Install ARCH Linux with encrypted file-system and UEFI
The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
Download the archiso image from https://www.archlinux.org/
Copy to a usb-drive
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
Set French keymap
Since the default keymap is QWERTY, on an AZERTY keyboard you have to type loqdkeys fr)pc to get loadkeys fr-pc
loadkeys fr-pc
Let's start by erasing the disk. Run lsblk to find your primary disk and replace /dev/sdX where needed:
shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sdX
This assumes a wifi-only system…
wifi-menu
Create partitions
gdisk /dev/sdX
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partition (to be encrypted) # Hex code 8300
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
Create cryptographic device mapper device in LUKS encryption mode:
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/sdX3
cryptsetup luksOpen /dev/sdX3 cryptroot
Create encrypted partitions
This creates one logical volume for root (plus swap); modify this if /home or other partitions should be on separate volumes
pvcreate /dev/mapper/cryptroot
vgcreate vg0 /dev/mapper/cryptroot
lvcreate --size 8G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
Install the system; this also includes the packages needed for starting wifi when first booting into the newly installed system
pacstrap /mnt base base-devel grub-efi-x86_64 git efibootmgr dialog wpa_supplicant
'Install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
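The guide says to switch relatime to noatime on the non-boot entries but gives no command for it. The following is an added example (not part of the original guide) that does the rewrite with awk: every entry not mounted at /boot or /boot/efi gets relatime replaced by noatime, while comments, blank lines and the boot entries pass through unchanged. The fstab text shown is a constructed sample in genfstab's layout; the UUIDs are placeholders, not values from a real machine.

```shell
#!/bin/sh
# Added example (not part of the original guide): turn "relatime" into
# "noatime" on every non-boot entry of an fstab, as the guide asks for
# SSD wear reduction. Entries mounted at /boot or /boot/efi, comments and
# blank lines pass through untouched. Input on stdin, output on stdout.
fstab_noatime() {
    awk '
        BEGIN { OFS = "\t" }
        # comments and blank lines: copy as-is
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # field 2 is the mount point; leave the boot partitions alone
        $2 == "/boot" || $2 == "/boot/efi" { print; next }
        {
            # field 4 is the comma-separated mount option list
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "relatime") opts[i] = "noatime"
            $4 = opts[1]
            for (i = 2; i <= n; i++) $4 = $4 "," opts[i]
            print
        }
    '
}

# mount_opts MOUNTPOINT: print the option field of the entry mounted there
# (handy for checking the result; reads fstab text on stdin)
mount_opts() {
    awk -v mp="$1" '!/^[[:space:]]*#/ && $2 == mp { print $4 }'
}

# Constructed sample in genfstab's layout; the UUIDs are placeholders.
SAMPLE_FSTAB='# constructed sample, not real genfstab output
UUID=0000-ROOT   /           ext4    rw,relatime               0 1
UUID=0000-BOOT   /boot       ext2    rw,relatime               0 2
UUID=0000-EFI    /boot/efi   vfat    rw,relatime,fmask=0022    0 2
UUID=0000-SWAP   none        swap    defaults                  0 0
tmpfs            /tmp        tmpfs   defaults,noatime,mode=1777 0 0'

# Against the real file from the installer this would be:
#   fstab_noatime < /mnt/etc/fstab > /mnt/etc/fstab.new && mv /mnt/etc/fstab.new /mnt/etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | fstab_noatime
```

The rewrite works on whole option tokens, so an entry that already says noatime (the tmpfs line) or has no relatime at all (swap) is left as it is, and the boot entries keep relatime exactly as genfstab wrote them.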
Enter the new system
arch-chroot /mnt
Setup system clock
ln -s /usr/share/zoneinfo/Europe/Stockholm /etc/localtime
hwclock --systohc --utc
Set the hostname
echo MYHOSTNAME > /etc/hostname
Uncomment the fr_FR locale:
sed -i 's/#fr_FR.UTF-8 UTF-8/fr_FR.UTF-8 UTF-8/g' /etc/locale.gen
Generate the locale:
locale-gen
Create the configuration file that tells the system which locale to use:
echo LANG=fr_FR.UTF-8 > /etc/locale.conf
Export the locale
export LANG=fr_FR.UTF-8
Set password for root
passwd
Add real user
useradd -m -g users -G wheel,games,power,optical,storage,scanner,lp,audio,video -s /bin/bash username
passwd username
Install sudo (base-devel) and the boot loader grub and os-prober:
pacman -S sudo grub os-prober
Allow the user to use sudo and run commands (temporarily) as root:
EDITOR=nano visudo
Press CTRL + W and type wheel, then uncomment the following line:
%wheel ALL=(ALL) ALL
Add the following kernel parameter to be able to unlock your LUKS encrypted root partition during system startup (in /etc/default/grub, edit the GRUB_CMDLINE_LINUX line):
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:cryptroot:allow-discards"
Configure mkinitcpio with modules needed for the initrd image
nano /etc/mkinitcpio.conf
Add 'encrypt' and 'lvm2' (in that order) to HOOKS before filesystems
Since we added new hooks in the mkinitcpio configuration file, we should regenerate our initramfs image (ramdisk):
mkinitcpio -p linux
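The two edits made so far inside the chroot (the cryptdevice kernel parameter and the encrypt/lvm2 hooks) are the ones that decide whether the encrypted root can be unlocked at all on first boot, and a mistake only shows up after rebooting. The following is an added example (not part of the original guide) that checks both files before running mkinitcpio and grub-mkconfig: the HOOKS line must list encrypt, then lvm2, then filesystems in that order, and GRUB_CMDLINE_LINUX must carry a cryptdevice= parameter whose mapper name is cryptroot. The config fragments in the block are constructed samples; the preboot_check helper and its file arguments are this example's own names.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the two
# edits the guide makes inside the chroot before regenerating the initramfs
# and the grub config. Both checks read a config file on stdin and answer
# through the exit status (0 = ok, 1 = problem).

# hooks_ok: HOOKS must contain encrypt, then lvm2, then filesystems, in that
# order. The hooks run sequentially inside the initrd, so LUKS has to be
# unlocked and the volume group assembled before root can be mounted.
# Handles both the HOOKS="..." and the HOOKS=(...) forms of mkinitcpio.conf.
hooks_ok() {
    awk '
        /^[[:space:]]*HOOKS=/ {
            line = $0
            sub(/#.*$/, "", line)        # trailing comment, if any
            sub(/^[^=]*=/, "", line)     # drop "HOOKS="
            gsub(/["()]/, "", line)      # quotes or parentheses around the list
            n = split(line, h)           # whitespace-separated hook names
            enc = lvm = fs = 0
            for (i = 1; i <= n; i++) {
                if (h[i] == "encrypt")     enc = i
                if (h[i] == "lvm2")        lvm = i
                if (h[i] == "filesystems") fs  = i
            }
            ok = (enc > 0 && lvm > 0 && fs > 0 && enc < lvm && lvm < fs)
        }
        END { exit (ok ? 0 : 1) }
    '
}

# grub_cryptdevice_ok NAME: GRUB_CMDLINE_LINUX must carry a
# cryptdevice=<device>:<mapper-name>[:options] parameter whose mapper name
# is NAME (cryptroot in this guide). GRUB_CMDLINE_LINUX_DEFAULT is ignored.
grub_cryptdevice_ok() {
    awk -v want="$1" '
        /^[[:space:]]*GRUB_CMDLINE_LINUX=/ {
            line = $0
            sub(/^[^=]*=/, "", line)     # drop the variable name
            gsub(/"/, "", line)          # strip the surrounding quotes
            n = split(line, p)           # space-separated kernel parameters
            for (i = 1; i <= n; i++) {
                if (p[i] ~ /^cryptdevice=/) {
                    v = p[i]; sub(/^cryptdevice=/, "", v)
                    m = split(v, f, ":")
                    if (m >= 2 && f[2] == want) ok = 1
                }
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# preboot_check MKINITCPIO_CONF GRUB_DEFAULT: run both checks on real files,
# e.g. preboot_check /etc/mkinitcpio.conf /etc/default/grub inside the chroot
preboot_check() {
    hooks_ok < "$1" && grub_cryptdevice_ok cryptroot < "$2"
}

# Constructed samples (not copied from a real machine).
MKINITCPIO_GOOD='# constructed mkinitcpio.conf fragment
MODULES=""
HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck"'
MKINITCPIO_BAD='HOOKS="base udev autodetect modconf block filesystems keyboard encrypt lvm2 fsck"'
GRUB_GOOD='GRUB_DEFAULT=0
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdX3:cryptroot:allow-discards"'

printf '%s\n' "$MKINITCPIO_GOOD" | hooks_ok && echo "good HOOKS line: accepted"
printf '%s\n' "$MKINITCPIO_BAD"  | hooks_ok || echo "lvm2 after filesystems: rejected"
printf '%s\n' "$GRUB_GOOD" | grub_cryptdevice_ok cryptroot && echo "cryptdevice ...:cryptroot: found"
```

The mapper name check matters because the name after the second colon in cryptdevice= is what the encrypt hook creates under /dev/mapper, and the lvm2 hook and the fstab generated earlier both expect the volume group to sit on /dev/mapper/cryptroot; a typo there leaves the system at the initramfs prompt.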
Install grub and save its configuration file:
grub-install --recheck /dev/sdX
grub-mkconfig --output /boot/grub/grub.cfg
Exit new system and go into the cd shell
exit
Unmount all partitions
umount -R /mnt
swapoff -a
Reboot into the new system, don't forget to remove the cd/usb
reboot