Post

Archinstallencrypt

Posted
By Derrek Landauer
13 min read
Archinstallencrypt

📖 Arch Linux Installation Guide with Full Root Encryption

This guide provides a step-by-step process for installing Arch Linux with full root partition encryption using LUKS and GRUB. It covers two methods: a fresh install (recommended, now split into multiple sections) and encrypting an existing installation. It builds on the Arch Wiki Installation Guide.

📋 General Assumptions

  • Installer: Booted into the Arch Linux ISO live environment.
  • Secure Boot: Disabled and in setup mode.
  • Bootloader: GRUB with UEFI.
  • /boot: Unencrypted, separate from root (/).
  • Root Partition (/): Encrypted with LUKS.
  • Hardware: UEFI system with sufficient disk space.
  • Network: Internet access required.
  • Backup: Critical data is backed up.

⚠️ Warning: Partitioning and encryption modify your disk. Backup all data and verify device names (e.g., /dev/nvme0n1pX) with lsblk -f.

🛠️ Section 1: Configure Installer Environment

Set up the Arch ISO live environment.

1.1 Set Console Keyboard Layout and Font

1
2

loadkeys us
setfont ter-116n  # Optional

List options if needed:

1
2

ls /usr/share/kbd/keymaps/**/*.map.gz
ls /usr/share/kbd/consolefonts/

1.2 Verify Boot Mode

Confirm UEFI mode:

1

ls /sys/firmware/efi/efivars

If empty, enable UEFI in BIOS.

1.3 Connect to the Internet

Wired (DHCP):

1

systemctl start dhcpcd

Wi-Fi:

This assumes the device name is wlan0. run iwctl device list for your hardware situation.

1
2
3
4
5
6
7

iwctl
device list
station wlan0 scan
station wlan0 get-networks
station wlan0 connect "SSID"
station wlan0 show
exit

Test:

1

ping archlinux.org

1.4 Update System Clock

1
2

timedatectl set-ntp true
timedatectl status

🗂️ Section 2: Partition the Disk

Configure the disk for UEFI with GPT.

2.1 Partition Layout

Mount PointPartitionPartition TypeSuggested Size
/boot/efi/dev/nvme0n1p1EFI System Partition1 GiB
/boot/dev/nvme0n1p2Linux Filesystem1 GiB
[SWAP]/dev/nvme0n1p3Linux SwapAt least 4 GiB
//dev/nvme0n1p4Linux x86-64 Root (/)23–32 GiB or remainder

2.2 Create Partitions

🗂️ Section 2: Partition the Disk

Partition /dev/nvme0n1 for UEFI with GPT to support LUKS encryption and GRUB. A separate EFI partition is required for UEFI booting.

CRITICAL WARNING: Partitioning erases all data on /dev/nvme0n1. Back up all data to an external drive. Run lsblk -f to confirm /dev/nvme0n1. Wrong disk = data loss. To encrypt existing Arch, skip to Section 8. For recovery, see Section 10.

2.1 Verify Disk

1

lsblk -f

Example:

1
2
3
4
5
6

NAME        FSTYPE       LABEL  UUID                                 MOUNTPOINT
nvme0n1
├─nvme0n1p1 vfat                <UUID>                             [none]
├─nvme0n1p2 ext4                <UUID>                             [none]
├─nvme0n1p3 swap                <UUID>                             [none]
└─nvme0n1p4 crypto_LUKS         <UUID>                             [none]

If partitions exist and you need them, stop. Use Section 8 or 10. Proceed only for fresh install.

