This post outlines how to install Arch Linux with full disk encryption, using LVM on top of a LUKS container. It borrows heavily from LVM on LUKS, but is adapted for Arch Linux rather than Debian-based Linux distributions.

(This post is primarily intended as a personal reference and thus is terse, opinionated, and without explanation in some places.)

Boot in EFI mode

Boot in EFI mode and confirm it: the directory below only exists when the system was booted through UEFI.

ls /sys/firmware/efi/efivars

Follow the guide

Follow the first part of the Arch Linux Installation Guide.

loadkeys uk
timedatectl set-ntp true

At the point where the guide specifies to set up filesystems and encryption, come back here and continue.

Configure the filesystem

Run fdisk -l to identify the primary disk; this post assumes it is /dev/sda and creates the following partitions on it.

  • /dev/sda1: 128M fat32 "EFI System Partition" (ESP) (/boot/efi).
  • /dev/sda2: 512M ext2 partition (/boot).
  • /dev/sda3: LUKS-encrypted block containing LVM volumes.

On Arch the linux package is continually upgraded, so old kernels don't stick around. The boot partition only has to hold the current kernel, plus any extra kernels desired (e.g. lts, zen, or hardened).

Start fdisk with fdisk /dev/sda.

g # create a new GPT partition table
n # partition 1, default first sector (probably 2048)
+128M
n # partition 2, default first sector
+512M
n # partition 3, default first sector, default size (rest of disk)
w # write

Create the filesystems for the two unencrypted partitions.

mkfs.fat -F 32 /dev/sda1 # -F 32 forces FAT32; on a 128M partition mkfs.fat would otherwise pick FAT16
mkfs.ext2 /dev/sda2

Configure encryption

Encrypt /dev/sda3.

cryptsetup luksFormat /dev/sda3

Unlock the encrypted container.

cryptsetup open /dev/sda3 main

This command creates /dev/mapper/main, the block device that exposes the decrypted contents of the container; from here on use it wherever you would previously have used /dev/sda3.

Configure LVM

Create a physical volume on this partition.

pvcreate /dev/mapper/main

Run pvscan to see the physical volume.

Create a volume group called vg00.

vgcreate vg00 /dev/mapper/main

Run vgscan to see the volume group.

Add logical volumes for root (/) and swap.

lvcreate -L 32G -n swap vg00
lvcreate -l 100%FREE -n root vg00

If you plan on using sleep or hibernate, ensure the swap partition is at least as big as the RAM.

Run lvscan to see logical volumes. These can be thought of as partitions, accessible in two ways.

  1. Under /dev/vg00/ by name (e.g. root).
  2. Under /dev/mapper/ with the volume group (vg00) prefixing the name (e.g. vg00-root).

Both are just symlinks to /dev/dm-*.

The final layout is as follows.

  • /dev/vg00/root mounted at / as ext4
  • /dev/vg00/swap as swap
  • /dev/sda2 mounted at /boot as ext2
  • /dev/sda1 mounted at /boot/efi as fat32

Format the logical volumes and mount the filesystems under /mnt

mkfs.ext4 /dev/vg00/root
mkswap /dev/vg00/swap
swapon /dev/vg00/swap
mount /dev/vg00/root /mnt
mount --mkdir /dev/sda2 /mnt/boot # /mnt already exists on the live ISO; --mkdir creates the nested mount points
mount --mkdir /dev/sda1 /mnt/boot/efi

Continue the guide

Return to the Arch Linux Installation Guide and continue where you left off, using the /dev/vg00/* block devices for the root and swap partitions.

At the point where the mkinitcpio -P command appears, come back here to set up /etc/crypttab and the bootloader.

You should already be in the chrooted environment.

Install core packages

The base metapackage has been stripped down to its bare bones.

Install some important packages now.

pacman -Syu networkmanager vim lvm2 base-devel linux-headers sudo

Configure the root password

Set the root password.

passwd

Configure /etc/crypttab

Edit /etc/crypttab, replacing XXX with the UUID of /dev/sda3 (the commented line shows the blkid command that prints it). The discard option passes TRIM through the LUKS layer, which helps SSD wear levelling but reveals which blocks of the container are unused; drop it if that matters to you.

main UUID=XXX none luks,discard
# main UUID=$(blkid -o value -s UUID /dev/sda3) none luks,discard

Install GRUB

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB

Configure initrd hooks

Edit /etc/mkinitcpio.conf.

Change the HOOKS line to contain keyboard, keymap, encrypt, lvm2, and resume (order matters): keyboard and keymap must come before encrypt so the passphrase can be typed, encrypt before lvm2 because the container must be open before the volume group can be activated, and resume after lvm2 so the swap volume exists when the hibernation image is looked for.

Square brackets denote additions.

HOOKS=(base udev autodetect [keyboard keymap] modconf block [encrypt lvm2 resume] filesystems fsck)

Configure kernel parameters

Edit /etc/default/grub and add cryptdevice, root, and resume to the kernel parameters, replacing XXX with the UUID of /dev/sda3 (the commented line shows the blkid command that prints it).

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=XXX:main root=/dev/vg00/root resume=/dev/vg00/swap"
# GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=$(blkid -o value -s UUID /dev/sda3):main root=/dev/vg00/root resume=/dev/vg00/swap"

The resume parameter names the swap volume that a hibernation image is restored from (suspend to disk); it only takes effect when the initramfs contains the resume hook.
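The three files edited above share one value, the LUKS UUID, and a stale XXX placeholder or a mis-ordered HOOKS line only shows up as an unbootable system. The script below is an added example, not part of the original post: it generates the crypttab and GRUB lines from a UUID and checks a mkinitcpio.conf, /etc/crypttab and /etc/default/grub for the constraints this post relies on. It assumes the post's names (/dev/sda3, mapper name main, volume group vg00); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: fill in the XXX placeholders of
# the crypttab line and GRUB kernel command line, and sanity-check
# /etc/mkinitcpio.conf, /etc/crypttab and /etc/default/grub before running
# mkinitcpio -P. Assumes the post's names: LUKS partition /dev/sda3, mapper
# name "main", volume group vg00.

# UUID of the LUKS container (runs blkid, so only meaningful on the real system).
luks_uuid() { blkid -o value -s UUID "${1:-/dev/sda3}"; }

# The /etc/crypttab line for a given UUID.
crypttab_line() { printf 'main UUID=%s none luks,discard\n' "$1"; }

# The GRUB_CMDLINE_LINUX_DEFAULT line for a given UUID.
grub_cmdline() {
  printf 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=%s:main root=/dev/vg00/root resume=/dev/vg00/swap"\n' "$1"
}

# hook_index "HOOK LIST" NAME: 1-based position of NAME in the list, 0 if absent.
hook_index() {
  i=0
  for h in $1; do
    i=$((i + 1))
    [ "$h" = "$2" ] && { echo "$i"; return; }
  done
  echo 0
}

# check_hooks FILE: succeed only if the HOOKS line of a mkinitcpio.conf has
# keyboard and keymap before encrypt, encrypt before lvm2, lvm2 before
# filesystems, and resume (if present) between lvm2 and filesystems.
check_hooks() {
  hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$1")
  kb=$(hook_index "$hooks" keyboard); km=$(hook_index "$hooks" keymap)
  en=$(hook_index "$hooks" encrypt);  lv=$(hook_index "$hooks" lvm2)
  rs=$(hook_index "$hooks" resume);   fs=$(hook_index "$hooks" filesystems)
  [ "$kb" -gt 0 ] && [ "$km" -gt 0 ] && [ "$en" -gt 0 ] && [ "$lv" -gt 0 ] && [ "$fs" -gt 0 ] || return 1
  [ "$kb" -lt "$en" ] && [ "$km" -lt "$en" ] && [ "$en" -lt "$lv" ] && [ "$lv" -lt "$fs" ] || return 1
  [ "$rs" -eq 0 ] || { [ "$lv" -lt "$rs" ] && [ "$rs" -lt "$fs" ]; }
}

# check_uuid_consistency CRYPTTAB GRUB_DEFAULT UUID: succeed only if both files
# name the same container UUID for the "main" mapping and no XXX placeholder is left.
check_uuid_consistency() {
  grep -q "^main UUID=$3 " "$1" || return 1
  grep -q "cryptdevice=UUID=$3:main" "$2" || return 1
  ! grep -q 'XXX' "$1" "$2"
}
```

On the installed system, `u=$(luks_uuid)` followed by `check_uuid_consistency /etc/crypttab /etc/default/grub "$u" && check_hooks /etc/mkinitcpio.conf` is the check to run before mkinitcpio -P and grub-mkconfig.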

Regenerate the initrd image

mkinitcpio -P

Generate the grub config

grub-mkconfig -o /boot/grub/grub.cfg

Exit the chroot and reboot.

With any luck, the system will boot. The encryption password should only need to be entered once: /boot is unencrypted, so GRUB loads the kernel and initramfs without unlocking anything and only the initramfs prompts for the passphrase. The trade-off is that the kernel and initramfs on /dev/sda2 sit outside the LUKS container and are not protected by it.

Enable network & time services

Arch does not enable services by default, so enable network and time services.

systemctl enable --now NetworkManager
systemctl enable --now systemd-timesyncd

Add another user

useradd -m jimmy
passwd jimmy

Give jimmy sudo rights: in visudo, uncomment the line %sudo ALL=(ALL) ALL, which authorises everyone in the group sudo, then create that group and add jimmy to it.

visudo
groupadd sudo
usermod -a -G sudo jimmy

Install a backup kernel

Install the LTS kernel so there is a backup if a mainline kernel upgrade ever fails.

pacman -Syu linux-lts
grub-mkconfig -o /boot/grub/grub.cfg

Appendix - Recover if the system no longer boots

If the worst happens and the system can't be booted, manual intervention may be necessary.

Boot up Arch Linux from removable media and enter the chroot.

cryptsetup open /dev/sda3 main
vgchange -ay vg00 # only needed if the logical volumes did not appear automatically
mount /dev/vg00/root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
arch-chroot /mnt