Archived view of sylvaindurand.org › arch-linux-with-full-encryption › index.gmi, captured on 2022-04-29 at 11:22:44.
Over the past years, I have installed Arch Linux several dozen times on different devices. This article allows me to easily find the steps to install the distribution on a Dell XPS 9300, with UEFI and full encryption of the whole computer.
Warning: the Arch Linux installation guide should remain your reference if you try to install on your own machine. Not only can the instructions evolve over time, but it alone will allow you to adapt the steps to your needs. It is, finally, something very instructive!
Download the installation image from the Arch Linux website.
Then insert a USB stick or micro SD card and find its device name with `fdisk -l`. You can then copy the image onto the key (all data on it will be lost) with:
```
sudo dd bs=4M if=<image.iso> of=/dev/<sdx> oflag=sync
```
After making sure Secure Boot is disabled in the firmware settings (required on most recent computers, as the Arch installation medium is not signed for it), boot the computer from the USB key: once launched, the installer is a simple terminal.
The keyboard uses an American layout by default. Being French, I use:
```
loadkeys fr-latin9
```
For the rest of the installation, we will need the Internet to retrieve the packages. To connect to a wifi network, we use (where [ssid] is the name of your access point):
```
iwctl station wlan0 connect [ssid]
```
Now that we are online, we also synchronise the computer's clock to avoid any time-related problems later on:
```
timedatectl set-ntp true
```
I format the disk into two partitions: a 100 MB boot partition, and a second one, filling the rest of the space, which holds the encrypted system. Of course, all existing data will be deleted! Note that the boot partition itself stays unencrypted: it holds the kernel, the microcode and the initramfs, which the firmware must be able to read before the passphrase can be asked for.
You can see which disks and partitions exist with `parted -l`.
First of all, in my case, I delete the previous UEFI boot entry (entry 0000 on my machine; running `efibootmgr` with no arguments lists the existing entries and their numbers):
```
efibootmgr -b 0 -B
```
In my case, the name of the main disk is `/dev/nvme0n1`. To partition it, I run:
```
wipefs -af /dev/nvme0n1
parted -s /dev/nvme0n1 mklabel gpt
parted -s /dev/nvme0n1 mkpart primary fat32 1MiB 100MiB
parted -s /dev/nvme0n1 set 1 esp on
parted -s /dev/nvme0n1 mkpart primary ext4 100MiB 100%
```
These two partitions are then formatted, creating a LUKS encrypted container on the second one (`--iter-time 100` caps the passphrase key-derivation benchmark at 100 ms, well below cryptsetup's default: unlocking at boot is faster, but an offline brute-force attack on the passphrase is correspondingly cheaper, so drop the option if you prefer the default):
```
mkfs.fat -F32 /dev/nvme0n1p1
cryptsetup -y -v luksFormat --iter-time 100 /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 cryptroot
mkfs.ext4 /dev/mapper/cryptroot
```
Finally, we mount these partitions with:
```
mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
```
We use `pacstrap` to install the minimal system on our partition, and create the `fstab` file. I add `iwd` to have wifi on reboot, and `intel-ucode` for Intel processors:
```
pacstrap /mnt base linux linux-firmware iwd intel-ucode
genfstab -U /mnt >> /mnt/etc/fstab
```
You then enter the newly created system with:
```
arch-chroot /mnt
```
You choose your time zone, language, and keyboard with commands like this:
```
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc
echo "LANG=fr_FR.UTF-8" > /etc/locale.conf
echo "KEYMAP=fr-latin9" > /etc/vconsole.conf
echo "en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
```
We then activate the different services to benefit from wifi and DNS at startup:
```
systemctl enable systemd-networkd systemd-resolved iwd
echo "[General]
EnableNetworkConfiguration=True" >> /etc/iwd/main.conf
```
We also need to specify our hostname:
```
echo "xps" > /etc/hostname
echo "127.0.0.1 localhost
::1       localhost
127.0.1.1 xps.localdomain xps" >> /etc/hosts
```
The following adds the `keymap` and `encrypt` hooks to the initramfs, so that the passphrase is requested at startup (with the French layout active), and rebuilds it. Check the resulting line with `grep ^HOOKS /etc/mkinitcpio.conf` before going further:
```
sed -i 's/keyboard/keyboard keymap encrypt/' /etc/mkinitcpio.conf
mkinitcpio -P
```
Create a root password with:
```
passwd
```
We use `efibootmgr` to create a UEFI boot entry that launches the kernel directly (EFISTUB), without any bootloader. The first UUID identifies the LUKS partition to unlock, the second the ext4 filesystem inside it, and the microcode image must be listed before the main initramfs:
```
UUID1=$(blkid /dev/nvme0n1p2 -o value -s UUID)
UUID2=$(blkid /dev/mapper/cryptroot -o value -s UUID)
efibootmgr -d /dev/nvme0n1 -p 1 -c -L "Arch Linux" \
  -l /vmlinuz-linux -u "cryptdevice=UUID=${UUID1}:cryptroot \
  root=UUID=${UUID2} rw quiet \
  initrd=\intel-ucode.img initrd=\initramfs-linux.img"
```
You can leave the installation and reboot with:
```
exit
reboot
```
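The HOOKS edit and the hand-typed kernel command line are the two places where a small mistake leaves the system unable to unlock or boot, so here is a POSIX sh check, added for this article and not part of the author's procedure, that validates both on sample text or on the chroot's real files (the function names `hook_pos`, `check_hooks`, `build_cmdline` and `check_cmdline` are my own):

```sh
#!/bin/sh
# Offline sanity checks for the LUKS + EFISTUB setup above (added example).
# Run inside arch-chroot before rebooting, or call the functions on sample text.

# Position (1-based) of a hook name inside a HOOKS=(...) line, empty if absent.
hook_pos() {
    printf '%s\n' "$1" | sed 's/^HOOKS=(//; s/)$//' |
        awk -v w="$2" '{ for (i = 1; i <= NF; i++) if ($i == w) { print i; exit } }'
}

# Return 0 when the passphrase prompt can work: keymap and encrypt are present,
# encrypt runs after block (so the LUKS partition is visible) and after
# keyboard/keymap (so the French layout is active when typing), and before fsck.
check_hooks() {
    b=$(hook_pos "$1" block);  k=$(hook_pos "$1" keyboard)
    m=$(hook_pos "$1" keymap); e=$(hook_pos "$1" encrypt); f=$(hook_pos "$1" fsck)
    [ -n "$b" ] && [ -n "$k" ] && [ -n "$m" ] && [ -n "$e" ] && [ -n "$f" ] || return 1
    [ "$e" -gt "$b" ] && [ "$e" -gt "$k" ] && [ "$e" -gt "$m" ] && [ "$e" -lt "$f" ]
}

# Build the -u argument of efibootmgr from the LUKS partition UUID ($1) and the
# ext4 filesystem UUID ($2): same content as the article's command, on one line.
build_cmdline() {
    printf 'cryptdevice=UUID=%s:cryptroot root=UUID=%s rw quiet initrd=\\intel-ucode.img initrd=\\initramfs-linux.img\n' "$1" "$2"
}

# Return 0 when a kernel command line carries a well-formed cryptdevice=UUID=...:cryptroot
# and root=UUID=... parameter and lists the microcode image before the main initramfs.
check_cmdline() {
    uuid='[0-9a-f]\{8\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{4\}-[0-9a-f]\{12\}'
    printf '%s\n' "$1" | grep -q "cryptdevice=UUID=$uuid:cryptroot" || return 1
    printf '%s\n' "$1" | grep -q "root=UUID=$uuid" || return 1
    printf '%s\n' "$1" | grep -q 'initrd=\\intel-ucode\.img.*initrd=\\initramfs-linux\.img'
}
```

On the installed system, `check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"` checks the real configuration, and `check_cmdline "$(build_cmdline "$UUID1" "$UUID2")"` the command line before it is written to NVRAM.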