Install Arch with full disk encryption, btrfs and EFI
Posted on January 20, 2018 (Last modified on October 23, 2024) • 6 min read • 1,092 words

I recently had to re-install my beloved Arch Linux. For security I need (and use) full disk encryption. This is a cheatsheet for the whole procedure, because although the Arch Linux Wiki is excellent, it is also huge, and sometimes you must piece your stuff together from many pages.

This is what I am doing here.

NOTE: Usually you only have to follow the one subsection I link to!

One after another, we will do the following steps:
1. Use parted to init the disk and …

2. Basically, use the cryptsetup command to encrypt the main (big) partition. Because we want “properly” encrypted swap (you can also encrypt swap using a /dev/random key every time, but then you will not persist data between reboots and you can’t do things like suspend-to-disk), we need at least two “partitions” “inside” the crypted volume. Sounds like LVM on LUKS? It does. We already used it; the cryptsetup luksOpen happened before, usually in step 1 of the last section.

NOTE: Do not follow the above link down to “prepare the boot partition”, cause they use ext2 and we need FAT32 for EFI boot partitions. Just don’t.

I use the name “secure” for the VG, and I use btrfs cause I am so incredibly elite, and so we don’t need to set a specific size for the / and /home “partitions” and can just use btrfs subvolumes, while still being able to wipe the system without the home directories. That’s pretty neat if you need it (I never did, but now I can ;). So that’s the final setup:

```
/dev/mapper/secure-swap      40 GB, swap
/dev/mapper/secure-system    rest, btrfs with 2 subvols: root & home
```
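The partitioning, LUKS and LVM steps that the post only links to, written out as one script that produces exactly the layout above (FAT32 ESP, one LUKS partition, VG “secure” with a 40G swap LV and a system LV taking the rest). This is an added example, not the post’s own code: the disk path, the ESP size (512 MiB) and the mapper name `cryptlvm` are assumptions, and with the default `DRY_RUN=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: parted + cryptsetup + LVM for the layout
#   <disk>1  FAT32 EFI system partition (flag esp on), later mounted at /boot
#   <disk>2  LUKS container -> VG "secure" -> LV swap (40G) + LV system (rest)
# Assumptions: 512 MiB ESP, mapper name "cryptlvm" (arbitrary), disk given as
# argument. DRY_RUN=1 (default) prints the commands instead of touching a disk.

DRY_RUN="${DRY_RUN:-1}"

# run: echo the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# part DISK N: partition device name; /dev/sda -> /dev/sda1,
# /dev/nvme0n1 -> /dev/nvme0n1p1 (a "p" is inserted when the disk name ends in a digit).
part() {
    case "$1" in
        *[0-9]) echo "${1}p$2" ;;
        *)      echo "${1}$2" ;;
    esac
}

# layout DISK [VG] [SWAP_SIZE]: the whole procedure up to the point where
# /dev/mapper/secure-system gets its btrfs filesystem.
layout() {
    disk="$1"; vg="${2:-secure}"; swap_size="${3:-40G}"
    esp="$(part "$disk" 1)"; luks="$(part "$disk" 2)"

    # 1. GPT with an ESP (the "esp on" flag is what bootctl checks for) and
    #    one big partition that becomes the encrypted container.
    run parted -s "$disk" mklabel gpt
    run parted -s "$disk" mkpart ESP fat32 1MiB 513MiB
    run parted -s "$disk" set 1 esp on
    run parted -s "$disk" mkpart primary 513MiB 100%
    run mkfs.fat -F32 "$esp"

    # 2. Encrypt the big partition and open it (luksFormat asks for a passphrase).
    run cryptsetup luksFormat "$luks"
    run cryptsetup luksOpen "$luks" cryptlvm

    # 3. LVM on LUKS: fixed-size swap LV, the rest becomes the system LV.
    run pvcreate /dev/mapper/cryptlvm
    run vgcreate "$vg" /dev/mapper/cryptlvm
    run lvcreate -L "$swap_size" -n swap "$vg"
    run lvcreate -l 100%FREE -n system "$vg"
    run mkswap "/dev/mapper/${vg}-swap"
    # /dev/mapper/${vg}-system is formatted with btrfs in the next section.
}

# Usage: DRY_RUN=1 sh layout.sh /dev/sdX   (print only)
#        DRY_RUN=0 sh layout.sh /dev/sdX   (really partition and encrypt /dev/sdX)
if [ "$#" -ge 1 ]; then
    layout "$@"
fi
```

Run it once with the default dry run and read the printed commands before setting `DRY_RUN=0`; the only line that differs from the Arch wiki’s LVM-on-LUKS page is the fixed swap size, which is what makes suspend-to-disk work with persistent, encrypted swap.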
Of course, Arch already has a wiki page section for that. I did it 3 times in a different way until I found it and had to do it again. So here is my summary.

```
# CREATE BTRFS & SUBVOLUMES
$ mkfs.btrfs /dev/mapper/secure-system
$ mount /dev/mapper/secure-system /mnt
$ btrfs subvolume create /mnt/@
$ btrfs subvolume create /mnt/@home
$ btrfs subvolume create /mnt/@snapshots
$ umount /mnt

# MOUNT PARTITIONS
$ mount -o subvol=@ /dev/mapper/secure-system /mnt
$ mkdir -p /mnt/home /mnt/boot
$ mount -o subvol=@home /dev/mapper/secure-system /mnt/home
$ mount /dev/sda1 /mnt/boot
```

NOTE: /boot is not on an encrypted partition, and the leading “@” is a convention for subvolumes which should be mounted somewhere. I also don’t use compress=... parameters, cause I don’t need / want transparent compression.
Nowadays nobody uses LAN cables any more. And of course, with Arch you can do it over WiFi as well. This is the short form:

```
$ iwctl
[iwd] station list
# get the name of your "station" here
[iwd] station wlan0 scan
[iwd] station wlan0 get-networks
# see the list of networks
[iwd] station wlan0 connect NETWORK_NAME
```

Also useful: the IWD docs, and “Connecting to the internet” on the Arch Wiki.
Then you follow up with the usual installation procedure, but you stop at the “Initramfs” section. Here we will pick up again. In the chroot, this is what is needed and useful. (Yes, we’re installing multiple network managers, Linux “is about choice” …)

```
pacman -S lvm2 vim \
    iwd netctl dialog wpa_supplicant \
    networkmanager \
    dhclient \
    udev nano zsh sudo iproute2 net-tools \
    git
```
We are using systemd-boot. Or bootctl, as the binary is called. It should be already installed. The procedure is also outlined here. We also enable TRIM support (the rd.luks.options=discard below); it seems to lessen security, but it raises SSD performance and lifetime.

Install the microcode (Intel CPUs only) and run bootctl to install systemd-boot:

```
pacman -S intel-ucode
bootctl --path=/boot install
```

(If you get `File system ... has wrong type for EFI System Partition`, then you forgot `set 1 esp on` on your boot partition in parted during partitioning.) Now create/modify the files below. Remember: /mnt/boot should be a mounted directory, and since you’re in a chroot this should be /boot for you.
```
# /boot/loader/entries/arch.conf
title Arch Linux
linux /vmlinuz-linux
# the next line ONLY FOR INTEL CPUs!!
initrd /intel-ucode.img
initrd /initramfs-linux.img
options luks.uuid=FS_UUID root=/dev/mapper/secure-system rootflags=subvol=@ rd.luks.options=discard
```
Some hints:

- Use blkid to get the UUID. Take the UUID of the partition (/dev/sda2 or similar), and not the filesystem within!
- `gpm -m /dev/input/mice -t imps2` gives you a mouse in the console (for copy and paste); you may have to disable vim’s mouse support using `set mouse=` and `set ttymouse=`.
```
# /boot/loader/loader.conf
# "default" is the file above without the .conf extension, can have wildcards!!
default arch
timeout 2
editor 0
```
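The blkid hint above is the one place where it is easy to pick the wrong UUID: blkid prints the LUKS partition and, once the container is open, also the btrfs and swap filesystems inside it, and only the line with TYPE="crypto_LUKS" is the one luks.uuid= needs. The following script, an added example rather than something from the post, picks that UUID from blkid output and prints the entry file exactly as above. The blkid output in SAMPLE_BLKID is constructed, and the UUIDs in it are made up.

```shell
#!/bin/sh
# Added example: select the crypto_LUKS UUID from blkid output and print the
# systemd-boot entry. SAMPLE_BLKID is constructed sample data (made-up UUIDs).

SAMPLE_BLKID='/dev/sda1: UUID="1234-ABCD" TYPE="vfat" PARTLABEL="ESP" PARTUUID="11111111-0001"
/dev/sda2: UUID="7c0f5a9e-2d31-4d0e-9a0a-0000000000a2" TYPE="crypto_LUKS" PARTUUID="11111111-0002"
/dev/mapper/secure-system: UUID="9b3e1c2a-4444-5555-6666-0000000000b1" UUID_SUB="0000-0000" TYPE="btrfs"
/dev/mapper/secure-swap: UUID="5d6e7f80-7777-8888-9999-0000000000c1" TYPE="swap"'

# luks_uuid: read blkid output on stdin, print the UUID of the first
# crypto_LUKS device. Exits 1 if there is none (e.g. blkid run before
# luksFormat), so a caller cannot silently get an empty UUID.
luks_uuid() {
    grep 'TYPE="crypto_LUKS"' \
        | sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' \
        | head -n 1 \
        | grep .
}

# loader_entry UUID [intel]: print the entry as in the post; the
# intel-ucode initrd line is only emitted when "intel" is passed.
loader_entry() {
    printf 'title Arch Linux\n'
    printf 'linux /vmlinuz-linux\n'
    if [ "${2:-}" = "intel" ]; then
        printf 'initrd /intel-ucode.img\n'
    fi
    printf 'initrd /initramfs-linux.img\n'
    printf 'options luks.uuid=%s root=/dev/mapper/secure-system rootflags=subvol=@ rd.luks.options=discard\n' "$1"
}

# Demo on the constructed sample. In the chroot, with /boot mounted, the real
# thing is:
#   uuid="$(blkid | luks_uuid)" && loader_entry "$uuid" intel > /boot/loader/entries/arch.conf
uuid="$(printf '%s\n' "$SAMPLE_BLKID" | luks_uuid)"
loader_entry "$uuid" intel
```

Because `luks_uuid` fails instead of printing nothing, the `&&` in the usage line prevents an entry with an empty `luks.uuid=` from ever being written; an empty or wrong UUID is the usual reason the first boot after this procedure drops into the systemd emergency shell.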
```
# /etc/mkinitcpio.conf: just MODIFY that file, so that the HOOKS line is precisely this:
HOOKS=(base systemd autodetect modconf keyboard sd-vconsole block sd-encrypt sd-lvm2 filesystems fsck)
```

The key idea is to use the “systemd” hooks instead of the “normal” ones. The full list of hooks is of course also available, and the order is important.
Now execute:

```
mkinitcpio -p linux
```

If you run into `vmlinuz-linux - file not found` issues, just re-install `linux` and `intel-ucode` while making sure /boot is mounted.
We should be done here :) …

… but we’re paranoid:

- lvm2 installed? (if not: install it and run mkinitcpio again)
- iwd installed? (if not: no wifi in the final system)

Then you can safely …

```
$ reboot
```
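The paranoid checks, plus the hook order the mkinitcpio section says is important, as one pre-reboot script. This is an added example, not part of the post: it verifies that the HOOKS line has systemd, sd-encrypt, sd-lvm2 and filesystems in that relative order, that lvm2 and iwd show up in `pacman -Q`, and that something is mounted on /boot. Each check reads text on stdin so it can be tried on the constructed samples below; `--live` runs it against the real files in the chroot.

```shell
#!/bin/sh
# Added example: pre-reboot checks for the LUKS + LVM + btrfs + systemd-boot
# setup. The SAMPLE_* values are constructed input for trying the functions.

SAMPLE_CONF='# constructed /etc/mkinitcpio.conf excerpt
HOOKS=(base systemd autodetect modconf keyboard sd-vconsole block sd-encrypt sd-lvm2 filesystems fsck)'
LEGACY_CONF='HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems fsck)'
SWAPPED_CONF='HOOKS=(base systemd autodetect modconf block sd-lvm2 sd-encrypt filesystems fsck)'
SAMPLE_PKGS='iwd 2.3-1
linux 6.6.1-1
lvm2 2.03.22-1'
SAMPLE_MOUNTS='/dev/mapper/secure-system / btrfs rw,relatime,subvol=/@ 0 0
/dev/sda1 /boot vfat rw,relatime 0 0'

# hooks_ok: stdin is mkinitcpio.conf. Succeeds only if the HOOKS line lists
# systemd, sd-encrypt, sd-lvm2 and filesystems, each after the previous one:
# the sd-* hooks need the systemd hook, the LUKS container must be opened
# before LVM can find the VG, and both before filesystems are mounted.
hooks_ok() {
    hooks="$(sed -n 's/^HOOKS=(\(.*\))/\1/p' | tail -n 1)"
    [ -n "$hooks" ] || return 1
    last=0
    for h in systemd sd-encrypt sd-lvm2 filesystems; do
        pos=0; i=0
        for w in $hooks; do
            i=$((i + 1))
            if [ "$w" = "$h" ]; then pos=$i; break; fi
        done
        [ "$pos" -gt 0 ] || return 1        # hook missing
        [ "$pos" -gt "$last" ] || return 1  # hook out of order
        last=$pos
    done
    return 0
}

# missing_pkgs NAME...: stdin is `pacman -Q` output ("name version" per line).
# Prints every required package that is absent; succeeds only if none is.
missing_pkgs() {
    installed="$(awk '{print $1}')"
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$installed" | grep -qx "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# boot_mounted [MOUNTPOINT]: stdin is /proc/mounts; succeeds if something is
# mounted on the mount point (default /boot), i.e. the kernel and initramfs
# really land on the ESP instead of in a directory on the root subvolume.
boot_mounted() {
    awk -v mp="${1:-/boot}" '$2 == mp { found = 1 } END { exit !found }'
}

# precheck: run all three checks against the live system (inside the chroot).
precheck() {
    if hooks_ok < /etc/mkinitcpio.conf; then echo "hooks: ok"; else echo "hooks: MISSING OR OUT OF ORDER"; fi
    if m="$(pacman -Q | missing_pkgs lvm2 iwd)"; then echo "packages: ok"; else echo "packages missing: $m"; fi
    if boot_mounted /boot < /proc/mounts; then echo "/boot: mounted"; else echo "/boot: NOT MOUNTED"; fi
}

if [ "${1:-}" = "--live" ]; then
    precheck
fi
```

Usage in the chroot is `sh precheck.sh --live`; a failed hooks check means rerunning `mkinitcpio -p linux` after fixing the line, and a missing /boot mount means the initramfs you just built is sitting on the root subvolume where systemd-boot will never find it.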