wimdupont.com

Source code for www.wimdupont.com
git clone git://git.wimdupont.com/wimdupont.com.git

Arch Linux encrypted installation.adoc (5148B)


      1 Installation steps with information taken from the https://wiki.archlinux.org/title/Installation_guide[official installation guide] to assist the process with encryption. Be aware
      2 that this guide may become outdated and/or contain bugs. Also, this guide only covers a specific installation, so no swapfile, only with EFI system partition, etc. 
      3 
      4 == Setup
      5 
      6 . https://archlinux.org/download[Download ISO file]
      7 
      8 . Verify signature
      9 +
     10 --
     11 [source,bash]
     12 ----
     13 $ gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
     14 ----
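     15 Confirm that the key fingerprint gpg reports matches the one published on the download page. Alternatively, from an existing Arch installation: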
     16 [source,bash]
     17 ----
     18 $ pacman-key -v archlinux-version-x86_64.iso.sig
     19 ----
     20 --
     21 . Prepare USB flash drive
     22 +
     23 --
     24 [source,bash]
     25 ----
     26 $ dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/x conv=fsync oflag=direct status=progress
     27 ----
     28 --
     29 
     30 . Boot from the USB drive (UEFI)
     31 
     32 == Installation
     33 
     34 . Verify boot mode
     35 +
     36 --
     37 [source,bash]
     38 ----
     39 $ ls /sys/firmware/efi/efivars
     40 ----
     41 If the command lists the directory without error, the system booted in UEFI mode.
     42 --
     43 . Connect to the internet
     44 +
     45 --
     46 [source,bash]
     47 ----
     48 $ ip link
     49 $ ping archlinux.org
     50 ----
     51 --
     52 . Update the system clock
     53 +
     54 --
     55 [source,bash]
     56 ----
     57 $ timedatectl status
     58 ----
     59 --
     60 . Partition the disks
     61 +
     62 --
     63 [source,bash]
     64 ----
     65 $ fdisk -l
     66 # or
     67 $ lsblk
     68 $ fdisk /dev/the_disk_to_be_partitioned
     69 ----
     70 --
     71 .. Delete all existing partitions
     72 .. Create 2 new primary partitions on main disk
     73 .. Accept the defaults, except for the end of the first partition, where you type: +600M
     74 .. Optional: secure erase:
     75 +
     76 --
     77 [source,bash]
     78 ----
     79 $ dd if=/dev/urandom of=/dev/sdX# bs=4096 status=progress
     80 ----
     81 --
     82 . Encrypt main partition (and others if multiple disks)
     83 +
     84 --
     85 [source,bash]
     86 ----
     87 $ cryptsetup luksFormat /dev/sdX#
     88 ----
     89 --
     90 . Open encrypted partition (name is needed for reference but not permanent)
     91 +
     92 --
     93 [source,bash]
     94 ----
     95 $ cryptsetup open /dev/sdX# {name}
     96 ----
     97 --
     98 . Format the partitions
     99 +
    100 --
    101 [source,bash]
    102 ----
    103 $ mkfs.fat -F 32 /dev/boot_partition
    104 $ mkfs.ext4 /dev/mapper/{name}
    105 ----
    106 --
    107 . Mount the file systems
    108 +
    109 --
    110 [source,bash]
    111 ----
    112 $ mount /dev/mapper/{name} /mnt
    113 $ mkdir /mnt/boot
    114 $ mount /dev/boot_partition /mnt/boot
    115 ----
    116 --
    117 . Optional: sort mirrors on geographical location
    118 +
    119 --
    120 [source,bash]
    121 ----
    122 $ vim /etc/pacman.d/mirrorlist
    123 ----
    124 --
    125 . Install (essential) packages
    126 +
    127 --
    128 [source,bash]
    129 ----
    130 $ pacstrap -K /mnt base base-devel linux linux-firmware grub networkmanager cryptsetup lvm2 vim
    131 ----
    132 --
    133 . Generate fstab (define how partitions should be mounted)
    134 +
    135 --
    136 [source,bash]
    137 ----
    138 $ genfstab -U /mnt >> /mnt/etc/fstab
    139 ----
    140 --
    141 . Change root into new system
    142 +
    143 --
    144 [source,bash]
    145 ----
    146 $ arch-chroot /mnt
    147 ----
    148 --
    149 . Time zone (region and city variables)
    150 +
    151 --
    152 [source,bash]
    153 ----
    154 $ ln -sf /usr/share/zoneinfo/{Region}/{City} /etc/localtime
    155 $ hwclock --systohc
    156 ----
    157 --
    158 . Localization
    159 +
    160 --
    161 [source,bash]
    162 ----
    163 $ vim /etc/locale.gen
    164 ----
    165 --
    166 .. uncomment lines
    167 +
    168 --
    169 [source,conf]
    170 ----
    171 en_US.UTF-8 UTF-8
    172 en_US ISO-8859-1
    173 ----
    174 [source,bash]
    175 ----
    176 $ locale-gen
    177 ----
    178 --
    179 .. set lang variable
    180 +
    181 --
    182 [source,bash]
    183 ----
    184 $ vim /etc/locale.conf
    185 ----
    186 --
    187 ... add text
    188 +
    189 --
    190 [source,conf]
    191 ----
    192 LANG=en_US.UTF-8
    193 ----
    194 --
    195 . Network configuration
    196 +
    197 --
    198 [source,bash]
    199 ----
    200 $ vim /etc/hostname
    201 ----
    202 --
    203 .. add text
    204 +
    205 --
    206 [source,conf]
    207 ----
    208 myhostname
    209 ----
    210 --
    211 .. Config hosts
    212 +
    213 --
    214 [source,bash]
    215 ----
    216 $ vim /etc/hosts
    217 ----
    218 --
    219 .. add text (myhostname is variable based on /etc/hostname)
    220 +
    221 --
    222 [source,conf]
    223 ----
    224 127.0.0.1	localhost
    225 ::1		localhost
    226 127.0.1.1	{myhostname}.localdomain {myhostname}
    227 ----
    228 --
    229 .. Enable services
    230 +
    231 --
    232 [source,bash]
    233 ----
    234 $ systemctl enable NetworkManager.service
    235 $ systemctl enable systemd-resolved.service
    236 ----
    237 --
    238 . Passwords and users
    239 +
    240 --
    241 [source,bash]
    242 ----
    243 $ passwd
    244 $ useradd -G wheel -m {user}
    245 $ passwd {user}
    246 ----
    247 --
    248 . Initial ramdisk
    249 +
    250 --
    251 [source,bash]
    252 ----
    253 $ vim /etc/mkinitcpio.conf
    254 ----
    255 --
    256 .. Find the line that starts with: HOOKS=(base udev...) and add near the end, but still
    257 inside the brackets:
    258 +
    259 --
    260 [source,conf]
    261 ----
    262 encrypt lvm2
    263 ----
    264 --
    265 .. Create new initramfs
    266 +
    267 --
    268 [source,bash]
    269 ----
    270 $ mkinitcpio -P
    271 ----
    272 --
    273 . Boot loader (GRUB)
    274 .. Exit chroot environment by typing _exit_ or pressing _Ctrl+d_.
    275 .. Add partition information to grub file
    276 +
    277 --
    278 [source,bash]
    279 ----
    280 $ lsblk -f >> /mnt/etc/default/grub
    281 ----
    282 --
    283 . Chroot into system and edit grub file
    284 +
    285 --
    286 [source,bash]
    287 ----
    288 $ arch-chroot /mnt
    289 $ vim /etc/default/grub
    290 ----
    291 --
    292 .. Grab the output of the previous (lsblk -f) command at the bottom and move it to the
    293 top.
    294 .. Comment it out
    295 .. Edit the GRUB_CMDLINE_LINUX_DEFAULT property to look like this (replace each {placeholder} with the correct UUID and "cryptname" with your preferred name)
    296 +
    297 --
    298 [source,conf]
    299 ----
    300 GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID={uuid-of-/dev/sdX#}:cryptname root=UUID={uuid-of-/dev/mapper/{name}}"
    301 ----
    302 --
    303 . Install GRUB
    304 +
    305 --
    306 [source,bash]
    307 ----
    308 $ pacman -S efibootmgr
    309 $ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
    310 ----
    311 --
    312 . Microcode (CPU updates): depending on the processor manufacturer, run one of the following
    313 +
    314 --
    315 [source,bash]
    316 ----
    317 $ pacman -S amd-ucode    # AMD processors
    318 $ pacman -S intel-ucode  # Intel processors
    319 ----
    320 --
    321 . Generate grub cfg
    322 +
    323 --
    324 [source,bash]
    325 ----
    326 $ grub-mkconfig -o /boot/grub/grub.cfg
    327 ----
    328 --
    329 . Exit chroot, reboot, remove USB, and (hopefully) enjoy.
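
The following is an added example, not part of the original guide: a pre-reboot check of the two hand-edited files (the HOOKS line and /etc/default/grub), since a mistake in either one leaves the encrypted root unbootable. The function names (hooks_ok, grub_file_clean, cmdline_ok, write_samples) and both UUIDs are constructed for illustration, and the hook order check assumes the udev-based initramfs with the encrypt hook that this guide configures.

```sh
# Added example: pre-reboot checks for the two files this guide edits by hand.
# hooks_ok FILE: "encrypt" must come after "udev" and before "filesystems".
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1)
    pos=0 udev=0 encrypt=0 fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            udev) udev=$pos ;;
            encrypt) encrypt=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$udev" -gt 0 ] && [ "$udev" -lt "$encrypt" ] && [ "$encrypt" -lt "$fs" ]
}

# grub_file_clean FILE: /etc/default/grub is sourced as shell by grub-mkconfig,
# so pasted lsblk output left uncommented is an error. Assumes one assignment per line.
grub_file_clean() {
    ! grep -Evq '^[[:space:]]*(#.*|[A-Za-z_][A-Za-z0-9_]*=.*)?$' "$1"
}

# cmdline_ok FILE LUKS_UUID ROOT_UUID: cryptdevice= must carry the UUID of the
# LUKS partition and root= the UUID of the filesystem inside the mapping.
cmdline_ok() {
    val=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1)
    val=${val#*\"}; val=${val%\"*}
    crypt='' root=''
    for w in $val; do
        case $w in
            cryptdevice=UUID=*:*) crypt=${w#cryptdevice=UUID=}; crypt=${crypt%%:*} ;;
            root=UUID=*) root=${w#root=UUID=} ;;
        esac
    done
    [ "$crypt" = "$2" ] && [ "$root" = "$3" ]
}

# Constructed sample files; both UUIDs are made up.
LUKS_UUID=11111111-2222-3333-4444-555555555555; ROOT_UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
write_samples() {
    echo 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems fsck)' > "$1/mkinitcpio.conf"
    printf '%s\n' "# sda2 crypto_LUKS $LUKS_UUID" 'GRUB_TIMEOUT=5' \
        "GRUB_CMDLINE_LINUX_DEFAULT=\"loglevel=3 quiet cryptdevice=UUID=$LUKS_UUID:cryptname root=UUID=$ROOT_UUID\"" > "$1/grub"
}

dir=$(mktemp -d) && write_samples "$dir"
hooks_ok "$dir/mkinitcpio.conf" && grub_file_clean "$dir/grub" &&
    cmdline_ok "$dir/grub" "$LUKS_UUID" "$ROOT_UUID" && echo "config looks consistent"
rm -rf "$dir"
```

On a real installation, run the functions inside the chroot against /etc/mkinitcpio.conf and /etc/default/grub, taking the two UUIDs from `blkid -s UUID -o value` on the LUKS partition and on the opened mapping.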