sylvain durand

Arch Linux with full encryption

Over the past years, I have installed Arch Linux several dozen times on different devices. This article allows me to easily find the steps to install the distribution on a Dell XPS 9300, with UEFI and full encryption of the whole computer.

Warning: the Arch Linux installation guide should remain your reference if you try to install on your own machine. Not only can the instructions evolve over time, but it alone will allow you to adapt the steps to your needs. It is, finally, something very instructive!

Creating the installation disk

Download the installation image from the Arch Linux website.

Then insert a USB stick or micro SD card and find its device name with fdisk -l. You can then copy the image to the key (all data on it will be lost) with:

sudo dd bs=4M if=<image.iso> of=/dev/<sdx> oflag=sync

Booting from the installation disk

After making sure Secure Boot is disabled in the BIOS (necessary on most recent computers), boot the computer from the USB key: once launched, the installer consists of a simple terminal.

Keyboard layout

The keyboard uses an American layout by default. Being French, I use:

loadkeys fr-latin9

Network

For the rest of the installation, we will need the Internet to retrieve the packages. To connect to a wifi network, we use (where [ssid] is the name of your access point):

iwctl station wlan0 connect [ssid]

Clock

To avoid synchronization problems, we also set the computer's clock over the network:

timedatectl set-ntp true

Partitioning

I choose to wipe the disk and create two partitions: a 100 MB boot partition, and a second one filling the rest of the space, which will contain the system. Of course, all existing data will be deleted!

You can see which disks and partitions exist with parted -l.

First of all, in my case, I delete the previous UEFI entry:

efibootmgr -b 0 -B

In my case, the name of the main disk is /dev/nvme0n1. To partition it, I run:

wipefs -af /dev/nvme0n1
parted -s /dev/nvme0n1 mklabel gpt
parted -s /dev/nvme0n1 mkpart primary fat32 1MiB 100MiB
parted -s /dev/nvme0n1 set 1 esp on
parted -s /dev/nvme0n1 mkpart primary ext4 100MiB 100%

Formatting

These two partitions are then formatted, creating an encrypted space on the second one:

mkfs.fat -F32 /dev/nvme0n1p1
cryptsetup -y -v luksFormat --iter-time 100 /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
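
The luksFormat call above passes --iter-time 100, which asks cryptsetup to tune the key derivation (PBKDF) for only about 100 ms of work, well below the default, so the passphrase is cheaper to brute-force from a stolen disk. A practitioner will want to see what the header actually ended up with. The following script is an added example, not code from the original article: it audits the keyslot PBKDF settings from the text printed by cryptsetup luksDump. The dump excerpt it ships with is constructed so that it runs offline, and the three thresholds are assumptions to adapt to your own policy.

```shell
# Added example, not part of the original article: audit the key-derivation
# (PBKDF) settings of a LUKS header as printed by `cryptsetup luksDump`.
# The dump text below is CONSTRUCTED so the code runs offline; on a real
# system use:  cryptsetup luksDump /dev/nvme0n1p2 | audit_luks_dump
# The thresholds are assumptions; adjust them to your own policy.

MIN_TIME_COST=4          # argon2: minimum number of passes
MIN_MEMORY_KIB=262144    # argon2: minimum memory (256 MiB)
MIN_PBKDF2_ITERS=500000  # pbkdf2: minimum iteration count

# audit_luks_dump: reads luksDump output on stdin, prints one verdict line per
# LUKS2 keyslot ("slot N: ok ..." or "slot N: WEAK ..."), returns 1 if any
# slot is weak, 2 if no LUKS2 keyslot section was found (LUKS1 dumps use a
# different layout and are not parsed), 0 otherwise.
audit_luks_dump() {
    awk -v min_t="$MIN_TIME_COST" -v min_m="$MIN_MEMORY_KIB" -v min_i="$MIN_PBKDF2_ITERS" '
    # Emit the verdict for the keyslot collected so far, then reset the state.
    function flush() {
        if (slot == "") return
        if (pbkdf == "argon2i" || pbkdf == "argon2id") {
            if (tcost + 0 < min_t || mem + 0 < min_m) {
                printf "slot %s: WEAK %s time=%s memory=%s\n", slot, pbkdf, tcost, mem; weak = 1
            } else {
                printf "slot %s: ok %s time=%s memory=%s\n", slot, pbkdf, tcost, mem
            }
        } else if (pbkdf == "pbkdf2") {
            if (iters + 0 < min_i) {
                printf "slot %s: WEAK pbkdf2 iterations=%s\n", slot, iters; weak = 1
            } else {
                printf "slot %s: ok pbkdf2 iterations=%s\n", slot, iters
            }
        } else {
            printf "slot %s: WEAK unknown pbkdf \"%s\"\n", slot, pbkdf; weak = 1
        }
        slot = ""; pbkdf = ""; tcost = ""; mem = ""; iters = ""
    }
    /^Keyslots:/                             { inslots = 1; next }      # keyslot section starts
    /^(Tokens|Digests|Data segments):/       { flush(); inslots = 0 }   # another section starts
    inslots && $1 ~ /^[0-9]+:$/              { flush(); seen = 1; slot = $1; sub(":", "", slot) }
    inslots && $1 == "PBKDF:"                { pbkdf = $2 }
    inslots && $1 == "Time" && $2 == "cost:" { tcost = $3 }
    inslots && $1 == "Memory:"               { mem = $2 }
    inslots && $1 == "Iterations:"           { iters = $2 }
    END {
        flush()
        if (!seen) { print "no LUKS2 keyslots found"; exit 2 }
        exit (weak ? 1 : 0)
    }'
}

# Constructed luksDump excerpt (LUKS2 layout, UUID is a placeholder): slot 0
# was created with a very low --iter-time, slot 1 with a sane tuning, slot 2
# with pbkdf2. Real dumps indent with tabs; field splitting handles both.
SAMPLE_DUMP='LUKS header information
Version:        2
Epoch:          5
UUID:           00000000-0000-0000-0000-000000000000
Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64
        sector: 512 [bytes]
Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  1
        Memory:     65536
        Threads:    4
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Time cost:  8
        Memory:     1048576
        Threads:    4
  2: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1234567
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456'

# audit_sample: run the audit on the constructed dump; prints three verdicts
# and returns 1 because slot 0 is weak.
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_luks_dump
}
```

Source the file and call audit_sample to see the verdicts, or pipe a real dump into audit_luks_dump. If a slot is reported weak, the fix is to add a new keyslot with a stronger tuning (cryptsetup luksAddKey accepts the same --iter-time option) and then remove the weak one with cryptsetup luksKillSlot, checking the dump again afterwards.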

Finally, we mount these partitions with:

mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot

Installation

We use pacstrap to install the minimal system on our partition, and create the fstab file. I add iwd to have wifi on reboot, and intel-ucode for Intel processors:

pacstrap /mnt base linux linux-firmware iwd intel-ucode
genfstab -U /mnt >> /mnt/etc/fstab

You then enter the newly created system with:

arch-chroot /mnt

Localization

You choose your time zone, language, and keyboard with commands like this:

ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc
echo "LANG=fr_FR.UTF-8" > /etc/locale.conf
echo "KEYMAP=fr-latin9" > /etc/vconsole.conf
echo "en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen

Network

We then enable the services that provide wifi and DNS at startup:

systemctl enable systemd-networkd systemd-resolved iwd
echo "[General]
EnableNetworkConfiguration=True" >> /etc/iwd/main.conf

We also need to specify our hostname:

echo "xps" > /etc/hostname
echo "127.0.0.1 localhost
::1             localhost
127.0.1.1       xps.localdomain xps" >> /etc/hosts

Initramfs

The following hooks are added to the initramfs so that the passphrase is requested at startup:

sed -i 's/keyboard/keyboard keymap encrypt/' /etc/mkinitcpio.conf
mkinitcpio -P
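
The sed one-liner above is not idempotent: run it twice (for instance when redoing the installation steps) and the HOOKS line contains keymap and encrypt twice, and on a HOOKS line that already lists keymap or lists keyboard before block it produces an order that does not match what the encrypt hook expects. The following script is an added example, not code from the original article: it applies the same edit only when needed and checks the resulting order. The two mkinitcpio.conf fragments are constructed so that the code runs offline; on a real system the file is /etc/mkinitcpio.conf.

```shell
# Added example, not part of the original article: apply the article's HOOKS
# edit idempotently and check the resulting order. The two mkinitcpio.conf
# fragments below are CONSTRUCTED so the code runs offline; on a real system
# the file is /etc/mkinitcpio.conf.

# hooks_of FILE: print the hooks listed in HOOKS=(...), one per line.
hooks_of() {
    sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# hook_count FILE HOOK: how many times HOOK appears in the list (0 if absent).
hook_count() {
    hooks_of "$1" | grep -cx "$2" || true
}

# hook_pos FILE HOOK: 1-based position of HOOK in the list, empty if absent.
hook_pos() {
    hooks_of "$1" | grep -nx "$2" | head -n 1 | cut -d: -f1
}

# insert_after FILE AFTER NEW: put hook NEW right after hook AFTER (written
# through a temporary file so it works with both GNU and BSD sed).
insert_after() {
    tmp=$(mktemp)
    sed 's/^\(HOOKS=(.*[ (]\)'"$2"'\([ )]\)/\1'"$2 $3"'\2/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# ensure_hooks FILE: the article's `sed -i 's/keyboard/keyboard keymap encrypt/'`
# made idempotent: keymap is added after keyboard only if missing, encrypt is
# added after keymap only if missing, so a second run changes nothing.
ensure_hooks() {
    [ "$(hook_count "$1" keymap)" -eq 0 ]  && insert_after "$1" keyboard keymap
    [ "$(hook_count "$1" encrypt)" -eq 0 ] && insert_after "$1" keymap encrypt
    return 0
}

# hooks_ok FILE: returns 0 when encrypt and keymap each appear exactly once and
# keyboard, keymap and block all precede encrypt; otherwise prints the first
# problem found and returns 1.
hooks_ok() {
    f=$1
    [ "$(hook_count "$f" encrypt)" -eq 1 ] || { echo "encrypt must appear exactly once"; return 1; }
    [ "$(hook_count "$f" keymap)" -eq 1 ]  || { echo "keymap must appear exactly once"; return 1; }
    e=$(hook_pos "$f" encrypt)
    for h in keyboard keymap block; do
        p=$(hook_pos "$f" "$h")
        [ -n "$p" ] && [ "$p" -lt "$e" ] || { echo "$h must come before encrypt"; return 1; }
    done
    echo "HOOKS order ok"
}

# Constructed file 1: the kind of HOOKS line the article's one-liner was
# written for (keyboard listed after block).
OLD_STYLE='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)'

# Constructed file 2: a HOOKS line that already contains keymap and lists
# keyboard before block; the article's edit then puts encrypt ahead of block,
# which hooks_ok reports.
NEW_STYLE='MODULES=()
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block filesystems fsck)'

# write_sample TEXT: write a constructed fragment to a temp file, print its path.
write_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    printf '%s\n' "$tmp"
}
```

Typical use is `ensure_hooks /etc/mkinitcpio.conf && hooks_ok /etc/mkinitcpio.conf` before running mkinitcpio -P; if hooks_ok complains about block, move encrypt (or block) by hand rather than re-running the one-liner.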

Root password

Create a root password with:

passwd

Bootloader

We use efibootmgr to create a UEFI boot entry that starts the kernel directly, without a separate bootloader:

UUID1=$(blkid /dev/nvme0n1p2 -o value -s UUID)
UUID2=$(blkid /dev/mapper/cryptroot -o value -s UUID)
efibootmgr -d /dev/nvme0n1 -p 1 -c -L "Arch Linux" \
  -l /vmlinuz-linux -u "cryptdevice=UUID=${UUID1}:cryptroot \
  root=UUID=${UUID2} rw quiet \
  initrd=\intel-ucode.img initrd=\initramfs-linux.img"

The end!

You can leave the installation and reboot with:

exit
reboot