Welcome to this guide (again). Unlike the previous blog (blogs/arch-installation-guide), this time I'll be covering how to install Arch Linux with multiple drives encrypted using LUKS and cryptsetup.
Note: Make sure you're on a UEFI system and connected to the internet.
You can also refer to the official installation guide for more information.
- Download the latest Arch ISO from the official website.
- Create a bootable USB using Rufus (Windows) or dd (Linux/macOS).
- Disable Secure Boot in UEFI settings.
- Boot into the USB and open the terminal.
You're likely already connected.
Use iwctl:
iwctl
device list
station <device> scan
station <device> get-networks
station <device> connect <SSID>
exit
Test the connection:
Use lsblk to get the disk name:
Use cfdisk on your disk (replace /dev/sdX):
Create the following partitions:
- EFI - 512MiB (type: EFI System)
- Root - Remaining space
- Swap - (RAM size + 0.5GiB)
mkfs.fat -F32 /dev/sdX1 # EFI
cryptsetup luksFormat /dev/sdX2 # Encrypted root
cryptsetup open /dev/sdX2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
cryptsetup luksFormat /dev/sdX3 # Encrypted swap
cryptsetup open /dev/sdX3 cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap
mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
pacstrap -K /mnt base linux linux-firmware vim networkmanager grub efibootmgr os-prober sudo git
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mnt # enter the new system; the commands below run inside it
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "MyLappy" > /etc/hostname
cat <<EOF > /etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 MyLappy.localdomain MyLappy
EOF
dd bs=512 count=4 if=/dev/random of=/etc/cryptkeyfile.bin iflag=fullblock
chmod 000 /etc/cryptkeyfile.bin
cryptsetup luksAddKey "/dev/sdX3" /etc/cryptkeyfile.bin
echo "cryptswap UUID=$(blkid -s UUID -o value /dev/sdX3) /etc/cryptkeyfile.bin luks" >> /etc/crypttab
Remember to repeat the luksAddKey and echo "crypt... steps for any other encrypted partitions you have created.
Example:
cryptsetup luksAddKey "/dev/sdX4" /etc/cryptkeyfile.bin
echo "crypthome UUID=$(blkid -s UUID -o value /dev/sdX4) /etc/cryptkeyfile.bin luks" >> /etc/crypttab
Remember to create the partition before running genfstab.
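The following check audits a crypttab like the one built above. It is an added example, not part of the original guide: it flags entries that use unstable /dev/sdX names instead of UUIDs and key files that are missing or accessible to group or others. The function names audit_crypttab and make_sample are hypothetical, and the sample UUIDs and paths are constructed.

```sh
# audit_crypttab FILE: print one finding per line; status 0 = clean, 1 = findings.
audit_crypttab() {
    findings=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case "$name" in ''|\#*) continue ;; esac        # skip blanks and comments
        case "$dev" in
            UUID=*|PARTUUID=*|LABEL=*) ;;               # stable across reboots
            *) echo "$name: device '$dev' is not a persistent identifier"
               findings=$((findings + 1)) ;;
        esac
        case "$key" in ''|none|-) continue ;; esac      # passphrase prompt, no key file
        if [ ! -s "$key" ]; then
            echo "$name: key file $key is missing or empty"
            findings=$((findings + 1))
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            # columns 5-10 of ls -l are the group and other permission bits
            echo "$name: key file $key is accessible to group or others"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Constructed sample: three entries; UUIDs and file names are made up for the demo.
make_sample() {
    d=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$d/good.bin" bs=512 count=4 2>/dev/null
    chmod 000 "$d/good.bin"                             # same mode the guide sets
    dd if=/dev/urandom of="$d/weak.bin" bs=512 count=4 2>/dev/null
    chmod 644 "$d/weak.bin"                             # deliberately too open
    cat > "$d/crypttab" <<EOF
# <name> <device> <key file> <options>
cryptswap UUID=11111111-2222-3333-4444-555555555555 $d/good.bin luks
crypthome /dev/sdX4 $d/weak.bin luks
cryptdata UUID=66666666-7777-8888-9999-aaaaaaaaaaaa $d/missing.bin luks
EOF
    echo "$d"
}

sample=$(make_sample)
audit_crypttab "$sample/crypttab" || echo "crypttab needs attention"
rm -rf "$sample"
```

On the installed system, run it as audit_crypttab /etc/crypttab from a root shell.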
echo 'GRUB_CMDLINE_LINUX="cryptdevice=UUID='$(blkid -s UUID -o value /dev/sdX2)':cryptroot root=/dev/mapper/cryptroot"' >> /etc/default/grub
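Note: After running this command, remove the GRUB_CMDLINE_LINUX variable that is already in /etc/default/grub and move your newly added variable to exactly that position.
In /etc/mkinitcpio.conf, add the encrypt hook before the filesystems hook; the keyboard hook must come before the encrypt hook so the passphrase can be typed at boot. The change only takes effect once the initramfs is regenerated (mkinitcpio -P).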
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
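Note: We did not add /etc/cryptkeyfile.bin to FILES=() in mkinitcpio.conf because the root partition is not unlocked automatically. Root is opened with its passphrase at boot, and the key file, which lives on the encrypted root, is only used afterwards to unlock the other partitions.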
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id="Arch Linux"
grub-mkconfig -o /boot/grub/grub.cfg
systemctl enable NetworkManager
useradd -mG wheel yourusername
passwd yourusername
visudo
Inside the visudo file, uncomment this line:
exit
umount -R /mnt
reboot
If you want to use my dotfiles, you can view my dotfiles repository.
Or you can simply run these commands after login to rice your Linux in my style.
git clone https://github.com/BIGBEASTISHANK/dotfiles
cd dotfiles
chmod +x ./syscopy.sh
./syscopy.sh