Installing Arch Linux on UEFI with Full Disk Encryption

This is a step-by-step guide to installing Arch Linux on UEFI with full disk encryption. It deliberately contains no unnecessary words or bling. It is heavily based on the Arch Linux wiki’s installation guide, so if you’re ever stuck, just refer to it and the rest of the awesome Arch wiki.

Download ISO

  1. Download the latest ISO from the Arch Linux website

Create Bootable USB Stick

You can skip this step if you just want to run Arch Linux in a VM. In that case, just run the ISO from your favorite VM management tool like QEMU.

  1. Insert a USB stick into your computer
  2. Run lsblk to find the correct disk
  3. Run sudo umount /dev/sdx or whatever the USB stick is
  4. Run sudo dd bs=4M if=path/to/input.iso of=/dev/sdx oflag=sync status=progress to write the ISO to the USB stick. Don’t forget to replace the two paths with the correct ones.
  5. Insert the USB stick into the target computer and boot it from there

As soon as you can see the Arch Linux prompt, you are ready for the next step.

Check for UEFI support

  1. Run ls /sys/firmware/efi/efivars to check if that directory exists. If it doesn’t, your system does not support UEFI and this guide is not for you; refer to the official Arch Linux Installation Guide instead.

Establish Connectivity

  1. Connect the computer via ethernet (recommended) or run iwctl to log into WiFi
  2. Check for internet connectivity with ping archlinux.org
  3. Make sure the clock is synced with timedatectl set-ntp true

Partition

  1. Check for different drives and partitions with lsblk and then start to partition with gdisk /dev/nvme0n1 (or whatever the disk is)
  2. Delete any existing partitions using d
  3. Create boot partition with n with default number, default first sector, last sector at +512M and select ef00 “EFI System” as the type
  4. Create root partition with n with default number, default first sector, default last sector and select 8300 “Linux filesystem” as the type
  5. Press w to write partitions
  6. Run lsblk again to verify partitioning

Encrypt Root Partition

  1. Run cryptsetup -y -v luksFormat /dev/nvme0n1p2 and then type YES and the new encryption password to encrypt the root partition
  2. Run cryptsetup open /dev/nvme0n1p2 cryptroot to open the encrypted partition

Create File Systems

  1. Create the boot file system with mkfs.fat -F32 /dev/nvme0n1p1 (or whatever the partition is called)
  2. Create the root file system with mkfs.ext4 /dev/mapper/cryptroot

Mount File Systems

  1. Run mount /dev/mapper/cryptroot /mnt to mount the root file system
  2. Run mkdir /mnt/boot to create the boot directory
  3. Run mount /dev/nvme0n1p1 /mnt/boot to mount your boot file system
  4. Run lsblk again to verify mounting

Create Swap File (not needed on VMs)

  1. Run dd if=/dev/zero of=/mnt/swapfile bs=1M count=24576 status=progress to create the swap file where the count is the number of mebibytes you want the swap file to be (usually around 1.5 times the size of your RAM)
  2. Run chmod 600 /mnt/swapfile to set the right permissions on it
  3. Run mkswap /mnt/swapfile to make it an actual swap file
  4. Run swapon /mnt/swapfile to turn it on

Install Arch Linux

  1. Run pacstrap /mnt base base-devel linux linux-firmware neovim to install Arch Linux (linux-firmware is not needed on VMs)

Generate File System Table

  1. Run genfstab -U /mnt >> /mnt/etc/fstab to generate fstab with UUIDs

Switch to Your New Linux Installation

  1. Run arch-chroot /mnt to switch to your new Arch Linux installation

Set Locales

  1. Run ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime (or whatever your timezone is) to set your time zone
  2. Run hwclock --systohc
  3. Run nvim /etc/locale.gen and uncomment yours (e.g. en_US.UTF-8 UTF-8)
  4. Run locale-gen to generate the locales
  5. Run echo 'LANG=en_US.UTF-8' > /etc/locale.conf

Set Hostname

  1. Run echo 'arch' > /etc/hostname (or whatever your hostname should be)
  2. Run nvim /etc/hosts and insert the following lines:
127.0.0.1     localhost
::1           localhost
127.0.1.1     arch.localdomain        arch

In the last line, change arch to whatever hostname you picked in the previous step.

Set Root Password

  1. Run passwd and set your root password

Configure Initramfs

  1. Run nvim /etc/mkinitcpio.conf and, to the HOOKS array, add keyboard between autodetect and modconf and add encrypt between block and filesystems
  2. Run mkinitcpio -P

Install Boot Loader

  1. Run pacman -S grub efibootmgr intel-ucode (or amd-ucode if you have an AMD processor) to install the GRUB package and CPU microcode
  2. Run blkid -s UUID -o value /dev/nvme0n1p2 to get the UUID of the device
  3. Run nvim /etc/default/grub and set GRUB_TIMEOUT=0 so that GRUB boots your OS without waiting (only makes sense if you don’t dual boot with another OS). Then set GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx:cryptroot", replacing “xxxx” with the UUID of the nvme0n1p2 device, to tell GRUB about our encrypted file system
  4. Run grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB to install GRUB for your system
  5. Run grub-mkconfig -o /boot/grub/grub.cfg to configure GRUB
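
A pre-reboot check for the two edits that decide whether the encrypted root can be unlocked at boot: the HOOKS order from Configure Initramfs and the cryptdevice parameter set above. This is an added example, not part of the original guide; the function names, sample files and UUID are constructed for illustration.

```sh
# Added example, not part of the original guide. Sample files and UUID are constructed.
# 1-based position of hook $2 in the active HOOKS=(...) line of file $1; 0 if absent.
hook_pos() {
    awk -v want="$2" '
        /^[ \t]*HOOKS=\(/ {
            line = $0; pos = 0
            sub(/^[^(]*\(/, "", line); sub(/\).*$/, "", line)
            n = split(line, h, " ")
            for (i = 1; i <= n; i++) if (h[i] == want) pos = i
        }
        END { print pos + 0 }' "$1"
}

# Succeeds when hooks $2, $3, $4 are all present in file $1 in that order.
ordered() {
    a=$(hook_pos "$1" "$2"); b=$(hook_pos "$1" "$3"); c=$(hook_pos "$1" "$4")
    [ "$a" -gt 0 ] && [ "$a" -lt "$b" ] && [ "$b" -lt "$c" ]
}

# The guide's placement: keyboard after autodetect, encrypt between block and filesystems.
check_hooks() {
    ordered "$1" autodetect keyboard modconf && ordered "$1" block encrypt filesystems
}

# cryptdevice= value from GRUB_CMDLINE_LINUX in file $1 (empty if not set).
grub_cryptdevice() {
    sed -n 's/^ *GRUB_CMDLINE_LINUX="\(.*\)".*$/\1/p' "$1" |
        tr ' ' '\n' | sed -n 's/^cryptdevice=//p' | tail -n 1
}

# Succeeds when GRUB refers to LUKS UUID $2 and mapper name $3.
check_grub() {
    [ "$(grub_cryptdevice "$1")" = "UUID=$2:$3" ]
}

# Constructed stand-ins for /etc/mkinitcpio.conf and /etc/default/grub.
sample_dir=$(mktemp -d)
sample_uuid=0f3c6a52-1111-4222-8333-444455556666
printf '%s\n' '#HOOKS=(base udev block filesystems)' \
    'HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)' \
    > "$sample_dir/mkinitcpio.conf"
printf '%s\n' 'HOOKS=(base udev autodetect keyboard modconf block filesystems encrypt fsck)' \
    > "$sample_dir/mkinitcpio.bad"
printf '%s\n' 'GRUB_TIMEOUT=0' 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' \
    "GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=$sample_uuid:cryptroot\"" > "$sample_dir/grub"
printf '%s\n' 'GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx:cryptroot"' > "$sample_dir/grub.bad"
check_hooks "$sample_dir/mkinitcpio.conf" && echo "HOOKS order ok"
check_grub "$sample_dir/grub" "$sample_uuid" cryptroot && echo "cryptdevice matches LUKS UUID"
check_grub "$sample_dir/grub.bad" "$sample_uuid" cryptroot || echo "placeholder UUID left in grub"
```

Inside the chroot, call check_hooks /etc/mkinitcpio.conf and check_grub /etc/default/grub "$(blkid -s UUID -o value /dev/nvme0n1p2)" cryptroot before rebooting.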

Install Network Manager

  1. Run pacman -S networkmanager to install NetworkManager
  2. Run systemctl enable NetworkManager to run NetworkManager at boot

Reboot

  1. Run exit to return to the outer shell
  2. Run reboot to get out of the setup

Connect to WiFi (only needed if there’s no ethernet connection)

  1. Run nmcli d wifi list to list the available networks
  2. Run nmcli d wifi connect MY_WIFI password MY_PASSWORD to connect to one of them

Add User

  1. Run EDITOR=nvim visudo and uncomment %wheel ALL=(ALL) NOPASSWD: ALL to allow members of the wheel group to run privileged commands without entering a password
  2. Run useradd --create-home --groups wheel,video lena (or whatever your user name should be) to create the user
  3. Run passwd lena to set your password
  4. Run exit and log back in with your new user

Install Window Manager

  1. Run sudo pacman -S sway swayidle swaylock to install Sway
  2. Add the following to ~/.zlogin or the login file of whatever shell you are using:
# Start window manager
if [ "$(tty)" = "/dev/tty1" ]; then
  exec sway
fi

Set Up Sound

  1. Run sudo pacman -S pipewire pipewire-pulse to install PipeWire

Set Up Bluetooth

  1. Run sudo pacman -S bluez bluez-utils to install the Bluetooth utilities
  2. Run sudo systemctl enable bluetooth.service --now to start Bluetooth

Lock Root User (to be extra secure)

  1. Run sudo passwd -l root to lock out the root user

Install a Firewall

  1. Run sudo pacman -S nftables to install the firewall
  2. Run sudo nvim /etc/nftables.conf to edit the config to your liking, and remove the part about allowing incoming SSH connections if you don’t need that
  3. Run sudo systemctl enable nftables.service --now to enable the firewall

Enable Time Synchronization

  1. Run sudo systemctl enable systemd-timesyncd.service --now to enable automated time synchronization

Improve Power Management (only makes sense on laptops)

  1. Run sudo pacman -S tlp tlp-rdw to install TLP
  2. Run sudo systemctl enable tlp.service --now to run power optimizations automatically
  3. Run sudo systemctl enable NetworkManager-dispatcher.service --now to prevent conflicts
  4. Run sudo tlp-stat and follow any recommendations there

Enable Scheduled fstrim (only makes sense for SSDs)

  1. Run sudo systemctl enable fstrim.timer --now to enable regular housekeeping of your SSD

Enable Scheduled Mirrorlist Updates

  1. Run sudo pacman -S reflector to install reflector
  2. Run sudo nvim /etc/xdg/reflector/reflector.conf and change the file to your liking
  3. Run sudo systemctl enable reflector.timer --now to enable running reflector regularly

Reduce Swappiness (only makes sense if you have more than 4GB of RAM)

  1. Run echo 'vm.swappiness=10' | sudo tee /etc/sysctl.d/99-swappiness.conf to reduce the swappiness permanently

Install Dotfiles

  1. Run sudo pacman -S git to install Git
  2. Install Mastertinner’s dotfiles or some other ones to customize your installation