Skip to content

Latest commit

 

History

History
156 lines (115 loc) · 6.01 KB

INSTALL.md

File metadata and controls

156 lines (115 loc) · 6.01 KB

The following is a brief installation tutorial for Arch Linux. It assumes familiarity with the Arch Beginner's Guide and Installation Guide.

It will provide a system with full-disk encryption using LVM on LUKS. Two methods are presented here, the more traditional "BIOS mode", where there is no separate /boot partition. The entire installation is encrypted and booted via Grub's crypto hooks. The second method is "UEFI mode" which will use a GPT and show you how to make separately-encrypted boot and root partitions, while only /boot/efi is left unecrypted.

Use your system's setup interface to choose UEFI or legacy/BIOS mode as appropriate.

Note that this guide assumes you are performing the install to /dev/sda. In some cases, you may find that your USB install disk claimed /dev/sda and you want to install to /dev/sdb. Confirm which disk is which before proceeding.

On some newer systems (e.g. Dell XPS 15), set SATA operation mode to AHCI.

Boot into the Arch installer.

If your console font is tiny (HiDPI systems), set a new font.

$ setfont sun12x22

Connect to the Internet.

Verify that the system clock is up to date.

$ timedatectl set-ntp true

(BIOS mode) Create a single partition for LUKS.

$ parted -s /dev/sda mklabel msdos
$ parted -s /dev/sda mkpart primary 2048s 100%

(UEFI mode) Create partitions for EFI, boot, and root.

$ parted -s /dev/sda mklabel gpt
$ parted -s /dev/sda mkpart primary fat32 1MiB 513MiB
$ parted -s /dev/sda set 1 boot on
$ parted -s /dev/sda set 1 esp on
$ parted -s /dev/sda mkpart primary 513MiB 100%
$ mkfs.vfat -F32 /dev/nvme0n1p1

Create and mount the encrypted root filesystem. Note that for UEFI systems this will be partition 3.

$ cryptsetup luksFormat --type luks1 /dev/sda1
$ cryptsetup luksOpen /dev/sda1 lvm
$ pvcreate /dev/mapper/lvm
$ vgcreate arch /dev/mapper/lvm
$ lvcreate -L 8G arch -n swap
$ lvcreate -l +100%FREE arch -n root
$ lvdisplay
$ mkswap -L swap /dev/mapper/arch-swap
$ mkfs.ext4 /dev/mapper/arch-root
$ mount /dev/mapper/arch-root /mnt
$ swapon /dev/mapper/arch-swap

(UEFI mode) Encrypt the boot partition using a separate passphrase from the root partition, then mount the boot and EFI partitions.

$ cryptsetup luksFormat --type luks1 /dev/sda2
$ cryptsetup luksOpen /dev/sda2 cryptboot
$ mkfs.ext4 /dev/mapper/cryptboot
$ mkdir /mnt/boot
$ mount /dev/mapper/cryptboot /mnt/boot
$ mkdir /mnt/boot/efi
$ mount /dev/sda1 /mnt/boot/efi

Optionally edit the mirror list.

$ vi /etc/pacman.d/mirrorlist

Install the base system.

$ pacstrap -i /mnt base base-devel net-tools wireless_tools dialog wpa_supplicant git grub ansible
(UEFI mode) $ pacstrap /mnt efibootmgr

Generate and verify fstab.

$ genfstab -U -p /mnt >> /mnt/etc/fstab
$ less /mnt/etc/fstab

Change root into the base install and perform base configuration tasks.

$ arch-chroot /mnt /bin/bash
$ export LANG=en_US.UTF-8
$ echo $LANG UTF-8 >> /etc/locale.gen
$ locale-gen
$ echo LANG=$LANG > /etc/locale.conf
$ ln -fs /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
$ hwclock --systohc --utc
$ echo mymachine > /etc/hostname
$ systemctl enable dhcpcd.service
$ passwd

Set your mkinitcpio encrypt/lvm2 hooks and rebuild.

$ sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck)/' /etc/mkinitcpio.conf
$ mkinitcpio -p linux

(BIOS mode) Add a keyfile to decrypt the root volume and properly set the hooks.

$ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ sed -i 's/^FILES=.*/FILES=(\/crypto_keyfile.bin)/' /etc/mkinitcpio.conf
$ mkinitcpio -p linux

(UEFI mode) Add a keyfile to decrypt and mount the boot volume during startup.

$ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ echo "cryptboot /dev/sda2 /crypto_keyfile.bin luks" >> /etc/crypttab

Configure GRUB.

$ echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub

# BIOS mode - set the UUID of the encrypted root device
$ ROOTUUID=$(blkid /dev/sda1 | awk '{print $2}' | cut -d '"' -f2)
$ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub
$ grub-install /dev/sda
$ grub-mkconfig -o /boot/grub/grub.cfg
$ chmod -R g-rwx,o-rwx /boot

# UEFI mode - set the UUID of the encrypted root device
$ ROOTUUID=$(blkid /dev/sda3 | awk '{print $2}' | cut -d '"' -f2)
$ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards root=\/dev\/mapper\/arch-root resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub
$ grub-mkconfig -o /boot/grub/grub.cfg
$ grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
$ chmod -R g-rwx,o-rwx /boot

Cleanup and reboot!

$ exit
$ umount -R /mnt
$ reboot

Run ansible!