2.2 Create Partitions

Here’s your revised section with corrected fdisk commands for GPT, cleaned up formatting, and fixed partition type assignments:

1

fdisk /dev/nvme0n1

In fdisk (GPT setup):

  1. Create a new GPT partition table:

    1

    Command (m for help): g

  2. EFI System Partition (for UEFI bootloader like grubx64.efi):

    1
2
3
4
5
6
7

    Command (m for help): n
Partition number: 1
First sector: (press Enter)
Last sector: +1G
Command (m for help): t
Partition number: 1
Partition type: 1  # or type `L` and select "EFI System"

  3. Boot Partition (for kernel and initramfs, unencrypted):

    1
2
3
4
5
6
7

    Command (m for help): n
Partition number: 2
First sector: (press Enter)
Last sector: +1G
Command (m for help): t
Partition number: 2
Partition type: Linux filesystem

  4. Swap Partition (virtual memory, may be encrypted later):

    1
2
3
4
5
6
7

    Command (m for help): n
Partition number: 3
First sector: (press Enter)
Last sector: +4G
Command (m for help): t
Partition number: 3
Partition type: Linux swap

  5. Root Partition (encrypted root filesystem, /):

    1
2
3
4
5
6
7

    Command (m for help): n
Partition number: 4
First sector: (press Enter)
Last sector: (press Enter to use remaining space)
Command (m for help): t
Partition number: 4
Partition type: Linux filesystem

  6. Write changes and exit:

    1

    Command (m for help): w

Verify layout:

1

fdisk -l /dev/nvme0n1

Expected output:

1
2
3
4

/dev/nvme0n1p1  ... 1G EFI System
/dev/nvme0n1p2  ... 1G Linux filesystem
/dev/nvme0n1p3  ... 4G Linux swap
/dev/nvme0n1p4  ...    Linux filesystem

Partition Layout Summary

Mount PointPartitionTypeSize
/boot/efi/dev/nvme0n1p1EFI System (FAT32)1 GiB
/boot/dev/nvme0n1p2Linux (ext4)1 GiB
[SWAP]/dev/nvme0n1p3Linux Swap4 GiB
//dev/nvme0n1p4Linux (ext4)Remainder

2.3 Format Partitions (Non-Encrypted)

1
2

mkfs.fat -F32 /dev/nvme0n1p1  # EFI
mkfs.ext4 /dev/nvme0n1p2      # Boot

Swap and root will be formatted later (after encryption setup, if used).

Note: A separate /boot/efi (FAT32) is required for UEFI systems to store the bootloader (grubx64.efi). The unencrypted /boot (ext4) holds the kernel and initramfs. A single /boot is not recommended due to UEFI compatibility constraints and FAT32’s 4 GiB file size limitation.

🔐 Section 3: Method 1 – Set Up LUKS Encryption

Set up LUKS encryption for the root partition.

3.1 Encrypt Root Partition

1
2
3

cryptsetup luksFormat /dev/nvme0n1p4
cryptsetup open /dev/nvme0n1p4 cryptroot
mkfs.ext4 /dev/mapper/cryptroot

3.2 Configure Swap (Optional Encryption)

  • Unencrypted Swap:
1
2

mkswap /dev/nvme0n1p3
swapon /dev/nvme0n1p3
  • Encrypted Swap (random key per boot):
1
2
3

cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1p3 cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap

📂 Section 4: Method 1 – Mount Filesystems and Install Base System

Mount partitions and install the base system.

4.1 Mount Filesystems

1
2
3
4
5

mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/nvme0n1p2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi

4.2 Install Base System

1
2
3
4

pacstrap /mnt base linux linux-firmware base-devel \
vim sudo networkmanager man-db man-pages bash-completion \
inetutils grub efibootmgr mkinitcpio lvm2 \
dosfstools e2fsprogs

🧠 Why Each Package Matters

PackagePurpose
baseCore system utilities
linuxKernel
linux-firmwareFirmware for wireless/network/GPU devices
base-develNeeded to build AUR packages with makepkg (e.g., for yay)
vimText editor (available in ISO unlike nano)
sudoPrivilege escalation for your user
networkmanagerVersatile networking daemon
man-dbman command
man-pagesSystem manual pages
bash-completionTab completion for bash
inetutilsProvides hostname, ping, and other basic networking tools
grubRequired for bootloader installation
efibootmgrNeeded for EFI bootloader setup
mkinitcpioBuilds the initramfs (hook system for encryption, filesystems, etc.)
lvm2Required if using or unlocking LVM volumes (even on encrypted systems)
dosfstoolsNeeded to format EFI partition with mkfs.fat -F32
e2fsprogsIncludes fsck, mkfs.ext4, and tools for ext4 filesystems

