Encrypted Arch Linux install

Hey! Listen! To make sure you’re reading the most current version of this post, check the table below.

2017-01-02Encrypted Arch Linux install
  • New partition layouts
  • 2014-11-15Arch Linux with Encrypted LVM on hardware
  • Replaced Cinnamon with Openbox
  • 2014-11-10Arch Linux with Encrypted LVM on hardware
  • Installing on hardware instead of inside VM
  • 2014-10-06Arch Linux with Encrypted LVM in VirtualBox
  • Using 64bit instead of 32bit
  • Replaced GDM with LightDM
  • 2014-09-05Arch Linux with Encrypted LVM in VirtualBox
  • Replaced MBR with GPT
  • Added encryption
  • 2014-08-27Arch Linux with LVM in VirtualBox
  • Initial post
  • Introduction

    This post is an update of my last post, since I am building a new machine. Since then, the Beginner’s Guide has been deprecated and has been replaced with the regular install guide. This time around, I’ve simplified my partition layout and I’m going to be using XFCE as my desktop environment. You’ll need the following before you begin:

    • A copy of the Arch Linux ISO (I recommend using a torrent instead of a direct download)
    • A USB flash drive
    • A machine that will run Linux

    Hardware info

    I thought it would be helpful if you knew what hardware I’m working with.
    PCPartPicker part list / Price breakdown by merchant

    Type Item Price
    CPU Intel Core i5-6500 3.2GHz Quad-Core Processor $189.99 @ SuperBiiz
    CPU Cooler Noctua NH-L9i 33.8 CFM CPU Cooler $37.99 @ Newegg
    Motherboard Gigabyte GA-H170N-WIFI Mini ITX LGA1151 Motherboard $112.99 @ SuperBiiz
    Memory G.Skill Ripjaws V Series 16GB (2 x 8GB) DDR4-2400 Memory $99.99 @ Newegg
    Storage Crucial MX300 525GB 2.5″ Solid State Drive $124.99 @ Jet
    Video Card Sapphire Radeon RX 480 8GB NITRO+ OC Video Card $267.99 @ Jet
    Case Fractal Design Node 202 HTPC Case $78.99 @ SuperBiiz
    Power Supply Corsair SF 600W 80+ Gold Certified Fully-Modular SFX Power Supply $119.99 @ Corsair
    Prices include shipping, taxes, rebates, and discounts
    Total $1032.92
    Generated by PCPartPicker 2016-12-29 09:26 EST-0500


    Before I begin, I wanted to explain a few of the decisions I made:

    1. I chose to use a traditional BIOS instead of UEFI, simply for convenience sake.
    2. I chose to use a GUID Partition Table (GPT) instead of a Master Boot Record (MBR). I’m probably not going to utilize all the advantages GPT offers, but MBR seems to be on the way out.
    3. Compared to my last guide, I’m using a much more simple partition layout. Both GPT-BIOS and /boot need to be on their own, unencrypted partitions. Then, I’ll encrypt only my third partition. See the figure below for an illustrated example.
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
      |           | |                | |                                                                           |
      | GPT-BIOS  | | Boot partition | |                                                                           |
      | partition | | (may be on     | |                        LUKS encrypted partition                           |
      |           | | other device)  | |                                                                           |
      |           | |                | |                                                                           |
      | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
      +-----------+ +----------------+ +---------------------------------------------------------------------------+

      In contrast, my last guide was using LVM on LUKS (shown below). Since LVM is only needed if you have more than one partition (in the last guide, I had swap, root, and home), I chose not to use it this time.

      +-----------+ +----------------+ +---------------------------------------------------------------------------+
      |           | |                | |Logical volume1        | Logical volume2        | Logical volume3          |
      | GPT-BIOS  | | Boot partition | |/dev/mapper/lvolswap   | /dev/mapper/volroot    | /dev/mapper/lvolhome     |
      | partition | | (may be on     | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |
      |           | | other device)  | |                                                                           |
      |           | |                | |                        LUKS encrypted partition                           |
      | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
    4. I chose ext4 over ext3, however, I’m also considering XFS.
    5. I did not use a swap partition, since I had 16GB of RAM. However, if you need swap, I recommend a swap file instead of a swap partition. Ubuntu recently switched to swap files by default, and it seems to be easier to manage. Instructions for creating a swap file are here.

