How to install Arch Linux with Full Disk Encryption

In today's tutorial we are going to install Arch Linux with full disk encryption.

Before we proceed, back up your existing data: the first step below overwrites the whole disk.

In the previous tutorial we learnt what dm-crypt and LUKS are and how to encrypt a single disk partition. Today we take a slightly different approach: we encrypt the whole disk with dm-crypt/LUKS and install Arch Linux on it.

Let's start by erasing the disk. Run lsblk to find your primary disk and replace /dev/sda throughout where needed:

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sda

I ran the above command with '--iterations=15' on my 120GB SSD overnight and it finished after 7 hours.

One pass of random data is all that matters for our purpose: it leaves the disk uniformly random, so afterwards nobody can tell how much of it holds ciphertext. Extra passes add nothing on an SSD and only wear the flash.

Once done, partition the disk. This tutorial installs GRUB for BIOS booting (grub-install to the MBR of /dev/sda later on), so pick the 'dos' (MBR) label when cfdisk asks; the 'primary' and 'Bootable' choices below only exist with that label. A machine that boots in UEFI mode needs a 'gpt' label, an EFI system partition and the UEFI variant of GRUB instead, which this post does not cover. Start cfdisk with:

cfdisk /dev/sda

After that create boot loader partition:

New-> Partition Size: 100M -> primary -> Bootable

The last one will be the root partition. The partition size should be automatically set to your remaining free space.

New-> Partition Size: xxxGB -> primary

Write the changes and quit from cfdisk.

In order to boot from an encrypted root partition, the boot loader partition /dev/sda1 (mounted at /boot) stays unencrypted: GRUB, the kernel and the initramfs live there in cleartext, so strictly speaking what you get is an encrypted root rather than full disk encryption, and anyone with physical access could tamper with /boot. I will place a couple of links at the end of this post that show how to encrypt /boot as well, or even move it to a CD/DVD/USB.

Create the LUKS container on the root partition. AES in XTS mode needs a 512-bit key (XTS splits it into two 256-bit AES keys), SHA-512 is used for the header hash, --iter-time 5000 makes cryptsetup tune the passphrase derivation to take about five seconds on this machine (which slows down offline guessing of the passphrase by the same factor), and --use-random draws the master key from /dev/random. You will be asked for the passphrase twice; if you lose it the data is gone, there is no recovery. The same command still works with current cryptsetup, which writes a LUKS2 header by default:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

Unlock the partition; cryptroot is the device-mapper name we will operate on from here, and the unlocked device appears as /dev/mapper/cryptroot:

cryptsetup open --type luks /dev/sda2 cryptroot
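Before putting a file system on the container it is worth confirming that the header actually carries the parameters you asked for (an older cryptsetup, or a typo, gives you its defaults, which used to be 256-bit aes-cbc-essiv:sha256 with sha1). cryptsetup luksDump /dev/sda2 prints the header. The script below is an added example, not part of the original post: it parses that output (both the LUKS1 layout this command produced at the time and the LUKS2 layout current cryptsetup writes), checks cipher, key size and hash against the values above, and reports the lowest key-slot iteration count of a LUKS1 header. The sample dumps inside it are constructed for the example, with salts, digests and UUIDs left out.

```sh
#!/bin/sh
# luks_policy_check.sh - check a LUKS header against the parameters the
# luksFormat command above asks for: aes-xts-plain64, a 512-bit key and,
# for LUKS1 headers, sha512. Added example, not part of the original post.
# Real use inside the installer or chroot (needs root):
#   cryptsetup luksDump /dev/sda2 | sh luks_policy_check.sh --stdin

# luks_fields DUMP -> "VERSION CIPHER KEYBITS HASH" parsed from luksDump text.
# Handles the LUKS1 layout (Cipher name/mode, MK bits, Hash spec) and the
# LUKS2 layout (cipher: in the data segment, Cipher key:/AF hash: in a slot).
luks_fields() {
    printf '%s\n' "$1" | awk '
        /^Version:/                     { ver = $2 }
        /^Cipher name:/                 { cname = $3 }
        /^Cipher mode:/                 { cmode = $3 }
        /^Hash spec:/                   { hash1 = $3 }
        /^MK bits:/                     { bits1 = $3 }
        /^[ \t]*cipher:/ && !cipher2    { cipher2 = $2 }
        /^[ \t]*Cipher key:/ && !bits2  { bits2 = $3 }
        /^[ \t]*AF hash:/ && !hash2     { hash2 = $3 }
        END {
            if (ver == "1") print ver, cname "-" cmode, bits1, hash1
            else            print ver, cipher2, bits2, hash2
        }'
}

# luks_policy_ok DUMP -> 0 when the header meets the policy; each violation
# is reported on stderr and the function returns 1.
luks_policy_ok() {
    set -- $(luks_fields "$1")
    _ver=$1 _cipher=$2 _bits=${3:-0} _hash=$4 _rc=0
    [ "$_cipher" = aes-xts-plain64 ] || { echo "cipher is '$_cipher', want aes-xts-plain64" >&2; _rc=1; }
    [ "$_bits" -ge 512 ] || { echo "key is $_bits bits, want 512" >&2; _rc=1; }
    if [ "$_ver" = 1 ]; then
        [ "$_hash" = sha512 ] || { echo "hash is '$_hash', want sha512" >&2; _rc=1; }
    fi
    return $_rc
}

# min_keyslot_iterations DUMP -> smallest PBKDF2 iteration count over the
# ENABLED key slots of a LUKS1 header (the value --iter-time 5000 raises).
# Prints nothing for LUKS2, whose slots use argon2id time/memory cost instead.
min_keyslot_iterations() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/  { on = 1; next }
        /^Key Slot [0-9]+: DISABLED/ { on = 0; next }
        on && /^[ \t]*Iterations:/   { if (min == "" || $2 + 0 < min) min = $2 + 0 }
        END { print min }'
}

# Constructed sample dumps (real output separates columns with tabs; salts,
# digests and UUIDs are omitted). The first matches the luksFormat command above.
SAMPLE_LUKS1_GOOD='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK iterations:  81250

Key Slot 0: ENABLED
        Iterations:          325000
        Key material offset: 8
        AF stripes:          4000
Key Slot 1: DISABLED'

# Old cryptsetup defaults: 256-bit aes-cbc-essiv:sha256, sha1, few iterations.
SAMPLE_LUKS1_WEAK='Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
MK bits:        256

Key Slot 0: ENABLED
        Iterations:          1024
Key Slot 1: DISABLED'

SAMPLE_LUKS2_GOOD='LUKS header information
Version:        2

Data segments:
  0: crypt
        cipher: aes-xts-plain64
        sector: 512 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
        PBKDF:      argon2id
        AF hash:    sha256'

if [ "${1:-}" = --stdin ]; then
    _dump=$(cat)
    luks_policy_ok "$_dump" && echo "header OK: $(luks_fields "$_dump")"
    exit $?
fi
for _n in SAMPLE_LUKS1_GOOD SAMPLE_LUKS2_GOOD SAMPLE_LUKS1_WEAK; do
    eval "_d=\$$_n"
    if luks_policy_ok "$_d"; then echo "$_n: accepted"; else echo "$_n: rejected"; fi
done
```

Run without arguments it exercises the three constructed samples and rejects the weak one; with --stdin it checks whatever luksDump prints on the real partition. A LUKS1 header with a key-slot iteration count in the low thousands means the --iter-time setting did not take effect and the slot is cheap to brute-force.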

Create the boot and root file systems:

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/mapper/cryptroot

Mount them:

mount -t ext4 /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mount -t ext4 /dev/sda1 /mnt/boot

Install the base system and base-devel (which brings in sudo). On current Arch the base package no longer pulls in a kernel, so add linux and linux-firmware, and add dhcpcd as well since the post-install steps below rely on it:

pacstrap -i /mnt base base-devel linux linux-firmware dhcpcd

Generate the fstab:

genfstab -U -p /mnt >> /mnt/etc/fstab

Chroot to configure the base system:

arch-chroot /mnt

Uncomment the en_US locale:

sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen

Generate the locale:

locale-gen

Create the configuration file that tells the system which locale to use:

echo LANG=en_US.UTF-8 > /etc/locale.conf

Export the locale:

export LANG=en_US.UTF-8

Create a symbolic link for the desired time zone (replace Europe/Berlin with yours; -f overwrites a link that is already there):

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Set the hardware clock to UTC:

hwclock --systohc --utc

Set the desired hostname:

echo CookieMonster > /etc/hostname

Set the root password:

passwd

Add a system user:

useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username

Set the system user password:

passwd username

Install the boot loader GRUB and os-prober (sudo is part of base-devel and is already present, listing it again is harmless; the package was called grub-bios when this post was written and is now simply grub):

pacman -S sudo grub os-prober

Allow members of the wheel group (which our user is in) to run commands as root through sudo:

EDITOR=nano visudo

Press CTRL + W, search for wheel and uncomment the following line (newer sudoers files spell it %wheel ALL=(ALL:ALL) ALL; either form grants the same):

%wheel ALL=(ALL) ALL

Add the cryptdevice kernel parameter to GRUB_CMDLINE_LINUX in /etc/default/grub so that the initramfs can find and unlock the LUKS root during startup. The value is the encrypted partition followed by the mapper name used when unlocking it:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot"

Referring to the partition by UUID (cryptdevice=UUID=<uuid of /dev/sda2>:cryptroot, the UUID comes from blkid or lsblk -f) is more robust, since /dev/sdX names can change when you add a disk or plug in a USB stick.

Add the encrypt hook to the HOOKS line in /etc/mkinitcpio.conf. Order matters: encrypt must come after block (the partition has to exist before it can be unlocked) and before filesystems (the root is mounted from the unlocked mapping), and keyboard should precede encrypt so that a USB keyboard works at the passphrase prompt, for example:

HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)

Since we added a new hook to the mkinitcpio configuration, regenerate the initramfs image:

mkinitcpio -p linux

Install GRUB to the MBR of the disk and generate its configuration file; afterwards check that /boot/grub/grub.cfg contains your cryptdevice= parameter on the linux line, otherwise the initramfs will not know what to unlock:

grub-install --recheck /dev/sda
grub-mkconfig --output /boot/grub/grub.cfg
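The two edits above are the ones people most often get wrong: the hook lands in the wrong place, or cryptdevice= is added to GRUB_CMDLINE_LINUX_DEFAULT instead of GRUB_CMDLINE_LINUX, and the first sign is the initramfs dropping to its emergency shell after reboot because /dev/mapper/cryptroot does not exist. The script below is an added example, not part of the original post: its functions insert the encrypt hook directly before filesystems, append the cryptdevice parameter inside the quotes of GRUB_CMDLINE_LINUX, and verify both, idempotently, on whatever files you point them at, so you can rehearse on copies before editing /etc. The file paths, device and mapper name are arguments; /dev/sda2 and cryptroot in the comments are the tutorial's values.

```sh
#!/bin/sh
# crypt_boot_config.sh - make and verify the two edits this step needs: the
# 'encrypt' hook in the mkinitcpio HOOKS line (after 'block', before
# 'filesystems') and cryptdevice=DEVICE:NAME in GRUB_CMDLINE_LINUX. Added
# example, not part of the original post. Paths are arguments so the edits
# can be rehearsed on copies; real use inside the chroot (needs root):
#   . ./crypt_boot_config.sh
#   add_encrypt_hook /etc/mkinitcpio.conf
#   set_cryptdevice /etc/default/grub /dev/sda2 cryptroot   # or UUID=<uuid>
#   boot_config_ok /etc/mkinitcpio.conf /etc/default/grub /dev/sda2 cryptroot
# then run mkinitcpio -p linux and grub-mkconfig as the post describes.

# hooks_line FILE -> the HOOKS=... line of a mkinitcpio.conf
hooks_line() { grep '^HOOKS=' "$1"; }

# has_hook FILE HOOK -> 0 if HOOK is listed (exact match, so 'encrypt' does
# not match 'sd-encrypt'); quotes/parentheses around the list are ignored
has_hook() {
    hooks_line "$1" | tr -d '()"' | sed 's/^HOOKS=//' | awk -v h="$2" '
        { for (i = 1; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }'
}

# hooks_order_ok FILE -> 0 only if block, encrypt and filesystems are all
# present and appear in that order
hooks_order_ok() {
    hooks_line "$1" | tr -d '()"' | sed 's/^HOOKS=//' | awk '
        { for (i = 1; i <= NF; i++) pos[$i] = i }
        END {
            if (!("block" in pos) || !("encrypt" in pos) || !("filesystems" in pos)) exit 1
            exit !(pos["block"] < pos["encrypt"] && pos["encrypt"] < pos["filesystems"])
        }'
}

# add_encrypt_hook FILE -> insert encrypt directly before filesystems; no-op
# when the hook is already listed, so it is safe to run twice
add_encrypt_hook() {
    has_hook "$1" encrypt && return 0
    sed 's/^\(HOOKS=.*[ (]\)filesystems/\1encrypt filesystems/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# cmdline_has_cryptdevice FILE DEVICE NAME -> 0 if GRUB_CMDLINE_LINUX carries it
cmdline_has_cryptdevice() {
    grep -q "^GRUB_CMDLINE_LINUX=\".*cryptdevice=$2:$3" "$1"
}

# set_cryptdevice FILE DEVICE NAME -> append cryptdevice=DEVICE:NAME inside the
# quotes of GRUB_CMDLINE_LINUX (only that line is touched), unless already there
set_cryptdevice() {
    cmdline_has_cryptdevice "$1" "$2" "$3" && return 0
    sed -e '/^GRUB_CMDLINE_LINUX=/{' \
        -e "s|^GRUB_CMDLINE_LINUX=\"\(.*\)\"|GRUB_CMDLINE_LINUX=\"\1 cryptdevice=$2:$3\"|" \
        -e 's|=" |="|' \
        -e '}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# boot_config_ok MKINITCPIO_CONF GRUB_DEFAULT DEVICE NAME -> 0 when both are ready
boot_config_ok() {
    hooks_order_ok "$1" && cmdline_has_cryptdevice "$2" "$3" "$4"
}

# --demo: rehearse on throwaway copies with the tutorial's values
if [ "${1:-}" = --demo ]; then
    _t=$(mktemp -d)
    printf 'HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)\n' > "$_t/mkinitcpio.conf"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$_t/grub"
    add_encrypt_hook "$_t/mkinitcpio.conf"
    set_cryptdevice "$_t/grub" /dev/sda2 cryptroot
    cat "$_t/mkinitcpio.conf" "$_t/grub"
    boot_config_ok "$_t/mkinitcpio.conf" "$_t/grub" /dev/sda2 cryptroot && echo "boot config OK"
    rm -rf "$_t"
fi
```

The functions only edit the configuration; mkinitcpio -p linux and grub-mkconfig still have to be run afterwards, and the generated /boot/grub/grub.cfg should then contain the cryptdevice= string.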

Exit the chroot, unmount the partitions, close the LUKS device and reboot (remove the installation media):

exit
umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot
systemctl reboot

After the reboot GRUB loads the kernel from the unencrypted /boot, the initramfs asks for the LUKS passphrase and only then mounts the root. Log in as the system user and start dhcpcd (it has to be installed already; on current Arch it is not part of base):

sudo systemctl start dhcpcd
ping -c2 youtube.com

Install Xorg and copy the default xinitrc into your home directory (xorg-server-utils, listed here originally, has since been split up into the xorg-apps group):

sudo pacman -S xorg-server xorg-apps xorg-xinit mesa xterm xorg-twm xorg-xclock
cp /etc/X11/xinit/xinitrc ~/.xinitrc

The Arch wiki page on Xorg lists the GPU driver packages, check it out at https://wiki.archlinux.org/index.php/xorg#Driver_installation and, if your GPU is AMD/ATI, Intel or NVIDIA, install the appropriate driver from there.

Type startx and you should see a couple of terminals side by side; type exit to leave again.

Comment out the twm, xclock and xterm lines at the end of .xinitrc and add a line that starts the Xfce desktop environment after a successful login:

exec startxfce4

Install Xfce, an external display manager and NetworkManager (slim has been unmaintained upstream for years; if pacman cannot find it, pick a maintained display manager such as lightdm instead):

sudo pacman -S slim archlinux-themes-slim xfce4 networkmanager network-manager-applet

Change the slim theme by setting current_theme in /etc/slim.conf to one of the themes shipped by archlinux-themes-slim:

Stop dhcpcd (NetworkManager takes over, and the two must not manage the same interface at once), enable NetworkManager and slim, then startx:

sudo systemctl stop dhcpcd
sudo systemctl enable NetworkManager
sudo systemctl enable slim
startx

That was it, hope you enjoyed this post.

If you ever break your system and have to chroot into it from removable media, the order is:

cryptsetup open --type luks /dev/sda2 cryptroot
mount -t ext4 /dev/mapper/cryptroot /mnt
mount -t ext4 /dev/sda1 /mnt/boot
arch-chroot /mnt

To unmount them:

umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot

The promised links (read the 8th and 9th carefully if you have an SSD):

Comments

By: Norman

I will give Arch Linux a try and your tutorial will be really helpful in this case, thank you. Crossing my fingers that I won't screw up any of the above steps :)

By: Martin P.

Instead of the above, take a look at MSED:http://www.r0m30.com/msed

By: Norman

Hello Martin,

What you are promoting is a project that is one year old, still in beta and has only one developer, no contributors whatsoever. If the person decides to abandon the project, what are we going to do? dm-crypt and LUKS became the de facto encryption and part of the kernel development (citing the guy from the other tutorial) a long time ago. If you don't trust the crypto API built into the kernel, then don't try to invent your own crypto (that is rule number one). We all know that the kernel development is the biggest collaboration project in existence. If one dev decides to step down he will be replaced pretty quickly. I don't have to mention that a lot of huge companies are contributing and even hiring people to work on the kernel development as their products depend a lot on the kernel.

I don't have so much personal free time to read the different wikis, that's why tutorials like this one are a godsend.

By: anonymous

Using chroot

Mount the temporary API filesystems:

# cd /mnt/arch
# mount -t proc proc proc/
# mount --rbind /sys sys/
# mount --rbind /dev dev/

And optionally:

# mount --rbind /run run/

The above is copied from: https://wiki.archlinux.org/index.php/Change_root

It is a good idea to add them to the mounting section, including the /run part, since it is needed for the grub-mkconfig command, issued later on in the installation procedure, to run smoothly.

By: Anonymouse

 @anonymous

arch-chroot and chroot are two different ways to 'chroot' your file system(s), and it has been well described in the link provided by you.

Even in Gentoo you have the same options, you can use arch-chroot or chroot, the choice is up to you.

By: PictoPirate

Hi,

I've been looking for a good tutorial for setting up full disk encryption for a while, so thanks for this. I'm making an Arch server so I have a whole bunch of partitions rather than just the 2 mentioned above:

(parted) mkpart primary ext4 1MiB 200MiB
(parted) set 1 boot on
(parted) mkpart primary ext4 200MiB 40GiB
(parted) mkpart primary linux-swap 40GiB 50GiB
(parted) mkpart primary ext4 50GiB 150GiB
(parted) mkpart primary ext4 150GiB 100%

So my question is how do I need to modify the "cryptsetup open --type luks /dev/sda2 cryptroot" command to cover all of my partitions?

 

Cheers

 

Picto

By: Tony

This worked perfectly! The only thing I had to do was add the "lvm2" hook since I am using LVM partitions for my system, on top of a LUKS partition.

Thank you very much for posting this!

By: David

Thanks a lot! :)

By: Jrx

Hi,

It is not full disk encryption. The boot partition is not encrypted. This article should be fixed; it is possible to encrypt the boot partition as well. The dedicated GRUB2 module for LUKS can be used to prepare a real full disk encryption solution.

By: Andrew

Maybe you'd be kind of enough to write a tutorial explaining those additional steps for the rest of us. 

By: Andrew

I don't know if these steps no longer apply to modern Arch (in which case perhaps it's time to pull this article?); however, none of the partitioning steps match reality for the menus given:

"New-> Partition Size: 100M -> primary -> Bootable"

Where can I select primary? Bootable? There are no options for that.

By: douglas

I just wanted to point out that overwriting your SSD with random data 15 times will serve no purpose except for reducing its life. SSDs are not HDs, if you just write random data once, it's just as good, even if you just write zeroes once it's just as good. But you can go with random if you are paranoid. In fact, I'm not aware of any instances where a single random pass would make it possible to recover data on HDs. Writing predictable patterns is problematic because they are not digital and some expensive equipment might be used to see if it's closer to 0 or 1, then take into account the pattern, then conclude what bit it likely was.

By: dex

Hi,

I have full disk encryption working - however AES_NI was disabled in my BIOS for the setup. Is there a way to use AES_NI to decrypt to speed up the boot time?

Cheers,

D

By: Jeremiah

This is NOT full disk encryption. You clearly do not encrypt the boot partition at all.

By: Alex.C

Hello, good article design, is this up to date 13/07/2019 ?

By: Sergei Morozov

> pacstrap -i /mnt base base-devel

Additionally the `linux` and `linux-firmware` will need to be installed. See https://wiki.archlinux.org/title/Installation_guide#Install_essential_packages.