How to install Arch Linux with Full Disk Encryption

How to install Arch Linux with Full Disk Encryption

How to install Arch Linux with Full Disk Encryption

In today’s tutorial we are going to install Arch Linux with full disk encryption.if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-box-3-0’)};

Before we proceed, I want you to backup your existing data.if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-3-0’)};

In the previous tutorial we learnt what dm-crypt and LUKS are and how to encrypt single disk partition. While in the post today we will take a slightly different approach to encrypt the whole disk with dm-crypt LUKS and install Archlinux on it.

Let’s start with disk erasing. Run lsblk to find your primary disk and replace /dev/sda where needed:

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sda

I ran the above command with ‘–iterations=15’ on my 120GB SSD overnight and it finished after 7 hours.

Once done, partition the disk. Unless your motherboard is using UEFI firmware, make sure to select ‘dos’ (msdos) label, otherwise go with the ‘gpt’ when you type:

cfdisk /dev/sda

After that create boot loader partition:

New-> Partition Size: 100M -> primary -> Bootable

The last one will be the root partition. The partition size should be automatically set to your remaining free space.

New-> Partition Size: xxxGB -> primary

Write the changes and quit from cfdisk.if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-4-0’)};

In order to boot your encrypted root partition, the boot loader partition /dev/sda1 that will be mounted in /boot won’t be encrypted. I will place couple links at the end of this post that will guide you how to encrypt and even move the boot partition on a CD/DVD/USB.

Create cryptographic device mapper device in LUKS encryption mode:

cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sda2

Unlock the partition, note that cryptroot will be the device mapper name that we will operate on.

cryptsetup open --type luks /dev/sda2 cryptroot

Create the boot and root file systems:

mkfs.ext4 /dev/sda1
mkfs.ext4 /dev/mapper/cryptroot

Mount them:

mount -t ext4 /dev/mapper/cryptroot /mnt
mkdir -p /mnt/boot
mount -t ext4 /dev/sda1 /mnt/boot

Install the base and base-devel systems:

pacstrap -i /mnt base base-devel

Generate the fstab:

genfstab -U -p /mnt >> /mnt/etc/fstab

Chroot to configure the base system:

arch-chroot /mnt

Uncomment the en_US locale:

sed -i 's/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/g' /etc/locale.gen

Generate the locale:


Create configuration file that would instruct the system what language locale it should be using:

echo LANG=en_US.UTF-8 > /etc/locale.conf

Export the locale

export LANG=en_US.UTF-8

Create a symbolic link with the desired time zone:

ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Set the hardware clock to UTC:

hwclock --systohc --utc

Set the desired hostname:

echo CookieMonster > /etc/hostname

Set the root password:


Add a system user:

useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username

Set the system user password:

passwd username

Install sudo (base-devel) and the boot loader grub and os-prober:

pacman -S sudo grub-bios os-prober

Allow the system user to use sudo and run commands (temporary) as root:

EDITOR=nano visudo

Press CTRL + W and type wheel, then uncomment the following line:

Add the following kernel parameter to be able to unlock your LUKS encrypted root partition during system startup:

Add encrypt hook:

Since we added new hook in the mkinitcpio configuration file, we should re-generate our initrams image (ramdisk):

mkinitcpio -p linux

Install grub and save it’s configuration file:

grub-install --recheck /dev/sda
grub-mkconfig --output /boot/grub/grub.cfg

Exit from chroot, unmount the partitions, close the device and reboot (remove the installation media):

umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot
systemctl reboot

Once you type in your password and login as system user, start dhcpcd.

sudo systemctl start dhcpcd
ping -c2

Install Xorg and copy .xinitrc over your $HOME dir:

sudo pacman -S xorg-server xorg-server-utils xorg-xinit mesa xterm xorg-twm xorg-xclock
cp /etc/X11/xinit/xinitrc ~/.xinitrc

There is a special wiki page that contains useful information for the GPU drivers, check it out and if it happens your GPU brand to be amd/ati, intel or nvidia install the appropriate drivers listed there.

Type startx and you should see couple terminals side-by-side, now type exit

Comment in the following lines in .xinitrc and add some to specify that we want the xfce desktop environment to be started upon successful login:

Install xfce, external display manager and network manager:

sudo pacman -S slim archlinux-themes-slim xfce4 networkmanager network-manager-applet

Exchange the default slim theme:

Stop dhcpcd, enable slim, enable NetworkManager, startx:

sudo systemctl stop dhcpcd
sudo systemctl enable NetworkManager
sudo systemctl enable slim

That was it, hope you enjoyed this post.

If you ever manage to f*ck up your system and have to chroot from removable media, the order is:

cryptsetup open --type luks /dev/sda2 cryptroot
mount -t ext4 /dev/mapper/cryptroot /mnt
mount -t ext4 /dev/sda1 /mnt/boot
arch-chroot /mnt

To unmount them:

umount -R /mnt/boot
umount -R /mnt
cryptsetup close cryptroot

The promised links, read the 8th and 9th links carefully if you got SSD:

  • link 1
  • link 2
  • link 3
  • link 4
  • link 5
  • link 6
  • link 7
  • link 8
  • link 9
  • link 10
About the Author

Leave a Reply