    Base Install

    Step 1 – Setup your installation media

    Download the Arch Linux ISO and install it to your USB flash drive, as described here. Then, set your BIOS boot order to removable media first, plug in your USB flash drive, and boot it up.

    At this point, you should be automatically logged into a root prompt. Until we get a desktop environment installed and working, this is all going to be text-based and you’ll only be using the keyboard, no mouse.

    root@archiso ~ #

    Step 2 – Test internet connectivity

    Enter the following at the prompt to test your internet connection. DHCP is enabled for wired devices on boot. If you’re using wireless, see this page.


    Step 3 – Update the system clock

    Make sure your clock is accurate, since you’re online.

    timedatectl set-ntp true
    timedatectl status

    Step 4 – Setup partitions

    First, we need to setup partitions. However, before we do anything, we need to make sure the device mapper and encryption kernel modules are loaded with the command below.

    modprobe -a dm-mod dm_crypt

    Next, use the fdisk utility to find the name of your disk. More than likely, the disk will be /dev/sda.

    fdisk -l

    Note – I will be using /dev/sda in this guide. Please don’t copy/paste from this guide directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

    Optionally, you can erase the partition tables on your disk.

    sgdisk --zap-all /dev/sda

    Next, we want to use gdisk to create the partitions. The fdisk utility only works with MBR disks, while gdisk only works with GPT disks.

    gdisk /dev/sda

    Use the o option to create a new GPT.

    Command (? for help): o
    This option deletes all partitions and creates a new protective MBR.
    Proceed? (Y/N): Y

    Use the n option to create a new partition, then press Enter to use the first partition.

    Command (? for help): n
    Partition number (1-128, default 1):

    This first partition (/dev/sda1) will be our BIOS boot partition. This partition needs to be 1M. Press Enter to select the default option for the first sector of the partition, then +1M for the last. This partition is only required when using BIOS + GPT + GRUB.

    First sector (34-31457246, default = 2048) or {+-}size{KMGTP}:
    Last sector (2048-31457246, default = 31457246) or {+-}size{KMGTP}: +1M

    Then, enter ef02 as the partition type (use the L option to list all available partition types).

    Current type is 'Linux filesystem'
    Hex code or GUID (L to show codes, Enter = 8300): ef02
    Changed type of partition to 'BIOS boot partition'

    Use the n option to create a new partition, then press Enter to use the second partition.

    Command (? for help): n
    Partition number (2-128, default 2):

    This second partition (/dev/sda2) will be our /boot partition. This partition will contain the kernel and ramdisk images, so it is suggested to be around 200MB. For an even number that will leave plenty of room for growth/changes, I’m going to use 512MB. Press Enter to select the default option for the first sector of the partition, then +512M for the last.

    First sector (34-31457246, default = 4096) or {+-}size{KMGTP}:
    Last sector (4096-31457246, default = 31457246) or {+-}size{KMGTP}: +512M

    We can leave this partition at 8300 by pressing Enter.

    Current type is 'Linux filesystem'
    Hex code or GUID (L to show codes, Enter = 8300):
    Changed type of partition to 'Linux filesystem'

    Use the n option to create a new partition, then press Enter to use the third partition.

    Command (? for help): n
    Partition number (3-128, default 3):

    This third partition (/dev/sda3) will be / , which will contain the rest of the disk. Press Enter to select the default option for the first sector of the partition, then +0 to take up the remainder of the free space.

    First sector (34-31457246, default = 1052672) or {+-}size{KMGTP}:
    Last sector (1052672-31457246, default = 31457246) or {+-}size{KMGTP}: +0

    We can leave this partition at 8300 by pressing Enter.

    Current type is 'Linux filesystem'
    Hex code or GUID (L to show codes, Enter = 8300):
    Changed type of partition to 'Linux filesystem'

    Use the p option to preview your changes.

    Use the w option to write your changes to disk.

    At this point, you’ll need to reboot for the kernel to pick up the new partition changes.