4.3 Generate fstab

1

genfstab -U /mnt >> /mnt/etc/fstab

Add encrypted swap (if used):

1

echo "/dev/mapper/cryptswap  none  swap  sw  0  0" >> /mnt/etc/fstab

Verify /mnt/etc/fstab:

1

/dev/mapper/cryptroot  /  ext4  defaults  0  1

⚙️ Section 5: Method 1 – Configure System and Encryption

Configure the installed system and encryption settings.

5.1 Chroot and Set Up Basics

1

arch-chroot /mnt

Configure:

1
2
3
4
5
6
7
8

ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo "arch" > /etc/hostname
echo "127.0.0.1 localhost" >> /etc/hosts
passwd

5.2 Configure Encryption

Understood. Here’s a corrected version that uses vim, avoids suggesting tools Arch doesn’t include by default, and preserves your echo approach while warning about duplication risk:

5.2 Configure Encryption

Get the UUID of your encrypted root partition:

1

blkid -s UUID -o value /dev/nvme0n1p4

Append it to /etc/crypttab:

1

echo "cryptroot UUID=$(blkid -s UUID -o value /dev/nvme0n1p4) none luks" >> /etc/crypttab

If you’re re-running this guide or not sure, inspect the file to avoid duplicates:

1

vim /etc/crypttab

Make sure there’s only one cryptroot entry and that it matches the UUID of /dev/nvme0n1p4.

Encrypted Swap (Optional):

If you’re using encrypted swap with a random key per boot, add this:

1

echo "cryptswap /dev/nvme0n1p3 /dev/urandom swap" >> /etc/crypttab

Then check again:

1

vim /etc/crypttab

Remove any duplicate cryptswap or cryptroot entries. This prevents boot hangs or cryptsetup errors.

5.3 Configure Initramfs

Edit /etc/mkinitcpio.conf:

1

HOOKS=(base udev autodetect kms keyboard keymap consolefont modconf block encrypt filesystems fsck)

Regenerate:

1

mkinitcpio -P

🖥️ Section 6: Method 1 – Install and Configure GRUB

Set up GRUB for booting the encrypted system.

6.1 Install GRUB

1

pacman -S grub efibootmgr

6.2 Configure GRUB

1. Get the UUID of your encrypted root partition:

1

blkid -s UUID -o value /dev/nvme0n1p4

Example output:

1

e1c4fafe-73c5-47b9-bc91-5f1ae7a9ef10

2. Edit /etc/default/grub with that value hardcoded:

1

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=e1c4fafe-73c5-47b9-bc91-5f1ae7a9ef10:cryptroot root=/dev/mapper/cryptroot"

Install and generate config:

1
2

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

🔄 Section 7: Method 1 – Reboot and Verify

Finalize and verify the installation.

7.1 Exit and Reboot

1
2
3
4

exit
umount -R /mnt
swapoff -a  # If swap is active
reboot

7.2 Verify Installation

  • Confirm LUKS password prompt at boot.
  • Check mounts:
1
2

lsblk
# Verify /dev/mapper/cryptroot is mounted on /
  • Verify kernel parameters:
1
2

cat /proc/cmdline
# Should include cryptdevice=...

🔐 Section 8: Method 2 – Encrypt Existing Arch Installation

Encrypt an existing Arch Linux root partition.

8.1 Boot into Arch ISO

Boot the Arch ISO and check:

1

lsblk -f

Identify:

  • Root (/dev/nvme0n1p4).
  • Boot (/dev/nvme0n1p2).
  • EFI (/dev/nvme0n1p1).
  • Swap (/dev/nvme0n1p3).

