EZ Arch Encrypted Installation
Sep 1, 2018
  1. Download the Arch ISO.
  2. Find your disk. fdisk -l

  3. Partition (zero out the drive first using dd / secure erase if you want to).
    • fdisk /dev/nvme1n1
    • n
    • 1
    • enter
    • +550M
    • n
    • 2
    • enter
    • enter
    • t
    • 1
    • 1
    • w
  4. Encrypt. aes-xts should be the fastest if your CPU supports AES instructions. Most modern CPUs do. Also, Grub does not support LUKS2 yet so do not bother trying it.
    • cryptsetup benchmark
    • cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat /dev/nvme1n1p2
    • cryptsetup luksOpen /dev/nvme1n1p2 rootfs
  5. Format.
    • mkfs.vfat -F32 /dev/nvme1n1p1
    • mkfs.ext4 /dev/mapper/rootfs
  6. Mount.
    • mount /dev/mapper/rootfs /mnt
    • mkdir /mnt/boot
    • mount /dev/nvme1n1p1 /mnt/boot
  7. Install.
    • pacstrap /mnt base base-devel
    • genfstab -U /mnt > /mnt/etc/fstab
    • arch-chroot /mnt bash
  8. Grub.
    • pacman -S grub efibootmgr linux linux-firmware
    • Edit /etc/mkinitcpio.conf and add encrypt to the HOOKS field
    • mkinitcpio -p linux
    • Edit /etc/default/grub and uncomment GRUB_ENABLE_CRYPTODISK
    • Change GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid>:rootfs"
    • Replace the UUID above with the encrypted partition UUID from blkid
    • grub-install --target=x86_64-efi --bootloader-id=arch --efi-directory=/boot --recheck
    • grub-mkconfig -o /boot/grub/grub.cfg
  9. Swap. If you have tons of RAM this isn’t really necessary. Having a swap file instead of a partition makes things easier in case you need to remove the swap device or increase/decrease its size. It will also be encrypted since it’s located inside the LUKS partition.
    • dd if=/dev/zero of=/swap bs=1M count=2k
    • chmod 0600 /swap
    • mkswap /swap
    • swapon /swap
    • Edit /etc/fstab and add /swap none swap defaults 0 0
  10. Time zone.
    • ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
  11. Locale.
    • Edit /etc/locale.gen and uncomment your locale. Probably en_US.UTF-8.
    • locale-gen
    • Edit /etc/locale.conf and add LANG=en_US.UTF-8
  12. Hostname.
    • Edit /etc/hostname and set it to what the machine should be called.
  13. User.
    • useradd -m -g users -G wheel,storage,network,power,rfkill -s /bin/bash <username>
    • passwd <username>
    • passwd root
    • Edit /etc/sudoers and uncomment %wheel ALL=(ALL) ALL
  14. Reboot.
    • exit
    • reboot
  15. If you did everything correctly, you should see a Grub OS selection that will take you to a prompt to enter your password.

  16. I’ll be installing GNOME, but you can choose anything you like.
    • sudo systemctl start dhcpcd.service
    • sudo pacman -S xorg xorg-server gnome gnome-extra
    • sudo systemctl enable NetworkManager.service
    • sudo systemctl enable gdm.service
    • reboot

That’s pretty much it. Check out my short guide about improving desktop responsiveness.
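
A pre-reboot check for steps 8 and 9, added here as an example and not part of the original guide. It confirms that encrypt comes before filesystems in HOOKS (the order mkinitcpio needs), that the cryptdevice UUID belongs to the LUKS partition rather than the mapped filesystem, and that /swap is mode 0600 with an fstab entry. The function names, the check.sh file name and the sample UUID are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original guide). Run before the reboot in step 14:
#   sh check.sh /mnt "$(blkid -s UUID -o value /dev/nvme1n1p2)"

hooks_ok() {        # encrypt must be listed in HOOKS, ahead of filesystems
    grep -Eq '^HOOKS=.*[ ("]encrypt .*filesystems' "$1"
}

cryptodisk_on() {   # the line must be uncommented
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1"
}

cmdline_uuid() {    # print the UUID from cryptdevice=UUID=<uuid>:rootfs
    sed -n 's/^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=\([0-9A-Fa-f-]*\):rootfs.*/\1/p' "$1"
}

swap_ok() {         # $1 = swap file, $2 = fstab
    case "$(ls -ld "$1")" in -rw-------*) ;; *) return 1 ;; esac
    grep -Eq '^/swap[[:space:]]+none[[:space:]]+swap[[:space:]]' "$2"
}

check_install() {   # $1 = install root, $2 = LUKS partition UUID from blkid
    rc=0
    [ -n "$2" ] || { echo "FAIL: no LUKS partition UUID given"; return 1; }
    hooks_ok "$1/etc/mkinitcpio.conf" || { echo "FAIL: encrypt hook missing or after filesystems"; rc=1; }
    cryptodisk_on "$1/etc/default/grub" || { echo "FAIL: GRUB_ENABLE_CRYPTODISK still commented"; rc=1; }
    [ "$(cmdline_uuid "$1/etc/default/grub")" = "$2" ] || { echo "FAIL: cryptdevice UUID is not the LUKS partition's"; rc=1; }
    swap_ok "$1/swap" "$1/etc/fstab" || { echo "FAIL: /swap is not mode 0600 or has no fstab entry"; rc=1; }
    return "$rc"
}

make_sample() {     # constructed sample tree for a dry run; the UUID is made up
    mkdir -p "$1/etc/default"
    echo 'HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)' > "$1/etc/mkinitcpio.conf"
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' \
        'GRUB_CMDLINE_LINUX="cryptdevice=UUID=11111111-2222-3333-4444-555555555555:rootfs"' > "$1/etc/default/grub"
    echo '/swap none swap defaults 0 0' > "$1/etc/fstab"
    : > "$1/swap"; chmod 0600 "$1/swap"
}

if [ $# -eq 2 ]; then check_install "$1" "$2"; fi
```

A UUID mismatch usually means the value was copied from /dev/mapper/rootfs instead of /dev/nvme1n1p2.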