    Step 4 – Setup encryption

    Now we need to setup encryption on our partition. Please consult this table for other encryption options before you copy/paste my command below. Seriously, read the man page and the FAQ on cryptsetup.

    cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-urandom luksFormat /dev/sda3

    -v = verbose
    -y = verify password, ask twice, and complain if they don’t match
    -c = specify the cipher used
    -s = specify the key size used
    -h = specify the hash used
    -i = number of milliseconds to spend passphrase processing (if using anything more than sha1, must be great than 1000)
    –use-urandom = which random number generator to use
    luksFormat = to initialize the partition and set a passphrase
    /dev/sda3 = the partition to encrypt

    A few notes:

    1. you should run cryptsetup --help to view the compiled-in defaults for your system
    2. you should consider using /dev/urandom (which is probably the default) instead of /dev/random (unless you’re in a low entropy environment like an embedded system)
    3. XTS splits the key size in half, so to use AES-256 you need to specify a key size of 512

    Finally, we need to unlock the LUKS device before we can setup filesystems. This will mount the device at /dev/mapper/crypto.

    cryptsetup open /dev/sda3 cryptroot

    Step 5 – Create filesystems

    Next, we’re going to create filesystems for /boot and / . The partition /dev/sda1 does not need a filesystem.

    mkfs.ext4 /dev/sda2
    mkfs.ext4 /dev/mapper/cryptroot

    Now, we’re going to mount the filesystems we just created.

    mount /dev/mapper/cryptroot /mnt
    mkdir /mnt/boot
    mount /dev/sda2 /mnt/boot

    Finally, we’ll display the filesystems we created.

    lsblk /dev/sda

    Step 6 – Select a mirror

    Next, we need to select a mirror to use when downloading packages. You can use the Mirrorlist Generator to find the best mirror for you based on your preferences.

    Use vi to edit the mirrorlist.

    vi /etc/pacman.d/mirrorlist

    Finally, use pacman to refresh the package lists. You should do this every time you update your mirrorlist.

    pacman -Syy

    Note – The list of mirrors generated has every server commented out. Use a text editor to do a find/replace on #Server with Server. The mirrors are used by pacman in the order they are listed.

    Step 7 – Install the base system

    Finally, we’re installing Arch Linux! Use the pacstrap command to install the system to /mnt. Use the -i option to ignore being prompted for all 75 packages we’re about to install.

    pacstrap -i /mnt base base-devel

    Step 8 – Generate a fstab

    The fstab file tells the sytem what each disk/partition does and how to mount it. Use the command below to generate one.

    genfstab -U /mnt >> /mnt/etc/fstab

    It’s always recommended to check the fstab file for errors.


    Cat out the /mnt/etc/fstab file and compare the UUIDs and logical volumes types to what was returned by blkid above.

    cat /mnt/etc/fstab

    Step 9 – Chroot

    We need to chroot into the newly installed system before we can configure it.

    arch-chroot /mnt /bin/bash

    Step 10 – Set locales and system information

    Set a timezone with the following command. Substitute America and New_York with your zone and sub-zone.

    ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

    Set the hardware clock with the following command.

    hwclock --systohc --utc

    Next, we’re going to set locales. Use vi to edit the /etc/locale.gen file to uncomment your preferred encoding from the file.

    vi /etc/locale.gen

    An excerpt of my file is below, notice the uncommented line.

    #en_PH ISO-8859-1
    #en_SG.UTF-8 UTF-8
    #en_SG ISO-8859-1
    en_US.UTF-8 UTF-8
    #en_US ISO-8859-1
    #en_ZA.UTF-8 UTF-8
    #en_ZA ISO-8859-1

    Then, use the command below to generate a locale.


