Arch Linux with LVM on LUKS (dm-crypt) Disk Encryption Installation Guide (Legacy/BIOS System)

Hello 0x00’ers.
Today I will be writing a guide on an encrypted Arch install via LUKS, then installing the lightweight XFCE desktop environment. The way we will be going about this is we will create a non-encrypted boot partition, and then we will create a LUKS encrypted partition with 2 logical volumes (home and root). Think of the LUKS partition as a container for our root and home partitions. Let’s get started.

Pre-install + Setting Up Your Hard Drive and Partitions

You will need a bootable flash drive with Arch on it. If you choose to erase your hard drive, now would be the time to do it. I use DBAN on a DVD. Boot up Arch and you should see:
Arch Linux <Version of Arch> (tty1)
archiso login: root (automatic login)
root@archiso ~ #

First let’s connect to the interwebz and set up the clock.

If you are connected to Ethernet it should have automatically connected to your network via DHCP, but if it didn’t you can run
root@archiso ~ # dhcpcd <your interface here ex: enp0s25>

You can get a list of your interfaces by typing
root@archiso ~ # ip link

If you are using wifi you can use the included tool, “wifi-menu”
root@archiso ~ # wifi-menu -o (the “o” shows asterisks when you type in the wifi password and stores it as a hexadecimal string.)

A dialog menu will pop up with a list of ESSIDs. Choose yours via arrow keys and hit enter. Next, it should say “Enter a name for the new profile”. It should be already filled out, but if it isn’t, type something in here like “home-wifi”. Hit enter. Next, type in your wifi password. Hit enter; if it asks you if you would like to save this profile, select yes and hit enter again. Finally, ping a website to see if the internet is working.
root@archiso ~ # ping www.google.com

To set the system clock via NTP, type
root@archiso ~ # timedatectl set-ntp true

Now let’s partition the disks, and be aware that this will erase your hard drive.
Identify your hard drive via fdisk.
root@archiso ~ # fdisk -l

For me it is /dev/sda

Now enter the disk tool “parted”
root@archiso ~ # parted

Notice how instead of root@archiso ~ # it shows (parted). Now select your hard drive
(parted) select /dev/sdX where X is your hard drive label. For me it was (parted) select /dev/sda
Next, create a msdos disk label
(parted) mklabel msdos
Then create the boot partition
(parted) mkpart primary ext2 1MB 512MB
Then create a partition for the lvm using the rest of the disk space.
(parted) mkpart primary ext4 512MB 100%
(parted) print should list all of your partitions; you should have 2.
Now set the boot flag on your boot partition
(parted) set 1 boot on (1 should be the number of your boot partition)
Now type
(parted) quit
and verify that the changes have been made.
root@archiso ~ # fdisk -l
You should see two partitions with one having an asterisk under “boot”. For my hard drive /dev/sda1 is my boot partition, and /dev/sda2 is the partition I will be using for the lvm so that is what I will be going off of for this part of the tutorial.

Now let’s set up LUKS.
Type
root@archiso ~ # cryptsetup luksFormat /dev/sda2
(2 being the bigger partition…the one you will be using for the lvm)
Type YES and your password for the encrypted partition. Be sure to have a strong password.

Now open the LUKS container
root@archiso ~ # cryptsetup open /dev/sda2 name
name can be anything. The container will now be at /dev/mapper/name

Next let’s create the physical volume.
root@archiso ~ # pvcreate /dev/mapper/name
Now create a volume group; it can be whatever name you want.
root@archiso ~ # vgcreate x /dev/mapper/name where x is anything you want
Now let’s create the logical volumes.
root@archiso ~ # lvcreate -L 8GB x -n swap where x is the name of your volume group
root@archiso ~ # lvcreate -L 30G x -n root
root@archiso ~ # lvcreate -l 100%FREE x -n home

Now let’s create the file systems on each volume + boot partition.
root@archiso ~ # mkfs.ext4 /dev/mapper/x-home
root@archiso ~ # mkfs.ext4 /dev/mapper/x-root
root@archiso ~ # mkswap /dev/mapper/x-swap
root@archiso ~ # mkfs.ext2 /dev/sda1 where /dev/sda1 is your boot partition (the one where we set the boot flag on)

Now we mount
root@archiso ~ # mount /dev/mapper/x-root /mnt
root@archiso ~ # mkdir /mnt/home
root@archiso ~ # mount /dev/mapper/x-home /mnt/home
root@archiso ~ # mkdir /mnt/boot
root@archiso ~ # mount /dev/sda1 /mnt/boot
root@archiso ~ # swapon /dev/mapper/x-swap

Installation

Now let us install arch
root@archiso ~ # pacstrap /mnt base base-devel
Let’s generate the fstab file
root@archiso ~ # genfstab -U /mnt >> /mnt/etc/fstab
Then let’s chroot into the system.
root@archiso ~ # arch-chroot /mnt
Notice how the prompt changes to [root@archiso /] #

Setting the timezone and locales
To set the time zone type
[root@archiso /] # ln -s /usr/share/zoneinfo/YourRegionHere/YourCityHere /etc/localtime
Run the hardware clock
[root@archiso /] # hwclock --systohc
Next, type
[root@archiso /] # nano /etc/locale.gen
and uncomment (delete the #) on the line with “en_US.UTF-8 UTF-8” (or your localization)
then run
[root@archiso /] # locale-gen
Now type
[root@archiso /] # nano /etc/locale.conf
and type LANG=en_US.UTF-8 or what you need for your locale.
Type
[root@archiso /] # echo myhostname > /etc/hostname where myhostname is what you want your hostname to be.
Now let’s install wpa_supplicant, iw, dialog, and netctl
[root@archiso /] # pacman -S wpa_supplicant iw
Now type
[root@archiso /] # nano /etc/mkinitcpio.conf
and where it says HOOKS="bla bla bla", make sure “keyboard”, “encrypt”, and “lvm2” are in that list.

Now we install and configure Grub
[root@archiso /] # pacman -S grub
[root@archiso /] # grub-install /dev/sda where /dev/sda is the hard drive you are installing arch onto.
[root@archiso /] # nano /etc/default/grub
and where it says GRUB_CMDLINE_LINUX="" make it say
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:x root=/dev/mapper/x-root"
where x is the name of your volume group, and /dev/sda2 should be your partition with the volume group.
Now type
[root@archiso /] # grub-mkconfig -o /boot/grub/grub.cfg
and type
[root@archiso /] # mkinitcpio -p linux
To set the root password, type
[root@archiso /] # passwd
Now let’s add a user account and give it sudo privileges.
[root@archiso /] # useradd -m -G wheel yourusername
where yourusername is…of course…the username you want…duh.
Set the password with
[root@archiso /] # passwd yourusername
Now type
[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(it’s like vi, so navigate so that the cursor is over the #, hit del, and type “:wq”)
Now you should be able to reboot into your new system. You can log into root or your newly created account to install a couple more packages.

Installing XFCE and more things.

First let’s install the sound manager
[root@hostname ~] # pacman -S alsa-utils
Now install the Xorg display server and other goodies.
[root@hostname ~] # pacman -S xorg-server xorg-server-utils xorg-xinit
[root@hostname ~] # pacman -S xfce4 xfce4-goodies
[root@hostname ~] # pacman -S lxdm
[root@hostname ~] # systemctl enable lxdm
This will install xfce, lxdm, and bring the “login screen” up on boot.

More packages
To install firefox type
[root@hostname ~] # pacman -S firefox

To install wicd network manager type
[root@hostname ~] # pacman -S wicd wicd-gtk
[root@hostname ~] # systemctl start wicd.service && systemctl enable wicd.service

If you have a Thinkpad like me and would like to use the dedicated volume control keys do this:
Main Menu > Settings -> Keyboard -> Application Shortcuts. Add a shortcut and type amixer set Master 1+; click ok; then press the volume up key when it prompts you to. Add another; amixer set Master 1-; ok; press volume down key. Then add one and type “amixer set Master toggle”; ok; press mute key.

Final Words

Thank you for reading this guide. I really hope it helps. In a time like now everyone should be using disk encryption to protect themselves from thieves and nosy governments. Arch may turn you off because it’s complicated but don’t let it. It has a great community. I advise you to read about the AUR (Arch User Repository). If you do not like XFCE you can stop at the part where I say you should be able to reboot your computer. I chose XFCE because it is simple, lightweight and runs great on older laptops like my Thinkpad. Last but not least…I wrote this at 1:00 AM so please give me suggestions and recommendations on how I can make this article easier to understand and better.

Other things you may need (special thanks to @kowalski)

Graphic Drivers pacman -Ss xf86-video and then pick the one for your card.
Input Devices search with pacman -Ss xf86-input. evdev and synaptics/libinput should be enough.

Including additional LUKS encryption options is a good idea, even better if you have decent hardware. Here is a link to the wiki article with good explanation about what each option means: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

If you don’t want lxdm or any display manager, add startxfce4 to your .xinitrc in the home directory and just startx. You can also set startx to be executed automatically when you log into tty1 by putting this in /etc/profile.

    # autostart systemd default session on tty1
    if [[ "$(tty)" == '/dev/tty1' ]]; then
        exec startx
    fi

Install pulseaudio-alsa so that when you play youtube and mpd together, youtube doesn’t stop. -_-

For nice compositing in XFCE, use compiz or compton. (I used compiz with mate and xfce before.)

[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(it’s like vi, so navigate so that the cursor is over the #, hit del, and type “:wq”)
EDITOR=nano visudo, no need to use vi.

And as always,
Stay Frosty :snowman2:

Elliot Approved :thumbsup:

6 Likes
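
The guide edits /etc/mkinitcpio.conf and /etc/default/grub by hand, and a slip in either leaves the system unable to unlock the disk at boot. The script below is an added example, not part of the original post: it checks that keyboard is present, that encrypt, lvm2 and filesystems appear in that order (the order LVM on LUKS needs, which the post does not spell out), and that GRUB_CMDLINE_LINUX carries cryptdevice= and root=. The function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check the two hand-edited boot files before rebooting.

# Print the entries of the last HOOKS= line in file $1, one per line.
# Accepts HOOKS="..." (as in the guide) and the newer HOOKS=(...) syntax.
list_hooks() {
    awk '/^HOOKS=/ { line = $0 }
         END { gsub(/^HOOKS=["(]|[")].*$/, "", line)
               n = split(line, h, /[ \t]+/)
               for (i = 1; i <= n; i++) if (h[i] != "") print h[i] }' "$1"
}

# 1-based position of hook $2 in file $1; prints nothing if it is absent.
hook_pos() { list_hooks "$1" | grep -n -x -F -- "$2" | head -n 1 | cut -d: -f1; }

# keyboard must be present; encrypt, lvm2, filesystems must appear in that order.
check_hooks() {
    [ -n "$(hook_pos "$1" keyboard)" ] || { echo "missing hook: keyboard" >&2; return 1; }
    prev=0
    for hook in encrypt lvm2 filesystems; do
        pos=$(hook_pos "$1" "$hook")
        [ -n "$pos" ] || { echo "missing hook: $hook" >&2; return 1; }
        [ "$pos" -gt "$prev" ] || { echo "hook out of order: $hook" >&2; return 1; }
        prev=$pos
    done
}

# Print "<luks-device> <mapper-name> <root>" taken from GRUB_CMDLINE_LINUX in $1.
cmdline_params() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)".*$/\1/p' "$1" | tr ' ' '\n' | awk '
        /^cryptdevice=/ { split(substr($0, 13), c, ":"); dev = c[1]; name = c[2] }
        /^root=/        { root = substr($0, 6) }
        END { print dev, name, root }'
}

# Fail unless cryptdevice=<dev>:<name> and root=<dev> are all present.
check_cmdline() {
    set -- $(cmdline_params "$1")
    [ $# -eq 3 ] || { echo "need cryptdevice=<dev>:<name> and root=<dev>" >&2; return 1; }
}

# Constructed sample files matching the guide's values (volume group "x").
demo_dir=$(mktemp -d)
printf 'HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"\n' > "$demo_dir/mkinitcpio.conf"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:x root=/dev/mapper/x-root"\n' > "$demo_dir/grub"
check_hooks "$demo_dir/mkinitcpio.conf" && check_cmdline "$demo_dir/grub" && echo "boot config OK"
rm -rf "$demo_dir"
```

Inside the chroot, the same functions can be pointed at the real files: check_hooks /etc/mkinitcpio.conf and check_cmdline /etc/default/grub, before running mkinitcpio and grub-mkconfig.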

Great article, I have a similar cheatsheet for myself! Few things I’d like to point out:

  1. You haven’t listed out the step where graphics drivers are installed. It’s easy to do that, pacman -Ss xf86-video and then pick the one for your card. Also, xorg-twm, xorg-xclock and xterm aren’t needed.
    For your input devices, search with pacman -Ss xf86-input. evdev and synaptics/libinput should be enough. keyboard and mouse are for old devices that don’t really play well with udev iirc.

  2. Including additional LUKS encryption options is a good idea, even better if you have decent hardware. Here is a link to the wiki article with good explanation about what each option means: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode

  3. If you don’t want lxdm or any display manager, add startxfce4 to your .xinitrc in the home directory and just startx. You can also set startx to be executed automatically when you log into tty1 by putting this in /etc/profile.

     # autostart systemd default session on tty1
     if [[ "$(tty)" == '/dev/tty1' ]]; then
         exec startx
     fi
    
  4. Install pulseaudio-alsa so that when you play youtube and mpd together, youtube doesn’t stop. -_-

  5. For nice compositing in XFCE, use compiz or compton. (I used compiz with mate and xfce before.)

[root@archiso /] # visudo
Navigate to where it says # %wheel ALL=(ALL) ALL and uncomment it.
(it’s like vi, so navigate so that the cursor is over the #, hit del, and type “:wq”)

EDITOR=nano visudo, no need to use vi.

Good Job though! :wink:

4 Likes

Thank you, I will add your suggestions. I never had a problem with the keyboard thing and I was using integrated graphics so that’s why I didn’t install any drivers.

2 Likes
