Setting up Arch Linux

Kyle C. Simmons edited this page Jan 28, 2018 · 21 revisions

Setup Arch Linux with UEFI, LVM and LUKS

A secure Arch Linux setup with UEFI, encrypted LVM on LUKS and a hardened system. Download the current version of Arch Linux from archlinux.org/download. If Arch is being set up on a virtual machine, make sure to change the settings to UEFI.

Requirements

  • An internet connection throughout the installation
  • UEFI is required
  • Arch Linux ISO
  • Previous Linux experience

Initial setup

Check UEFI is active

Check if your system is running UEFI by entering the following:

# ls /sys/firmware/efi

Check network connectivity

Setup wifi or ethernet so the packages can be downloaded from the mirrors later on.

Check the connectivity by pinging Google:

# ping -c 3 8.8.8.8

Setup mirrors

Get the mirror list for your location and add it to the configuration file.

# vim /etc/pacman.d/mirrorlist

Setup the partitions

Check partitions and disk space. The size in GB of each logical volume will depend on your disk space.

lsblk

Gdisk can be used to create new partitions. 2 partitions will be created in this example. The first one is for the UEFI boot and the second one is for the LVM. Enter the following command to begin configuring the partitions:

# gdisk /dev/sda

WARNING: This next command will overwrite all partitions. Confirm the overwrite when prompted.

o

The first partition will be the EFI partition; 512MB is sufficient for a boot partition.

n
Partition number (usually choose the default, press enter)
First sector (press enter)
Last sector (+512MB)
Hex code (ef00)

Entering ef00 will change it to an EFI system partition. The second partition will be the Linux LVM, which will be encrypted and will contain the file system.

n
Partition number (choose default)
First sector (press enter)
Last sector (press enter, this will use the remaining space on the disk for the partition) 
Hex code (8e00)

Save the partition changes:

w

Encrypt the partition (LUKS)

To encrypt our entire system we will be using LUKS. This will encrypt the LVM partition /dev/sda2 with LUKS. A passphrase for the partition is required.

# cryptsetup luksFormat /dev/sda2

'lvm' is the name the opened LUKS device is mapped to (/dev/mapper/lvm). For simplicity I named it 'lvm'.

# cryptsetup open --type luks /dev/sda2 lvm

LVM setup

Setup physical volume:

# pvcreate /dev/mapper/lvm

Setup volume and volume name

# vgcreate volume /dev/mapper/lvm

Logical volume setup. The swap lvcreate is optional depending on if you need / want swap space. The swap space does not require a large amount of space, 4GB is used.

# lvcreate -L4G volume -n swap

The root size will depend on how big your disk is; in my example I am going with 20G.

# lvcreate -L20G volume -n root

The home lvcreate will allocate all remaining free space to home.

# lvcreate -l 100%FREE volume -n home

Mount and format partitions

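Format the partitions with ext4, and swap if used in previous steps; the EFI system partition is formatted as FAT32. Then mount them.

mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/mapper/volume-root
mkfs.ext4 /dev/mapper/volume-home
mkswap /dev/mapper/volume-swap
mount /dev/mapper/volume-root /mnt
mkdir /mnt/home
mkdir /mnt/boot
mount /dev/mapper/volume-home /mnt/home
mount /dev/sda1 /mnt/boot
swapon /dev/mapper/volume-swap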

Setup base system

Now that we have set up the partitions and LVM and mounted them, we can begin installing the base system and set up the configuration files. Start by installing base and base-devel. In addition to the base system we are installing some wifi tools, Vim and sudo.

# pacstrap /mnt base base-devel wireless_tools dialog wpa_supplicant wpa_actiond vim sudo

Generate fstab

Fstab is the file system table used to decide how each partition is used. To generate fstab we type the following line:

# genfstab -p /mnt >> /mnt/etc/fstab

Chroot into the system

# arch-chroot /mnt

Setup configuration files

Edit the locale.gen file and uncomment the line for your locale:

vim /etc/locale.gen

Once your locale is uncommented, enter the following commands:

locale-gen
locale > /etc/locale.conf

Enter hostname:

vim /etc/hostname

Setup the timezone:

ln -s /usr/share/zoneinfo/Europe/London /etc/localtime

Setup the clock:

hwclock --systohc --utc

Enable the 32-bit repositories (optional). This allows both 64-bit and 32-bit programs to be installed, so you can install extra packages if needed. To enable it, edit the configuration file and uncomment [multilib], then refresh the package databases.

vim /etc/pacman.conf
pacman -Sy

Basic user configuration

Setup a root password:

passwd

Add a user: (NAME is the user)

# useradd -m -g users -G wheel,storage,power -s /bin/bash NAME

Set up the user's password:

# passwd NAME

Configure the sudoers file. Use visudo, which checks the syntax before saving:

# EDITOR=vim visudo

Uncomment the line to allow the new user to use 'sudo':

%wheel ALL=(ALL) ALL

Boot loader

Access the following config file:

vim /etc/mkinitcpio.conf

Add encrypt and lvm2 to the HOOKS line after keyboard, in the order shown below. Having keyboard before encrypt lets you use the keyboard to enter your passphrase when 'encrypt' runs. If it is not there, the keyboard will not work when entering the passphrase.

HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck)

Regenerate the initramfs:

# mkinitcpio -p linux
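
The hook ordering described above can be checked before rebooting. This is an added example, not part of the original page: a small shell check over the text of mkinitcpio.conf, where the function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify hook order in mkinitcpio.conf text.

# Print the 1-based position of hook $1 in the space-separated list $2 (0 = absent).
pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# $1 = contents of mkinitcpio.conf. Reads the last uncommented HOOKS line,
# in either HOOKS=(...) or HOOKS="..." form, and checks that
# keyboard, encrypt, lvm2, filesystems are all present and in that order.
check_hooks() {
    hooks=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*HOOKS=[("]*\([^")]*\).*/\1/p' | tail -n 1)
    prev=0
    for want in keyboard encrypt lvm2 filesystems; do
        p=$(pos "$want" "$hooks")
        if [ "$p" -eq 0 ]; then echo "missing hook: $want"; return 1; fi
        if [ "$p" -lt "$prev" ]; then echo "hook out of order: $want"; return 1; fi
        prev=$p
    done
    echo "ok"
}

# Constructed samples: the line from this guide, and one with keyboard too late.
GOOD='MODULES=()
#HOOKS=(base udev)
HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck)'
BAD='HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"'

check_hooks "$GOOD"
check_hooks "$BAD" || true
# On the installed system: check_hooks "$(cat /etc/mkinitcpio.conf)"
```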

Setup the boot loader path:

bootctl --path=/boot/ install

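Edit the config file with the following lines. Setting editor 0 disables the boot-menu kernel parameter editor, which would otherwise let anyone at the console change the boot options.

vim /boot/loader/loader.conf

default arch
timeout 5
editor 0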

Setup the boot loader UUID:

vim /boot/loader/entries/arch.conf

Get the UUID in Vim:

:read ! blkid /dev/sda2

Enter the following in this configuration file, replacing the example UUID with the one blkid printed for /dev/sda2:

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=1234-566-67-80:volume root=/dev/mapper/volume-root quiet rw
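
One way to avoid retyping the UUID by hand, as an added example that is not part of the original page: the script below builds the entry from a line of blkid output and refuses a device that is not a LUKS container. The function names and the sample blkid line are constructed; the mapper name and root path are the ones used in this guide.

```shell
#!/bin/sh
# Added example: build arch.conf from blkid output instead of copying the UUID by hand.

# Print the value of field $1 (e.g. UUID, TYPE) from one line of blkid output $2.
# The leading whitespace in the pattern keeps PARTUUID= from matching UUID=.
blkid_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# $1 = blkid line for the encrypted partition, $2 = mapper name,
# $3 = root logical volume. Fails unless the partition is a LUKS container,
# which catches passing the UUID of the filesystem or LVM volume by mistake.
make_entry() {
    type=$(blkid_field TYPE "$1")
    uuid=$(blkid_field UUID "$1")
    if [ "$type" != "crypto_LUKS" ]; then
        echo "not a LUKS partition (TYPE=${type:-unknown})" >&2
        return 1
    fi
    if [ -z "$uuid" ]; then
        echo "no UUID found" >&2
        return 1
    fi
    printf 'title Arch Linux\nlinux /vmlinuz-linux\ninitrd /initramfs-linux.img\n'
    printf 'options cryptdevice=UUID=%s:%s root=%s quiet rw\n' "$uuid" "$2" "$3"
}

# Constructed sample of what `blkid /dev/sda2` prints for a LUKS partition.
SAMPLE='/dev/sda2: UUID="00000000-1111-2222-3333-444444444444" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"'

make_entry "$SAMPLE" volume /dev/mapper/volume-root
# In the chroot:
#   make_entry "$(blkid /dev/sda2)" volume /dev/mapper/volume-root \
#       > /boot/loader/entries/arch.conf
```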

Finalise the Arch installation

To finish off the installation we need to exit chroot, umount all the partitions, and reboot the machine.

exit
umount -R /mnt
reboot

Once the machine has been rebooted, a login prompt will appear and the installation is complete.

If issues occur during the installation you can mount the LVM and chroot back into Arch and backtrack to make changes.