    Now, run the following two commands to generate a locale.conf file and set the LANG variable. Substitute en_US.UTF-8 with the encoding you uncommented in the step above.

    echo LANG=en_US.UTF-8 > /etc/locale.conf
    export LANG=en_US.UTF-8

    There’s still more work to be done. Here, set a hostname with the following command. Substitute Arch with your hostname of choice.

    echo Arch > /etc/hostname

    Step 11 – Generate an initial ramdisk

    This step is very important. Since we’re using encryption, we need to edit the /etc/mkinitcpio.conf file to include a few extra hooks.

    vi /etc/mkinitcpio.conf


    HOOKS="base udev autodetect modconf block filesystems keyboard fsck"


    HOOKS="base udev autodetect modconf block keymap keyboard usbinput encrypt filesystems shutdown fsck"

    Note – The hooks keymap and encrypt need to come between block and filesystems. The shutdown hook is after the filesystems entry. I had to add usbinput to use my USB keyboard.

    Finally, generate the ramdisk. For now, ignore any errors about missing firmware.

    cd /boot
    mkinitcpio -p linux

    Step 12 – Create users and set passwords

    Set a password for the root user with the command below.


    It’s also a good idea to create a normal user for you to use later on. Substitute logan with your username.

    useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,wheel -s /bin/bash logan

    Note – I have this user added to the wheel group, which we’ll need to use sudo. More on that later.

    Then, change the password for your new user. Substitute logan with your username.

    passwd logan

    Step 13 – Install and configure a bootloader

    Use pacman to install the GRUB2 bootloader.

    pacman -S grub

    In the GRUB2 config file, we need to set a kernel parameter. The file to edit, however, depends on which bootloader you are using. In our case, it is GRUB2, and we’ll be editing the /etc/default/grub file.

    vi /etc/default/grub

    Find the line GRUB_CMDLINE_LINUX=”” and add the cryptdevice parameter to specify the location of your encrypted device. The format used is cryptdevice=device:name.





    Setup GRUB2 with the following two commands.

    grub-install --target=i386-pc --recheck /dev/sda
    grub-mkconfig -o /boot/grub/grub.cfg

    Step 14 – Enable Intel Microcode updates (optional)

    If you have an Intel CPU, you can enable microcode updates.

    pacman -S intel-ucode

    Then, regenrate the GRUB config.

    grub-mkconfig -o /boot/grub/grub.cfg

    Step 15 – Reboot

    Exit chroot, unmount any filesystems, and shutdown your machine.

    umount -R /mnt
    shutdown -h now

    Remove the USB flash drive from the laptop we inserted back in step 1.

    Step 16 – Start Arch Linux

    Start your machine and you should be greeted by the GRUB2 bootloader. Enter the password to unlock your encrypted partition on /dev/sda3. After the operating system loads, you should be back at a root prompt where you can login with the root username and root password you set earlier.

    Step 17 – Sudo

    We need to edit the /etc/sudoers file to allow use of the wheel group for our normal users. Only use visudo to edit /etc/sudoers, as it locks the file while editing, provides basic syntax checking, etc…


    Uncomment the %wheel ALL=(ALL) ALL line, like below.


    # %wheel ALL=(ALL) ALL


    %wheel ALL=(ALL) ALL

    Optionally, you can uncomment the line below instead and you won’t be prompted for your password.


    # %wheel ALL=(ALL) NOPASSWD: ALL


    %wheel ALL=(ALL) NOPASSWD: ALL

    Step 18 – Networking

    First, test your internet connectivity.


    My network device was down at first, so I brought it up and enabled DHCP (I’m doing this on a wired connection) with the commands below.

    ip link set dev enp3s0 up
    systemctl start dhcpcd

    Next, verify you pulled an IP from DHCP.

    ip a

    I prefer to use NetworkManager, as opposed to dhcpd or systemd-networkd. So, I’m going to install NetworkManager and disable dhcpcd since I’m done with it.

    pacman -S networkmanager
    systemctl enable NetworkManager.service
    systemctl stop dhcpcd 
    systemctl disable dhcpcd

    When you log back in, you should:

    1. Login as yourself
    2. Test sudo (e.g., sudo -l)
    3. Make sure you’re getting an IP (e.g. ip a)

    Step 19 – Updates

    If you’re using 64bit Arch Linux, you should enable the mutlilib repository to install 32bit packages as well. Uncomment the two lines below from the /etc/pacman.conf file.

