Arch Linux with Whole Disk Encryption

For some reason, it brings me great joy to reinstall fresh Linuxes on my non-Mac systems. I do that a lot. While my servers usually run Debian, my personal computers almost exclusively run Arch. Arch Linux is bleeding edge, rolling release and just awesome in general. The Arch Way requires you to do it all on your own, with the help of online resources to guide you along the way.

Having said that, this guide will lead you through the installation of Arch Linux. You will also encrypt your whole root volume so it’s safer in every day use. This kind of goes against the Arch Way because a step-by-step instruction makes it way too easy for you. Therefore, I suggest you follow all the links I provide as background information and really read up on the subject matter. If you have no interest in doing that, Arch is not for you. Please leave.

Needless to say, all of this can be done with the help of the wonderful Arch Linux wiki. It is a marvelous resource of Linux computing splendor. If you have a question, you will most likely find the answer there. I’m not kidding. It’s incredibly thorough.

General installation hints can be found at the Arch Wiki - Installation Guide and there’s also a wonderful Arch Wiki - Beginners’ guide.

Installation Media

Prepare an EFI USB drive with Arch Linux. If you need help creating such a contraption, go help yourself at Arch Wiki - USB flash installation media.

Booting into our installation environment

Boot it! This will be different on every system so it’s kind of pointless to make a generic guide for that. Make sure that your system is able to boot from USB. Bring up the boot menu. There should be shortcuts displayed during boot-up, if not, try hitting F12 or F8. Now launch the UEFI boot loader it finds on the installation media you created.

If this is successful, you should end up with a command prompt similar to this:

Arch Linux 4.2.2-1-ARCH (tty1)

archiso login: root (automatic login)
root@archiso ~ #

Locale

Before we continue, we’re assuming a US keyboard layout for the installation. If you however wish to setup a different locale for this short part, you can do so!

Let’s edit /etc/locale.gen. Go through the file and uncomment the line representing your chosen locale.

$ nano /etc/locale.gen

We shall generate the locale!

$ locale-gen

Now that we’re done with that, we just need to set the locale.

$ localectl set-locale LANG=en_US.UTF-8

You can read more on this here: Arch Wiki - Locale.

Partitioning

It is time to partition your drive. Like, the one your old stuff is on. I can’t stress this enough. This guide assumes you only want Arch Linux on your system and will most likely erase everything else you have. You will have to carefully adapt the workflows in here in order to install Arch Linux elsewhere and/or alongside other OSes. If you have old data you need, back it up!

We want to be modern and use GPT, so we’re using gdisk for partitioning:

$ gdisk /dev/sda

gdisk is fun, if you want more information on what it does, type ? and [ENTER].

We’re going for the most simple setup here. We want an EFI boot partition and put all the rest in an LVM partition that will be encrypted. I will assume an EFI partition of 512 MiB in size with the second partition filling the rest of it. I will also assume you want to do all this on the first internal drive there is, this should be /dev/sda.

Here’s a fun list of steps:

  • Hit p and [ENTER] to print all your current partitions. Does it look familiar, does it make sense? If so, good. We’re going to erase them all. THIS WILL DESTROY YOUR DATA ON THESE PARTITIONS!
  • Hit d and [ENTER] to delete partitions, and type in a number to delete it. Do this until all are gone.
  • Hit n and [ENTER] to create the EFI system partition now.
  • Hit [ENTER] again to confirm the default next partition, which is 1. We have no other.
  • Hit [ENTER] once more to confirm the default first sector.
  • Enter 512M and hit [ENTER] to set the size for our partition.
  • To make this an EFI system partition, enter EF00 and hit [ENTER].

Same procedure for our LVM partition.

  • n then [ENTER].
  • [ENTER], confirming the default.
  • [ENTER], confirming the default.
  • [ENTER], confirming the default of maximum size.
  • For type we’re using 8E00 and hit [ENTER].
  • To finalize our changes, hit w and [ENTER].
  • Confirm with y.

You can check what you just did with gdisk -l /dev/sda. It should still make sense. If it doesn’t make sense anymore, stop now.

Creating the encrypted container

Now we’ll create and mount our encrypted container on the partition we created. The wiki has more information on Arch Wiki - Disk Encryption.

Read what’s on your screen in the following steps carefully! You will also have to pick a passphrase for your encrypted volume.

$ cryptsetup -y luksFormat /dev/sda2
$ cryptsetup luksOpen /dev/sda2 lvm

Creating logical volumes and filesystems

Let’s create some filesystems. The EFI boot partition will be a FAT partition.

