Installing ArchLinux with LVM on LUKS on a BIOS/GPT system.
Keyboard
loadkeys fr
Available layouts are located in /usr/share/kbd/keymaps/. List them all with:
ls /usr/share/kbd/keymaps/**/*.map.gz
Fonts
Do yourself a favour: increase the terminal font during install for visual comfort.
setfont ter-124b
Available fonts are located in /usr/share/kbd/consolefonts/. List them all with:
ls /usr/share/kbd/consolefonts/
Boot mode
Remember this tutorial is for BIOS boot firmware. Make sure you booted in that mode, since partitioning and bootloader configuration differ slightly under UEFI.
cat /sys/firmware/efi/fw_platform_size
# "No such file or directory" => system booted with BIOS (or CSM)
# 32 or 64 => system booted with UEFI
If the command fails with "No such file or directory", your system booted in BIOS mode (or CSM, Compatibility Support Module). If it prints 64 (or 32), your system booted in 64-bit x64 UEFI (or 32-bit IA32 UEFI) and the partitioning and GRUB steps below will not apply as written.
Connect to the network
If your computer is not plugged into Ethernet, connect over Wi-Fi (inside iwctl, device list shows the interface name if it is not wlan0):
iwctl
station wlan0 scan
station wlan0 connect <SSID>
exit
Check your connection with:
ping -c 3 1.1.1.1
If that last command prints round-trip times, you are all set.
Partitioning
We want LVM on LUKS: a single LUKS container sits directly on the physical partition, and the LVM volumes (swap, root, home) live inside it. The encryption layer therefore resides between LVM and the physical disk, and everything LVM manages, swap included, is encrypted. ("LVM inside LUKS" would be more accurate, but "LVM on LUKS" is the common name.)
Steps will be as follows:
- Safe (and long) disk wipe
- Physical partitioning
- (almost) full disk encryption
- LVM partitioning
Identify the drive you want to install the OS on (usually /dev/sda if you have only one drive connected to the motherboard):
lsblk
To avoid copy-pasting mistakes, the drive is written as /dev/sdXXX below. Change it accordingly.
Safe (and long) disk wipe
Before encryption, the disk is overwritten with random-looking data, so that afterwards the unused part of the disk cannot be told apart from encrypted data. Reading /dev/urandom directly is slow; instead a temporary plain dm-crypt mapping with a throwaway random key is opened over the drive and zeros are written through it, so the cipher produces the pseudo-random output.
cryptsetup benchmark   # if you want to choose the fastest cipher (aes-xts for now)
ALGO="aes-xts-plain64"
cryptsetup open --type plain --cipher "$ALGO" -d /dev/urandom /dev/sdXXX to_be_wiped
# -d is --key-file: the key is read from /dev/urandom and never stored anywhere
lsblk   # you should now see the mapping 'to_be_wiped' under the drive
dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress
# no need for /dev/urandom here: the mapping above does the randomising
Time for coffee(s) ☕. Duration depends on disk speed and size. It took me 2 hours 15 minutes for 240G at ~35MB/s mean speed.
cryptsetup close to_be_wiped
Physical partitioning
There are differences between GPT and MBR partition table layouts. To keep it short, you'll probably want GPT over MBR.
With BIOS/GPT, a BIOS boot partition is required: GPT leaves no gap after the MBR to embed GRUB's core.img, so this partition is where GRUB puts it.
cfdisk /dev/sdXXX
Delete (<Del>) every pre-existing partition.
Create a <New> primary partition of size 1M. Set its type to BIOS boot.
It stays unencrypted and is used to store the second stage of the BIOS bootloader (GRUB's core.img).
(almost) full disk encryption
You should still be in cfdisk (else run cfdisk /dev/sdXXX again).
Use the remaining <Free Space> as a <New> primary partition. Set its type to Linux LUKS if available, else to Linux filesystem. Select <Write> to apply changes to disk, then <Quit> to exit cfdisk.
cryptsetup luksFormat --type luks1 /dev/sdXXX2   # the NON-boot partition we've just created
# BEFORE typing your secure passphrase READ BELOW
LUKS1 is used instead of the current LUKS2 default because GRUB itself has to unlock this partition to reach /boot, and upstream GRUB's LUKS support is limited to LUKS1 (its LUKS2 support cannot use the Argon2 key derivation that LUKS2 uses by default).
IMPORTANT NOTE
You really should read this if you don't use a QWERTY layout. Indeed, the keyboard layout will by default be "us" (QWERTY) when GRUB first asks us to decrypt our /boot partition at startup. There is little documentation on how to succeed and when it exists, it is either outdated or misleading. I really felt nerd-sniped trying to solve that issue... A workaround is to type your passphrase as if it were typed on a QWERTY keyboard. If you have any info on how to solve this please tell me.
cryptsetup open /dev/sdXXX2 cryptlvm   # map the unlocked partition as /dev/mapper/cryptlvm
# type your passphrase to decrypt
LVM partitioning
Prepare logical volumes:
pvcreate /dev/mapper/cryptlvm   # create a physical volume on top of the opened LUKS container
vgcreate vg-arch /dev/mapper/cryptlvm   # create a volume group (named here "vg-arch")
lvcreate -L 8G vg-arch -n swap
lvcreate -L 60G vg-arch -n root
lvcreate -l 100%FREE vg-arch -n home
Format:
mkfs.ext4 /dev/vg-arch/root
mkfs.ext4 /dev/vg-arch/home
mkswap /dev/vg-arch/swap
Mount:
mount /dev/vg-arch/root /mnt
mount --mkdir /dev/vg-arch/home /mnt/home
swapon /dev/vg-arch/swap
Install
pacstrap -K /mnt base base-devel linux linux-firmware neovim lvm2 grub git sudo openssh mkinitcpio dhcpcd iwd   # my usual programs; lvm2, grub and mkinitcpio are required for this setup
genfstab -U /mnt >> /mnt/etc/fstab
It's time to enter our new system:
arch-chroot /mnt
Set time:
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc
Set locales. Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and/or other needed locales (e.g. fr_FR.UTF-8 UTF-8).
locale-gen
Create the /etc/locale.conf file and set the LANG variable:
LANG=en_US.UTF-8
Set keymap. Set the console keyboard layout in /etc/vconsole.conf:
KEYMAP=fr
Set hostname. Create the /etc/hostname file:
desired-hostname
Set the initramfs. Edit /etc/mkinitcpio.conf:
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
The order matters: keyboard and keymap come before encrypt so the initramfs passphrase prompt uses the KEYMAP set above; block precedes encrypt (the LUKS partition must exist before it is unlocked); encrypt precedes lvm2 (the volume group lives inside the container); lvm2 precedes filesystems (root is a logical volume).
Configure bootloader (GRUB)
Configure GRUB to allow booting from /boot on a LUKS1 encrypted partition (here /boot is just a directory of the root volume, so it lives inside the LUKS container).
Edit /etc/default/grub so it contains those lines:
GRUB_CMDLINE_LINUX="... cryptdevice=UUID=<device-UUID>:cryptlvm ..."
GRUB_ENABLE_CRYPTODISK=y
The first line sets the kernel parameters so the initramfs, through the encrypt hook, can unlock the LUKS container and map it as cryptlvm; the lvm2 hook then finds the root volume inside it. The second line makes grub-install embed the cryptodisk and LUKS modules in core.img, so GRUB can ask for the passphrase and read /boot.
The <device-UUID> is the one of the LUKS superblock, i.e. the big partition (in this example /dev/sdXXX2). It is not the PARTUUID of the GPT entry, and not the UUID of a filesystem inside the container. To find it, look at the crypto_LUKS line in the output of:
blkid
(or lsblk -f).
Install bootloader (GRUB)
grub-install --target=i386-pc --recheck /dev/sdXXX   # the whole disk (e.g. /dev/sda), not a partition
GRUB is split between the BIOS boot partition (core.img, unencrypted, with the cryptodisk modules embedded) and /boot/grub on the encrypted root filesystem (the remaining modules and grub.cfg).
Generate GRUB's config file:
grub-mkconfig -o /boot/grub/grub.cfg
Regenerate the initramfs:
mkinitcpio -P
Set a root password (passwd) before leaving the chroot, or you will not be able to log in. This is it. Everything should be fine.
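Before rebooting, it is worth checking the two files this setup depends on mechanically rather than by eye. The script below is an added example, not part of the original tutorial: it reads the HOOKS line of a mkinitcpio.conf and checks the ordering constraints the encrypt and lvm2 hooks rely on, picks the LUKS UUID (not the PARTUUID) out of blkid output, and verifies that /etc/default/grub carries cryptdevice= for that UUID together with GRUB_ENABLE_CRYPTODISK=y. The mapper name cryptlvm, the argument layout and the blkid lines used in the check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-reboot checks for the
# LVM-on-LUKS configuration described above. Assumptions: the mapper name is
# "cryptlvm" and the file paths are passed in as arguments, so the checks can
# run inside the chroot or against copies of the files.
set -u

# Print the contents of the uncommented HOOKS=(...) line of a mkinitcpio.conf.
hooks_of() {
    sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1"
}

# Succeed when hook $2 appears before hook $3 in the hook list $1.
hook_before() {
    local list="$1" first="$2" second="$3" i=0 pos_first= pos_second= h
    for h in $list; do
        i=$((i + 1))
        [ "$h" = "$first" ] && pos_first=$i
        [ "$h" = "$second" ] && pos_second=$i
    done
    [ -n "$pos_first" ] && [ -n "$pos_second" ] && [ "$pos_first" -lt "$pos_second" ]
}

# The encrypt and lvm2 hooks only work in this order: keymap before encrypt
# (otherwise the initramfs passphrase prompt uses the US layout), block before
# encrypt (the partition must exist), encrypt before lvm2 (the volume group is
# inside the container), lvm2 before filesystems (root is a logical volume).
check_hooks() {
    local list
    list=$(hooks_of "$1")
    [ -n "$list" ] || { echo "no HOOKS=(...) line in $1"; return 1; }
    hook_before "$list" keymap encrypt   || { echo "keymap must precede encrypt"; return 1; }
    hook_before "$list" block encrypt    || { echo "block must precede encrypt"; return 1; }
    hook_before "$list" encrypt lvm2     || { echo "encrypt must precede lvm2"; return 1; }
    hook_before "$list" lvm2 filesystems || { echo "lvm2 must precede filesystems"; return 1; }
}

# Read blkid output on stdin and print the UUID of the crypto_LUKS partition.
# This is the UUID of the LUKS header, which /dev/disk/by-uuid resolves; the
# PARTUUID of the GPT entry on the same line is not what cryptdevice= expects.
luks_uuid() {
    grep 'TYPE="crypto_LUKS"' | sed -n 's/.* UUID="\([^"]*\)".*/\1/p' | head -n 1
}

# /etc/default/grub must tell the initramfs which device to unlock and must
# make grub-install embed the cryptodisk modules so GRUB can read /boot.
check_grub() {
    local file="$1" uuid="$2"
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$file" \
        || { echo "GRUB_ENABLE_CRYPTODISK=y missing from $file"; return 1; }
    grep -q "^GRUB_CMDLINE_LINUX=.*cryptdevice=UUID=$uuid:cryptlvm" "$file" \
        || { echo "cryptdevice=UUID=$uuid:cryptlvm missing from GRUB_CMDLINE_LINUX"; return 1; }
}

# Usage inside the chroot:  sh check.sh /etc/mkinitcpio.conf /etc/default/grub "$(blkid)"
if [ $# -eq 3 ]; then
    uuid=$(printf '%s\n' "$3" | luks_uuid)
    check_hooks "$1" && check_grub "$2" "$uuid" \
        && echo "hooks and GRUB defaults consistent for LUKS UUID $uuid"
fi
```

Each check prints the first violated rule and returns non-zero, so the script can sit in a pre-reboot checklist; a passing run does not prove the UUID belongs to the right disk, only that the three sources agree with each other.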
Avoid having to enter your passphrase twice
As /boot and root are on the same LUKS partition, you will be asked for your passphrase twice. The first time, GRUB asks for it to unlock the partition and read /boot (remember the keyboard will be in QWERTY layout at that point). The second time, it is the encrypt hook in the initramfs which asks for it again to unlock the root partition (this time with your KEYMAP). To skip the second prompt, a keyfile is added as an extra LUKS key and embedded in the initramfs, and the encrypt hook is told to unlock root with it. Since the initramfs itself sits in /boot inside the LUKS container, the keyfile is only readable once the passphrase has been entered in GRUB.
First create a keyfile and add it as a LUKS key:
dd bs=512 count=4 if=/dev/random of=/root/cryptlvm.keyfile iflag=fullblock
chmod 000 /root/cryptlvm.keyfile
cryptsetup -v luksAddKey /dev/sdXXX2 /root/cryptlvm.keyfile   # asks for an existing passphrase first
Add the keyfile to the initramfs image via /etc/mkinitcpio.conf:
FILES=(/root/cryptlvm.keyfile)
Recreate the initramfs image, then restrict the images, which now contain the key, to root:
mkinitcpio -P
chmod 600 /boot/initramfs-linux*
Re-check these permissions after kernel updates, since mkinitcpio rewrites the images. As /boot lives on the encrypted root here, the chmod only matters against other local users of the running system, not against someone with the powered-off disk.
Set the following kernel parameter so the encrypt hook unlocks the LUKS partition with the keyfile (keep the cryptdevice parameter from above), then regenerate grub.cfg as before with grub-mkconfig -o /boot/grub/grub.cfg:
GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/cryptlvm.keyfile"
If for some reason the keyfile fails to unlock the root partition, the encrypt hook falls back to asking for a passphrase and, if that is correct, continues booting.
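The keyfile step has four parts that must agree (the file and its mode, the FILES line, the cryptkey parameter, and the permissions of the regenerated images), and a mismatch only shows up as a passphrase prompt at the next boot. The script below is an added example, not part of the original tutorial: it creates the keyfile as described above and checks all four parts against a root prefix, so the check can be run inside the chroot (prefix empty) or against a staging copy of the tree. The keyfile path, the prefix argument and the "check" usage are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create the LUKS keyfile
# with the permissions the text asks for and, before rebooting, verify that the
# keyfile, mkinitcpio.conf, /etc/default/grub and the initramfs images agree.
# Assumptions: the keyfile path /root/cryptlvm.keyfile and the "root prefix"
# argument (empty for the live system, a directory for a staging copy).
set -u

# Create a 2048-byte random keyfile, never overwriting an existing one, and make
# it mode 000 (root still reads it through CAP_DAC_OVERRIDE; nobody else can).
make_keyfile() {
    local path="$1"
    if [ -e "$path" ]; then
        echo "refusing to overwrite existing $path" >&2
        return 1
    fi
    ( umask 077 && dd bs=512 count=4 if=/dev/random of="$path" iflag=fullblock status=none ) || return 1
    chmod 000 "$path"
}

# Check the pieces that must agree for cryptkey= to work at boot.
#   $1: root prefix ("" for the live system, or a staging directory)
#   $2: keyfile path as seen from the installed system, e.g. /root/cryptlvm.keyfile
check_keyfile_setup() {
    local root="$1" key="$2" img
    [ -f "$root$key" ] || { echo "keyfile $key missing" >&2; return 1; }
    [ "$(stat -c %a "$root$key")" = "0" ] || { echo "$key must be mode 000" >&2; return 1; }
    [ "$(stat -c %s "$root$key")" -ge 2048 ] || { echo "$key is shorter than 2048 bytes" >&2; return 1; }
    # the encrypt hook reads the key from the initramfs, so FILES=() must embed it ...
    grep -q "^FILES=(.*$key" "$root/etc/mkinitcpio.conf" \
        || { echo "FILES=() in mkinitcpio.conf does not embed $key" >&2; return 1; }
    # ... and the kernel command line must point at that same path inside the initramfs
    grep -q "^GRUB_CMDLINE_LINUX=.*cryptkey=rootfs:$key" "$root/etc/default/grub" \
        || { echo "cryptkey=rootfs:$key missing from GRUB_CMDLINE_LINUX" >&2; return 1; }
    # every initramfs image now contains the key: keep them readable by root only
    for img in "$root"/boot/initramfs-linux*.img; do
        [ -f "$img" ] || { echo "no initramfs image under $root/boot" >&2; return 1; }
        [ "$(stat -c %a "$img")" = "600" ] || { echo "$img must be mode 600" >&2; return 1; }
    done
    return 0
}

# Usage inside the chroot, after editing both config files and running mkinitcpio -P:
#   sh keyfile.sh check /root/cryptlvm.keyfile
if [ "${1:-}" = "check" ]; then
    check_keyfile_setup "" "${2:-/root/cryptlvm.keyfile}" && echo "keyfile setup consistent"
fi
```

The size check guards against a truncated read of /dev/random (the reason the page passes iflag=fullblock to dd), and the image-mode check is the one most likely to regress, since every kernel update rewrites the images.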