Minimal instructions for installing Arch Linux on a UEFI system with full-system encryption using dm-crypt and LUKS
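# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# Based on https://gist.github.com/mattiaslundberg/8620837
# And based on https://wiki.archlinux.de/title/Anleitung_f%C3%BCr_Einsteiger
#
# Layout produced by these steps: sdX1 = unencrypted EFI system partition, sdX2 = unencrypted /boot
# (kernel + initramfs), sdX3 = LUKS container holding an LVM volume group with swap, root and home.
# Security caveat: /boot and the EFI partition are neither encrypted nor signed in this setup, so anyone
# with physical access can swap the bootloader, kernel or initramfs and capture the passphrase on the
# next boot ("evil maid"). An encrypted /boot and Secure Boot mitigate this but are out of scope here.

# Download the archiso image from https://www.archlinux.org/
# Verify it (also download the .sig file to verify it); gpg looks for the .iso next to the .sig
gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
# auto-key-retrieve fetches whatever key the keyserver returns for the key id in the signature, so a
# "Good signature" line alone proves little: compare the fingerprint gpg prints with the one published
# on the Arch download page before trusting the image.
# or if you have already arch installed (uses the keyring pacman already trusts)
pacman-key -v archlinux-version-x86_64.iso.sig
# Copy to a usb-drive. /dev/sdX must be the whole USB device, not a partition - check with lsblk first,
# dd overwrites whatever it is pointed at without asking.
sudo dd if=archlinux-version-x86_64.iso of=/dev/sdX bs=1M status=progress && sudo sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Set german keymap
loadkeys de-latin1
# This assumes a wifi only system...
wifi-menu
# NOTE: recent archiso images no longer ship wifi-menu/netctl; there use `iwctl` (iwd) instead and
# check connectivity with `ping archlinux.org` before continuing.
# List your partitions
lsblk
# (Optional) If you want to prevent recovery of previously stored data you need to wipe your disk first.
# luksFormat only writes a new header: old plaintext elsewhere on the disk stays readable until it is
# overwritten. cat stops with "No space left on device" once the disk is full - that is the expected end.
cat /dev/zero > /dev/sdX
# Or if you even want to hide how much storage you are using use the following. However, this takes significantly longer.
# (A zero-filled disk lets an observer tell encrypted data from unused space; random fill does not.)
cat /dev/urandom > /dev/sdX
# If you already installed arch with the same setup on the computer there may be still files in /mnt/boot if you did not wipe your disk
# In this case run at least: cat /dev/urandom > /dev/sdX1 && cat /dev/urandom > /dev/sdX2
# Create partitions
cgdisk /dev/sdX
1 100MB EFI partition # Hex code ef00
2 250MB Boot partition # Hex code 8300
3 100% size partition # (to be encrypted) Hex code 8300
# press d to delete a partition, n to create a new partition
# before creating a new partition select the free space partition type
# for the first sector just press enter, then enter the size and unit e.g. for boot 250M press enter and then add a name to your partition
# for the 100% just press enter when asked for size
# if entered all three partitions press w to write it down and then quit with q
mkfs.vfat -F32 /dev/sdX1
mkfs.ext2 /dev/sdX2
# Setup the encryption of the system
# /boot is on its own unencrypted partition, so GRUB never has to open this container itself; the LUKS
# version your cryptsetup defaults to is fine, the initramfs encrypt hook handles LUKS1 and LUKS2.
# --key-size 512 with the default aes-xts cipher means AES-256; --iter-time 5000 makes every unlock
# spend ~5 s in key derivation (lower it if that is too slow). Newer cryptsetup versions may ignore or
# reject --use-random; dropping it does not weaken the setup.
cryptsetup --key-size 512 --hash sha512 --iter-time 5000 -y --use-random luksFormat /dev/sdX3
# Keep a copy of the LUKS header somewhere off this disk - a damaged header makes the data
# unrecoverable even with the right passphrase. Guard the backup file like the passphrase itself.
# cryptsetup luksHeaderBackup /dev/sdX3 --header-backup-file luks-header.img
cryptsetup luksOpen /dev/sdX3 luks
# Create encrypted partitions
# This creates one partition for root and home, modify if /tmp or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
# a 30-50G root partition should be large enough. However if you play a lot with dockers make it bigger, e.g. 80G
vgcreate vg0 /dev/mapper/luks
lvcreate --size 8G vg0 --name swap
lvcreate --size 50G vg0 --name root
lvcreate -l +100%FREE vg0 --name home
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkfs.ext4 /dev/mapper/vg0-home
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
mkdir /mnt/home
mount /dev/mapper/vg0-home /mnt/home
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/sdX2 /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sdX1 /mnt/boot/efi
# Edit the mirrorlist to speed up downloading, top ten should be servers near your current location
nano /etc/pacman.d/mirrorlist
# Delete one line with Ctrl+K
# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# The bootloader package is called `grub` in the current repos (the old `grub-efi-x86_64` name is gone).
pacstrap /mnt base base-devel linux linux-firmware lvm2 nano grub git efibootmgr netctl dialog dhcpcd wpa_supplicant
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock (-f replaces a localtime link that may already exist)
ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Set keymap
echo KEYMAP=de-latin1 > /etc/vconsole.conf
# Update locale
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
#echo LC_ALL=C >> /etc/locale.conf # not recommended, caused an unicode error in python for me
# Update locales
nano /etc/locale.gen
# Uncomment `en_US.UTF-8 UTF-8` (the LANG set above is unusable without it), plus `de_DE.UTF-8 UTF-8`,
# `de_DE ISO-8859-1` and `de_DE@euro ISO-8859-15`
locale-gen
# Set password for root
passwd
# Add real user
useradd -m -g users -G wheel,storage,power -s /bin/bash MYUSERNAME
passwd MYUSERNAME
# If you want to use sudo, uncomment `%wheel ALL=(ALL) ALL` via `EDITOR=nano visudo` instead of editing
# /etc/sudoers directly: visudo syntax-checks the file, and a broken sudoers locks every wheel user out of sudo.
# Configure mkinitcpio with modules needed for the initrd image
nano /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Add keymap after keyboard but before encrypt, otherwise the passphrase prompt still uses the US layout
# MODULES=(ext4)
# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)
# Regenerate initrd image
mkinitcpio -p linux
# Setup grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub --recheck
# Even if it shows an error that efibootmgr failed to register the boot entry it still works
nano /etc/default/grub
# Change GRUB_CMDLINE_LINUX so the initramfs knows which device to unlock. Refer to the partition by
# UUID (print it with `blkid -s UUID -o value /dev/sdX3`): /dev/sdX3 can get another letter when a USB
# disk is plugged in, and the system would then fail to boot.
# GRUB_CMDLINE_LINUX="cryptdevice=UUID=<uuid-of-sdX3>:luks:allow-discards"
# :allow-discards passes TRIM through to the SSD. That is good for the SSD but lets anyone reading the
# raw disk see which blocks are unused, which undoes the "hide how much storage you use" fill above.
# Leave it out if that matters to you.
grub-mkconfig -o /boot/grub/grub.cfg
# Also place GRUB at the fallback path firmware tries when no boot entry is registered (cf. the efibootmgr error above)
mkdir /boot/efi/EFI/boot
cp /boot/efi/EFI/arch_grub/grubx64.efi /boot/efi/EFI/boot/bootx64.efi
# If you reboot and Arch is not booting there is a good chance that you have Legacy mode enabled
# Then reboot, get in the UEFI boot menu and disable Legacy Mode, sometimes it's hard to find the setting but it's somewhere, startpage.com is your friend ;-)
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
# Processor manufacturers release stability and security updates to the processor microcode.
# These updates provide bug fixes that can be critical to the stability
# of your system. Without them, you may experience spurious crashes or
# unexpected system halts that can be difficult to track down.
# --> see: https://wiki.archlinux.org/index.php/Microcode
# Use -Syu (sync + full upgrade), not -Sy: installing a package right after a bare -Sy is a partial
# upgrade, which Arch does not support and which can leave libraries mismatched.
# For AMD processors use
pacman -Syu amd-ucode
# For Intel
pacman -Syu intel-ucode
# Then regenerate the grub config so it picks up the microcode image
grub-mkconfig -o /boot/grub/grub.cfg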