Encrypted Arch Installation Guide

What this guide assumes:

• You should have basic familiarity with the process of installing Arch manually (i.e. no install script); this is no hard requirement, but since this guide presents a fairly advanced setup process certain "common" or "basic" commands will not be explained in great detail, if at all. Always know and understand what you are doing.
• You plan to use a single drive for the Arch Linux installation
• The drive you are about to use contains data that will be deleted
• You double-checked that the drive is safe to wipe before you wipe
• You are fine with using GRUB as the bootloader
• You are fine with entering a password on bootup (to decrypt encrypted drives)
• You understand that there is virtually no chance to access your files on an encrypted drive if you forget or lose your password
• You understand that no device or file system encryption can be 100% fool-proof considering there are a myriad of factors at play (e.g. the threat level you are trying to protect yourself against, the safety practices you follow when handling encrypted data once it is decrypted, etc.)

This guide's goal:

• Set up encrypted Boot, Swap, and other paritions using dm-crypt
• Install Arch Linux

What I've done so far:

0. Optional: Establish a remote connection to the target machine via SSH^(Wiki):

It might be desirable to perform operations on the target machine via SSH from an already set up device in order to easily access this guide or other helpful documentation. The following steps assume physical access to the target machine.

1. On the target machine:
1. Follow the steps from Installation guide#Pre-installation up to and including connecting to the internet (setting the keyboard layout and font can be skipped)
2. Set a root password: # passwd
2. On the machine you want to use SSH from:
1. Assuming both machines are on the same local network: $ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@archiso.local
2. Otherwise: $ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@ip.address.of.target
1. Drive Preparation (Single drive solution)
1. Destroy GPT (General Partitioning Layout):
1. Indentify drive to be wiped with # lsblk
2. # gdisk /dev/sdX
3. Enter 'x' for 'Expert'
4. Enter 'z' for 'Zap'
5. 'Blank out MBR?' -> Enter 'y'
2. Wipe device^(Wiki):
1. Create a temporary encrypted container on the device to be encrypted: # cryptsetup open --type plain --key-file /dev/urandom --sector-size 4096 /dev/block-device to_be_wiped
2. Verify that it exists: # lsblk
3. Wipe the container with zeros: # dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
4. Close the temporary container: # cryptsetup close to_be_wiped
3. Preparing the partition layout^(Wiki):
0. # cgdisk /dev/sdX -> The warning / error message is to be expected since we previously destroyed the drives's GPT. 'Press any key to continue' -> '*'
1. BIOS boot partition:
1. 'New' -> Enter
2. 'Default sector' -> Enter
3. 'Size' -> 1024 KiB
4. 'Hexcode or GUID' -> 'EF02'
5. 'Enter new partition name' -> boot
2. EFI system partition:
1. 'New' -> Enter
2. 'Default sector' -> Enter
3. 'Size' -> 1024 MiB
4. 'Hexcode or GUID' -> 'EF00'
5. 'Enter new partition name' -> efi
3. LUKS partition (for Swap and other OS-related partitions):
1. 'New' -> Enter
2. 'Default sector' -> Enter
3. 'Size' -> X MiB
4. 'Hexcode or GUID' -> '8309'
5. 'Enter new partition name' -> linux
4. 'Write' -> Enter
5. 'Are you sure?' -> yes
6. 'Quit' -> Enter
7. LUKS encrypted container (on LUKS partition):
1. # cryptsetup luksFormat --pbkdf pbkdf2 /dev/sdXY
2. 'This will overwrite data on /dev/sdXY irrevocably. Are you sure?' -> YES
3. 'Enter passphrase for /dev/sdX:' -> SuperSecretPassphrase
4. 'Verify passphrase:' -> SuperSecretPassphrase
5. Verify current layout -> # gdisk -l /dev/sdX
6. Open the container -> # cryptsetup open /dev/sdXY cryptlinux
4. Preparing the logical volumes^{(Wiki, steps 1-5)(Wiki, steps 6-)}:
1. Create a physical volume on top of the opened LUKS container -> # pvcreate /dev/mapper/cryptlinux
2. Create a volume group (in this example named MyVolGroup, but it can be whatever you want) and add the previously created physical volume to it -> # vgcreate MyVolGroup /dev/mapper/cryptlinux
3. Create all your logical volumes on the volume group (the following are examples; create your logical volumes according to your own needs):
1. # lvcreate -L 14G -n swap MyVolGroup
2. # lvcreate -L 86G -n root MyVolGroup
3. # lvcreate -l 100%FREE -n assets MyVolGroup
4. If a logical volume will be formatted with Ext4, leave at least 256 MiB free space in the volume group to allow using e2scrub(8). After creating the last volume with '-l 100%FREE', this can be accomplished by reducing its size with # lvreduce -L -256M MyVolGroup/assets
5. Format your file systems on each logical volume. For example, using Ext4 for the root and home volumes:
1. # mkswap /dev/MyVolGroup/swap
2. # mkfs.ext4 /dev/MyVolGroup/root
3. # mkfs.ext4 /dev/MyVolGroup/assets
6. Format EFI system partition (boot partition may remain unformatted) -> # mkfs.fat -F 32 /dev/sdXY
7. For UEFI systems, create a mountpoint for the EFI system partition at /efi for compatibility with 'grub-install' and mount it -> # mount --mkdir /dev/sda2 /mnt/efi
2. Installation
1. Select the mirrors

