How to install encrypted Arch Linux
17th September 2022

Arch Linux is a simple, lightweight, flexible and minimal Linux distribution which you can customize to your liking. There are many ways you can customize Arch during the installation process so it suits you.
I would like to show you how I install my Arch Linux systems with LUKS encrypted root partition.



Getting the Arch iso


First off you need to acquire the Arch liveboot ISO image from the official Arch Linux website. Simply select the mirror that is closest to you and download the archlinux-[DATE]-x86_64.iso. You can verify the signature of the file if you want to.

Flashing the iso

Flash the Arch ISO file onto a USB flash drive or DVD disc using Balena Etcher or your other favorite image flashing software.

Booting into Arch install environment

Plug in the USB drive with the Arch Linux ISO image, go to the boot menu and select the USB drive. Before that, make sure you disable Secure Boot in the UEFI settings; Secure Boot is often located in the security tab.


Installing Arch


Now let's get to the fun part! Set up your network and keyboard layout with the help of Arch Wiki!

Prepare the disks

Prepare your disk using the gdisk program.
To create a partition, press the n key. It will ask you to input a partition number; just press the space key and it will automatically assign the number to the partition. Space through the first sector prompt, it is useless for us. When it asks you for the last sector, input the partition size. Don't forget to add + in front of the number and the proper letter after the number, M for megabytes and G for gigabytes. It should look like this: +8G

Run the command:

$ gdisk /dev/sdX

Name  Disk       Size       Code
BOOT  /dev/sdX1  550 MiB    ef00
SWAP  /dev/sdX2  8 GiB      8200
ROOT  /dev/sdX3  Remainder  8300

Tip

To set the remainder of the root partition just press space and it will automatically assign the remainder of the disk to the partition.

After you are done with the changes, press the w key and save the changes. If you think you made some mistakes, press the d key and delete the wrong partition, then correct the mistake.


Preparing the LUKS partition

Before you format your partitions and install Arch on them, you first need to create a LUKS container where your root partition data will be stored. You will need to use the cryptsetup command. After running the command you will need to input "YES" as the verification phrase to start creating the LUKS container. After this you will need to input the encrypted container password and input it again to verify it. Make sure to create the container at /dev/sdX3.

$ cryptsetup -yv luksFormat /dev/sdX3

After successful creation of the LUKS container you will need to open it. The partition that is stored in the LUKS container can be found at /dev/mapper/root after running this command:

$ cryptsetup open /dev/sdX3 root

Formatting the partitions

You will need to format the partitions after completing the previous steps.

$ mkfs.ext4 /dev/mapper/root
$ mkfs.fat -F 32 /dev/sdX1
$ mkswap /dev/sdX2

Mounting the partitions

Mount the root and boot partitions to the /mnt directory so you can later proceed to install Arch Linux on these partitions. After mounting the root partition, create a boot directory /mnt/boot/ and mount the boot partition there.

$ mount /dev/mapper/root /mnt
$ mkdir /mnt/boot
$ mount /dev/sdX1 /mnt/boot

Installing Linux on the mounted partitions

Install the Linux kernel and some important packages.

$ pacstrap /mnt base linux linux-firmware vim

Generating the fstab

Don't forget to generate the fstab configuration!

$ genfstab -U /mnt >> /mnt/etc/fstab

Configuring Arch


Now after you have installed Arch Linux on your disk, you need to chroot into it and configure it.

$ swapon /dev/sdX2
$ arch-chroot /mnt

Configure your locale

You will need to set your keyboard layout, timezone and language of the system. First edit /etc/locale.gen and uncomment your language. After that run this command:

$ locale-gen

Configure your time

To change your timezone, replace the continent and city in the ln command below with your continent and city and run it.

Tip

To view all the available timezones, run this command:

$ timedatectl list-timezones

$ ln -sf /usr/share/zoneinfo/Europe/Bratislava /etc/localtime

After running this command, make sure that the change has been done and that your time is correct. This is how to check the time on your system and what the output should look like:

$ timedatectl status
[waffelo@woof ~]$ timedatectl status
               Local time: Mon 2022-08-01 16:43:24 CEST
           Universal time: Mon 2022-08-01 14:43:24 UTC
                 RTC time: Mon 2022-08-01 14:43:24
                Time zone: Europe/Bratislava (CEST, +0200)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no
          
Tip

If you want to set your hardware clock from the current system time, run this command:

$ hwclock --systohc

Configuring your hostname

Set your hostname by editing the /etc/hostname file; this will give a name to your computer. My system's name is "woof", so I will write only that into the file.

Now set your local hostname resolution by editing /etc/hosts. In this example the file contains my hostname "woof". Don't forget to replace it with your own hostname!

# Static table lookup for hostnames.
# See hosts(5) for details.

127.0.0.1       localhost
::1             localhost
127.0.1.1       woof.localdomain        woof
          

Configuring root and users

Now change your root password. This will be your administrator password. Keep in mind that for security reasons you SHOULD NOT use the root user as your daily user.

$ passwd

After this, create a user that you will use yourself. Add it to the wheel group so you can use sudo to run programs that require root privileges.

$ useradd -mG wheel [your_username]

At last, change the user's password.

$ passwd [your_username]

Installing the bootloader

From this point some parts get very complicated, so look very carefully at what you write; small mistakes like one wrong letter in the wrong place can make your system useless. However, you can fix that later from the liveboot...
Install these packages with pacman:

$ pacman -S efibootmgr grub linux-headers

After installing these packages, install the grub bootloader using this command:

$ grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Warning!

The command in this codeblock is configured to install grub for x86_64 system. Tweak the command to your system if you need to.


Generate the grub config.

$ grub-mkconfig -o /boot/grub/grub.cfg

Run the blkid command and get the UUID of the /dev/sdX3. To obtain it more easily, output the command into some file and then go to the file with vim and copy the UUID.

$ blkid >> file

Tip

If you don't know how to copy in vim: put your cursor at the start of the UUID and press v to enter visual mode. It should highlight the area you are selecting. Now move with hjkl or the arrow keys to the end of the UUID while it is getting highlighted and press y to copy the selected text.

Now go to the /etc/default/grub file and put the UUID inside of GRUB_CMDLINE_LINUX. Don't forget to add the :root after the UUID!
This is how it should look:

After that, regenerate the grub config.

$ grub-mkconfig -o /boot/grub/grub.cfg
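
The GRUB_CMDLINE_LINUX edit described above, as an added example that is not the author's own: the encrypt hook expects cryptdevice=UUID=<UUID of the LUKS partition>:root, and the helper refuses the ext4 UUID of /dev/mapper/root, which is an easy mix-up when copying from blkid output. The function names, the blkid sample and every UUID in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. The blkid text below is a
# constructed sample; every UUID and PARTUUID in it is made up.
SAMPLE_BLKID='/dev/sdX1: UUID="AAAA-BBBB" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="00000000-0000-0000-0000-000000000001"
/dev/sdX2: UUID="22222222-2222-2222-2222-222222222222" TYPE="swap" PARTUUID="00000000-0000-0000-0000-000000000002"
/dev/sdX3: UUID="33333333-3333-3333-3333-333333333333" TYPE="crypto_LUKS" PARTUUID="00000000-0000-0000-0000-000000000003"
/dev/mapper/root: UUID="44444444-4444-4444-4444-444444444444" BLOCK_SIZE="4096" TYPE="ext4"'

# luks_uuid DEVICE   (blkid output on stdin)
# Prints the UUID of DEVICE only if blkid reports it as a LUKS container.
# Returns 1 if the device is not listed, 2 if it is not crypto_LUKS.
luks_uuid() {
    line=$(awk -v dev="$1:" '$1 == dev')
    [ -n "$line" ] || return 1
    case $line in
        *' TYPE="crypto_LUKS"'*) ;;
        *) return 2 ;;   # e.g. /dev/mapper/root: that is the ext4 UUID
    esac
    # The leading space keeps PARTUUID="..." from matching.
    printf '%s\n' "$line" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# grub_cmdline DEVICE MAPPER_NAME   (blkid output on stdin)
# Prints the line to put into /etc/default/grub. No root= is added here:
# grub-mkconfig writes the root= parameter on its own.
grub_cmdline() {
    uuid=$(luks_uuid "$1") || return $?
    [ -n "$uuid" ] || return 3
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s:%s"\n' "$uuid" "$2"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_BLKID" | grub_cmdline /dev/sdX3 root
# On the real system, inside the chroot:  blkid | grub_cmdline /dev/sdX3 root
```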

Configuring the mkinitcpio

Don't forget to edit /etc/mkinitcpio.conf. You need to edit the HOOKS in that file. After autodetect add keyboard and keymap, and after block add encrypt.
It should look like this:

HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)

After you have saved the changes, rebuild the mkinitcpio.

$ mkinitcpio -p linux
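
A check to run on /etc/mkinitcpio.conf before rebuilding, added here as an example and not part of the original guide: it reads the active HOOKS line and reports hooks that are missing or out of order. The function names and sample text are constructed; the first three rules are the guide's own instructions, while keymap-before-encrypt is an extra rule added here so the keyboard layout is loaded before the passphrase prompt.

```shell
#!/bin/sh
# Added example, not from the original guide: check HOOKS ordering in
# mkinitcpio.conf text before rebuilding the initramfs.

# Constructed sample: a commented example line plus an active HOOKS line
# in which keymap comes after encrypt.
SAMPLE_CONF='# MODULES=()
#    HOOKS=(base udev autodetect block filesystems)
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard keymap fsck)'

# hook_pos HOOK LIST... : print the 1-based position of HOOK in LIST, 0 if absent.
hook_pos() {
    want=$1; shift; i=0
    for h in "$@"; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# check_hooks (mkinitcpio.conf text on stdin): print each problem, return 1 if any.
check_hooks() {
    # Only uncommented assignments count; the last one wins, as when sourced.
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*$/\1/p' | tail -n 1)
    [ -n "$hooks" ] || { echo "no active HOOKS=(...) line found"; return 1; }
    set -- $hooks
    rc=0
    # Rules written as earlier:later.
    for rule in autodetect:keyboard autodetect:keymap block:encrypt keymap:encrypt; do
        first=${rule%%:*}; second=${rule##*:}
        a=$(hook_pos "$first" "$@"); b=$(hook_pos "$second" "$@")
        if [ "$a" -eq 0 ]; then
            echo "missing hook: $first"; rc=1
        elif [ "$b" -eq 0 ]; then
            echo "missing hook: $second"; rc=1
        elif [ "$a" -ge "$b" ]; then
            echo "order: $second must come after $first"; rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample; on the real system, inside the chroot:
#   check_hooks < /etc/mkinitcpio.conf && mkinitcpio -p linux
printf '%s\n' "$SAMPLE_CONF" | check_hooks ||
    echo "fix HOOKS in /etc/mkinitcpio.conf before running mkinitcpio -p linux"
```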

Configuring bluetooth and internet

You need to activate two services to use the internet and bluetooth after you boot into your system for the first time. Simply install these packages:

$ pacman -S networkmanager bluez bluez-utils pulseaudio-bluetooth

After installing these packages, enable them with systemctl (yes SystemD is stinky and bad.)

$ systemctl enable NetworkManager
$ systemctl enable bluetooth

Configuring Sudo

So that you can properly use sudo with root privileges, you need to uncomment a line with %wheel in /etc/sudoers.


Configuring pacman

You will probably want to install applications such as Steam or Discord; for that you will need to enable multilib. You need to edit /etc/pacman.conf and uncomment the multilib repository lines. I recommend you also uncomment the Color parameter, it looks a lot nicer that way.

After that run this command to refresh the pacman.

$ pacman -Syy

Leaving the chroot

After you have made all the changes needed, leave the chroot.

$ exit

Now unmount all the drives.

$ umount -a

And now finally reboot...

Post installation


After you have finished all the previous steps, your base Arch Linux installation should be complete! Now the only things to do are configuring the DEs or WMs and some other stuff... Have fun.