Christian Bargmann

M.A. student in computer science. Living and working in Hamburg, Germany. Programming addicted. Loves coffee! 🍵❤️⚓

Install encrypted Arch Linux with LVM on EFI
Dec 7, 2018


I recently switched to Arch Linux and I am very satisfied with this decision. Below is a summary of how to install Arch Linux with the Logical Volume Manager (LVM) and an encrypted home partition.

USB flash installation media

First of all, download the latest Arch image from here.

On Linux run the following command, replacing /dev/sdx with your drive, e.g. /dev/sdb. (Do not append a partition number, so do not use something like /dev/sdb1):

dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx status=progress oflag=sync

On Windows, use a media creation tool like Rufus, USBwriter or win32diskimager. I highly recommend Rufus: its GUI is quite straightforward, and since it does not care whether the drive is properly formatted, it may be the easiest and most robust tool to use.

Install Arch Linux

  1. Set your keyboard layout: localectl --no-convert set-keymap de-latin1-nodeadkeys for a German keyboard, or search for your keymap using localectl list-keymaps | grep -i search_term, replacing search_term with your language code
  2. Use wifi-menu to connect to the network
  3. Visit https://www.archlinux.org/mirrorlist/ on another computer, generate mirrorlist
  4. Edit /etc/pacman.d/mirrorlist on the Arch computer and paste the faster servers
  5. Update package indexes: pacman -Syyy
  6. Create the EFI partition, 400MB is totally fine:

    fdisk /dev/nvme0n1

    * g (to create an empty GPT partition table)
    * n
    * 1
    * enter
    * +400M
    * t
    * 1 (For EFI)
    * w
    
  7. Create the boot partition:

    fdisk /dev/nvme0n1

    • n
    • 2
    • enter
    • +500M
    • w
  8. Create the LVM partition:

    fdisk /dev/nvme0n1

    * n
    * 3
    * enter
    * enter
    * t
    * 3
    * 31
    * w
    

Next, we are going to format our block devices with a file system:

  1. mkfs.fat -F32 /dev/nvme0n1p1
  2. mkfs.ext2 /dev/nvme0n1p2
  3. Set up encryption
    • cryptsetup luksFormat /dev/nvme0n1p3
    • cryptsetup open --type luks /dev/nvme0n1p3 lvm
  4. Set up lvm:
    • pvcreate --dataalignment 1m /dev/mapper/lvm
    • vgcreate tank /dev/mapper/lvm
    • lvcreate -L 50GB tank -n lv_root
    • lvcreate -L 400GB tank -n lv_home
    • modprobe dm_mod
    • vgscan
    • vgchange -ay
  5. mkfs.ext4 /dev/tank/lv_root
  6. mkfs.xfs /dev/tank/lv_home
  7. mount /dev/tank/lv_root /mnt
  8. mkdir /mnt/boot
  9. mkdir /mnt/home
  10. mount /dev/nvme0n1p2 /mnt/boot
  11. mount /dev/tank/lv_home /mnt/home
  12. pacstrap -i /mnt base
  13. genfstab -U -p /mnt >> /mnt/etc/fstab
  14. arch-chroot /mnt
  15. pacman -S base-devel grub efibootmgr dosfstools openssh os-prober mtools linux-headers linux-lts linux-lts-headers
  16. Edit /etc/mkinitcpio.conf and add encrypt lvm2 in between block and filesystems
  17. mkinitcpio -p linux
  18. mkinitcpio -p linux-lts
  19. nano /etc/locale.gen (uncomment en_US.UTF-8, or another language of your choice)
  20. locale-gen
  21. passwd (for setting root password)
  22. Edit /etc/default/grub: add cryptdevice=<PARTUUID>:tank to the GRUB_CMDLINE_LINUX_DEFAULT line. If using standard device naming, the option will look like this: cryptdevice=/dev/nvme0n1p3:tank
  23. mkdir /boot/EFI
  24. mount /dev/nvme0n1p1 /boot/EFI
  25. grub-install --target=x86_64-efi --bootloader-id=grub_uefi --recheck
  26. cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
  27. grub-mkconfig -o /boot/grub/grub.cfg
  28. Create a swap file (with half the size of your physical RAM):

    • fallocate -l 4G /swapfile
    • chmod 600 /swapfile
    • mkswap /swapfile
    • echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
  29. Set up the timezone: ln -sf /usr/share/zoneinfo/Region/City /etc/localtime

  30. Configure the hardware clock: hwclock --systohc

  31. Set up the network: echo myhostname > /etc/hostname

  32. cat << EOF > /etc/hosts
    127.0.0.1 localhost
    ::1       localhost
    127.0.1.1 myhostname.localdomain  myhostname
    EOF
    
  33. Install NetworkManager: pacman -S networkmanager network-manager-applet dialog

  34. Enable the DHCP client daemon: systemctl enable dhcpcd.service

  35. Enable the NetworkManager daemon: systemctl enable NetworkManager.service

  36. Add a DNS nameserver: edit /etc/resolv.conf and add a nameserver, for example 8.8.8.8

  37. Add a privileged user: groupadd username

  38. useradd -m -g initial_group -G wheel -s /bin/bash username, replace username with your account name

  39. Change the password of your new account: passwd username
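
A quick check of steps 16 and 22 above, as an added example that is not part of the original post. The function names (conf_value, check_hooks, check_cryptdevice, make_samples) are made up here and the sample files are constructed; a misordered HOOKS line or a missing cryptdevice option otherwise only shows up at the next boot, when the encrypted volume cannot be opened.

```sh
#!/bin/sh
# Added example: checks for steps 16 and 22. Sample files below are constructed.

# Print the value of the last uncommented VAR=... line, without quotes/parens.
conf_value() {  # $1 = file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "()\"'"
}

# Succeed only if HOOKS lists block, encrypt, lvm2, filesystems in that order.
check_hooks() {  # $1 = mkinitcpio.conf
    want="block encrypt lvm2 filesystems"
    for hook in $(conf_value "$1" HOOKS); do
        case "$want" in  # drop the next expected hook once it is seen
            "$hook"|"$hook "*) want=${want#"$hook"}; want=${want# } ;;
        esac
    done
    [ -z "$want" ]
}

# Succeed only if the kernel command line has cryptdevice=<device>:<name>
# (optionally followed by :options) with the expected mapper name.
check_cryptdevice() {  # $1 = /etc/default/grub, $2 = mapper name
    for arg in $(conf_value "$1" GRUB_CMDLINE_LINUX_DEFAULT); do
        case "$arg" in
            cryptdevice=?*:"$2"|cryptdevice=?*:"$2":*) return 0 ;;
        esac
    done
    return 1
}

# Write constructed sample configs into directory $1.
make_samples() {
    echo 'HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)' > "$1/good.conf"
    echo 'HOOKS=(base udev autodetect modconf block lvm2 encrypt filesystems)' > "$1/bad.conf"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=/dev/nvme0n1p3:tank"' > "$1/grub.good"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' > "$1/grub.bad"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in good.conf bad.conf; do
    if check_hooks "$tmp/$f"; then echo "$f: hook order ok"
    else echo "$f: encrypt lvm2 must sit between block and filesystems"; fi
done
for f in grub.good grub.bad; do
    if check_cryptdevice "$tmp/$f" tank; then echo "$f: cryptdevice ok"
    else echo "$f: cryptdevice=<device>:tank missing"; fi
done
rm -rf "$tmp"
```

Inside the chroot, call check_hooks /etc/mkinitcpio.conf before step 17 and check_cryptdevice /etc/default/grub tank before step 27 to test the real files.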

Install sudo and grant users of the wheel group the privilege to execute any command

  1. pacman -S sudo
  2. Edit /etc/sudoers and add/uncomment the line %wheel ALL=(ALL) ALL
  3. (Optional) Install microcode updates: pacman -S intel-ucode for Intel processors or amd-ucode for AMD processors. More info here
  4. Update and configure GRUB: grub-mkconfig -o /boot/grub/grub.cfg

Finish installation

  1. exit
  2. umount -a
  3. reboot

Congratulations! As soon as you restart your computer you will see a bootloader screen where you can start Arch. Then you can log in with your user data after entering your encryption password.

It makes sense to install additional applications at this point, such as a window manager like i3 or another shell like zsh.

Post Installation

Here are some quick steps to install xorg and i3, as well as zsh as an alternate shell:

Install xorg and i3 window manager

  • pacman -S xorg-server xorg-xinit xorg-xrandr
  • Install video drivers, see here
  • pacman -S i3
  • Edit .xinitrc and add exec i3 to start i3 via startx

Install zsh

  • pacman -S zsh
  • chsh -s $(which zsh)

