Install Arch Linux
Published April 13, 2018
Posted by Scott Greenup
Objective
Install Arch Linux with the following features:
- UEFI
- GPT
- Encrypted boot partition (i.e. kernel and initramfs)
- Encrypted root partition with LVM on LUKS
I've never encrypted the boot partition before and have always wanted to learn how it would work; I decided to see if I could do it. The point of encrypting the boot partition is to defend against an offline attacker, who could replace parts of initramfs. Having it encrypted makes it even harder to attack your system, but still not impossible.
Note for Dell Precision Users
- Disable SecureBoot
- Change from SATA mode from RAID to AHCI
- When you reboot, your are going to have to manually add the EFI as a bootable option in BIOS
Create Partitions
We need to create two partitions:
- An EFI System Partition (ESP)
- A root partition
Optionally, you can create a home partition in the same fashion we create a root partition; don't forget to mount it and do the normal steps from the Arch Linux Installation Guide. I prefer to not have a seperate home partition, hence my instructions do not consider it.
# Use a GUID Partition Table (GPT)
$ parted /dev/nvme0n1 mklabel gpt
# Create an ESP partiion in the first 512MiB
$ parted /dev/nvme0n1 mkpart primary fat32 2048s 512MiB
$ parted /dev/nvme0n1 set 1 esp on
$ parted /dev/nvme0n1 name 1 esp
# Create our root partition
$ parted /dev/nvme0n1 mkpart primary ext4 512MiB 100%
$ parted /dev/nvme0n1 name 2 root
You can verify using parted <device> print
:
$ parted /dev/nvme0n1 print
...
Partition Table: gpt
Disk Flags:
Number Start End Size File System Name Flags
1 1049kB 537MB 536MB esp boot, esp
2 537MB 512GB 512GB root
Note: We have not installed the File System yet, that is why it is currently blank.
We need to format the esp, leave the root partition for now.
# Format the esp partition with FAT32
$ mkfs.fat -F32 /dev/nvme0n1p1
Create the Root File System
We will follow most of the recommendations from the wiki.
important: Do not use luks2, the method for encrypting the bootloader does not support luks2 at the time of writing.
# Create the LUKS encrypted container
$ cryptsetup luksFormat /dev/nvme0n1p2
# Open the container to /dev/mapper/lvm
$ cryptsetup open /dev/nvme0n1p2 lvm
# Create the volumes
$ pvcreate /dev/mapper/lvm
$ vgcreate archvol /dev/mapper/lvm
$ lvcreate -L 8G archvol -n swap
$ lvcreate -l 100%FREE archvol -n root
# Format swap and root
$ mkswap /dev/mapper/archvol-swap
$ mkfs.ext4 /dev/mapper/archvol-root
For more information about LVM you can find plenty of tutorials online, I used this one from Linoxide.
Install Arch
To install Arch we need to mount our system to /mnt and use pacstrap
.
# Mount the partitions
$ mount /dev/mapper/archvol-root /mnt
$ swapon /dev/mapper/archvol-swap
# Change your mirrorlist
$ vim /etc/pacman.d/mirrorlist
# Install arch
$ pacstrap /mnt base base-devel
After installing Arch, mount the ESP.
$ mkdir /mnt/boot/esp
$ mount /dev/nvme0n1p1 /mnt/boot/esp
Once that is installed, and you've mounted the ESP, follow the Configure The System part of the Installation Guide up until the Initramfs/mkinitcpio stage.
You should be chroot'd into your new install when you get to the initramfs stage.
Initramfs
We are going to remake the initramfs after chaning the config
Open the configuration file:
$ vim /etc/mkinitcpio.conf
Add the keyboard, encrypt and lvm2 hooks to mkinitcpio.conf:
HOOKS=(... keyboard block encrypt lvm2 ... filesystems ...)
Re-run mkinitcpio
$ mkinitcpio -p linux
Boot Loader
Here is the trickiest bit. I would read this to make sure the information here is not outdated: GRUB#UEFI_systems
We want UEFI to load the ESP, which needs to know how to decrypt Grub, and Grub needs to know how to decrypt the LUKS container and mount the LVM volumes.
Install Grub (make sure you are chroot'd in to your /mnt)
$ pacman -S grub efibootmgr
Let GRUB know about the LUKS encrypted device. We are going to need the UUID of the device, I use blkid
to get this.
$ blkid >> /tmp/blkid.out
$ vim -O /tmp/blkid.out /etc/default/grub
In /etc/default/grub
we want to change two things:
- Add a cryptdeviuce and root argument as kernel paramters
- Enable CRYPTODISK
Adding the kernel parameters:
# Change this Line
GRUB_CMDLINE_LINUX=""
# TO something like this, ensuring:
# - you get the right UUID (from the blkid output)
# - use the correct device name (during crypsetup open, and pvcreate)
# - use the correct volume name (during vgcreate)
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<insert-device-uuid-for-nvme0n1p2-here>:lvm root=/dev/mapper/archvol-root"
Install Grub, if you have an intel cpu, install the 'intel-ucode' package before doing this.
$ grub-mkconfig -o /boot/grub/grub.cfg
$ grub-install --target=x86_64-efi --efi-directory=/boot/esp --bootloader-id=grub_arch
Reboot
We can now reboot after we dismount everything.
# Exit the chroot
$ exit
# Close everything
$ swapoff /dev/mapper/archvol-swap
$ umount -R /mnt
$ vgchange -an archvol
$ cryptsetup close /dev/mapper/lvm
# Cross your fingers
$ reboot
You may have to manually add the EFI as a bootable option in BIOS. I had to on a Dell.