Scott Greenup

Holder of Coding Trinkets

Install Arch Linux

Published April 13, 2018
Posted by Scott Greenup

Objective

Install Arch Linux with the following features:

  • UEFI
  • GPT
  • Encrypted boot partition (i.e. kernel and initramfs)
  • Encrypted root partition with LVM on LUKS

I've never encrypted the boot partition before and have always wanted to learn how it would work, so I decided to see if I could do it. The point of encrypting the boot partition is to defend against an offline attacker who could otherwise replace parts of the initramfs. Having it encrypted makes the system harder to attack, but not impossible: the GRUB core image on the unencrypted ESP, for one, is still exposed.

Note for Dell Precision Users

  1. Disable Secure Boot
  2. Change the SATA mode from RAID to AHCI
  3. When you reboot, you are going to have to manually add the EFI entry as a bootable option in the BIOS

Create Partitions

We need to create two partitions:

  1. An EFI System Partition (ESP)
  2. A root partition

Optionally, you can create a home partition in the same fashion as the root partition; don't forget to mount it and do the normal steps from the Arch Linux Installation Guide. I prefer not to have a separate home partition, so my instructions do not consider it.

# Use a GUID Partition Table (GPT)
$ parted /dev/nvme0n1 mklabel gpt

# Create an ESP partition in the first 512MiB
$ parted /dev/nvme0n1 mkpart primary fat32 2048s 512MiB
$ parted /dev/nvme0n1 set 1 esp on
$ parted /dev/nvme0n1 name 1 esp

# Create our root partition
$ parted /dev/nvme0n1 mkpart primary ext4 512MiB 100%
$ parted /dev/nvme0n1 name 2 root

You can verify using parted <device> print:

$ parted /dev/nvme0n1 print
...
Partition Table: gpt
Disk Flags:

Number  Start   End     Size    File System     Name    Flags    
1       1049kB  537MB   536MB                   esp     boot, esp
2       537MB   512GB   512GB                   root

Note: we have not created the file systems yet, which is why the File System column is currently blank.

We need to format the ESP; leave the root partition for now.

# Format the esp partition with FAT32
$ mkfs.fat -F32 /dev/nvme0n1p1

Create the Root File System

We will follow most of the recommendations from the wiki.

Important: do not use LUKS2. The method used below to encrypt the boot loader's files does not support LUKS2 at the time of writing.

# Create the LUKS encrypted container
$ cryptsetup luksFormat /dev/nvme0n1p2

# Open the container to /dev/mapper/lvm
$ cryptsetup open /dev/nvme0n1p2 lvm

# Create the volumes
$ pvcreate /dev/mapper/lvm
$ vgcreate archvol /dev/mapper/lvm
$ lvcreate -L 8G archvol -n swap
$ lvcreate -l 100%FREE archvol -n root

# Format swap and root
$ mkswap /dev/mapper/archvol-swap
$ mkfs.ext4 /dev/mapper/archvol-root

For more information about LVM you can find plenty of tutorials online; I used this one from Linoxide.

Install Arch

To install Arch we need to mount our system to /mnt and use pacstrap.

# Mount the partitions
$ mount /dev/mapper/archvol-root /mnt
$ swapon /dev/mapper/archvol-swap

# Change your mirrorlist
$ vim /etc/pacman.d/mirrorlist

# Install arch
$ pacstrap /mnt base base-devel

After installing Arch, mount the ESP.

$ mkdir /mnt/boot/esp
$ mount /dev/nvme0n1p1 /mnt/boot/esp

Once that is installed and you've mounted the ESP, follow the Configure The System part of the Installation Guide up until the Initramfs/mkinitcpio stage.

You should be chroot'd into your new install when you get to the initramfs stage.

Initramfs

We are going to remake the initramfs after changing the config.

Open the configuration file:

$ vim /etc/mkinitcpio.conf

Add the keyboard, encrypt and lvm2 hooks to mkinitcpio.conf:

HOOKS=(... keyboard block encrypt lvm2 ... filesystems ...)

Re-run mkinitcpio:

$ mkinitcpio -p linux

Boot Loader

Here is the trickiest bit. I would read the wiki to make sure the information here is not outdated: GRUB#UEFI_systems

We want UEFI to load GRUB from the ESP; GRUB then needs to know how to decrypt the LUKS container and read the LVM volumes, because its config, the kernel and the initramfs all live inside them.

Install GRUB (make sure you are chroot'd into your /mnt):

$ pacman -S grub efibootmgr

Let GRUB know about the LUKS encrypted device. We are going to need the UUID of the device; I use blkid to get this.

$ blkid >> /tmp/blkid.out
$ vim -O /tmp/blkid.out /etc/default/grub

In /etc/default/grub we want to change two things:

  1. Add cryptdevice and root arguments as kernel parameters
  2. Enable CRYPTODISK

Adding the kernel parameters:

# Change this line
GRUB_CMDLINE_LINUX=""

# to something like this, ensuring:
# - you get the right UUID (from the blkid output)
# - you use the correct mapper name (the one given to cryptsetup open, and used in pvcreate)
# - you use the correct volume group name (the one given to vgcreate)
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<insert-device-uuid-for-nvme0n1p2-here>:lvm root=/dev/mapper/archvol-root"
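The second change, enabling CRYPTODISK, is the line below in /etc/default/grub (added here; the post names the step but does not show the line). It makes grub-install build a core image that can unlock the LUKS container, which is what lets GRUB read /boot from inside it.

```shell
# Build a GRUB core image able to unlock LUKS, so GRUB can read
# /boot/grub, the kernel and the initramfs from the encrypted volume
GRUB_ENABLE_CRYPTODISK=y
```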

Generate the GRUB config and install GRUB. If you have an Intel CPU, install the intel-ucode package before running grub-mkconfig so that the microcode image is included.

$ grub-mkconfig -o /boot/grub/grub.cfg
$ grub-install --target=x86_64-efi --efi-directory=/boot/esp --bootloader-id=grub_arch
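Before leaving the chroot, a pre-flight check over the three things this layout depends on (hook order in mkinitcpio.conf, a LUKS1 header, and a cryptdevice UUID that matches blkid plus GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub) catches most installs that would fail to boot. This is an added example, not the post's own code; the UUID and file contents it runs on are constructed samples.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post). Each check takes file or
# command output as a string, so it runs on constructed samples here and on a
# real box with e.g. check_hooks "$(cat /etc/mkinitcpio.conf)".

# 1. HOOKS must list keyboard, block, encrypt, lvm2 and filesystems in that order.
check_hooks() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p')
    [ -n "$hooks" ] || return 1
    found=$(printf '%s\n' "$hooks" | tr ' ' '\n' |
        grep -x -e keyboard -e block -e encrypt -e lvm2 -e filesystems | tr '\n' ' ')
    [ "$found" = "keyboard block encrypt lvm2 filesystems " ]
}

# 2. GRUB only unlocks LUKS1 for this setup: "cryptsetup luksDump" must say Version 1.
check_luks_version() {
    printf '%s\n' "$1" | grep -Eq '^Version:[[:space:]]+1$'
}

# 3. /etc/default/grub must enable CRYPTODISK, point cryptdevice= at the LUKS
#    partition's UUID (the one blkid prints) and root= at the LVM root volume.
check_grub_default() {
    conf=$1 want_uuid=$2
    [ -n "$want_uuid" ] || return 1
    printf '%s\n' "$conf" | grep -qx 'GRUB_ENABLE_CRYPTODISK=y' || return 1
    cmdline=$(printf '%s\n' "$conf" | sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p')
    case " $cmdline " in *" cryptdevice=UUID=$want_uuid:lvm "*) ;; *) return 1 ;; esac
    case " $cmdline " in *" root=/dev/mapper/archvol-root "*) ;; *) return 1 ;; esac
}

# Constructed samples: the UUID and file contents below are made up.
UUID=0f3d7c1e-2b4a-4c6d-8e9f-0a1b2c3d4e5f
GOOD_HOOKS='HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)'
BAD_HOOKS='HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)'
LUKS1_DUMP=$(printf 'LUKS header information for /dev/nvme0n1p2\n\nVersion:       \t1\nCipher name:   \taes\n')
LUKS2_DUMP=$(printf 'LUKS header information\nVersion:       \t2\n')
GOOD_GRUB=$(printf '%s\n' \
    "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$UUID:lvm root=/dev/mapper/archvol-root\"" \
    'GRUB_ENABLE_CRYPTODISK=y')
BAD_GRUB="GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$UUID:lvm root=/dev/mapper/archvol-root\""

if check_hooks "$GOOD_HOOKS" && check_luks_version "$LUKS1_DUMP" &&
   check_grub_default "$GOOD_GRUB" "$UUID"; then
    echo "pre-flight OK: hooks, LUKS1 header and GRUB config all consistent"
fi
```

If luksDump on the real partition reports Version 2, the container has to be recreated with cryptsetup luksFormat --type luks1 before GRUB can unlock it.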

Reboot

We can now reboot after we unmount and close everything.

# Exit the chroot
$ exit

# Close everything
$ swapoff /dev/mapper/archvol-swap
$ umount -R /mnt
$ vgchange -an archvol
$ cryptsetup close /dev/mapper/lvm

# Cross your fingers
$ reboot

You may have to manually add the EFI entry as a bootable option in the BIOS. I had to on a Dell.