Installing ArchLinux with Encrypted LVM, UEFI and GPT

This is not a definitive guide. This is just what I learned installing and booting to a command prompt with /boot, /home and root defined as logical volumes inside of an encrypted partition. As I’ve said, this is by no means an exhaustive guide. It’s more like a list of specific steps and resources for more information.

I got a new laptop from System76 and wanted to install Debian. The Debian installer, for whatever reason, wouldn’t load the graphics, making it unusable. Bummer. So I decided to take this opportunity to finally wrap my head around ArchLinux. I see it mentioned everywhere, they have incredible documentation that I often use for help even with other distros, and I like the level of control it allows. However, I don’t know enough about it to just go formatting my new laptop and installing it willy nilly. So I decided to muddle through a test install on a virtual machine using VirtualBox. This presented a couple of unique challenges since it’s not a perfect emulator (but it’s still the best one around).

I wanted to emulate the setup that came on the laptop as far as the encrypted disk and Logical Volume Management, so that’s where I started. It took several tries for me to get it right since these things are new to me, but I eventually got it. Start by following the instructions from the Archlinux Installation Guide up to partitioning.

On a 20G virtual drive, using gdisk, my partitioning goes like this:

/dev/sda1    Sectors 34-2047    BIOS Partition (EF02)
/dev/sda2    512M  EFI Partition (EF00)
/dev/sda3    512M  EXT4 Partition (8300)
/dev/sda4    4G    Swap (8200)
/dev/sda5    whatever is left for LVM (8E00)

Set up /dev/sda5 as the encrypted volume with:
# cryptsetup -v --type luks1 luksFormat /dev/sda5
I use luks1 because luks2 doesn’t seem to be fully supported yet and is definitely not supported by GRUB. The above command will encrypt /dev/sda5 and ask you for the password you’d like to use.
Open the encrypted volume with:
# cryptsetup open /dev/sda5 cryptdata
This will open the encrypted volume and map it to /dev/mapper/cryptdata. Now create the logical volumes for /var, /home and root.
# pvcreate /dev/mapper/cryptdata
# vgcreate data /dev/mapper/cryptdata
# lvcreate -L 2G data -n var
# lvcreate -L 5G data -n home
# lvcreate -l 100%FREE data -n root
Now the disk is partitioned. Time to format.
# mkfs.fat -F32 /dev/sda2
# mkfs.ext4 /dev/sda3
# mkswap /dev/sda4
# swapon /dev/sda4
# mkfs.ext4 /dev/data/var
# mkfs.ext4 /dev/data/home
# mkfs.ext4 /dev/data/root
Now that we’re all partitioned and formatted, let’s get everything mounted.
# mount /dev/data/root /mnt
# cd /mnt
# mkdir efi boot home var
# mount /dev/sda2 efi
# mount /dev/sda3 boot
# mount /dev/data/var var
# mount /dev/data/home home
So now my target filesystem should be all set and it’s time to pick our mirrors. You can go through the steps to sort the list by the fastest mirrors, but I just selected all of the servers in the US. Go to /etc/pacman.d to find the mirrorlist and copy it to mirrorlist.orig.
# cp mirrorlist mirrorlist.orig
# grep -A 1 'United States' mirrorlist|sed -e 's/--//g'|sed 's/#Server/Server/g' >> mirrorlist.us
# cp mirrorlist.us mirrorlist
Install the base system with:
# pacstrap /mnt base
Wrap it up with:
# genfstab -U /mnt >> /mnt/etc/fstab
# arch-chroot /mnt
# pacman -S --noconfirm vim
# ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime
# hwclock --systohc
Uncomment your locale in /etc/locale.gen (en_US.UTF-8 UTF-8) and run:
# locale-gen
# echo 'LANG=en_US.UTF-8' >> /etc/locale.conf
# echo 'workstation' >> /etc/hostname
# echo '127.0.0.1 localhost' >> /etc/hosts
# echo '::1 localhost' >> /etc/hosts
With both dm_crypt (luks1) and lvm, you’ll need to make /etc/mkinitcpio.conf HOOKS= look like:
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)
And run:
# mkinitcpio -P
Set the root password with:
# passwd
Install grub and efibootmgr:
# pacman -S --noconfirm grub efibootmgr
# grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
Use the command lsblk -f to get the UUID for the encrypted partition. In my case this was /dev/sda5. Edit /etc/default/grub so that GRUB_CMDLINE_LINUX looks like:
GRUB_CMDLINE_LINUX="cryptdevice=UUID=2f8fdc54-e985-4f8e-8b0a-b256a5c0332f:cryptdata"

Now generate grub.cfg with:
# grub-mkconfig -o /boot/grub/grub.cfg
Exit from chroot, unmount with umount -R /mnt and reboot. That should get you to a prompt.
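Two things in the procedure above silently break the boot if they are wrong: the HOOKS order in /etc/mkinitcpio.conf (encrypt has to run before lvm2, and both after block) and the UUID in the cryptdevice= parameter matching the LUKS partition. The script below is an added example, not part of the original post, that checks both from within the chroot before rebooting; it runs here on constructed sample lines (the UUID is the one quoted above, used as a placeholder), and on a real install you would feed it the actual HOOKS line, GRUB_CMDLINE_LINUX line and `blkid /dev/sda5` output instead.

```shell
#!/bin/sh
# Pre-reboot sanity checks for the encrypted-LVM layout (added example).

# Constructed sample lines standing in for the real files/command output.
SAMPLE_HOOKS='HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)'
SAMPLE_GRUB='GRUB_CMDLINE_LINUX="cryptdevice=UUID=2f8fdc54-e985-4f8e-8b0a-b256a5c0332f:cryptdata"'
SAMPLE_BLKID='/dev/sda5: UUID="2f8fdc54-e985-4f8e-8b0a-b256a5c0332f" TYPE="crypto_LUKS"'

# Return 0 if block, encrypt, lvm2 and filesystems appear in that order in $1
# (a HOOKS=(...) line). encrypt must precede lvm2 so the LUKS container is
# already mapped when lvm2 scans for physical volumes.
hooks_ordered() {
    list=$(printf '%s' "$1" | sed -e 's/^HOOKS=(//' -e 's/)$//')
    prev=-1
    for want in block encrypt lvm2 filesystems; do
        pos=0; found=-1
        for h in $list; do
            pos=$((pos + 1))
            [ "$h" = "$want" ] && found=$pos && break
        done
        [ "$found" -gt "$prev" ] || return 1   # missing or out of order
        prev=$found
    done
    return 0
}

# Print the UUID from "cryptdevice=UUID=<uuid>:<name>" in a GRUB_CMDLINE_LINUX line.
cryptdevice_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=\([^:"]*\):.*/\1/p'
}

# Print the UUID="..." value from one line of blkid output.
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.*UUID="\([^"]*\)".*/\1/p'
}

# Return 0 if the UUID GRUB passes to the encrypt hook ($1) is the UUID blkid
# reports for the LUKS partition ($2). A mismatch leaves you at a rescue shell.
cryptdevice_matches() {
    want=$(cryptdevice_uuid "$1")
    [ -n "$want" ] && [ "$want" = "$(blkid_uuid "$2")" ]
}

# Usage on a real system (from inside the chroot):
#   hooks_ordered "$(grep '^HOOKS=' /etc/mkinitcpio.conf)"
#   cryptdevice_matches "$(grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub)" "$(blkid /dev/sda5)"
hooks_ordered "$SAMPLE_HOOKS" && cryptdevice_matches "$SAMPLE_GRUB" "$SAMPLE_BLKID" \
    && echo "hooks and cryptdevice look consistent"
```

Note that in this layout /dev/sda3 (/boot) and the swap partition sit outside the LUKS container, so the kernel, initramfs and anything swapped out are stored in the clear; these checks only confirm that the encrypted root will be found at boot.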