUSER"
mkdir -p ~/code/python
cd ~/code/python
# This clones a user-maintained AUR package: read its PKGBUILD before building it.
git clone 'https://aur.archlinux.org/pikaur.git'
cd pikaur
# -f force rebuild, -s install missing deps, -r remove build deps afterwards, -i install the result (via sudo).
makepkg -fsri

Install gnome

# Enable parallel downloads
# Uncomments the ParallelDownloads line in pacman.conf; the sed leaves the rest of the file alone.
sudo sed -Ei 's/^#(ParallelDownloads.+)/\1/' /etc/pacman.conf

# Download gnome. Note: say yes to all defaults.
# --noconfirm answers every prompt automatically. For the gnome group this is just pacman's package
# selection, but the same flag on AUR packages also skips pikaur's PKGBUILD review.
pikaur -Syu --noconfirm gnome gnome-tweaks gnome-themes-extra

# Enable gdm
# enable without --now: the display manager starts on the next boot.
sudo systemctl enable gdm

# (optional) Disable annoying terminal bell sound, haven't found a way to do it in gnome-console settings
# Uncomments the bell-style line in the system-wide readline config.
sudo sed -Ei 's/^#(set bell-style .+)/\1/' /etc/inputrc

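# (optional) Hide any desired users from GDM login screen
# Abort if MYUSER is unset; otherwise the target path would be the directory itself.
: "${MYUSER:?set MYUSER to the account to hide first}"
# /var/lib/AccountsService/users/ is root-owned, so the write has to go through sudo. With a plain
# `echo ... > file` the redirect is opened by the login user's shell and fails with permission denied.
printf '[User]\nSystemAccount=true\n' | sudo tee "/var/lib/AccountsService/users/$MYUSER" > /dev/null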

Now reboot and you will boot into a GUI login screen.

Install goodies

# Install goodies
# SUPPLY CHAIN: --noconfirm skips every prompt, including the PKGBUILD/diff review pikaur offers for
# AUR packages. Anything in this list that is not in the official repos is built from a user-submitted
# build script that runs as your user; drop the flag or review the PKGBUILDs for those.
pikaur -Syu --noconfirm bash-completion bitwarden bitwarden-cli chromium \
    deluge-gtk easytag ffmpegthumbnailer firefox glow gnome-browser-connector \
    gnome-terminal gnome-themes-extra gst-libav gst-plugins-ugly keepassxc man \
    nmap phpstorm powerline powerline-vim pycharm-professional rsync rubygems \
    syncthing veracrypt vivaldi vivaldi-ffmpeg-codecs vlc

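# Ensure we can use veracrypt as non-wheel user
# SECURITY: this lets $MYUSER run /usr/bin/veracrypt as root with no password, which includes mounting
# arbitrary volumes. Keep the rule scoped to this one binary and the file root-owned.
# Abort if MYUSER is unset; the file name must also not contain '.' or sudo ignores the drop-in.
: "${MYUSER:?set MYUSER to the login user first}"
# /etc/sudoers.d is root-owned, so the append must go through sudo; a plain >> redirect is opened by
# the login user's shell and fails with permission denied.
printf '#veracrypt\n%s ALL=(root) NOPASSWD:/usr/bin/veracrypt\n\n' "$MYUSER" | sudo tee -a "/etc/sudoers.d/$MYUSER" > /dev/null
# sudo expects drop-in files to be root-owned, mode 0440, and skips ones it cannot parse.
sudo chmod 0440 "/etc/sudoers.d/$MYUSER"
sudo visudo -cf "/etc/sudoers.d/$MYUSER"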

# Set up powerline for bash and setup .bash_aliases
# The quoted 'EOF' delimiter keeps $PATH/$GEM_HOME and the $(ruby ...) substitution literal, so they
# are evaluated each time .bashrc is read rather than now. -a appends: running this twice adds the
# block twice.
tee -a ~/.bashrc <<'EOF'
# enable powerline
if [ -f /usr/share/powerline/bindings/bash/powerline.sh ]; then
    powerline-daemon -q
    POWERLINE_BASH_CONTINUATION=1
    POWERLINE_BASH_SELECT=1
    . /usr/share/powerline/bindings/bash/powerline.sh
fi

# parse aliases
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# set ruby local env
export GEM_HOME="$(ruby -e 'puts Gem.user_dir')"
export PATH="$PATH:$GEM_HOME/bin"
EOF

# Always show powerline in vim and turn on syntax highlighting
echo "set laststatus=2
syntax on" >> ~/.vimrc

# Add aliases
# Single quotes keep the inner double quotes literal; ~/.bash_aliases is sourced by the .bashrc block above.
echo 'alias g=git
alias ls="ls --color=auto --group-directories-first"
alias l="ls -lh"
alias ll="ls -lah"
' >> ~/.bash_aliases
