arch linux encrypted installation

Step by step installation of Arch Linux on my Dell Inspiron with the following hardware:

  • 11th Gen Intel Core i5-1135G7 @ 2.40GHz x8 (Tiger Lake)
  • 15.4GB DDR4 Memory
  • Mesa Intel Xe Graphics (TGL GT2)
  • 1TB SSD (replaced the 250GB nvme drive)

My complete lspci output is:

00:00.0 Host bridge: Intel Corporation 11th Gen Core Processor Host Bridge/DRAM Registers (rev 01)
00:02.0 VGA compatible controller: Intel Corporation UHD Graphics (rev 01)
00:04.0 Signal processing controller: Intel Corporation Device 9a03 (rev 01)
00:0a.0 Signal processing controller: Intel Corporation Device 9a0d (rev 01)
00:14.0 USB controller: Intel Corporation Tiger Lake-LP USB 3.2 Gen 2x1 xHCI Host Controller (rev 20)
00:14.2 RAM memory: Intel Corporation Tiger Lake-LP Shared SRAM (rev 20)
00:15.0 Serial bus controller [0c80]: Intel Corporation Tiger Lake-LP Serial IO I2C Controller #0 (rev 20)
00:15.1 Serial bus controller [0c80]: Intel Corporation Tiger Lake-LP Serial IO I2C Controller #1 (rev 20)
00:16.0 Communication controller: Intel Corporation Tiger Lake-LP Management Engine Interface (rev 20)
00:17.0 SATA controller: Intel Corporation Device a0d3 (rev 20)
00:1d.0 PCI bridge: Intel Corporation Tiger Lake-LP PCI Express Root Port #9 (rev 20)
00:1d.1 PCI bridge: Intel Corporation Device a0b1 (rev 20)
00:1f.0 ISA bridge: Intel Corporation Tiger Lake-LP LPC Controller (rev 20)
00:1f.3 Multimedia audio controller: Intel Corporation Tiger Lake-LP Smart Sound Technology Audio Controller (rev 20)
00:1f.4 SMBus: Intel Corporation Tiger Lake-LP SMBus Controller (rev 20)
00:1f.5 Serial bus controller [0c80]: Intel Corporation Tiger Lake-LP SPI Controller (rev 20)
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 15)
02:00.0 Network controller: Qualcomm Atheros QCA9377 802.11ac Wireless Network Adapter (rev 31)

#1 Download Arch Linux and write it to a USB drive – https://www.archlinux.org

#2 Boot Arch Live – there are too many variables to tell you how your system launches the boot menu – check DuckDuckGo or StartPage.com to learn more about your computer. On my Dell Inspiron I have to press F12 at boot to get a menu of devices. Your mileage may vary.

#3 Connect to the internet – If you’re on a wired connection, this is usually automatic (assuming your hardware is supported). For wireless, I used the iwctl utility, which is simple and fairly intuitive. As of mid-2020, it seems like the old wifi-menu utility was no longer included.

#4 Create your partitions and set up your encryption – For this installation, I chose to have two partitions on my 1TB SSD. One for the boot files (/dev/sda1) and one for the encrypted system and user files (/dev/sda2). I used cfdisk, but you can do the same with cgdisk or fdisk. /dev/sda1 gets 512M of space, while /dev/sda2 gets all the rest.

Now let’s set up the encryption (note that anything preceded with # is a comment of mine and not something to type):

# Encrypt the partition.  You will be prompted to accept the changes by typing 'YES', and to enter a unique passphrase.  DO NOT FORGET THIS PASSPHRASE.

cryptsetup -y -v --use-random luksFormat /dev/sda2

# Now let's unlock (decrypt) the partition so that we can format it and install the operating system and applications.

cryptsetup luksOpen /dev/sda2 crypt

# We need to create our logical volume management infrastructure, so let's create some root and swap volumes.

pvcreate /dev/mapper/crypt
vgcreate vg0 /dev/mapper/crypt
lvcreate --size 8G vg0 --name swap
lvcreate -l 100%FREE vg0 -n root

# Format your root, boot, and swap partitions

mkfs.vfat -F32 /dev/sda1
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap

#5 Mount the partitions

# Mount the root partition first

mount /dev/mapper/vg0-root /mnt

# Now create a directory for the boot partition and mount it

mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

#6 Install the base system and enter it for next steps

# We need to have at least the following packages in order to have a usable basic installation, though one or two are my personal preference
# If you are using an Intel processor like I am, then use the below as is.  If AMD, then substitute "intel-ucode" with "amd-ucode"
# Also, if you have a Tiger Lake based system, then you will likely need to install the "sof-firmware" package as listed below in order to have audio working, otherwise omit it.

pacstrap /mnt base base-devel neovim efibootmgr linux linux-firmware lvm2 mkinitcpio networkmanager intel-ucode git efitools wget python sof-firmware dialog wpa_supplicant

# /etc/fstab is a file that tells the system which disks/partitions to mount and where to do so, so we'll generate one and save it on the new system
# Note that at least once in the past I saw an error that the path doesn't exist, so if that happens then just do a quick mkdir /mnt/etc/ prior to running the below commands again

genfstab -U /mnt >> /mnt/etc/fstab

# Now let's enter the new system.  All commands after this one (well, almost) will be done entirely within your new Arch Linux installation

arch-chroot /mnt

#7 Configure the rest of the system

# Set up your timezone for the clock.  Available options are in the /usr/share/zoneinfo/<country/region> folder.  Since I am in the upper-midwest of the US, here is what I did:

ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
hwclock --systohc

# We need to set the system locale so that all times, dates, currency, etc. are represented in a manner that is appropriate for your location.
# In this case, I am using en_US.UTF-8 which basically means US English, encoded in UTF-8, so I open the file below and go to the line that says '#en_US.UTF-8' and remove the '#'.  Close the file.

nvim /etc/locale.gen

# Generate the locale so the system can use it

locale-gen

# Set my locale information

echo LANG=en_US.UTF-8 > /etc/locale.conf

# Choose and set a hostname.  Back when I was in IT, we used themes for all the hostnames on a network.  For example, we might have a couple of racks of systems that are all named after characters from a popular movie or cartoon.

echo hostname_I_chose > /etc/hostname

#8 Set up the root password and the user account

# Set the root password.  It will prompt you to enter it twice to make sure you didn't typo

passwd

# Create a user and assign it to the right groups.  Replace myusername with whatever you want to use.  Then assign it a unique password.  DO NOT MAKE THE USER AND ROOT PASSWORDS THE SAME.

useradd -m -G wheel,audio,video myusername
passwd myusername

#9 Set up the system to be able to boot without the USB drive

# Edit the mkinitcpio.conf file to make sure that the boot image built can decrypt the partition
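# Make sure that the HOOKS section looks like this (lvm2 has to come after encrypt so that the vg0 volumes can be found once the partition is unlocked)
# HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck)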
# Now make sure that the MODULES section contains ext4 and i915

nvim /etc/mkinitcpio.conf

# Generate the boot image
mkinitcpio -p linux

# Install systemd-boot

bootctl --esp-path=/boot install

# Create the loader.conf file

echo 'default arch' >> /boot/loader/loader.conf
echo 'timeout 5' >> /boot/loader/loader.conf

# Create arch.conf with nvim /boot/loader/entries/arch.conf
# First, you need to get the UUID of the encrypted device (/dev/sda2).  Use the 'blkid' command and write down the hexadecimal value for UUID.  In my case, it was a71d3236-b817-4314-9601-17318aefea65
# Add the following entries (substituting your own UUID)

title Arch Linux
linux /vmlinuz-linux
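# Substitute amd-ucode.img in the next line if you're on AMD (keep comments on their own line; only lines that start with # are treated as comments in this file)
initrd /intel-ucode.img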
initrd /initramfs-linux.img
options	cryptdevice=UUID=a71d3236-b817-4314-9601-17318aefea65:crypt root=/dev/mapper/vg0-root rw

# Verify the boot options

bootctl status
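
An added example, not part of the original post: a small pre-reboot check for the LVM-on-LUKS layout built in steps 4 and 9. It confirms that the HOOKS line orders keyboard, block, encrypt, lvm2 and filesystems so the initramfs can unlock the partition and find the root volume, and that the loader entry points at the expected LUKS UUID. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Pre-reboot checks for LVM on LUKS with systemd-boot (added example; function names are hypothetical).

# Print the hooks inside the active (uncommented) HOOKS=(...) line of a mkinitcpio.conf.
hooks_of() { sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1; }

# Print the 1-based position of hook $1 in list $2, or 0 if it is absent.
hook_pos() {
    want=$1; i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then echo "$i"; return; fi
    done
    echo 0
}

# The initramfs must read the passphrase, open LUKS, then activate LVM:
# keyboard and block before encrypt, encrypt before lvm2, lvm2 before filesystems.
hooks_ok() {
    list=$(hooks_of "$1")
    k=$(hook_pos keyboard "$list"); b=$(hook_pos block "$list")
    e=$(hook_pos encrypt "$list"); l=$(hook_pos lvm2 "$list")
    f=$(hook_pos filesystems "$list")
    [ "$k" -gt 0 ] && [ "$b" -gt 0 ] && [ "$k" -lt "$e" ] && [ "$b" -lt "$e" ] &&
        [ "$e" -lt "$l" ] && [ "$l" -lt "$f" ]
}

# Print the UUID from cryptdevice=UUID=<uuid>:<name> on the options line.
entry_uuid() {
    sed -n 's/^options[[:space:]].*cryptdevice=UUID=\([0-9A-Fa-f-]*\):.*/\1/p' "$1"
}

# Succeed if the entry unlocks the expected LUKS UUID, sets root=, and has no
# trailing "# ..." on a linux/initrd line (it would be read as part of the path).
entry_ok() {
    [ "$(entry_uuid "$1")" = "$2" ] || return 1
    grep -Eq '^options[[:space:]].*root=' "$1" || return 1
    ! grep -Eq '^(linux|initrd)[[:space:]].*#' "$1"
}

# Constructed sample files (not read from a real system) for an offline run.
demo() {
    d=$(mktemp -d) || return 1
    printf 'HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck)\n' > "$d/mk.conf"
    printf 'linux /vmlinuz-linux\ninitrd /initramfs-linux.img\noptions cryptdevice=UUID=00000000-0000-0000-0000-000000000000:crypt root=/dev/mapper/vg0-root rw\n' > "$d/arch.conf"
    hooks_ok "$d/mk.conf" && entry_ok "$d/arch.conf" 00000000-0000-0000-0000-000000000000
    rc=$?; rm -rf "$d"; return "$rc"
}
demo && echo "sample config passes"
```

Inside the chroot, the real check would be hooks_ok /etc/mkinitcpio.conf followed by entry_ok /boot/loader/entries/arch.conf "$(blkid -s UUID -o value /dev/sda2)".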

#10 Install any remaining packages and reboot into your new Arch Linux installation

This part is really up to you. Most people are going to opt for installing some kind of Desktop Environment (Gnome, Mate, KDE, etc.) or Window Manager (i3wm, bspwm, etc.)

A Desktop Environment gives a holistic experience with a low learning curve. If you’ve ever tried Ubuntu, then you’ve seen a customized version of Gnome.

A Window Manager is just that – it manages the open windows, their placement, shortcuts, etc., but allows you to set up all the other niceties such as a dock or panel, applets, or menus.

# For this example, we're going to install Gnome, a web browser (though it includes one by default, I prefer Firefox), and zsh (my preferred shell)

# First, update the packages information so the system knows what the latest/greatest available is

pacman -Sy

# Now install the Desktop Environment and applications

pacman -S gnome firefox xorg-xinit zsh

#11 Exit the system and reboot into your newly installed operating system and desktop environment

# Exit the system and unmount the partitions so that we can cleanly reboot

exit
umount -R /mnt

# Reboot the system (Don't forget to remove the USB drive when the system reboots, not before and not too late, so that it doesn't boot back into the USB again.)

reboot
