# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Download the archiso image from https://www.archlinux.org/
# Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set Swedish keymap
loadkeys sv-latin1
# This assumes a wifi only system...
wifi-menu
# Create partitions
cgdisk /dev/sdX
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partition # (to be encrypted) Hex code 8300
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
# Set up the encryption of the system
cryptsetup -c aes-xts-plain64 -y --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partition for root; modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Install the system; this also includes the packages needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired, they can be removed from the command
pacstrap /mnt base base-devel grub-efi-x86_64 zsh vim git efibootmgr dialog wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Set up system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf
# Set password for root
passwd
# Add a real user; remove the -s flag if you don't wish to use zsh
# useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
# passwd MYUSERNAME
# Configure mkinitcpio with the modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Regenerate initrd image
mkinitcpio -p linux
# Set up grub
grub-install
# In /etc/default/grub edit the line GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards" then run:
grub-mkconfig -o /boot/grub/grub.cfg
# Exit the new system and go back into the live cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
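An added sanity check, not part of the gist, for the two config edits above (the MODULES/HOOKS changes in mkinitcpio.conf and the GRUB_CMDLINE_LINUX line in /etc/default/grub): it verifies the hook order and the cryptdevice mapping before mkinitcpio and grub-mkconfig are run, using constructed sample files in place of the real ones.

```shell
#!/bin/sh
# Added example (not from the gist): check the initramfs and GRUB edits the
# gist makes, so a wrong hook order or missing cryptdevice is caught before
# the first reboot instead of at an unbootable prompt.

# Print the last active KEY=value assignment in a file without quotes or
# parentheses (handles both HOOKS=(...) and the older HOOKS="..." style).
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '()"'
}

# 0 if MODULES lists ext4, the root filesystem type the gist creates.
modules_ok() {
    for m in $(conf_value "$1" MODULES); do
        [ "$m" = ext4 ] && return 0
    done
    return 1
}

# 0 if HOOKS contains encrypt and lvm2 and both come before filesystems.
# Hooks run in order: later than filesystems, the LUKS container and vg0
# are not yet open when the initramfs tries to mount root.
hooks_ok() {
    pos=0; enc=0; lvm=0; fs=0
    for h in $(conf_value "$1" HOOKS); do
        pos=$((pos + 1))
        case "$h" in
            encrypt)     enc=$pos ;;
            lvm2)        lvm=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    if [ "$enc" -gt 0 ] && [ "$lvm" -gt 0 ] && [ "$fs" -gt 0 ] \
       && [ "$enc" -lt "$fs" ] && [ "$lvm" -lt "$fs" ]; then
        return 0
    fi
    return 1
}

# 0 if GRUB_CMDLINE_LINUX names a cryptdevice mapped as 'luks', the mapper
# name the gist opened the container with and built vg0 on.
grub_cmdline_ok() {
    case "$(conf_value "$1" GRUB_CMDLINE_LINUX)" in
        *cryptdevice=*:luks*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/mkinitcpio.conf and /etc/default/grub.
tmp=$(mktemp -d)
printf 'MODULES=(ext4)\nHOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)\n' > "$tmp/mkinitcpio.conf"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:luks:allow-discards"\n' > "$tmp/grub"
modules_ok "$tmp/mkinitcpio.conf" && hooks_ok "$tmp/mkinitcpio.conf" && grub_cmdline_ok "$tmp/grub" \
    && echo "config consistent: safe to run mkinitcpio -p linux and grub-mkconfig"
```

Point the three functions at the real /etc/mkinitcpio.conf and /etc/default/grub inside the chroot to check the actual edits.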
Thanks for writing this, it was very helpful.
Great work! 😎
Just some points to notice:
- Newer versions of GRUB have a new parameter to enable the crypted device to open, so we have to uncomment the line
GRUB_ENABLE_CRYPTODISK=y
- If you generated your fstab with UUIDs, you should do it also for your GRUB command line
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=<UUID_OF_THE_DEVICE>:cryptoluks root=/dev/mapper/volname-devicename quiet"
You can get the UUID of a disk using blkid on a given disk like
$ blkid /dev/sdb1
Hope this helps some that are in my case when I couldn't seem to make GRUB open the crypted device.
Hey, hey! Thanks for sharing.
There is definitely the shred your device part missing!
It's important since you want to
- Wipe old data on the device.
- Ensure not used/written parts are filled with junk.
https://wiki.archlinux.org/index.php/Securely_wipe_disk#Preparations_for_block_device_encryption
This is a nice step by step gist. Thank you very much!
A few notes / remarks:
- In line 62 change ln -s to ln -sf because /etc/localtime already exists.
- In lines 76-78 you optionally add a user that's in the "wheel" group. However, that user won't be allowed to use sudo until they're added in the sudoers file. I suggest to add a line to run visudo and uncomment the line %wheel ALL=(ALL) ALL in the sudoers file.
grub-mkconfig does nothing but hangs... what can i do. there is no terminal output or anything
The issue of grub-mkconfig hanging is discussed and resolved in https://bbs.archlinux.org/viewtopic.php?id=242594. In summary:
mkdir /mnt/hostlvm
mount --bind /run/lvm /mnt/hostlvm
arch-chroot /mnt
ln -s /hostlvm /run/lvm
After 8 hours trying to replicate an old setup I had with disk encryption, your post just saved me life. I can't thank you enough.
Just in case this is useful to someone: I had to move /boot/efi/EFI/arch/grubx64.efi to /boot/efi/EFI/boot/bootx64.efi on my Dell Latitude. Otherwise I got the "no bootable medium found" error. Found this in the German Arch Wiki (https://wiki.archlinux.de/title/UEFI_Installation#GRUB) in the last note.
@duesee YES! Thank you. I needed that for my 2015 MacBook Pro to recognize my external Arch installation.
Read that they changed how the base package is shipped. Seems like it is a group now? How does this affect the installation? Appears to be a more minimal approach missing some extra packages.
Hey! linux and linux-firmware need to be added in the pacstrap command now :)
Thanks for that gist, I've been using it for all my Arch installs for over a year now!
@JPenuchot I second this. Also, you may need mkinitcpio and lvm2.
I've written an updated and slightly more detailed version of this, if anyone is interested:
The key differences are that I use systemd-boot instead of GRUB, don't use any additional partitions and set it up as an Arch/Windows Dual Boot.
Thanks!
@jadeaffenjaeger I know it's been a while but would you like to elaborate on why you did LVM when you only had one partition?
No strong reason, and could certainly be done without. I added LVM because I find that it makes resizing things easier if needed somewhere down the line and isn't a lot of extra effort.
Thank you for the answer! Makes sense!
Touching on one thing someone pointed out. Yes, you need to add linux and linux-firmware to your pacstrap line. Although, firmware can technically be added once in chroot. To clarify, base is now a meta package and base-devel is a group.
And to reiterate what some others have said. This is a good guide, but I highly recommend that you also refer to the wiki as you go and make sure you know why you are taking these particular steps. Remember: If you end up with a working system, but you don't understand how you got there, you didn't really install Arch. You just followed some directions. The essence of Arch is building your system your way and that requires understanding why you made certain decisions (GRUB vs SystemD, LVM or not, fstrim settings for SSDs, etc.)
This is a perfect guide. However, if anybody is using these instructions to install and configure GRUB, and also has Windows or another system on another drive, and does not wanna break their boot manager, make sure to instead install just grub, and as said on the Arch wiki, run grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB /dev/sd<THE DRIVE YOU JUST INSTALLED ARCH ON>.
What if you add the status=progress option to dd at line 6? I believe it would be helpful to see the progress of dd.
Wi-Fi connection steps need updating: wifi-menu is no more.
Thank you so much for this!