Arch Linux installation with some encryption

Here you can find not so profound notes on Arch Linux installation. It covers base system installation on LVM partitions with some storage encryption. Probably everything you can find here, you can also find on ArchWiki. If you are looking for more in-depth installation guide for Arch Linux, go here.

download image

Download the Arch Linux image and rip it to the bootable storage. For a USB flash drive, you might use dd tool. Example command:

$ dd if=archlinux.iso of=/dev/XXX bs=4M conv=fsync oflag=direct status=progress

Boot the image.

prepare storage

The following volume arrangment is proposed:

├─boot      256M
├─swap      16G
├─root      32G
└─home      remainder

Logical arangement:

Create two partitions x1 and x2 on device x using fdisk. Note that fdisk is limited in managment to 2TB stoage device for bigger we need to use for example parted

$ fdisk /dev/x

create LVM containers

Create physical volume

$ pvcreate /dev/x2

Create volume group named base using physical volume /dev/x2:

$ vgcreage base /dev/x2

Create three logical volumns on base for swap memory, root direcotry /, and home folder /home:

$ lvcreate -L 16G -n cswap base
$ lvcreate -L 32G -n croot base
$ lvcreate -l 100%FREE -n chome base

prepare core partitions


$ mkfs.fat -F32 /dev/x1
$ cryptsetup benchmark

encrypt root partition with passpharse

$ cryptsetup luksFormat /dev/base/croot

open encrypted

$ cryptsetup open /dev/base/croot root

create ext4 filesystem

$ mkfs.ext4  /dev/mapper/root

and mount

$ mount /dev/mapper/root /mnt

create mounting point for boot and mount it

$ mkdir -p /mnt/boot
$ mount /dev/x1 /mnt/boot

ship the Arch Linuxs operating system

right now we need are ready to ship OS

$ pacstrap /mnt base linux linux-firmware

generate fstab for root and boot

$ genfstab -U /mnt >> /mnt/etc/fstab

basic configuration of raw system

Let's go into our new system

$ arch-chroot /mnt

At this point we can configure basic system utilities

install base texteditor

$ pacman -S neovim
$ ln -sf /usr/share/zoneinfo/Region/City /etc/localtime

Synchronize your local system datetime from reference uisng ntp

$ timedatectr set-ntp true

synchronize systeam datetime with hardware RTC

$ hwclock --systohc

Select your desired locales

$ nvim /etc/locale.gen

for me it's

en_DK.UTF-8 UTF-8
en_US.UTF-8 UTF-8
pl_PL.UTF-8 UTF-8

generate locales

$ locale-gen

and set some vars LC_* at /etc/locale.conf


set vconsole keymap, for me it will be pl

$ echo "KEYMAP=pl" > /etc/vconsole.conf

set hostname of your OS

$ echo HOSTNAME > /etc/hostname

and and /etc/hosts

$ cat > /etc/hosts	localhost
::1		localhost

Set passpharse for root

$ passwd

and we are done with some basic configration of the system

set up the bootloader

right now we need to set up bootloader

modifi HOOKS at /etc/mkinitcpio.conf

HOOKS=(base *udev* autodetect *keyboard* *keymap* modconf block *lvm2* *encrypt* filesystems fsck)

and install lvm2 and create new initramfs

$ pacman -S lvm2
$ mkinitcpio -P

install microcodes (for intel or amd), GRUB and efibootmgr

$ pacman -S intel-ucode grub efibootmgr

and lets install bootloader

$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUBasek

modifi GRUB_CMDLINE_LINUX var in /etc/default/grub to enable decruption of the root partiotion

GRUB_CMDLINE_LINUX="cryptdevice=/dev/base/croot:root root=/dev/mapper/root"

create GRUB config

$ grub-mkconfig -o /boot/grub/grub.cfg

an your system should be bootable right now, but install

$ pacman -S networkmanager

and reboot and log as root into your fresh system

enable and start NetworkManager

$ systemctr enable NetworkManager.service
$ systemctr start NetworkManager.service

internet should be available (at least ethernet with DHCP)

fianl home and swap

final ting to do is deal with encrypting home and SWAP. System will be not fully encrypted since RAM is not ecrypted, but whatever at this point.

create entries for home and swap in /etc/crypttab

home /dev/base/chome /etc/luks-keys/home
swap /dev/base/cswap /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256

Create directory for luks keys

$ mkdir -m 700 /etc/luks-keys

Create random key for home

$ dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress

backup this key in the case of suddent failure of your storage device.

Create encrypted container encrypted with

$ cryptsetup luksFormat -v /dev/base/chome /etc/luks-keys/home

open and mount this container

$ cryptsetup -d /etc/luks-keys/home open /dev/MyVolGroup/crypthome home
$ mkfs.ext4 /dev/mapper/home
$ mount /dev/mapper/home /home

Add entries in /etc/fstab

/dev/mapper/home        /home   ext4        rw,relatime     0   2
/dev/mapper/swap        none    swap        defaults        0   0


And that's makes your system almose ready to use, reboot and check if everything works

additional packages installed during installation:

RAW system is ready to use