8.2 Backup Root Filesystem

1
2
3

mount /dev/nvme0n1p4 /mnt
mkdir /backup
rsync -aAXv /mnt/ /backup/

⚠️ Verify backup.

8.3 Encrypt Root Partition

⚠️ Destroys root partition.

1
2
3
4

cryptsetup luksFormat /dev/nvme0n1p4
cryptsetup open /dev/nvme0n1p4 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt

8.4 Restore Backup

1
2
3

rsync -aAXv /backup/ /mnt/
mount /dev/nvme0n1p2 /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot/efi

8.5 Configure Encryption

Edit /mnt/etc/crypttab:

1

echo "cryptroot UUID=$(blkid -s UUID -o value /dev/nvme0n1p4) none luks" >> /mnt/etc/crypttab

Update /mnt/etc/fstab:

1

/dev/mapper/cryptroot  /  ext4  defaults  0  1

8.6 Chroot and Update System

1

arch-chroot /mnt

Edit /etc/mkinitcpio.conf:

1

HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt microcode filesystems fsck)

Regenerate:

1

mkinitcpio -P

8.7 Update GRUB

Edit /etc/default/grub:

1

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=$(blkid -s UUID -o value /dev/nvme0n1p4):cryptroot root=/dev/mapper/cryptroot"

Regenerate:

1

grub-mkconfig -o /boot/grub/grub.cfg

8.8 Exit and Reboot

1
2
3

exit
umount -R /mnt
reboot

8.9 Post-Boot Checks

  • Confirm LUKS prompt.
  • Verify mounts:
1

lsblk
  • Check kernel parameters:
1

cat /proc/cmdline

🔒 Section 9: Optional – Enable Secure Boot

  1. Install sbctl:
1

pacman -S sbctl
  1. Create and enroll keys:
1
2

sbctl create-keys
sbctl enroll-keys
  1. Sign binaries:
1
2

sbctl sign -s /boot/efi/EFI/GRUB/grubx64.efi
sbctl sign -s /boot/vmlinuz-linux

  1. Enable Secure Boot in BIOS and reboot.

  2. Verify:

1

sbctl status

🔧 Section 10: Notes and Troubleshooting

🔹 Common Boot Failures

  • Hangs after password prompt with /dev/mapper/cryptroot: clean

    • System may not be hung. It’s just slow or stuck on a failing service.
    • 👉 At GRUB, press e, add systemd.unit=multi-user.target at the end of the linux line, boot, and check systemctl blame and journalctl -xb.

  • Failed to start Remount Root and Kernel File Systems

    • Typically caused by:

      • Broken or duplicated lines in /etc/fstab
      • Missing cryptroot or cryptswap entries in /etc/crypttab
      • Mistyped UUIDs or invalid mapper devices

🔹 read swap header failed

  • If you’re using encrypted swap with a random key:

    1
2
3

    cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1p3 cryptswap
mkswap /dev/mapper/cryptswap
swapon /dev/mapper/cryptswap

  • ❌ Don’t try to mkswap inside the chroot unless the device was properly opened from the host.

  • fstab should use:

    1

    /dev/mapper/cryptswap none swap sw 0 0

  • crypttab should have:

    1

    cryptswap /dev/nvme0n1p3 /dev/urandom swap

🔹 Missing GRUB Files (e.g., grubx64.efi, core.efi)

  • This happens if pacstrap was done but /boot/efi wasn’t mounted, or if rsync skipped boot partitions.

  • Fix with:

    1
2

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

🔹 genfstab not found in chroot

  • It’s in the arch-install-scripts package, which may not be present in your installed system:

    1
2

    pacman -S arch-install-scripts
genfstab -U / >> /etc/fstab

🔹 fstab issues from nested or extra mounts

  • After copying from or mounting backup systems, you may find junk like:

    1

    UUID=xxxx /mnt/extra ext4 ...

    Remove it unless you explicitly want that mounted on boot.