For more information, see the official Arch Wiki installation guide section on selecting the mirrors. This step may be skipped or postponed as required or desired.

2. Install essential packages

Use the pacstrap(8) script to install the base package, Linux kernel and firmware for common hardware -> # pacstrap -K /mnt base linux linux-firmware base-devel lvm2 amd-ucode nano fastfetch

3. Configure the system
1. Fstab

Generate an fstab file -> # genfstab -U /mnt >> /mnt/etc/fstab

Check the resulting /mnt/etc/fstab file, and edit it in case of errors

2. Chroot

Change root into the new system -> # arch-chroot /mnt

3. Time

Set the time zone -> # ln -sf /usr/share/zoneinfo/Region/City /etc/localtime

Run hwclock(8) to generate /etc/adjtime -> # hwclock --systohc

To prevent clock drift and ensure accurate time, set up time synchronization, e.g. with systemd-timesyncd -> follow article to set up

4. Localisation

Edit /etc/locale.gen and uncomment needed UTF-8 locales.

Generate the locales by running -> # locale-gen

Create the locale.conf(5) file, and set the LANG variable accordingly -> echo LANG=en_GB.UTF-8 > /etc/locale.conf && export LANG=en_GB.UTF-8

5. Network configuration

Create the hostname file -> # echo yourhostname > /etc/hostname

Install dhcpcd -> pacman -S dhcpcd

Check available network cards -> # ip link

Enable dhcpcd on active network card -> # systemctl enable dhcpcd@enp0s1

Install networkmanager -> pacman -S networkmanager

Enable networkmanager -> systemctl enable NetworkManager.service

6. 32-bit support

Edit pacman configuration -> # nano /etc/pacman.conf

Press CTRL+W and type 'multilib' -> remove '#' sign before '[multilib]' and 'Include'

Press CTRL+X to exit -> Enter 'y' to confirm changes -> Press Enter to confirm file name

Fetch repositories -> pacman -Sy

7. Initramfs^(Wiki)
8. Configure GRUB^(Wiki)
9. Root password

Set a root password -> # passwd

10. Reboot

Exit the chroot environment -> # exit

Unmount all partitions -> # umount -R /mnt

Shut down machine -> poweroff

Remove installation device

Power on the device

???

Congratulations, minimal Arch installed!

Considerations

Encrypted Boot partition (using GRUB) + LVM on LUKS

Include step to set color and parallel downloads in /etc/pacman.conf