Skip to content

How to install Arch Linux with full drive encryption

Published by JoeB on December 11, 2022

Base Setup

This tutorial was built using Arch Linux ISO 2022.12.01 image torrent

Boot using Arch Linux LiveUSB, then:

Connect to wifi

iwctl station wlan0 connect "$network_name"
systemctl enable --now systemd-networkd
ping archlinux.org

Partition disk

Find the disk you want to partition using lsblk, then:

fdisk /dev/nvme1n1

Run these fdisk commands:

  1. p to print partitions
  2. d until all existing partitions are deleted
  3. g to create a GPT disklabel
  4. n to create a partition. This will be boot partition. Size it +384M.
  5. n to create encrypted partition. Use the rest of the disk.
  6. t to set the parition type of partition 1 (boot partition) to 1 (EFI System)
  7. w to write changes

Encrypt disk

Reference: https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS

# Encrypt partition and set password
cryptsetup luksFormat /dev/nvme1n1p2

# Open partition and config
cryptsetup open /dev/nvme1n1p2 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate CryptVolGroup /dev/mapper/cryptlvm

# Create logical volumes on encrypted volume. Replace 32G with how much RAM you have.
lvcreate -L 32G CryptVolGroup -n swap
lvcreate -l 100%FREE CryptVolGroup -n root

# Make filesystems
mkfs.ext4 /dev/CryptVolGroup/root
mkswap /dev/CryptVolGroup/swap

Mount filesystem

mount /dev/CryptVolGroup/root /mnt
swapon /dev/CryptVolGroup/swap

Setup boot partition

mkfs.fat -F32 /dev/nvme1n1p1
mount --mkdir /dev/nvme1n1p1 /mnt/boot

Install base system

pacstrap -K /mnt base linux linux-firmware

Base system config

# Generate fstab
genfstab -U/mnt >> /mnt/etc/fstab

# Change root
arch-chroot /mnt

# Make sure intel-ucode and lvm2 are installed
pacman -Syu intel-ucode lvm2 iwd systemd-resolvconf

# Set up DHCP for when we reboot
echo "[Match]
Name=wlan0

[Network]
DHCP=ipv4" > /etc/systemd/network/25-wireless.network

# Set timezone
ln -sf /usr/share/zoneinfo/America/Los_Angeles /etc/localtime

# If dual booting with Windows, set linux to use localtime so that they don't keep fighting over setting the system time
timedatectl set-local-rtc 1 --adjust-system-clock

# Uncomment & generate locale en_US.UTF
sed -Ei 's/^#(en_US\.UTF.+)/\1/' /etc/locale.gen
locale-gen

# Create locale.conf
echo "LANG=en_US.UTF-8" >> /etc/locale.conf

# Set root password
passwd

# Install boot manager
bootctl install

Config mkinitcpio

Edit /etc/mkinitcpio.conf to add encrypt and lvm2 to HOOKS:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

Create boot loader

Edit /boot/loader/loader.conf:

default arch.conf

Get the $UUID from blkid command. Create /boot/loader/entries/arch.conf:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID="$UUID":cryptlvm root=/dev/CryptVolGroup/root

Reboot!

# Exit chroot
exit

# Reboot into new system!
reboot

Extended Setup

Add Users

useradd -m "$MYUSER"
passwd "$MYUSER" # set a password

Install sudo and add any desired users to wheel group

pacman -Syu sudo
sed -Ei 's/^# (%wheel .+ NOPASSWD.+)/\1/' /etc/sudoers
usermod -aG wheel "$MYSUDOUSER"

Install pikaur

pacman -S --needed base-devel git
su "$MYSUDOUSER"
mkdir -p ~/code/python
cd ~/code/python
git clone 'https://aur.archlinux.org/pikaur.git'
cd pikaur
makepkg -fsri

Install gnome

# Enable parallel downloads
sudo sed -Ei 's/^#(ParallelDownloads.+)/\1/' /etc/pacman.conf

# Download gnome. Note: say yes to all defaults.
pikaur -Syu --noconfirm gnome gnome-tweaks gnome-themes-extra

# Enable gdm
sudo systemctl enable gdm

# (optional) Disable annoying terminal bell sound, haven't found a way to do it in gnome-console settings
sudo sed -Ei 's/^#(set bell-style .+)/\1/' /etc/inputrc

# (optional) Hide any desired users from GDM login screen
echo "[User]
SystemAccount=true" > "/var/lib/AccountsService/users/$MYUSER"

Now reboot and you will boot into a GUI login screen.

Install goodies

pikaur -Syu --noconfirm bash-completion bitwarden bitwarden-cli chromium \
    deluge-gtk easytag ffmpegthumbnailer firefox glow gnome-browser-connector \
    gnome-terminal gnome-themes-extra gst-libav gst-plugins-ugly keepassxc man \
    nmap phpstorm powerline powerline-vim pycharm-professional rsync rubygems \
    syncthing veracrypt vivaldi vivaldi-ffmpeg-codecs vlc

# Ensure we can use veracrypt as non-wheel user
echo "#veracrypt
$MYUSER ALL=(root) NOPASSWD:/usr/bin/veracrypt
" >> "/etc/sudoers.d/$MYUSER"

# Set up powerline for bash and setup .bash_aliases
tee -a ~/.bashrc <<'EOF'
# enable powerline
if [ -f /usr/share/powerline/bindings/bash/powerline.sh ]; then
    powerline-daemon -q
    POWERLINE_BASH_CONTINUATION=1
    POWERLINE_BASH_SELECT=1
    . /usr/share/powerline/bindings/bash/powerline.sh
fi

# parse aliases
if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# set ruby local env
export GEM_HOME="$(ruby -e 'puts Gem.user_dir')"
export PATH="$PATH:$GEM_HOME/bin"
EOF

# Always show powerline in vim and turn on syntax highlighting
echo "set laststatus=2
syntax on" >> ~/.vimrc

# Add aliases
echo 'alias g=git
alias ls="ls --color=auto --group-directories-first"
alias l="ls -lh"
alias ll="ls -lah"
' >> ~/.bash_aliases
Published inDevelopmentTutorials