EZ Arch Encrypted Installation

Sep 1, 2018

1. Download the Arch ISO.
   • https://www.archlinux.org/download/

2. Find your disk. fdisk -l

3. Partition (zero out the drive first using dd / secure erase if you want to).
   • fdisk /dev/nvme1n1
   • n
   • 1
   • enter
   • +550M
   • n
   • 2
   • enter
   • enter
   • t
   • 1
   • 1
   • w
4. Encrypt. aes-xts should be the fastest if your CPU supports AES instructions. Most modern CPUs do. Also, Grub does not support LUKS2 yet so do not bother trying it.
   • cryptsetup benchmark
   • cryptsetup -v --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-urandom luksFormat /dev/nvme1n1p2
   • cryptsetup luksOpen /dev/nvme1n1p2 rootfs
5. Format.
   • mkfs.vfat -F32 /dev/nvme1n1p1
   • mkfs.ext4 /dev/mapper/rootfs
6. Mount.
   • mount /dev/mapper/rootfs /mnt
   • mkdir /mnt/boot
   • mount /dev/nvme1n1p1 /mnt/boot
7. Install.
   • pacstrap /mnt base base-devel
   • genfstab -U /mnt > /mnt/etc/fstab
   • arch-chroot /mnt bash
8. Grub.
   • pacman -S grub efibootmgr linux linux-firmware
   • Edit /etc/mkinitcpio.conf and add encrypt to the HOOKS field
   • mkinitcpio -p linux
   • Edit /etc/default/grub and uncomment GRUB_ENABLE_CRYPTODISK
   • Change GRUB_CMDLINE_LINUX to GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid>:rootfs"
   • Replace the UUID above with the encrypted partition UUID from blkid
   • grub-install --target=x86_64-efi --bootloader-id=arch --efi-directory=/boot --recheck
   • grub-mkconfig -o /boot/grub/grub.cfg
9. Swap. If you have tons of RAM this isn’t really necessary. Having a swap file instead of a partition makes things easier in case you need to remove the swap device or increase/decrease its size. It will also be encrypted since it’s located inside the LUKS partition.
   • dd if=/dev/zero of=/swap bs=1M count=2k
   • chmod 0600 /swap
   • mkswap /swap
   • swapon /swap
   • Edit /etc/fstab and add /swap none swap defaults 0 0
10. Time zone.
    • ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
11. Locale.
    • Edit /etc/locale.gen and uncomment your locale. Probably en_US.UTF-8.
    • locale-gen
    • Edit /etc/locale.conf and add LANG=en_US.UTF-8
12. Hostname.
    • Edit /etc/hostname and set it to what the machine should be called.
13. User.
    • useradd -m -g users -G wheel,storage,network,power,rfkill -s /bin/bash <username>
    • passwd <username>
    • passwd root
    • Edit /etc/sudoers and uncomment %wheel ALL=(ALL) ALL
14. Reboot.
    • exit
    • reboot

15. If you did everything correctly, you should see a Grub OS selection that will take you to a prompt to enter your password.

16. I’ll be installing GNOME, but you can choose anything you like.
    • sudo systemctl start dhcpcd.service
    • sudo pacman -S xorg xorg-server gnome gnome-extra
    • sudo systemctl enable NetworkManager.service
    • sudo systemctl enable gdm.service
    • reboot

That’s pretty much it. Check out my short guide about improving desktop responsiveness.

linux Related

• Linux 4G LTE Failover

  Aug 22, 2020

• Backing Up VM Images to Wasabi (or S3, B2, etc.)

  May 20, 2020

• Headless Fluxbox / TightVNC

  Apr 21, 2019

• Backup Disks Using Netcat

  Nov 3, 2018

• Benchmarking KVM/ZFS on Ubuntu 18.04 (raidz2)

  Oct 29, 2018

• Hiding Symbols in ELF Binaries

  Jul 4, 2018

• LVM SSD Caching

  Nov 23, 2017

Comments