The following is a brief installation tutorial for Arch Linux. It assumes familiarity with the Arch Installation Guide.

It will provide a system with full-disk encryption using LVM on LUKS, including an encrypted /boot. The system will be bootable via both UEFI and legacy BIOS.

Note that this guide assumes you are performing the install to /dev/sda. In some cases, you may find that your USB install disk claimed /dev/sda and you want to install to /dev/sdb. Confirm which disk is which before proceeding.

On some newer systems (e.g. Dell XPS 15), set SATA operation mode to AHCI.

Boot into the Arch installer.

If your console font is tiny (HiDPI systems), set a new font.

$ setfont sun12x22

Connect to the Internet.

Verify that the system clock is up to date.

$ timedatectl set-ntp true

Create partitions for legacy boot, EFI, and root.

$ parted -s /dev/sda mklabel gpt
$ parted -s /dev/sda mkpart primary 2048s 2MiB
$ parted -s /dev/sda set 1 bios_grub on
$ parted -s /dev/sda mkpart primary fat32 2MiB 515MiB
$ parted -s /dev/sda set 2 boot on
$ parted -s /dev/sda set 2 esp on
$ parted -s /dev/sda mkpart primary 540MiB 100%

Create and mount the encrypted root filesystem.

$ cryptsetup luksFormat --type luks1 /dev/sda3
$ cryptsetup luksOpen /dev/sda3 lvm
$ pvcreate /dev/mapper/lvm
$ vgcreate arch /dev/mapper/lvm
$ lvcreate -L 8G arch -n swap
$ lvcreate -l +100%FREE arch -n root
$ lvdisplay
$ mkswap -L swap /dev/mapper/arch-swap
$ mkfs.ext4 /dev/mapper/arch-root
$ mount /dev/mapper/arch-root /mnt
$ swapon /dev/mapper/arch-swap

Format and mount the EFI partition.

$ mkdir /mnt/efi
$ mkfs.fat -F32 /dev/sda2
$ mount /dev/sda2 /mnt/efi

Optionally edit the mirror list.

$ vi /etc/pacman.d/mirrorlist

Install the base system.

$ pacstrap -i /mnt base base-devel linux linux-firmware lvm2 dhcpcd net-tools wireless_tools dialog wpa_supplicant efibootmgr vi git grub ansible

Generate and verify fstab.

$ genfstab -U -p /mnt >> /mnt/etc/fstab
$ less /mnt/etc/fstab

Change root into the base install and perform base configuration tasks.

$ arch-chroot /mnt /bin/bash
$ export LANG=en_US.UTF-8
$ export TIME=en_DK.UTF-8
$ echo $LANG UTF-8 >> /etc/locale.gen
$ echo $TIME UTF-8 >> /etc/locale.gen
$ locale-gen
$ echo LANG=$LANG > /etc/locale.conf
$ echo LC_TIME=$TIME >> /etc/locale.conf
$ ln -fs /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
$ hwclock --systohc --utc
$ echo mymachine > /etc/hostname
$ systemctl enable dhcpcd.service
$ passwd

Set your mkinitcpio encrypt/lvm2 hooks.

$ sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect modconf block keyboard encrypt lvm2 resume filesystems fsck)/' /etc/mkinitcpio.conf

Add a keyfile to decrypt the root volume and include it in the initramfs via FILES, so the passphrase entered at the GRUB prompt is not requested a second time.

$ dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
$ cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
$ chmod 000 /crypto_keyfile.bin
$ sed -i 's/^FILES=.*/FILES=(\/crypto_keyfile.bin)/' /etc/mkinitcpio.conf
$ mkinitcpio -p linux

Configure GRUB.

$ echo GRUB_ENABLE_CRYPTODISK=y >> /etc/default/grub
$ ROOTUUID=$(blkid /dev/sda3 | awk '{print $2}' | cut -d '"' -f2)
$ sed -i "s/^GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"cryptdevice=UUID="$ROOTUUID":lvm:allow-discards root=\/dev\/mapper\/arch-root resume=\/dev\/mapper\/arch-swap\"/" /etc/default/grub
$ grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck --removable
$ grub-install --target=i386-pc --recheck /dev/sda
$ grub-mkconfig -o /boot/grub/grub.cfg
$ chmod -R g-rwx,o-rwx /boot
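
Before rebooting, the settings made in the last three steps can be checked mechanically. The script below is an added example, not part of the original guide: the function names are hypothetical, GNU find is assumed, and the LUKS UUID is supplied by the caller (for example the $ROOTUUID computed above). It checks the hook order, the FILES entry, the GRUB defaults, and that neither the keyfile nor anything under /boot (where the initramfs embedding the keyfile lives) is accessible to group or other.

```shell
#!/bin/sh
# Added example: sanity checks for the initramfs, keyfile and GRUB settings.
# Assumes GNU find; ROOT is the install root ("" inside the chroot, /mnt outside).

# encrypt must precede lvm2, and lvm2 must precede filesystems, in HOOKS.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$1" | tail -n 1)
    pos=0 e=0 l=0 f=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt) e=$pos ;;
            lvm2) l=$pos ;;
            filesystems) f=$pos ;;
        esac
    done
    [ "$e" -gt 0 ] && [ "$l" -gt "$e" ] && [ "$f" -gt "$l" ]
}

# The keyfile must be listed in FILES so mkinitcpio embeds it.
check_files() {
    grep -Eq '^FILES=\(.*/crypto_keyfile\.bin.*\)' "$1"
}

# GRUB must unlock LUKS itself and pass the same LUKS UUID to the kernel.
check_grub() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" &&
        grep -q "^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=$2:lvm" "$1"
}

# No path (searched recursively) may carry group or other permission bits.
check_private() {
    loose=$(find "$@" ! -type l -perm /077 -print) || return 1
    [ -z "$loose" ] || { printf 'group/other access: %s\n' "$loose" >&2; return 1; }
}

# verify_install ROOT LUKS_UUID: run all checks; exit status is the failure count.
verify_install() {
    fails=0
    check_hooks "$1/etc/mkinitcpio.conf" || { echo "FAIL: HOOKS order" >&2; fails=$((fails + 1)); }
    check_files "$1/etc/mkinitcpio.conf" || { echo "FAIL: FILES" >&2; fails=$((fails + 1)); }
    check_grub "$1/etc/default/grub" "$2" || { echo "FAIL: grub defaults" >&2; fails=$((fails + 1)); }
    check_private "$1/crypto_keyfile.bin" "$1/boot" || fails=$((fails + 1))
    return "$fails"
}
```

Inside the chroot, source the script and run `verify_install "" "$ROOTUUID"`; from the live environment pass `/mnt` as the first argument instead.
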

Clean up and reboot!

$ exit
$ umount -R /mnt
$ reboot

Run ansible!