Arch/Artix Full Disk Encryption With Encrypted Boot Partition Guide

Guide on how to install Arch or Artix with full disk encryption, keeping /boot inside the encrypted root so the kernel and initramfs are never stored in the clear. Only the EFI system partition (and the GRUB core image) stays unencrypted.

Considerations

With this layout GRUB itself unlocks the LUKS container to load the kernel and initramfs, so there is no separate, unencrypted /boot. Three things follow from that. First, GRUB's LUKS2 support does not include the Argon2 PBKDFs that cryptsetup uses by default, so the passphrase key slot has to use PBKDF2 (that is what --pbkdf pbkdf2 in step 5 is for); PBKDF2 is cheaper to brute-force than Argon2id, so pick a long passphrase. Second, everything outside the container (the BIOS boot partition, the EFI system partition and the GRUB image in them) is neither encrypted nor authenticated: this setup protects data at rest on a lost or stolen disk, not against someone who can replace your bootloader. Third, you will be asked for the passphrase twice, once by GRUB and once by the initramfs, unless you embed a keyfile as described in step 12.

Steps

0. Backup your data

This guide assumes that you are working on a blank drive that doesn’t have any important data in it. It is always a good idea to backup your data before you perform any modification to the partitions of your drive.

1. Download your Arch/Artix ISO

If you are reading this guide, you probably already know how to do that. Verifying the SHA256 checksum only tells you the download is not corrupted; to know it is the image the project actually released, also verify the detached PGP signature (the .sig file published next to the ISO) against the release key.
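
As an added example, not part of the original guide, the following script does both checks. The function names are its own, and the demo at the end runs on constructed files so it works offline; against a real download you would run it from the directory holding the ISO, its sha256sums.txt and its .sig.

```bash
#!/usr/bin/env bash
# ISO verification helpers, added as an example; not part of the original
# guide. A matching SHA256 only shows the file is intact; the detached .sig
# shows who released it. Function names are this example's own.

# Check one file against a sha256sums.txt-style list (lines "<hash>  <name>").
# Silent; exit status 0 means the hash matches.
verify_sha256() {   # verify_sha256 <sha256sums.txt> <iso file>
    local sums=$1 iso=$2 dir base
    dir=$(dirname "$iso")
    base=$(basename "$iso")
    # The list holds bare file names, so check from the ISO's own directory and
    # feed sha256sum only the line for this file. A missing line and a wrong
    # hash both make sha256sum -c fail.
    grep -F -- " $base" "$sums" | (cd "$dir" && sha256sum -c --status -)
}

# Verify the detached signature, fetching the release key from the keyservers
# if it is not in the local keyring yet (the procedure the Arch download page
# documents). Exit status is gpg's; 2 means gpg is not available.
verify_signature() {   # verify_signature <iso file> <detached .sig>
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --keyserver-options auto-key-retrieve --verify "$2" "$1"
}

# Demo on constructed files so it runs offline: one intact copy and one with a
# changed byte, checked under the same file name against the same list.
demo() {
    local d
    d=$(mktemp -d)
    printf 'constructed, not a real ISO\n' > "$d/archlinux-x86_64.iso"
    (cd "$d" && sha256sum archlinux-x86_64.iso > sha256sums.txt)
    mkdir "$d/bad"
    printf 'Constructed, not a real ISO\n' > "$d/bad/archlinux-x86_64.iso"
    verify_sha256 "$d/sha256sums.txt" "$d/archlinux-x86_64.iso" && echo "intact copy: OK"
    verify_sha256 "$d/sha256sums.txt" "$d/bad/archlinux-x86_64.iso" || echo "modified copy: MISMATCH"
    rm -rf "$d"
}

demo
```

verify_signature is the check that actually matters for trust: a tampered mirror can serve a matching sha256sums.txt alongside a tampered ISO, but cannot produce a valid signature from the release key.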

2. Partition your drive

You can use any software for this, like gparted or gdisk. Just make sure to create a GPT partition table. MBR should work too, but it has a few limitations. You can even partition the drive from another LiveCD that is not Arch or Artix.

This is the partition scheme that we are going to be working with:

+---------------------+----------------------+----------------------+----------------------+----------------------+
| BIOS boot partition | EFI system partition | Root partition                                                     |
|                     |                      |                                                                    |
|                     | /efi                 | /                                                                  |
|                     |                      |                                                                    |
|                     |                      |                                                                    |
| /dev/sda1           | /dev/sda2            |----------------------+----------------------+----------------------+
| unencrypted         | unencrypted          | /dev/sda3 encrypted LUKS partition                                 |
+---------------------+----------------------+--------------------------------------------------------------------+

(Diagram taken from the Arch wiki with some slight modifications).

If you want to have separate partitions in your system, i.e. a separate /home partition, it is recommended to have an LVM layer as the Arch wiki suggests. However, in this guide we are going to ignore LVM just to simplify the guide a little bit (and because I’m lazy to be honest).

We are going to need:

- /dev/sda1: a small BIOS boot partition (only used by GRUB on Legacy BIOS), unencrypted
- /dev/sda2: the EFI system partition, formatted as FAT32 and mounted at /efi, unencrypted
- /dev/sda3: the rest of the disk as a LUKS container holding the root filesystem, /boot included
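
The same three partitions, created non-interactively with sgdisk, as an added example that is not part of the original guide. The 1 MiB BIOS boot and 512 MiB EFI sizes and the function names are this example's assumptions; the GPT type codes (ef02 BIOS boot, ef00 EFI System, 8309 Linux LUKS) are the standard ones. The demo runs on a sparse image file, which is a good way to try the layout before pointing it at a real disk.

```bash
#!/usr/bin/env bash
# GPT layout for the scheme in the diagram, as an added example (not from the
# guide): 1 MiB BIOS boot partition, an EFI system partition and one LUKS
# container for the rest. The 1 MiB and 512 MiB sizes are this example's
# assumptions; the guide does not fix them.
set -eu

# Create the three partitions on $1 (a disk device or a raw image file) with
# the GPT type codes GRUB and the firmware expect: ef02 BIOS boot, ef00 EFI
# System, 8309 Linux LUKS. Destroys whatever is on the target.
layout_disk() {   # layout_disk <device-or-image> [esp-size, default 512M]
    local dev=$1 esp=${2:-512M}
    sgdisk --zap-all "$dev" >/dev/null
    sgdisk -n 1:0:+1M      -t 1:ef02 -c 1:"BIOS boot" \
           -n 2:0:+"$esp"  -t 2:ef00 -c 2:"EFI system" \
           -n 3:0:0        -t 3:8309 -c 3:"LUKS root" "$dev" >/dev/null
}

# Number of partitions sgdisk reports on the target, so the result can be
# checked rather than trusting the exit status alone.
partition_count() {   # partition_count <device-or-image>
    sgdisk -p "$1" | awk '$1 ~ /^[0-9]+$/' | wc -l
}

# Demo on a sparse image file rather than a real disk.
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp --suffix=.img)
    truncate -s 8G "$img"
    layout_disk "$img"
    sgdisk -p "$img"
    rm -f "$img"
fi
```

Run it with --demo to see the table sgdisk prints for the image; for the real thing, call layout_disk /dev/sda (or the device the installer shows) after double-checking with lsblk that it is the disk you mean.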

3. Connecting to the internet

If you are going to be installing the Arch or Artix base image, an Internet connection is required. It is recommended to just hook up an Ethernet cable to avoid issues. If you can’t use Ethernet, you can also connect through Wi-Fi. Make sure to check the Arch or Artix guides for that.

You can also give these commands a try (connmanctl is what the Artix live ISO ships; the Arch ISO uses iwd instead, so there you would use iwctl):

# connmanctl enable wifi 
# connmanctl scan wifi 
# connmanctl services 
# connmanctl connect [enter the code starting in "wifi_" that is assigned to the desired ssid here]

And check if you have an Internet connection by running:

$ ping -c 3 francoacg.com

4. Verifying if you are on UEFI or Legacy BIOS

Run

# ls /sys/firmware/efi/efivars

If you see a bunch of files and folders, you are on UEFI. If you see an error, you are on Legacy BIOS.

5. Formatting and mounting partitions

# cryptsetup luksFormat --pbkdf pbkdf2 /dev/sda3
# cryptsetup luksOpen /dev/sda3 cryptroot
# mkfs.ext4 /dev/mapper/cryptroot

--pbkdf pbkdf2 is not optional here: GRUB has to unlock this container to reach /boot, and its LUKS2 support does not handle the Argon2 PBKDFs that cryptsetup uses by default. PBKDF2 is cheaper to brute-force, so compensate with a long passphrase. You can confirm which PBKDF the key slot uses with:

# cryptsetup luksDump /dev/sda3 | grep -i pbkdf

which should show PBKDF: pbkdf2.

In theory, the mapping doesn’t have to be named cryptroot, it can have any name. Just make sure to use the correct name when setting up GRUB.

Remember to also format /dev/sda2 as FAT32

# mkfs.fat -F 32 /dev/sda2

Now, mount the partitions. The root filesystem lives inside the container, so mount the mapped device, not /dev/sda3 itself:

# mount /dev/mapper/cryptroot /mnt
# mkdir /mnt/efi
# mount /dev/sda2 /mnt/efi

/boot deliberately gets no mount point of its own: it stays inside the encrypted root, which is what keeps the kernel, the initramfs (and, after step 12, the keyfile inside it) off the unencrypted EFI partition.

6. Installing the system

Arch:

# pacstrap /mnt base base-devel linux linux-firmware cryptsetup networkmanager wpa_supplicant wireless_tools lvm2 sudo grub efibootmgr dosfstools os-prober mtools vim

Artix (replace <init> by your init system of preference, like openrc, runit or s6):

# basestrap /mnt base base-devel linux linux-firmware <init> elogind-<init> cryptsetup networkmanager networkmanager-<init> wpa_supplicant wireless_tools lvm2 sudo grub efibootmgr dosfstools os-prober mtools vim

Feel free to add your Window Manager or Desktop Environment of preference in the above commands.

7. Generate fstab file

This has to happen after the base system is installed, since /mnt/etc does not exist before that.

Arch:

# genfstab -U /mnt >> /mnt/etc/fstab

Artix:

# fstabgen -U /mnt >> /mnt/etc/fstab

Check the result: /mnt/etc/fstab should list / by the UUID of the ext4 filesystem on /dev/mapper/cryptroot and /efi by the UUID of /dev/sda2.

8. chroot into the installation

Arch:

# arch-chroot /mnt

Artix:

# artix-chroot /mnt

At this point, you can enable the NetworkManager service. For Arch, run systemctl enable NetworkManager. For Artix, it depends on your init system; on OpenRC, for example, rc-update add NetworkManager default.

9. Preparing kernel for encryption

Edit the /etc/mkinitcpio.conf file and make sure the HOOKS array contains keyboard, block and encrypt, in that order and all before filesystems. keyboard must come before encrypt, or a USB keyboard may not work at the passphrase prompt; add keymap next to it if you use a non-US layout:

HOOKS=(base udev ... keyboard ... block encrypt ... filesystems ...)

Apply the changes:

# mkinitcpio -P

10. System configuration

Timezone:

# ln -sf /usr/share/zoneinfo/Your/Timezone /etc/localtime

Hardware clock:

# hwclock --systohc

Uncomment your locale of preference in the /etc/locale.gen file:

en_US.UTF-8 UTF-8
en_US.ISO-8859-1

Generate locale:

# locale-gen

Update the /etc/locale.conf file with your locale of preference:

LANG=en_US.UTF-8

System hostname (or “the name of your PC”) in the /etc/hostname file:

your-pc-name

Localhost (/etc/hosts file):

127.0.0.1        localhost
::1              localhost
127.0.1.1        your-pc-name.localdomain    your-pc-name

Root password:

# passwd

Creating an user:

# useradd -m -g users -G wheel <your-user>

Setting up a password for that user:

# passwd <your-user>

SUDO privileges for that user:

# EDITOR=vim visudo

and uncomment the following line:

%wheel ALL=(ALL) ALL

Remember to save and quit.

11. Setting up GRUB

Get the UUID of the LUKS container (the UUID of /dev/sda3 itself, not the UUID of the ext4 filesystem inside /dev/mapper/cryptroot) by running

# blkid /dev/sda3

or simply

# cryptsetup luksUUID /dev/sda3

And save the UUID somewhere.

Edit the /etc/default/grub file: uncomment GRUB_ENABLE_CRYPTODISK=y (this is what makes grub-install build a core image that can unlock LUKS, so it must be set before running grub-install below) and add cryptdevice=UUID=</dev/sda3 partition UUID>:cryptroot root=/dev/mapper/cryptroot to the kernel parameters:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=</dev/sda3 partition UUID>:cryptroot root=/dev/mapper/cryptroot root_trim=yes"
GRUB_ENABLE_CRYPTODISK=y

If you have an SSD, root_trim=yes lets TRIM pass through the encrypt hook, which is good for the drive. The trade-off is that discarded blocks reveal which parts of the container are unused to anyone reading the raw disk; leave the parameter out if that matters more to you than SSD wear.

Install the GRUB bootloader. If you have Legacy BIOS:

# grub-install --target=i386-pc --recheck /dev/sda

If you have UEFI:

# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck

Save the GRUB config by running:

# grub-mkconfig -o /boot/grub/grub.cfg

12. Prevent getting asked for the password twice

GRUB unlocks the container once to read /boot, then the initramfs asks again to mount the root filesystem. To skip the second prompt, add a keyfile to a second key slot and embed it in the initramfs. This is only acceptable because the initramfs itself sits on the encrypted root; the keyfile must never end up on the unencrypted EFI partition.

# mkdir -m 700 /etc/cryptsetup-keys.d
# dd bs=512 count=4 if=/dev/random iflag=fullblock | install -m 0600 /dev/stdin /etc/cryptsetup-keys.d/cryptroot.key
# cryptsetup -v luksAddKey /dev/sda3 /etc/cryptsetup-keys.d/cryptroot.key

You will be asked for the existing passphrase. The new slot is only ever opened by the initramfs, so it can keep cryptsetup's default PBKDF; GRUB keeps using the PBKDF2 passphrase slot from step 5 and skips slots it cannot handle.

Update the /etc/mkinitcpio.conf file so the key is copied into the initramfs:

FILES=(/etc/cryptsetup-keys.d/cryptroot.key)

and rebuild the initramfs, otherwise the change has no effect:

# mkinitcpio -P

Update the kernel parameters in the /etc/default/grub file:

GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/etc/cryptsetup-keys.d/cryptroot.key"

Remember to re-generate the GRUB config file:

# grub-mkconfig -o /boot/grub/grub.cfg
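
Before rebooting it is worth checking the three things steps 9, 11 and 12 have to agree on: the hook order in mkinitcpio.conf, that the keyfile really is embedded and root-only, and that /etc/default/grub names the container by its LUKS UUID and turns on cryptodisk. The following script does that. It is an added example, not part of the original guide; the function names are its own, and the demo at the end runs against constructed files (a made-up UUID and temporary paths) so it can be tried anywhere. Inside the chroot you would point the functions at /etc/mkinitcpio.conf, /etc/default/grub and the real keyfile.

```bash
#!/usr/bin/env bash
# Checks for the configuration built in steps 9, 11 and 12, added as an
# example (not part of the original guide). Run inside the chroot before the
# first reboot: an initramfs without the encrypt hook, a GRUB that was not
# told to unlock LUKS, or a keyfile it cannot read all end in a rescue shell.
# The demo at the end uses constructed files. Function names are this
# example's own.

# Value of a bash-style array assignment such as HOOKS=(base udev ...), taking
# the last uncommented definition as bash itself would. Fails if none exists.
conf_array() {   # conf_array <file> <NAME>
    sed -n "s/^[[:space:]]*$2=(\(.*\))[[:space:]]*$/\1/p" "$1" | tail -n 1 | grep .
}

# 1-based position of a word in the remaining arguments; fails if absent.
word_index() {   # word_index <word> <list...>
    local w=$1 i=0 x
    shift
    for x in "$@"; do
        i=$((i + 1))
        [ "$x" = "$w" ] && { echo "$i"; return 0; }
    done
    return 1
}

# encrypt needs block (the device node exists) and keyboard (a USB keyboard
# works at the passphrase prompt) before it, and filesystems after it.
hooks_ok() {     # hooks_ok <mkinitcpio.conf>
    local hooks h k b e f
    hooks=$(conf_array "$1" HOOKS) || { echo "no HOOKS= line in $1" >&2; return 1; }
    # shellcheck disable=SC2086
    set -- $hooks
    for h in keyboard block encrypt filesystems; do
        word_index "$h" "$@" >/dev/null || { echo "HOOKS: missing $h" >&2; return 1; }
    done
    k=$(word_index keyboard "$@"); b=$(word_index block "$@")
    e=$(word_index encrypt "$@");  f=$(word_index filesystems "$@")
    if [ "$k" -lt "$e" ] && [ "$b" -lt "$e" ] && [ "$e" -lt "$f" ]; then
        return 0
    fi
    echo "HOOKS: need keyboard and block before encrypt, and encrypt before filesystems" >&2
    return 1
}

# The keyfile must be embedded (FILES=) and be root-only and non-empty. It ends
# up inside the initramfs, which is safe only because /boot is on the
# encrypted root.
keyfile_ok() {   # keyfile_ok <mkinitcpio.conf> <keyfile>
    local files
    files=$(conf_array "$1" FILES) || { echo "no FILES= line in $1" >&2; return 1; }
    case " $files " in *" $2 "*) ;; *) echo "FILES does not list $2" >&2; return 1 ;; esac
    [ -s "$2" ] || { echo "$2 missing or empty" >&2; return 1; }
    [ "$(stat -c %a "$2")" = 600 ] || { echo "$2 must be mode 0600" >&2; return 1; }
}

# GRUB_ENABLE_CRYPTODISK=y must be uncommented, and GRUB_CMDLINE_LINUX must
# name the container by its LUKS UUID, the mapper name and the keyfile.
grub_ok() {      # grub_ok </etc/default/grub> <luks-uuid> <mapper-name> <keyfile>
    local f=$1 uuid=$2 name=$3 key=$4 cmd want
    grep -qx 'GRUB_ENABLE_CRYPTODISK=y' "$f" || { echo "GRUB_ENABLE_CRYPTODISK=y not set" >&2; return 1; }
    cmd=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$f" | tail -n 1)
    for want in "cryptdevice=UUID=$uuid:$name" "root=/dev/mapper/$name" "cryptkey=rootfs:$key"; do
        case " $cmd " in *" $want "*) ;; *) echo "GRUB_CMDLINE_LINUX lacks $want" >&2; return 1 ;; esac
    done
}

# UUID of the LUKS container from one line of blkid output. blkid also prints
# a PARTUUID, and the ext4 inside /dev/mapper/cryptroot has a UUID of its own;
# neither is what cryptdevice= wants.
luks_uuid() {    # luks_uuid <blkid line>
    case $1 in *'TYPE="crypto_LUKS"'*) ;; *) echo "not a LUKS container" >&2; return 1 ;; esac
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' | grep .
}

# Demo against constructed files (the UUID and the paths are made up).
demo() {
    local d uuid
    d=$(mktemp -d)
    uuid=$(luks_uuid '/dev/sda3: UUID="2f1b3c4d-0000-4000-8000-000000000001" TYPE="crypto_LUKS" PARTUUID="..."')
    mkdir -m 700 "$d/keys"
    dd bs=512 count=4 if=/dev/random iflag=fullblock 2>/dev/null | install -m 0600 /dev/stdin "$d/keys/cryptroot.key"
    printf 'HOOKS=(base udev autodetect keyboard keymap block encrypt filesystems fsck)\nFILES=(%s)\n' "$d/keys/cryptroot.key" > "$d/mkinitcpio.conf"
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=%s:cryptroot root=/dev/mapper/cryptroot root_trim=yes cryptkey=rootfs:%s"\nGRUB_ENABLE_CRYPTODISK=y\n' "$uuid" "$d/keys/cryptroot.key" > "$d/grub"
    hooks_ok "$d/mkinitcpio.conf" && keyfile_ok "$d/mkinitcpio.conf" "$d/keys/cryptroot.key" &&
        grub_ok "$d/grub" "$uuid" cryptroot "$d/keys/cryptroot.key" && echo "all checks passed"
    rm -rf "$d"
}

demo
```

Each function prints the first thing it finds wrong on stderr and returns non-zero, so the three calls can simply be chained with && in a pre-reboot checklist.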

13. Post-install steps

Updating the system

# pacman -Syu

Creating a Swapfile

A swapfile on / sits inside the LUKS container, so anything swapped out is encrypted as well:

# dd if=/dev/zero of=/swapfile bs=1M count=4096 status=progress
# chmod 600 /swapfile
# mkswap /swapfile
# swapon /swapfile
# cp /etc/fstab /etc/fstab.bak
# echo '/swapfile none swap defaults 0 0' >> /etc/fstab

Install Paru (AUR helper)

$ sudo pacman -S git
$ git clone https://aur.archlinux.org/paru.git
$ cd paru
$ makepkg -si
$ cd ..
$ rm -rf paru/

Useful programs

Old guide:

https://git.francoacg.com/FranLMSP/artix-install-cheatsheet