The no BS guide to installing Arch Linux with encryption
Why Arch Linux?
Arch Linux is a pretty good distro for medium to advanced users. If you’re not in this category, I would advise you to close this article and go install Linux Mint or something. Regardless, Arch Linux is a barebones distro. It doesn’t come with a desktop environment, display manager, file browser or anything like that. You configure the system the way you want it.
Getting started
Firstly, you will need some kind of installation medium. This is usually a USB stick, but any kind of storage device will work. Then go to the Arch Linux downloads page and download the iso. I advise that you use a torrent for this as this uses less bandwidth on the Arch Linux servers.
After you’ve downloaded the iso file, you need to flash it to the installation medium. There are multiple ways to do this, but the simplest is to use dd, provided you’re already on a UNIX-like OS. If you’re on Windows, you can use something like Rufus or balenaEtcher.
To flash the iso to the installation medium using dd, you just have to run a modified version of this command from the folder where you saved the iso:
sudo dd if=archlinux.iso of=/dev/sdX bs=2M status=progress
Replace archlinux.iso with whatever the iso filename actually is. You should also replace /dev/sdX with the name of the medium you want to flash the iso to. The same will be true for the rest of the commands that deal with drives and partitions. You can easily find the medium by just running lsblk in your terminal.
Starting the installation process
With the installation medium plugged into your computer, you should now restart your system. As it’s starting up again, you should spam the key to enter UEFI/BIOS. After you’ve entered the BIOS menu, you need to boot from the installation medium.
Connecting to the internet and checking time
If you have an ethernet cable available, you should use this as it makes the whole thing much easier. If you don’t have an ethernet cable available, just follow this guide.
Now run timedatectl set-ntp true to make sure the system clock is working.
Identifying the drive and deleting the existing filesystem
As before, you can easily do this by just typing lsblk into your terminal. You need to be careful here as you probably don’t want to wipe data that you want to keep. Also, this installation guide is not for dual booting. If you want to do that, you need to look up another guide.
To wipe the existing filesystem from the drive, just type the following into your terminal:
wipefs -a /dev/sdX
Side note
For privacy and security reasons, it could be a good idea to fully wipe the data on your drive. If you want to do this, follow a guide like this one on the Arch wiki. Just be wary that some of these methods don’t work as well on SSDs.
Partitioning the disks
You only really need 2 partitions: a boot partition and a root partition. Some people also recommend that you have a swap partition, but I find this to be unnecessary for most use cases.
Run cfdisk /dev/sdX and create a 1G boot partition and give the rest of the space to the root partition. Both can just have the type ‘Linux filesystem’.
If you now type lsblk you should see that the drive has two separate partitions. To make a filesystem for the boot partition, run:
mkfs.fat -F32 /dev/sdX1
Encrypted partition
For the encrypted partition it’s a little bit more complicated. Start by typing the following into your terminal:
cryptsetup luksFormat /dev/sdX2
There will be a password prompt. This will be the decryption password for the partition.
After you’ve done this, run the following and put in your password:
cryptsetup open /dev/sdX2 crypt
Now create a filesystem for the root/crypt partition by typing the following:
mkfs.ext4 /dev/mapper/crypt
Mounting and installation
Now that we’ve set up the disks it’s time to move on to the actual installation.
Mounting the partitions
Run the following commands to mount the partitions to /mnt. Enter them one line at a time:
mount /dev/mapper/crypt /mnt
mkdir /mnt/boot
mount /dev/sdX1 /mnt/boot
Installation
Run the following command:
pacstrap -K /mnt base base-devel linux linux-firmware cryptsetup grub lvm2 vim networkmanager efibootmgr
NOTE: efibootmgr is only necessary if you’re on a UEFI system. If you don’t know how to use vim, you can install nano instead.
If you’re installing on a system where you don’t have ethernet access regularly, like a laptop, you should also install wpa_supplicant.
Making encryption with GRUB easier
To make GRUB able to decrypt your drive you need some information about your partitions. It’s generally a good idea to put this information into /etc/default/grub, and you can do so by typing in the following command:
lsblk -f >> /mnt/etc/default/grub
NOTE: It’s important that you type >> and not >. The latter will remove the entirety of the file and replace it with the output of lsblk -f.
Generating fstab
An fstab file is necessary so the system knows which partitions you want to mount upon boot and where to mount them. Type in the following command to generate an fstab file:
genfstab -U /mnt >> /mnt/etc/fstab
Chrooting into the system
This is the final step of the main installation part of this guide. It’s basically a command where you enter your newly installed Arch Linux system as root:
arch-chroot /mnt /bin/bash
Configuring the system
Timezone and clock
To find your timezone you can run the following command:
ls /usr/share/zoneinfo/Region
Just replace ‘Region’ with your actual region like Europe or America.
To set the timezone:
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
To synchronize the hardware clock:
hwclock --systohc
Locale and hostname
To set the locale:
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
You can choose any locale you want, but for most use cases American English is fine.
To set the locale conf:
echo "LANG=en_US.UTF-8" > /etc/locale.conf
To set the system hostname:
echo "myhostname" > /etc/hostname
Just replace myhostname with whatever hostname you want. It doesn’t really matter what you choose.
Mkinitcpio
Open up /etc/mkinitcpio.conf with your terminal editor of choice and find the line where it says HOOKS=() with a bunch of different stuff inside the parentheses. Somewhere inside those parentheses you need to add encrypt and lvm2.
After you’ve done this, run the following command:
mkinitcpio -P
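Where the two hooks go inside the parentheses matters: encrypt has to come after block and before filesystems, and lvm2 between encrypt and filesystems, so the root device is unlocked before it is mounted. The check below is an added example, not part of the original guide; hook_pos and check_hooks_order are hypothetical helper names and the HOOKS line it runs on is constructed.

```shell
#!/bin/sh
# Added example: verify hook order in a mkinitcpio.conf before running mkinitcpio -P.
# hook_pos and check_hooks_order are hypothetical helper names.

# Print the 1-based position of hook $2 in the space-separated list $1 (0 = absent).
hook_pos() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# $1 = path to a mkinitcpio.conf. Prints "ok" or the first problem found.
check_hooks_order() {
    # Only uncommented HOOKS=(...) lines count; the last one wins because the file is sourced.
    hooks="$(sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*/\1/p' "$1" | tail -n 1)"
    if [ -z "$hooks" ]; then echo "no HOOKS=() line found"; return 2; fi
    block=$(hook_pos "$hooks" block)
    enc=$(hook_pos "$hooks" encrypt)
    lvm=$(hook_pos "$hooks" lvm2)
    fs=$(hook_pos "$hooks" filesystems)
    if [ "$enc" -eq 0 ]; then echo "encrypt hook missing"; return 1; fi
    if [ "$block" -eq 0 ] || [ "$enc" -lt "$block" ]; then
        echo "encrypt must come after block"; return 1
    fi
    if [ "$fs" -eq 0 ] || [ "$enc" -gt "$fs" ]; then
        echo "encrypt must come before filesystems"; return 1
    fi
    if [ "$lvm" -ne 0 ] && { [ "$lvm" -lt "$enc" ] || [ "$lvm" -gt "$fs" ]; }; then
        echo "lvm2 must sit between encrypt and filesystems"; return 1
    fi
    echo "ok"
}

# Constructed sample: both hooks were appended at the very end, after filesystems.
sample="$(mktemp)"
printf '%s\n' '# HOOKS=(base udev block filesystems)' \
    'HOOKS=(base udev autodetect modconf keyboard block filesystems fsck encrypt lvm2)' > "$sample"
check_hooks_order "$sample" || true   # prints: encrypt must come before filesystems
rm -f "$sample"
```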
Setting a password
Run the command passwd and put in a root password.
GRUB config and installation
First you should make some edits to the /etc/default/grub file. You probably remember from earlier that you put the output of lsblk -f into this file. Using your terminal editor of choice, open the file and look for the line where it says GRUB_CMDLINE_LINUX. If there is something already inside the double quotes, you don’t need to delete it. Just add something after it like this:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<UUID-of-sdX2>:crypt root=UUID=<UUID-of-/dev/mapper/crypt>"
The UUID information you need will be at the bottom of the file, where the lsblk -f output was appended. You can just copy the UUIDs from there. After use, you also need to either comment out or delete that lsblk output to avoid crashing GRUB.
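The line above can also be generated instead of assembled by hand from the lsblk -f output pasted into /etc/default/grub in the 'Making encryption with GRUB easier' step. This is an added example, not part of the original guide: grub_cmdline_from_lsblk is a hypothetical helper name, and the lsblk output and UUIDs it runs on are constructed.

```shell
#!/bin/sh
# Added example: build the GRUB_CMDLINE_LINUX line from lsblk key="value" output.
# grub_cmdline_from_lsblk is a hypothetical helper name.
# stdin = output of `lsblk -P -o NAME,FSTYPE,UUID`
# $1    = mapper name given to `cryptsetup open` ("crypt" in this guide)
grub_cmdline_from_lsblk() {
    awk -v mapper="${1:-crypt}" '
        # Return VALUE from a KEY="VALUE" pair on the current line ("" if absent).
        function field(key,    m) {
            if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
            m = substr($0, RSTART, RLENGTH)
            sub("^ ?" key "=\"", "", m); sub("\"$", "", m)
            return m
        }
        {
            if (field("FSTYPE") == "crypto_LUKS") { luks = field("UUID"); nluks++ }
            if (field("NAME") == mapper)          { root = field("UUID") }
        }
        END {
            # Refuse to guess: exactly one LUKS container and an opened mapper are required.
            if (nluks != 1 || luks == "" || root == "") exit 1
            printf "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=%s:%s root=UUID=%s\"\n", luks, mapper, root
        }'
}

# Constructed sample of `lsblk -P -o NAME,FSTYPE,UUID /dev/sdX` after `cryptsetup open`.
SAMPLE_LSBLK='NAME="sda" FSTYPE="" UUID=""
NAME="sda1" FSTYPE="vfat" UUID="1A2B-3C4D"
NAME="sda2" FSTYPE="crypto_LUKS" UUID="11111111-2222-3333-4444-555555555555"
NAME="crypt" FSTYPE="ext4" UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"'

printf '%s\n' "$SAMPLE_LSBLK" | grub_cmdline_from_lsblk crypt

# Real use, on the live system before arch-chroot:
#   lsblk -P -o NAME,FSTYPE,UUID /dev/sdX | grub_cmdline_from_lsblk crypt
```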
Two different installation commands
For UEFI:
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
For Legacy BIOS:
grub-install /dev/sdX
And finally to generate the config (this goes for both UEFI and non-UEFI):
grub-mkconfig -o /boot/grub/grub.cfg
Enabling internet
Just run
systemctl enable NetworkManager
Last commands
Run these:
exit
umount -R /mnt
reboot
Congratulations! You have now installed Arch Linux with encryption.
Post-installation
This installation is barebones. It doesn’t come with anything except the essentials for a Linux system. After installing, I would advise that you:
- Create a non-root user with sudo access.
  useradd -m yourusernamehere
  usermod -aG wheel yourusernamehere
  To get sudo access, find the line with the following content and uncomment it by removing the # at the beginning.
  %wheel ALL=(ALL:ALL) NOPASSWD: ALL
- Install an audio server like pipewire or pulseaudio.
- Install a desktop environment, a window manager (for xorg) or a compositor (for wayland). Here are some recommendations:
  - KDE. Feature-rich desktop environment. More advanced users will say it’s bloat *tips fedora*.
  - GNOME. Kind of the same, but feels more like macOS.
  - Xfce. More minimal DE, but also easy to use.
  - bspwm. A good window manager for xorg. Harder to use than a DE.
  - dwm. Also a good window manager. Slightly harder to use than bspwm because you have to compile from source and modify the source code yourself.
  - river. Good wayland compositor, and one that I have used personally for a long time. About as hard to use as bspwm.
  - Hyprland. By far the best wayland compositor if you like eye candy. Also about the same difficulty as river and bspwm.
If you don’t want to deal with installing a compositor or window manager yourself, you can search for something like ‘Hyprland dotfiles’ and a bunch of GitHub repos will show up. Those will usually have an install script to automate the installation process.
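The %wheel line uncommented in the sudo step above lets every member of wheel become root without a password; the stock sudoers file also carries a commented-out variant that asks for one. An added example, not part of the original guide, that reports which variant is active and switches to the password one, run on a constructed sample (wheel_sudo_mode and require_wheel_password are hypothetical helper names):

```shell
#!/bin/sh
# Added example: inspect and tighten the %wheel rule in a sudoers file.
# wheel_sudo_mode and require_wheel_password are hypothetical helper names.

# Report how %wheel is granted sudo in file $1:
#   nopasswd - an active rule carries NOPASSWD
#   password - an active rule exists and asks for the password
#   none     - every %wheel rule is commented out
wheel_sudo_mode() {
    awk '
        /^[ \t]*#/ { next }    # commented-out rules are inactive
        /^[ \t]*%wheel[ \t]/ {
            if ($0 ~ /NOPASSWD[ \t]*:/) nopw = 1; else pw = 1
        }
        END { print (nopw ? "nopasswd" : (pw ? "password" : "none")) }
    ' "$1"
}

# Print file $1 with the NOPASSWD wheel rule commented out and the
# password-requiring wheel rule uncommented. The input file is not modified.
require_wheel_password() {
    sed -E \
        -e 's/^[[:space:]]*(%wheel[[:space:]].*NOPASSWD[[:space:]]*:.*)$/# \1/' \
        -e 's/^#[[:space:]]*(%wheel[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL[[:space:]]*)$/\1/' \
        "$1"
}

# Constructed sample: the state after following the sudo step in this guide.
weak="$(mktemp)"; fixed="$(mktemp)"
printf '%s\n' 'root ALL=(ALL:ALL) ALL' \
    '# %wheel ALL=(ALL:ALL) ALL' \
    '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' > "$weak"
require_wheel_password "$weak" > "$fixed"
echo "before: $(wheel_sudo_mode "$weak")"
echo "after:  $(wheel_sudo_mode "$fixed")"
rm -f "$weak" "$fixed"
```

On a real system, make the change through visudo so a syntax error cannot break sudo, and give the new user a password with passwd yourusernamehere, since the password rule needs one.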