This post outlines how to install Arch Linux with LVM-partitioned full disk encryption. It borrows heavily from LVM on LUKS, but is adapted for Arch Linux rather than Debian-based Linux distributions.

(This post is primarily intended as a personal reference and thus is terse, opinionated, and without explanation in some places.)

Boot in EFI mode

Boot in EFI mode and confirm it by checking that the EFI variables directory exists (it is absent when booted in legacy BIOS mode).

ls /sys/firmware/efi/efivars

Follow the guide

Follow the first part of the Arch Linux Installation Guide.

loadkeys uk
timedatectl set-ntp true

At the point where the guide specifies to set up filesystems and encryption, come back here and continue.

Configure the filesystem

Run fdisk -l to identify the primary disk (assumed to be /dev/sda throughout), then lay it out as follows.

  • /dev/sda1: 128M fat32 "EFI System Partition" (ESP) (/boot/efi).
  • /dev/sda2: 512M ext2 partition (/boot).
  • /dev/sda3: LUKS-encrypted block containing LVM volumes.

On Arch the linux package is continually upgraded, so old kernels don't stick around. The boot partition only has to hold the current kernel, plus any extra kernels desired (e.g. lts, zen, or hardened).

Start fdisk with fdisk /dev/sda.

g # create a new GPT partition table
n # partition 1, default first sector (probably 2048)
+128M
n # partition 2, default first sector
+512M
n # partition 3, default first sector, default size (rest of disk)
w # write

Create the filesystems for the two unencrypted partitions (the ESP must be FAT32, so pass -F32 explicitly; mkfs.fat would otherwise pick FAT16 for a 128M partition).

mkfs.fat -F32 /dev/sda1
mkfs.ext2 /dev/sda2

Configure encryption

Encrypt /dev/sda3.

cryptsetup luksFormat /dev/sda3

Unlock the encrypted container.

cryptsetup open /dev/sda3 sda3

This command creates /dev/mapper/sda3, the block device presenting the decrypted contents of the partition. It plays the role that /dev/sda3 itself would play on an unencrypted system.

Configure LVM

Create a physical volume on this partition.

pvcreate /dev/mapper/sda3

Run pvscan to see the physical volume.

Create a volume group called vg00.

vgcreate vg00 /dev/mapper/sda3

Run vgscan to see the volume group.

Add logical volumes for root (/) and swap.

lvcreate -L 2G -n swap vg00
lvcreate -l 100%FREE -n root vg00

If you plan on using sleep or hibernate, ensure the swap partition is at least as big as the RAM.

Run lvscan to see logical volumes. These can be thought of as partitions, accessible in two ways.

  1. Under /dev/vg00/ by name (e.g. root).
  2. Under /dev/mapper/ with the volume group (vg00) prefixing the name (e.g. vg00-root).

Both are just symlinks to /dev/dm-*.

The final layout is as follows.

  • /dev/vg00/root mounted at / as ext4
  • /dev/vg00/swap as swap
  • /dev/sda2 mounted at /boot as ext2
  • /dev/sda1 mounted at /boot/efi as fat32

Continue the guide

Return to the Arch Linux Installation Guide and continue where you left off, using the /dev/vg00/* block devices for root and swap.

At the point where the mkinitcpio -p linux command appears, come back here to set up /etc/crypttab, the bootloader, and to finalise the installation.

You should be in the chrooted environment now.

Configure the root password

Set the root password.

passwd

Configure /etc/crypttab

Edit /etc/crypttab, replacing XXX with the UUID of the LUKS partition. The commented line shows how to obtain that UUID (blkid -o value -s UUID /dev/sda3); it is a reminder only, since crypttab does not perform shell substitution.

sda3 UUID=XXX none luks
# sda3 UUID=$(blkid -o value -s UUID /dev/sda3) none luks,discard

Install GRUB

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot/efi

Configure initrd hooks

Edit /etc/mkinitcpio.conf.

Change the HOOKS line to contain references to keyboard, keymap, encrypt, and lvm2 (order matters).

HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
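Because the order of the hooks matters, it is worth checking the line before regenerating the initrd. The script below is an added example and not part of the original post: it parses a HOOKS=(...) line and verifies that the hooks this layout needs are present and ordered so that the keyboard works at the passphrase prompt, the LUKS container is opened before LVM is scanned, and LVM volumes exist before filesystems are mounted. The function names (hook_index, hooks_of, check_hooks) are this example's own, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: validate the HOOKS line of
# /etc/mkinitcpio.conf for an encrypted-LVM root.
# Function names (hook_index, hooks_of, check_hooks) are this example's own.

# Print the 1-based position of hook $2 in the space-separated list $1, or 0 if absent.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# Strip "HOOKS=(" and ")" from a mkinitcpio.conf line, leaving the hook names.
hooks_of() {
    printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))$/\1/p'
}

# Print "ok" and return 0 when every needed hook is present and correctly ordered;
# otherwise print the first problem found and return 1.
check_hooks() {
    hooks=$(hooks_of "$1")
    for needed in keyboard keymap block encrypt lvm2 filesystems; do
        if [ "$(hook_index "$hooks" "$needed")" -eq 0 ]; then
            echo "missing hook: $needed"; return 1
        fi
    done
    # a:b means a must run before b:
    #   keyboard/keymap before encrypt  -> passphrase prompt can read the keyboard, right layout
    #   block before encrypt            -> the LUKS partition's device node exists when opened
    #   encrypt before lvm2             -> LVM scans the decrypted mapper device
    #   lvm2 before filesystems         -> /dev/vg00/root exists when root is mounted
    for pair in keyboard:encrypt keymap:encrypt block:encrypt encrypt:lvm2 lvm2:filesystems; do
        a=${pair%%:*}; b=${pair#*:}
        if [ "$(hook_index "$hooks" "$a")" -gt "$(hook_index "$hooks" "$b")" ]; then
            echo "$a must come before $b"; return 1
        fi
    done
    # resume= on the kernel command line only takes effect if the resume hook runs after lvm2.
    r=$(hook_index "$hooks" resume)
    if [ "$r" -gt 0 ] && [ "$r" -lt "$(hook_index "$hooks" lvm2)" ]; then
        echo "resume must come after lvm2"; return 1
    fi
    echo ok
}

# Constructed sample lines: the HOOKS line used above, and one with encrypt and lvm2 swapped.
check_hooks 'HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)'
check_hooks 'HOOKS=(base udev autodetect keyboard keymap modconf block lvm2 encrypt filesystems fsck)' || true
```

To check the real file, pass it the line from the running system: check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)".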

Configure kernel parameters

Edit /etc/default/grub and add cryptdevice, root, and resume to the kernel parameters. XXX is the same LUKS UUID as in /etc/crypttab; as before, the commented line only shows where the value comes from, since GRUB does not expand $(...).

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=XXX:sda3 root=/dev/vg00/root resume=/dev/vg00/swap"
# GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=$(blkid -o value -s UUID /dev/sda3):sda3 root=/dev/vg00/root resume=/dev/vg00/swap"

The resume parameter is for suspend and resume (sleep and hibernate). Note that resuming from hibernation also requires the resume hook in the mkinitcpio HOOKS array, placed after lvm2.
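The crypttab entry and the GRUB kernel parameters above must carry the same LUKS UUID, and the commented-out lines cannot be pasted as-is because neither file runs shell substitutions. The script below is an added example, not part of the original post: it generates both lines from one UUID and then checks that the crypttab entry and the cryptdevice= parameter agree and that the XXX placeholder has actually been replaced by a real UUID. The function names, the sample UUID and the mapper and volume-group names (sda3, vg00) are this example's own assumptions; luks_uuid wraps blkid and is only meant to be called on the installed system.

```sh
#!/bin/sh
# Added example, not from the original post: derive the /etc/crypttab entry and the
# GRUB kernel command line from one LUKS UUID and check that the two files agree.
# Names assumed from the layout above: mapper name "sda3", volume group "vg00".

# Print the LUKS UUID of a block device (e.g. /dev/sda3); wraps blkid, so only
# useful on the real system, not in the offline demo below.
luks_uuid() {
    blkid -o value -s UUID "$1"
}

# Print the /etc/crypttab entry: <name> <device> <keyfile> <options>.
crypttab_line() {
    # $1 = UUID, $2 = mapper name
    printf '%s UUID=%s none luks\n' "$2" "$1"
}

# Print the GRUB_CMDLINE_LINUX_DEFAULT line for /etc/default/grub.
grub_cmdline() {
    # $1 = UUID, $2 = mapper name, $3 = volume group
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=%s:%s root=/dev/%s/root resume=/dev/%s/swap"\n' \
        "$1" "$2" "$3" "$3"
}

# Extract "<uuid> <name>" from the cryptdevice=UUID=<uuid>:<name> parameter in a GRUB line.
cryptdevice_of() {
    printf '%s\n' "$1" | sed -n 's/.*cryptdevice=UUID=\([^:]*\):\([^ "]*\).*/\1 \2/p'
}

# Return 0 when the crypttab entry ($1) and the GRUB line ($2) name the same mapper
# device and UUID, and the UUID has the 8-4-4-4-12 hex shape a LUKS header carries
# (so a leftover XXX placeholder is rejected).
check_consistent() {
    ct_name=$(printf '%s\n' "$1" | awk '{print $1}')
    ct_uuid=$(printf '%s\n' "$1" | awk '{sub("^UUID=", "", $2); print $2}')
    set -- $(cryptdevice_of "$2")
    g_uuid=$1; g_name=$2
    [ -n "$ct_uuid" ] || return 1
    [ "$ct_uuid" = "$g_uuid" ] || return 1
    [ "$ct_name" = "$g_name" ] || return 1
    printf '%s\n' "$ct_uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Constructed sample UUID for the demo (not a real device). On the installed system use:
#   SAMPLE_UUID=$(luks_uuid /dev/sda3)
SAMPLE_UUID=0f2c7a1e-3b4d-4c5e-9a6b-7d8e9f0a1b2c
crypttab_line "$SAMPLE_UUID" sda3
grub_cmdline "$SAMPLE_UUID" sda3 vg00
check_consistent "$(crypttab_line "$SAMPLE_UUID" sda3)" "$(grub_cmdline "$SAMPLE_UUID" sda3 vg00)" \
    && echo "crypttab and GRUB agree"
```

On the installed system the same check can be run against the real files with check_consistent "$(grep '^sda3 ' /etc/crypttab)" "$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub)".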

Regenerate the initrd image

mkinitcpio -p linux

Generate the grub config

grub-mkconfig -o /boot/grub/grub.cfg

Exit the chroot and reboot.

With any luck, the system will boot. The encryption password should only need to be entered once.

Enable the DHCP service

Arch Linux does not enable services by default, so enable the DHCP and timesyncd services.

systemctl enable --now dhcpcd
systemctl enable --now systemd-timesyncd

Add another user

useradd -m jimmy
passwd jimmy

Trust jimmy

Add jimmy to sudoers by uncommenting the line %sudo ALL=(ALL) ALL which authorises anyone in the group sudo.

visudo
groupadd sudo
usermod -a -G sudo jimmy

Install a backup kernel

Install the LTS kernel so there is a backup if a mainline kernel upgrade ever fails.

pacman -Syu linux-lts
grub-mkconfig -o /boot/grub/grub.cfg

Install a crontab

Arch Linux uses systemd timers instead, but a crontab is more convenient. As with the other services, cronie must be enabled after installation.

pacman -Syu cronie
systemctl enable --now cronie

Appendix - Recover if the system no longer boots

If the worst happens and the system can't be booted, manual intervention may be necessary.

Boot up Arch Linux from removable media and enter the chroot. If /dev/vg00/root does not appear after unlocking the container, activate the volume group with vgchange -ay first.

cryptsetup open /dev/sda3 sda3
mkdir /mnt
mount /dev/vg00/root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
arch-chroot /mnt