Encrypted Arch Install
Purpose
I write this quick setup guide just as a way to compile the steps somewhere for myself. I don’t mind it being published, but this is how I do it. Maybe I spice things up with the parameters when running cryptsetup, but this is a good base. I honestly haven’t had the opportunity to make sure that the guide doesn’t miss any steps and actually ends in a complete installation, but if my memory and wiki delving skills don’t fail me, it should be fine. Use it at your own risk though.
Pre stuff
loadkeys sv-latin1
timedatectl
iwctl
station wlan0 scan
station wlan0 get-networks
station wlan0 connect skynet
exit

Partition
I usually do:
/boot 1G - EFI
/root >40G - Linux Root
/home rest - Linux Home
Also, I like cfdisk better than fdisk. Old habit.
If I want to nuke the drive completely before I start, I do:
sudo dd if=/dev/urandom of=/dev/nvme0n1
Ctrl+C
That way we corrupt the drive and trigger cfdisk to create a new partition table.
cfdisk /dev/nvme0n1
Now I usually have:
/dev/nvme0n1p1 - 1G EFI
/dev/nvme0n1p2 - >40G - Linux Root
/dev/nvme0n1p3 - rest - Linux Home
Default luks is good enough.
Format and Encrypt
mkfs.fat -F32 /dev/nvme0n1p1

cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup luksFormat /dev/nvme0n1p3

cryptsetup luksOpen /dev/nvme0n1p2 root
cryptsetup luksOpen /dev/nvme0n1p3 home

mkfs.ext4 /dev/mapper/root
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/root /mnt

mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

mkdir /mnt/home
mount /dev/mapper/home /mnt/home

Install and chroot
pacstrap -K /mnt base base-devel neovim tmux linux linux-firmware grub efibootmgr networkmanager sudo
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt

Configure
ln -sf /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "KEYMAP=sv-latin1" > /etc/vconsole.conf # the sd-vconsole hook reads vconsole.conf
echo "hostname" > /etc/hostname
passwd
useradd tewa
passwd tewa
mkhomedir_helper tewa
EDITOR=nvim visudo # add myself
systemctl enable NetworkManager

mkinitcpio
nvim /etc/mkinitcpio.conf
HOOKS=(base systemd autodetect microcode modconf kms keyboard keymap sd-vconsole block sd-encrypt filesystems fsck)
mkinitcpio -P
lsblk -f | grep root >> /etc/fstab # now you have the UUID at the bottom of the file
lsblk -f | grep home >> /etc/fstab # now you have the UUID at the bottom of the file
nvim /etc/fstab
UUID=**ROOT UUID FROM BOTTOM OF FILE** / ext4 rw,relatime 0 1
UUID=**HOME UUID FROM BOTTOM OF FILE** /home ext4 rw,relatime 0 2

Crypt File and crypttab
dd bs=512 count=4 if=/dev/random iflag=fullblock | install -m 0600 /dev/stdin /etc/crypthome
cryptsetup luksAddKey /dev/nvme0n1p3 /etc/crypthome
cryptsetup luksRemoveKey /dev/nvme0n1p3 # enter the passphrase to remove; afterwards only the keyfile unlocks home

lsblk -f | grep nvme0n1p3 >> /etc/crypttab # now you have the UUID at the bottom of the file
nvim /etc/crypttab
home UUID=**UUID FROM BOTTOM OF FILE** /etc/crypthome
lsblk -f | grep nvme0n1p2 >> /etc/default/grub # now you have the UUID at the bottom of the file
nvim /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet rd.luks.name=**UUID FROM BOTTOM OF FILE**=root root=/dev/mapper/root"
Then install and make the config.
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=ARCH
grub-mkconfig -o /boot/grub/grub.cfg
Then reboot and pray. Haven’t had the chance to try this writeup out yet. Should work though.
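
Before the reboot, the three files edited above can be checked against each other; the usual failures are a LUKS container UUID ending up in fstab and a crypttab entry without the UUID= prefix. This is an added example, not part of the original guide; the function name check_crypt_config and its arguments are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: pre-reboot consistency check for crypttab, grub and fstab.
# Usage: check_crypt_config ROOT_DIR ROOT_LUKS_UUID HOME_LUKS_UUID
# The UUIDs are those of the LUKS containers (crypto_LUKS in lsblk -f),
# e.g. from: blkid -s UUID -o value /dev/nvme0n1p2
check_crypt_config() {
    root_dir=${1%/} root_uuid=$2 home_uuid=$3 rc=0
    crypttab=$root_dir/etc/crypttab
    grubcfg=$root_dir/etc/default/grub
    fstab=$root_dir/etc/fstab

    # crypttab must read: home UUID=<home container UUID> <keyfile>
    keyfile=$(awk -v u="UUID=$home_uuid" \
        '$1 == "home" && $2 == u { print $3 }' "$crypttab")
    if [ -z "$keyfile" ]; then
        echo "crypttab: no 'home UUID=$home_uuid <keyfile>' entry" >&2; rc=1
    elif [ ! -f "$root_dir$keyfile" ]; then
        echo "crypttab: keyfile $keyfile is missing" >&2; rc=1
    elif [ "$(stat -c %a "$root_dir$keyfile")" != 600 ]; then
        echo "keyfile $keyfile must be mode 0600" >&2; rc=1
    fi

    # The kernel command line must name the root container and mapper device.
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grubcfg" || true)
    case "$cmdline" in
        *"rd.luks.name=$root_uuid=root"*) ;;
        *) echo "grub: rd.luks.name=$root_uuid=root not set" >&2; rc=1 ;;
    esac
    case "$cmdline" in
        *"root=/dev/mapper/root"*) ;;
        *) echo "grub: root=/dev/mapper/root not set" >&2; rc=1 ;;
    esac

    # fstab mounts the filesystems inside the containers, so a container
    # UUID there means the wrong lsblk line was kept.
    for u in "$root_uuid" "$home_uuid"; do
        if grep -q "^UUID=$u[[:space:]]" "$fstab"; then
            echo "fstab: $u is a LUKS container UUID, not a filesystem" >&2; rc=1
        fi
    done
    return "$rc"
}

if [ "$#" -eq 3 ]; then
    check_crypt_config "$@"
fi
```

Inside the chroot, pass / as the first argument; from the live ISO, pass /mnt.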