🔹 Slow Boot Analysis

  • Use systemd-analyze to check boot time:

    1
2

    systemd-analyze
systemd-analyze blame

  • Common culprits:

    • NetworkManager-wait-online.service
    • Missing swap devices
    • Bad UUIDs

🛠️ Section 11: Post-Installation Setup

After installing Arch Linux with root encryption (Method 1 or Method 2), configure the system for daily use. This section covers setting up an AUR helper (yay), creating a user, enabling networking, and installing essential packages.

11.1 Create a User Account

Create a non-root user for security and daily use:

1
2

useradd -m -G wheel username  # Replace 'username' with your desired name
passwd username

Grant the user sudo privileges:

1
2

pacman -S sudo
EDITOR=nano visudo

Uncomment the line to allow wheel group sudo access:

1

%wheel ALL=(ALL:ALL) ALL

11.2 Enable Networking

Set up networking for the installed system (the live environment used dhcpcd or iwctl).

  • For wired connections (simple):

Install and enable dhcpcd:

1
2

pacman -S dhcpcd
systemctl enable dhcpcd@eth0  # Replace 'eth0' with your interface (check with 'ip link')
  • For versatile networking (wired and Wi-Fi):

Install NetworkManager:

1
2

pacman -S networkmanager
systemctl enable NetworkManager

Configure with nmtui (terminal UI) or nmcli:

1

nmtui  # Follow prompts to set up wired or Wi-Fi

Verify connectivity:

1

ping archlinux.org

11.3 Install an AUR Helper (yay)

The Arch User Repository (AUR) provides community packages. Install yay to manage AUR packages easily.

  1. Install dependencies:
1

pacman -S base-devel git
  1. Clone and build yay:
1
2
3
4

cd /tmp
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
  1. Verify yay installation:
1

yay --version
  1. Update system and AUR packages:
1

yay -Syu

Note: Run yay as your user, not root. Use yay -S package to install AUR packages (e.g., yay -S google-chrome).

11.4 Install Common Packages

Install essential tools for a functional system:

1

pacman -S vim bash-completion man-db man-pages texinfo

11.5 Additional Configuration

Enhance your system with optional tools and settings.

  • Enable automatic updates (optional):

Install pacman-contrib for package cache management:

1
2

pacman -S pacman-contrib
systemctl enable paccache.timer  # Cleans package cache weekly

Install auracle for lightweight AUR update checking:

1

yay -S auracle  # CLI tool to query AUR updates

Check for AUR updates manually:

1

auracle sync  # Lists available AUR package updates

To automate AUR update checks, create a systemd timer (optional):

  1. Create a script to check updates:
1

sudo vim /usr/local/bin/check-aur-updates.sh

Add:

1
2

#!/bin/bash
auracle sync

Save and exit (:wq in vim). Make it executable:

1

sudo chmod +x /usr/local/bin/check-aur-updates.sh
  1. Create a systemd service:
1

sudo vim /etc/systemd/system/aur-update-check.service

Add:

1
2
3
4
5

[Unit]
Description=Check for AUR updates
[Service]
Type=oneshot
ExecStart=/usr/local/bin/check-aur-updates.sh

Save and exit.

  1. Create a systemd timer:
1

sudo vim /etc/systemd/system/aur-update-check.timer

Add:

1
2
3
4
5
6
7

[Unit]
Description=Daily AUR update check
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target

Save and exit. Enable and start the timer:

1

systemctl enable --now aur-update-check.timer

Note: auracle sync only lists updates. To apply them, run yay -Syu as your user. The timer logs updates to /var/log/systemd (view with journalctl -u aur-update-check).

  • Set up a firewall (optional):
1
2
3

pacman -S ufw
systemctl enable ufw
ufw enable
  • Check system logs:
1

journalctl -b  # View boot logs for errors

11.6 Reboot

Reboot to ensure all services (e.g., networking, display manager) start correctly:

1

reboot
This post is licensed under CC BY 4.0 by the author.