Step 1 (Optional): Securely wipe your disk
dd if=/dev/zero of=/dev/sda iflag=nocache oflag=direct bs=4096
Note: dd ends with "No space left on device" once it reaches the end of the disk; that is the expected end of a full pass. Zero-filling destroys the old contents, but once the LUKS container exists the boundary between ciphertext and untouched zeros shows how much of the disk actually holds data. If that matters, fill the disk from /dev/urandom instead, or zero-fill the opened container (/dev/mapper/crypto, after Step 5) so the zeros reach the disk as ciphertext. Overwriting is also unreliable on SSDs, whose controllers remap cells; prefer the drive's own secure erase or a discard (blkdiscard) there.
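A guarded version of the wipe, added here as an example rather than the guide's own command: it refuses anything that is not an unmounted block device, asks for the device path back before writing, and ends the overwrite cleanly by sizing it with blockdev instead of running dd until it errors out. It goes beyond the zero-fill above with a random-fill mode (so free space later looks like ciphertext) and a discard mode for SSDs. The script name, argument order and function names are this example's own choices; it relies on blockdev, lsblk and blkdiscard from util-linux and on GNU dd.

```shell
#!/bin/bash
# Guarded whole-disk wipe for the optional Step 1 (added example, not the
# guide's own command). Usage: bash wipe_disk.sh /dev/sdX [zero|random|discard]
#   zero    - overwrite with zeros; old data is gone, but free space stays
#             distinguishable from the LUKS container created later
#   random  - overwrite from /dev/urandom; slower, free space looks like ciphertext
#   discard - blkdiscard for SSDs; relies on the drive honouring TRIM
# Needs blockdev, lsblk and blkdiscard from util-linux and GNU dd (status=progress).

# Refuse anything that is not a block device or has a mount or active swap on
# it. Matching on the prefix in /proc/mounts and /proc/swaps also catches the
# disk's partitions, since their names start with the disk name.
wipe_target_ok() {
    local dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if [ -r /proc/mounts ] && grep -q "^$dev" /proc/mounts; then
        echo "$dev or a partition on it is mounted" >&2; return 1
    fi
    if [ -r /proc/swaps ] && grep -q "^$dev" /proc/swaps; then
        echo "$dev or a partition on it is active swap" >&2; return 1
    fi
}

# Data source for an overwrite method; status 1 for anything unknown.
wipe_source() {
    case "$1" in
        zero)   echo /dev/zero ;;
        random) echo /dev/urandom ;;
        *)      echo "unknown method: $1" >&2; return 1 ;;
    esac
}

# head stops at exactly the disk size, so dd exits 0 after a complete pass
# instead of failing with "No space left on device" the way a bare
# dd of=/dev/sdX does; conv=fsync flushes before dd reports success.
run_wipe() {
    local dev="$1" method="$2" size src
    if [ "$method" = discard ]; then
        blkdiscard "$dev"
        return
    fi
    src=$(wipe_source "$method") || return 1
    size=$(blockdev --getsize64 "$dev") || return 1
    head -c "$size" "$src" | dd of="$dev" bs=4M iflag=fullblock conv=fsync status=progress
}

wipe_disk() {
    local dev="$1" method="${2:-zero}" answer
    wipe_target_ok "$dev" || return 1
    [ "$method" = discard ] || wipe_source "$method" >/dev/null || return 1
    if [ "$method" = discard ]; then
        case "$(lsblk -ndo ROTA "$dev")" in
            *1*) echo "$dev is rotational media; discard will not erase it" >&2; return 1 ;;
        esac
    fi
    printf 'This destroys everything on %s (%s). Type the device path to continue: ' "$dev" "$method"
    read -r answer
    [ "$answer" = "$dev" ] || { echo "aborted" >&2; return 1; }
    run_wipe "$dev" "$method" && sync
}

# Only act when given a device; sourcing the file just defines the functions.
if [ "$#" -ge 1 ]; then
    wipe_disk "$@"
fi
```

The random mode is the one to use if you care about free space being indistinguishable from ciphertext; zero mode is enough if you only want the old contents gone.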
Step 2: Setup SSH (optional; lets you finish the install from another machine)
Change root's password (the live environment's sshd accepts root password logins, so use a strong one and only do this on a network you trust):
passwd
Start the sshd service:
systemctl start sshd.service
Step 3: Pre-setup
Ensure necessary kernel modules are loaded:
modprobe -a dm-mod dm_crypt
Erase the existing partition tables (GPT and MBR; this removes the tables only, not the data, which is what Step 1 is for):
sgdisk --zap-all /dev/sda
Step 4: Partition
This is a BIOS (legacy boot) layout on GPT: a GPT disk has no MBR gap for GRUB's core image, so it gets a small BIOS boot partition (type ef02). A UEFI machine would need an EFI system partition instead.
gdisk /dev/sda
- Enter o to create a new GPT, then enter Y to confirm.
- Enter n to create a new partition. Press Enter to accept partition number 1, press Enter to accept the default first sector, enter +1007K for the last sector, and enter ef02 (BIOS boot partition) for the partition type.
- Enter n to create a new partition. Press Enter to accept partition number 2, press Enter to accept the default first sector, enter +0 (or just press Enter) for the last sector so the partition takes the rest of the disk, and enter 8e00 (Linux LVM) for the partition type.
- Enter p to preview your changes.
- Enter w to write your changes to disk.
Step 5: Setup LUKS
Encrypt /dev/sda2:
cryptsetup --verbose --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda2
Notes on the options: XTS splits the key in two, so --key-size 512 gives AES-256. --iter-time 5000 asks for about 5 s of key derivation per unlock on this machine; because /boot will live inside this container (Step 13), GRUB has to run that derivation as well, with a slower implementation than the kernel's, so expect a noticeably longer wait at the boot prompt. Current cryptsetup (2.1 and later) formats LUKS2 by default, which GRUB's cryptodisk could not open before GRUB 2.12; on such a system add --type luks1 to the command above.
Verify encryption:
cryptsetup luksDump /dev/sda2
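What to look for in that dump, as an added check that is not part of the original guide: the script below parses luksDump output and confirms the container is LUKS1 (what GRUB's cryptodisk could open before GRUB 2.12, which matters because /boot ends up inside it), uses aes-xts-plain64 with a 512-bit master key, and has at least one enabled key slot. The sample dump it carries is constructed to follow the LUKS1 luksDump field labels, with digests, salts, UUID and iteration counts elided; the script and function names are this example's own.

```shell
#!/bin/bash
# Checks `cryptsetup luksDump` output against what Step 5 asked for (added
# example, not part of the original guide). Usage, piping the dump in:
#   cryptsetup luksDump /dev/sda2 | bash luks_check.sh /dev/stdin
# The script name and the function names are this example's own.

# Summarise a dump as "version cipher mode keybits enabled_slots"; "-" marks a
# field the dump did not contain. Reads the file in $1, or stdin when absent.
luks_summary() {
    awk -F: '
        # value after the first colon, trimmed; modes like cbc-essiv:sha256 keep their colon
        function val(   s) { s = $0; sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        function d(x) { return x == "" ? "-" : x }
        $1 == "Version"     { version = val() }
        $1 == "Cipher name" { name = val() }
        $1 == "Cipher mode" { mode = val() }
        $1 == "MK bits"     { bits = val() }
        /^Key Slot [0-9]+: ENABLED/ { slots++ }
        END { printf "%s %s %s %s %d\n", d(version), d(name), d(mode), d(bits), slots }
    ' ${1:+"$1"}
}

# Pass only for LUKS1 (GRUB's cryptodisk could not open LUKS2 before 2.12, and
# /boot will sit inside this container), aes-xts-plain64 with a 512-bit master
# key (AES-256, since XTS splits the key), and at least one enabled key slot.
check_luks_dump() {
    local v name mode bits slots
    read -r v name mode bits slots <<EOF
$(luks_summary "$1")
EOF
    [ "$v" = 1 ] || { echo "LUKS version $v: GRUB older than 2.12 cannot unlock it" >&2; return 1; }
    [ "$name-$mode" = aes-xts-plain64 ] || { echo "cipher is $name-$mode, expected aes-xts-plain64" >&2; return 1; }
    [ "$bits" = 512 ] || { echo "master key is $bits bits, expected 512" >&2; return 1; }
    [ "$slots" -ge 1 ] || { echo "no enabled key slots" >&2; return 1; }
    echo "LUKS$v $name-$mode, $bits-bit master key, $slots enabled key slot(s)"
}

# Constructed sample of a LUKS1 dump for a device made with the command above,
# after the keyfile of Step 11 has been added as a second slot. Digests, salts,
# the UUID and iteration counts are elided; only the field labels matter here.
sample_luks1_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      (elided)
MK salt:        (elided)
MK iterations:  (elided)
UUID:           (elided)

Key Slot 0: ENABLED
        Iterations:             (elided)
        Salt:                   (elided)
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             (elided)
        Salt:                   (elided)
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

if [ "$#" -eq 1 ]; then
    check_luks_dump "$1"
fi
```

Right after luksFormat only slot 0 is enabled; after Step 11 adds the keyfile the count should read 2, which is a quick way to confirm the keyfile really was enrolled.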
Open /dev/sda2 (the plaintext view appears as /dev/mapper/crypto; the name is only for this session, at boot the encrypt hook takes it from the cryptdevice= kernel parameter):
cryptsetup luksOpen /dev/sda2 crypto
Step 6: Setup LVM
Create a physical volume on the opened container:
pvcreate /dev/mapper/crypto
Setup a volume group:
vgcreate VolGroup00 /dev/mapper/crypto
Setup logical volumes (-C y allocates the swap volume contiguously; if you intend to hibernate, which the resume hook in Step 12 enables, size it at least as large as RAM):
lvcreate -C y -L 1GB VolGroup00 -n lvolswap
lvcreate -l +100%FREE VolGroup00 -n lvolroot
Step 7: Create filesystems
Scan for volume groups and import any changes:
vgscan
vgchange -ay
Create filesystems for each logical volume:
mkswap /dev/mapper/VolGroup00-lvolswap
mkfs.ext4 /dev/mapper/VolGroup00-lvolroot
Mount filesystems:
swapon /dev/mapper/VolGroup00-lvolswap
mount /dev/mapper/VolGroup00-lvolroot /mnt
Step 8: Install
Pre-install:
mkdir /mnt/boot
Install (refresh the live system's package database first):
pacman -Syy
pacstrap -i /mnt base base-devel
Note: on current Arch, base is a small metapackage: the kernel, firmware, lvm2 and dhcpcd are no longer pulled in, so add linux linux-firmware lvm2 dhcpcd to the pacstrap line. lvm2 must be installed before Step 12, because the lvm2 initramfs hook used there is shipped by that package, and dhcpcd is enabled in Step 10.
Step 9: Generate fstab
genfstab -U -p /mnt >> /mnt/etc/fstab
Step 10: Setup new install
chroot into the new install:
arch-chroot /mnt /bin/bash
Set locale:
vi /etc/locale.gen
- Uncomment en_US.UTF-8 UTF-8.
Generate locale:
locale-gen
Setup the LANG env variable:
echo LANG=en_US.UTF-8 > /etc/locale.conf
export LANG=en_US.UTF-8
Configure timezone:
rm /etc/localtime
ln -s /usr/share/zoneinfo/America/New_York /etc/localtime
Set the hardware clock:
hwclock --systohc --utc
Set hostname:
echo "archy" > /etc/hostname
Setup /etc/hosts:
vi /etc/hosts
- Add the hostname to the IPv4 and IPv6 loopback entries.
Enable the DHCP client daemon on your network interface (substitute the interface name shown by ip link for <interface>):
systemctl enable dhcpcd@<interface>.service
Change root's password (this is the new system's root account, separate from the live environment's):
passwd
Step 11: Generate keyfile for single login
GRUB asks for the passphrase to read /boot out of the container, and the initramfs would normally ask again to mount root. Embedding a keyfile in the initramfs avoids the second prompt; the encrypt hook looks for /crypto_keyfile.bin by default. The initramfs lives on the encrypted root, so the keyfile never sits in the clear on disk, but it is readable by anyone who can read the initramfs images in /boot (hence the permission change in Step 13).
Generate keyfile (2048 random bytes):
dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
Add it to LUKS as an additional key slot (you will be asked for the existing passphrase):
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
Set permissions (root can still read it):
chmod 000 /crypto_keyfile.bin
Step 12: Generate an initial ramdisk
Add the encrypt, lvm2 and resume hooks, in that order, before filesystems (the container must be open before LVM can find the volume group, and the swap volume must exist before resume looks for it), and embed the keyfile:
vi /etc/mkinitcpio.conf
- Before:
HOOKS="base udev autodetect modconf block filesystems keyboard fsck"
  After:
HOOKS="base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck"
- Before:
FILES=""
  After:
FILES="/crypto_keyfile.bin"
Newer mkinitcpio writes these lines as HOOKS=(...) and FILES=(...); the same edits apply.
Generate:
cd /boot
mkinitcpio -p linux
Step 13: Install and configure bootloader
Install the GRUB2 bootloader and supporting packages:
pacman -S fuse grub lvm2 os-prober
Configure:
vi /etc/default/grub
- Before:
GRUB_CMDLINE_LINUX=""
  After:
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:VolGroup00 resume=/dev/VolGroup00/lvolswap"
  The syntax is cryptdevice=<device>:<name>; the name after the colon is what the encrypt hook calls the opened container under /dev/mapper and is unrelated to the volume group name, which LVM reads from inside the container. /dev/sda2 works as long as the disk stays /dev/sda; a UUID= reference is more robust.
- Append the following to the end of the file, before running grub-install, which reads it to include the cryptodisk and LUKS modules GRUB needs to read /boot from inside the container:
GRUB_ENABLE_CRYPTODISK=y
Generate:
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
Set permissions on /boot (the initramfs images there contain the keyfile):
chmod -R g-rwx,o-rwx /boot
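Before leaving the chroot it is worth checking the things that make this layout boot: hook order in mkinitcpio.conf, the keyfile being embedded, the GRUB settings, and the /boot permissions that protect the keyfile. The script below does that; it is an added example, not part of the original guide. The script name, the argument order, the function names and the sample files written by write_samples (constructed from the before/after snippets in Steps 12 and 13) are this example's own.

```shell
#!/bin/bash
# Pre-reboot checks for the LUKS + LVM + GRUB layout above (added example, not
# part of the original guide). Inside the chroot:
#   bash check_crypto_boot.sh /etc/mkinitcpio.conf /etc/default/grub /dev/sda2 /boot
# Script name and argument order are this example's own choice.

# Value of KEY=... from a shell-style config file, with surrounding quotes or
# the parentheses newer mkinitcpio.conf uses (HOOKS=(...)) removed. Commented
# lines are ignored; the last definition wins.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=[\"'(]\{0,1\}\([^\"')]*\)[\"')]\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# 1-based position of hook $2 in the space-separated list $1; status 1 if absent.
hook_index() {
    local i=0 h
    for h in $1; do
        i=$((i + 1))
        [ "$h" = "$2" ] && { echo "$i"; return 0; }
    done
    return 1
}

# The container must be open before LVM can find the volume group (encrypt
# before lvm2), the swap LV must exist before resume looks for it (lvm2 before
# resume), and root is mounted last (resume before filesystems).
check_hooks() {
    local hooks="$1" last=0 name pos kb
    for name in encrypt lvm2 resume filesystems; do
        pos=$(hook_index "$hooks" "$name") || { echo "HOOKS: missing $name" >&2; return 1; }
        [ "$pos" -gt "$last" ] || { echo "HOOKS: $name must come after the hooks listed before it in: encrypt lvm2 resume filesystems" >&2; return 1; }
        last=$pos
    done
    # Advisory only: if the keyfile ever fails, encrypt falls back to a passphrase
    # prompt, and a USB keyboard needs the keyboard hook loaded before that.
    kb=$(hook_index "$hooks" keyboard) && [ "$kb" -gt "$(hook_index "$hooks" encrypt)" ] &&
        echo "HOOKS: note, keyboard comes after encrypt" >&2
    return 0
}

# FILES= must carry the keyfile so the encrypt hook finds it in the initramfs;
# /crypto_keyfile.bin is the hook's default location when cryptkey= is not set.
check_keyfile_listed() {
    local f
    for f in $1; do [ "$f" = "$2" ] && return 0; done
    echo "FILES: $2 is not listed" >&2
    return 1
}

# cryptdevice=<luks partition>:<name> must be on the kernel command line, and
# GRUB_ENABLE_CRYPTODISK=y is required because /boot sits inside the container.
check_grub() {
    local cmdline
    cmdline=$(cfg_value "$1" GRUB_CMDLINE_LINUX)
    case " $cmdline " in
        *" cryptdevice=$2:"*) ;;
        *) echo "GRUB_CMDLINE_LINUX: no cryptdevice=$2:<name>" >&2; return 1 ;;
    esac
    [ "$(cfg_value "$1" GRUB_ENABLE_CRYPTODISK)" = y ] ||
        { echo "GRUB_ENABLE_CRYPTODISK is not set to y" >&2; return 1; }
}

# Anything under $1 readable, writable or executable by group or other is
# reported; the initramfs images there embed the keyfile.
check_boot_perms() {
    local bad
    bad=$(find "$1" -exec ls -ld {} \; | awk 'substr($1, 5, 6) != "------" { print $NF }')
    [ -z "$bad" ] || { printf 'group/other-accessible under %s:\n%s\n' "$1" "$bad" >&2; return 1; }
}

run_checks() {
    local mk="$1" grub="$2" luksdev="$3" bootdir="$4" rc=0
    check_hooks "$(cfg_value "$mk" HOOKS)" || rc=1
    check_keyfile_listed "$(cfg_value "$mk" FILES)" /crypto_keyfile.bin || rc=1
    check_grub "$grub" "$luksdev" || rc=1
    check_boot_perms "$bootdir" || rc=1
    return "$rc"
}

# Constructed sample inputs mirroring the guide's before/after snippets, so the
# checks can be exercised without a real install: $1 is a scratch directory.
write_samples() {
    local d="$1"
    mkdir -p "$d/boot_ok" "$d/boot_bad"
    printf 'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"\nFILES=""\n' > "$d/mkinitcpio.before"
    printf 'HOOKS="base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck"\nFILES="/crypto_keyfile.bin"\n' > "$d/mkinitcpio.after"
    printf 'GRUB_CMDLINE_LINUX=""\n' > "$d/grub.before"
    printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:VolGroup00 resume=/dev/VolGroup00/lvolswap"\nGRUB_ENABLE_CRYPTODISK=y\n' > "$d/grub.after"
    : > "$d/boot_ok/initramfs-linux.img";  chmod 700 "$d/boot_ok";  chmod 600 "$d/boot_ok/initramfs-linux.img"
    : > "$d/boot_bad/initramfs-linux.img"; chmod 700 "$d/boot_bad"; chmod 644 "$d/boot_bad/initramfs-linux.img"
}

if [ "$#" -eq 4 ]; then
    run_checks "$@"
fi
```

A non-zero exit from run_checks means one of the four conditions failed and the message on stderr says which; fix it and rerun mkinitcpio -p linux or grub-mkconfig as appropriate before rebooting.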
Exit the chroot, unmount, and shut down:
exit
umount /mnt
shutdown -h now