$ mkfs.vfat /dev/sda1

Now we’ll do some logical volumes inside the encrypted container we just made. I picked 16GB for the swap partition, you can decide differently. Make sure not to mix up upper and lower case here.

$ pvcreate /dev/mapper/lvm
$ vgcreate vg /dev/mapper/lvm
$ lvcreate --name cryptswap -L 16GB vg
$ lvcreate --name cryptroot -l 100%FREE vg

Let’s make a swap partition and an ext4 partition for the rest.

$ mkswap /dev/mapper/vg-cryptswap
$ swapon /dev/mapper/vg-cryptswap
$ mkfs.ext4 /dev/mapper/vg-cryptroot

Mount what we have

And mount it all.

$ mount /dev/mapper/vg-cryptroot /mnt
$ mkdir /mnt/boot
$ mount /dev/sda1 /mnt/boot

Finally, the installation

We’ll do a default Arch Linux installation on our new system now. If you need a wireless network connection supported by the current Linux kernel, you can simply connect to one with:

$ wifi-menu

Remember that if you’re connected via Ethernet, you most likely already have networking running. Try pinging something on the Internet with ping.

If you rely on wireless networking, make sure to include necessary packages. The wifi-menu that just worked so flawlessly will otherwise not be there when you reboot. There is help for you at Arch Wiki - Wireless network configuration.

$ pacstrap -i /mnt base base-devel
$ genfstab -U -p /mnt >> /mnt/etc/fstab

Hooray! Let’s chroot into our new system.

$ arch-chroot /mnt /bin/bash

We’re at that point again where we want to setup our system-wide locale(s). As before, we’re going to edit /etc/locale.gen. Go through the file and uncomment the locales you want.

$ nano /etc/locale.gen

Locales, but now persistently

We’re generating the locales again:

$ locale-gen

We could use the wonderful new localectl to set our locale but since we’re chrooted, we have no DBus and thus it doesn’t work. Bummer.

Let’s do it the old way (put your locale after LANG= accordingly):

$ echo LANG=en_US.UTF-8 > /etc/locale.conf
$ export LANG=en_US.UTF-8

Once again, you can read more on this here on the Arch Wiki - Locale.

Time zones

I expect systems to be running UTC, because time zones are bad inventions of humankind. You can pick a default timezone that suits you better of course. There’s lots to choose from in /usr/share/zoneinfo/, just have a look around.

$ ln -s /usr/share/zoneinfo/UTC /etc/localtime
$ hwclock --systohc --utc

Root password

Set your root password:

$ passwd

Do I need to say it? Make at least one non-privileged user to work in. More on this at Arch Wiki - Users and Groups and Arch Wiki - Sudo.

Host name

And a fun hostname:

$ echo "funhostname" > /etc/hostname

Boot manager

systemd comes with its own boot manager by default, which is based on gummiboot. We don’t need to install it ourselves anymore, it’s just there. For our configuration, it works perfectly.

All you do is:

$ bootctl install

For more information on systemd-boot, refer to the Arch Wiki - systemd-boot.

We need to find the UUID of /dev/sda2, which is the partition hosting our encrypted container. That is, if you followed the guide. If you made modifications, partitioned things differently, you need to adapt this to your specifications.

Just like gummiboot did before, systemd-boot has its boot loader entries at /boot/loader/entries and that’s where we’re going to put our arch.conf.

First, we’ll use blkid to filter out our UUID and put it in the arch.conf we want:

$ blkid -s UUID -o value /dev/sda2 > /boot/loader/entries/arch.conf

We should edit the boot entry now. Make sure the UUID wanders in place of putUUIDhere.

title       Arch Linux
linux       /vmlinuz-linux
initrd      /initramfs-linux.img
options     cryptdevice=UUID=putUUIDhere:lvm resume=/dev/mapper/vg-cryptswap root=/dev/mapper/vg-cryptroot quiet rw

Now we should update our systemd-boot:

$ bootctl update

In order to boot with the necessary kernel modules loaded for decrypting our fancy container, edit the mkinitcpio.conf:

$ nano /etc/mkinitcpio.conf

Find the line starting with HOOKS and edit it as follows:

HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"

Have mkinitcpio create its ramdisk environment again:

$ mkinitcpio -p linux

Done

And that’s it! Reboot.

$ exit
$ umount /mnt/boot
$ umount /mnt
$ shutdown -r now

This should be all. Enjoy your new encrypted system.

Note: Once you’re done, the /boot partition will still not be encrypted. There are ways around this, please consult the Arch Wiki - dm-crypt/Specialties Securing the unencrypted boot partition. If you go this far, also consider how you could make your system tamper-evident—this means once you notice a tamper event, you can toss the whole computer.