Installing Arch Linux with Encrypted root


The Arch Way

So in the Linux world, like in any other tech field, there are the kids, the men, and then the real men. When you start using Linux, most probably you are the new kid in town, occasionally cursing things here and there for not being the way you saw them in Windows. Some get enlightened and become teens and then the Men. Finally, they become the real men.

If you know what I mean, it's about the various distros people tend to use during their time in the Linux world and get acquainted with. Eventually all those real men might stick to what they like, which could be Ubuntu, Fedora or whatever. But while going through those various phases, there are certain things they should do to become those!

The Kids - They must have installed Ubuntu on their own
The Men - They must have installed Arch Linux on their own
The Real Men - Heard of Gentoo? That's probably the daily driver for the ultra advanced Linux geeks!

I'm not there yet though! I just found some time to install Arch Linux. I've used it in the past, but never cared to install it from scratch!

Why put it here?

Because the Arch Wiki is so exhaustive that you will drown in information. For a basic installation, it's all good: it has got an excellent Beginner's Guide. But if you want to go slightly more advanced, it might become a tedious job to figure out what to do and in which order. For me, I wanted to install the system with the root filesystem encrypted. When I checked the Arch wiki, I quickly lost the flow, since there were too many cases to deal with, and the information is scattered across various pages. So I am putting here the steps I did, in chronological order, so that you might find it easy to install!

You should use this as complementary material to the official installation guide. There is no point in repeating each and every step. I'll just highlight the gotchas and key points.

Let's do it!

All right, so we are ready to install the mighty Arch Linux. Go get the ISO image. Choose the dual image.

Get your media ready

If you are on Linux, the easiest way is to use the dd command. This is a destructive method: the contents of your flash drive will be lost.

dd if=filename.iso of=/dev/sdX bs=4M && sync  

Replace /dev/sdX with whatever your flash drive's identifier is. If you have just this one flash drive connected, it will be /dev/sdb. However, I've seen laptops with an integrated SSD which takes the second place after your main disk, so it becomes sdb and your flash drive becomes sdc. If you run that command with sda, then... Poof! Everything on your disk is lost!
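As an added example (not part of the original post), here is a small guard around that dd command: it refuses to write to a disk that currently has anything mounted on it, which is exactly what /dev/sda looks like on the machine you are preparing the stick on. The mount table is passed in as text so the check can be exercised with the constructed sample below; on a live system it comes from findmnt. The function names are my own.

```shell
#!/bin/sh
# Added example: guard the page's dd command so it cannot be pointed at the
# disk the running system lives on. Function names are assumptions, not
# anything from the original post.

# mounted_on_disk DISK MOUNTS -> prints the mount points that live on DISK
# or on one of its partitions. /dev/sda matches /dev/sda1 and /dev/sda12 but
# not /dev/sdab; /dev/nvme0n1 matches /dev/nvme0n1p3.
mounted_on_disk() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == d || ($1 ~ ("^" d "p?[0-9]+$")) { print $2 }'
}

# safe_dd_target DISK MOUNTS -> 0 only if DISK is a /dev node with nothing
# mounted from it or its partitions.
safe_dd_target() {
    case $1 in
        /dev/*) ;;
        *) return 1 ;;
    esac
    [ -z "$(mounted_on_disk "$1" "$2")" ]
}

# write_iso ISO DISK: the page's dd command, guarded by the check above.
# Reads the real mount table with findmnt (SOURCE and TARGET columns only).
write_iso() {
    mounts=$(findmnt -rno SOURCE,TARGET)
    if ! safe_dd_target "$2" "$mounts"; then
        echo "refusing: $2 has mounted filesystems:" >&2
        mounted_on_disk "$2" "$mounts" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=4M && sync
}

# Constructed sample mount table (SOURCE TARGET), not taken from a real machine.
SAMPLE_MOUNTS='/dev/sda2 /
/dev/sda1 /boot
/dev/nvme0n1p3 /home
tmpfs /tmp'
```

Usage on a live system is write_iso archlinux.iso /dev/sdc; against the sample table, /dev/sda and /dev/nvme0n1 are rejected and /dev/sdc is accepted. A freshly plugged-in stick that the desktop auto-mounted will also be rejected, which is the right call: unmount it first.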

Prep Work

If you intend to have a dual-booting system with Win8 or newer, then it's a good time to disable fast startup from within Windows. Once that is done, go to the firmware settings and disable Secure Boot. Optionally, if you have a fastboot mode in the firmware, disable that too. Let's get rid of all the evil Windows settings.

DO NOT change any boot modes like Legacy, UEFI or compatibility, or graphics modes from the firmware. Otherwise, the Crapposoft's OS might not boot.

Internet connectivity

I assume that you have booted from the newly created flash media and that you are in a root shell. If you are using a recent computer, you must disable Secure Boot and optionally fastboot mode in the firmware settings. If you want to change the keyboard layout, do that as mentioned in the first step of the installation manual.

Try pinging google.com. If you don't have connectivity, it's probably because the required services are not started. Just do:

systemctl start dhcpcd@interface  

where interface is your ethernet adapter's name. You can get that from ifconfig.

Time Settings

There is nothing much to tell, do it as mentioned in the official guide.

Partition Settings

This is probably the most difficult thing to do. We will assume a not-so-simple yet not-so-complex style of partitioning. First try to make some sense out of the official docs. That should explain the GPT vs MBR thing.

My requirement is that the root partition be encrypted. Apart from the swap partition and any other mount points or data partitions you want anyway, encryption does not require any extra partition: the root partition itself is what gets encrypted. A simplified partitioning scheme would look like below:

NAME        SIZE    MOUNTPOINT    TYPE  
sda  
├─sda1      200M    /boot         Linux
├─sda2      20G     /             Linux
└─sda3      2G      None          swap
Free Space  

You can use any tool to get this done, as mentioned in the official guide. Up to here, everything is straightforward. Now you need to set up encryption for your root partition.

For simplicity, let's not worry about encrypting swap and /boot, though for high security it's recommended to have both of these dealt with.

LUKS Encryption

It stands for Linux Unified Key Setup. It is a standard which Linux implements through the dm-crypt kernel backend; the userspace tooling is driven through a program called cryptsetup.

Creating an encrypted device

First we will set up the encrypted partition. We will use the space we reserved for the root partition, /dev/sda2 (sda1 is /boot in the scheme above and must stay unencrypted):

cryptsetup -v luksFormat /dev/sda2  

You will be prompted for a passphrase. Don't forget that passphrase, BTW. You can add multiple passphrases if you wish. For more details regarding the various options you can change, like the encryption algorithm, key size, etc., refer to the Arch Wiki.

Now open the same device we just created:

cryptsetup open --type luks /dev/sda2 root  

root is a name we chose; if you wish, you can call it archroot or something like that. This name shows up as the mapped name of the encrypted partition once it's unlocked, and you then use it as /dev/mapper/root. Once unlocked, it behaves like a standard partition.

Now it's time to format the root and boot partitions with your favorite file system:

mkfs -t ext4 /dev/mapper/root  
mkfs -t ext4 /dev/sda1  

Now let's set up the swap partition:

mkswap /dev/sda3  
swapon /dev/sda3  

Time to mount all these partitions at our new installation's location.

mount -t ext4 /dev/mapper/root /mnt  
mkdir /mnt/boot  
mount -t ext4 /dev/sda1 /mnt/boot  

Install the Arch Linux base

After you configure the mirrorlist as mentioned in the official guide you can use the pacstrap command. I suggest you install your choice of bootloader right now, rather than in the order mentioned in the official section, so that it's done in one step. You might have a dependency issue if you try to install all of them in one go. So do this:

pacstrap /mnt base base-devel  
pacstrap /mnt grub os-prober  

If you are on a newer system which comes with EFI firmware, you get to choose between systemd-boot and grub.

Now move into the newly installed system with cd /mnt. We need to configure the fstab, crypttab, ramdisk image and bootloader configuration. These files are the most crucial stuff, because without them you won't be able to boot into the newly installed system.

FSTAB Generation

It will detect your swap partition automatically:

genfstab -U /mnt > /mnt/etc/fstab  

Check the generated file and double-check that the entries are correct.

Crypttab

This file is read before fstab is processed, to unlock your partitions. Here you say how to unlock the encrypted partition that provides the root filesystem we just referenced in /mnt/etc/fstab:

 root         /dev/sda2        none    luks,timeout=180

none is the password field; it makes a prompt show up while booting for you to enter the passphrase. root is the name as it will appear in /dev/mapper/root.

Ramdisk Configuration

The file /mnt/etc/mkinitcpio.conf has the configuration used to generate the initial ramdisk for the target system we are installing. Add encrypt to the line starting HOOKS=, after keyboard and before the filesystems hook (the encrypt hook must run before the root filesystem is mounted, so putting it last would not work). It should look something like

HOOKS="udev usb ... keyboard encrypt ..."  

Chroot and Ramdisk generation

Now you actually enter the new system with

arch-chroot /mnt /bin/bash  

Now configure the language, timezone, keyboard layout, etc. and generate the ramdisk. You can look at sections 5.2 through 5.5 of the official guide for that.

Bootloader configuration

Now you edit the default settings for the bootloader so that the kernel will be able to find the root file system, the device to resume from after hibernation, etc. Edit the file /etc/default/grub. Change the line GRUB_CMDLINE_LINUX_DEFAULT="" to:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:root root=/dev/mapper/root resume=/dev/sda3"  
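Since the three files above (mkinitcpio.conf, crypttab and /etc/default/grub) are what the page calls the most crucial stuff, here is an added pre-reboot sanity check (my own example, not from the original post) that catches the two mistakes that most often leave you at an unbootable "cannot find root device" prompt: the encrypt hook placed after filesystems, and a cryptdevice= that names a different device than crypttab does. The sample lines it is exercised with are constructed to match the partition scheme on this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks for the encrypted-root configuration
# described on this page. Function names are my own, not from the post.

# hooks_ok HOOKS_LINE -> 0 if "encrypt" appears before "filesystems".
# Accepts both the HOOKS="..." and the newer HOOKS=(...) spellings.
hooks_ok() {
    hooks=$(printf '%s\n' "$1" | sed -e 's/^HOOKS=//' -e 's/[()"]//g')
    seen_encrypt=0
    for h in $hooks; do
        case $h in
            encrypt) seen_encrypt=1 ;;
            filesystems) [ "$seen_encrypt" -eq 1 ] && return 0 || return 1 ;;
        esac
    done
    return 1   # no filesystems hook at all, or encrypt missing
}

# cryptdev_from_cmdline LINE -> prints "DEVICE NAME" taken from the
# cryptdevice=DEVICE:NAME parameter, or nothing if it is absent.
cryptdev_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*cryptdevice=\([^:]*\):\([^ "]*\).*/\1 \2/p'
}

# crypttab_dev CRYPTTAB_TEXT NAME -> prints the device crypttab maps to NAME.
crypttab_dev() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# consistent GRUB_LINE CRYPTTAB_TEXT -> 0 when the kernel command line and
# crypttab agree on which device is unlocked under which mapper name.
consistent() {
    pair=$(cryptdev_from_cmdline "$1")
    [ -n "$pair" ] || return 1
    dev=${pair% *}
    name=${pair#* }
    [ "$(crypttab_dev "$2" "$name")" = "$dev" ]
}

# check_live_system: run inside the arch-chroot, before grub-mkconfig.
# Reads the real files at the paths the page uses.
check_live_system() {
    hooks_ok "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" ||
        { echo "mkinitcpio.conf: encrypt hook must come before filesystems" >&2; return 1; }
    consistent "$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub)" "$(cat /etc/crypttab)" ||
        { echo "cryptdevice= in /etc/default/grub does not match /etc/crypttab" >&2; return 1; }
    echo "encrypted-root configuration looks consistent"
}

# Constructed samples matching the partition scheme on this page.
SAMPLE_GRUB='GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:root root=/dev/mapper/root resume=/dev/sda3"'
SAMPLE_CRYPTTAB='root /dev/sda2 none luks,timeout=180'
GOOD_HOOKS='HOOKS="base udev autodetect modconf block keyboard encrypt filesystems fsck"'
BAD_HOOKS='HOOKS="base udev autodetect modconf block keyboard filesystems fsck encrypt"'
```

Call check_live_system from the chroot right before grub-mkconfig; if it complains, fix the file it names and regenerate the ramdisk with mkinitcpio -p linux before going on. Using the partition's UUID (from blkid) instead of /dev/sda2 in both places makes the check, and the boot, robust against device names shifting when a USB stick is plugged in.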

Now just install the bootloader and update the configuration:

grub-install /dev/sda  
grub-mkconfig -o /boot/grub/grub.cfg  
exit  

Done! Now reboot to enter into your new system!

Further

Now that we have installed a bare-bones Linux system using a fair number of advanced features, we can build on this and make things a little more advanced, like having LVM on top of an encrypted partition, encrypting swap and /boot, etc.