    Include = /etc/pacman.d/mirrorlist

    Then, check for updates with pacman.

    sudo pacman -Syy
    sudo pacman -Syu

    Step 20 – Install the GUI

    I’ve started using XFCE, since it’s light on resources. Also, I’m installing the NetworkManager applet as well.

    sudo pacman -S xfce4 network-manager-applet xorg-server xorg-xinit xorg-server-utils

    Then, start XFCE manually.

    exec startxfce4

    You can start XFCE automatically with a display manager, or use the .xinitrc file.

    Step 21 – Graphics drivers (optional)

    Since I’m using an AMD card, I need to install the necessary graphics drivers. AMD recently released new open source drivers, called AMDGPU.

    sudo pacman -S xf86-video-amdgpu mesa mesa-libgl lib32-mesa-libgl mesa-vdpau lib32-mesa-vdpau



    Colored Terminal

    To enabled colors in pacman, uncomment the line below from /etc/pacman.conf.


    Verbose package lists

    To enable verbose package lists, uncomment the line below from /etc/pacman.conf.


    Pacman progress bar

    To change the progress bar to look like Pacman eating dots, add the following line to your /etc/pacman.conf file.



    When compiling programs (either manually or from the AUR), your PC will only use one core by default. You can make it use more by updating the makepkg.conf file.

    echo 'MAKEFLAGS="-j$(nproc)"' >> ~/.makepkg.conf

    AUR helper

    I recommend installing an AUR helper, specifically pacaur.

    sudo pacman -S git
    cd ~
    git clone https://aur.archlinux.org/cower.git
    git clone https://aur.archlinux.org/pacaur.git
    cd cower && makepkg -si --skippgpcheck --noconfirm
    cd ~/pacaur && makepkg -si --noconfirm
    rm -rf ~/cower && rm -rf ~/pacaur

    LUKS backups

    It’s important that you backup the information about your LUKS header, as well as the header itself. Use the command below to view the header information of your LUKS device.

    sudo cryptsetup luksDump /dev/sda3

    Use the command below to backup the actual LUKS header.

    sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file ~/luksHeaderBackup

    The header information and backup should be stored and treated in the same way as your data: encrypted with duplicates on multiple sets of media. If someone were to recover the LUKS backup, they could unlock your drive.

    User directories

    To create all of your default directories in $HOME (e.g., Documents, Music, Pictures, etc…), run the two commands below.

    sudo pacman -S xdg-user-dirs

    Systemd – boot performance

    I’m not going to talk about whether I love systemd or hate it. Honestly, I’m not technical enough to have an opinion on it. That being said, we can use it to improve our boot performance.

    To see the time taken to start each systemd unit file, enter the command below.

    sudo systemd-analyze blame

    At some points in the boot process, the next until file cannot proceed until the previous one loads. To see this, enter the command below at the terminal. This can give you a good idea of where pauses/hangs are happening in the boot process.

    sudo systemd-analyze critical-chain

    VirtualBox host support

    If you’re going to be using this Arch Linux installation as a VirtualBox host, you’ll need the following packages installed.

    sudo pacman -S virtualbox virtualbox-guest-iso virtualbox-host-modules-arch

    Daily use packages

    Below is the list of packages that I use on my machine. You don’t need to install them, obviously.

    sudo pacman -S alsa-firmware alsa-utils android-tools arandr baobab bzip2 coreutils deluge dmenu epdfview filezilla galculator gksu gparted gzip hardinfo htop iotop iputils libreoffice medit networkmanager-openvpn openssh p7zip pinta redshift rsync screenfetch scrot thunar thunar-archive-plugin thunar-media-tags-plugin thunar-volman unzip viewnior vim vlc wget xfce4-artwork xfce4-cpufreq-plugin xfce4-cpugraph-plugin xfce4-datetime-plugin xfce4-notifyd zip
    pacaur -S chromium-widevine firefox-beta-bin pepper-flash spotify ttf-ms-fonts ttf-tahoma unrar-free 
    sudo systemctl start redshift-gtk.service
    sudo systemctl enable redshift-gtk.service
    sudo ln -sf /usr/bin/chromium /usr/bin/chrome

    Hope this helps!


    4 thoughts on “Encrypted Arch Linux install”

    Leave a Comment

    This site uses Akismet to reduce spam. Learn how your comment data is processed.