Installing archlinux with encrypted LVM on LUKS (UEFI), via ssh.

We will install archlinux with LVM on LUKS encryption (UEFI), via ssh. This is for advanced users. If you just want to install archlinux, look elsewhere.

Download the ISO and burn it to your USB key like so:

dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx && sync

Set the keyboard layout. In my case, it’s Belgian AZERTY (/usr/share/kbd/rubfhaps/i386/azerty/

loadkeys be-latin1

Verify if you are booted in UEFI mode (is this directory populated?)

ls /sys/firmware/efi/efivars

Clean up your disk data (warning: this will take hours)

shred --verbose --random-source=/dev/urandom --iterations=3 /dev/sda

Connect to the internet


Test internet connection and name resolution


Set root pwd for ssh install


Edit /etc/ssh/sshd_config and set PermitRootLogin to yes, if it isn’t. This will not affect the final install.

vi /etc/ssh/sshd_config

Start sshd. After that you can finish the installation remotely (use ip a to get LAN IP)

systemctl start sshd

Check your disks and partitions


Setup your partitions with fdisk

fdisk /dev/sda

So it looks like that (type g in fdisk if needed, to create a new empty GPT partition table)

Device      Start       End   Sectors   Size Type
/dev/sda1    2048    309247    307200   150M EFI System
/dev/sda2  309248    821247    512000   250M Linux filesystem
/dev/sda3  821248 500118158 499296911 238.1G Linux filesystem

Format the EFI partition

mkfs.vfat -F32 /dev/sda1

Format the boot partition

mkfs.ext2 /dev/sda2

Format the root partition

mkfs.ext4 /dev/sda3

Set password and encrypt root partition

cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/sda3

Open root partition

cryptsetup open --type luks /dev/sda3 root

Create physical volume

pvcreate /dev/mapper/root

Check the physical volume


Create volume group

vgcreate krisiunvg /dev/mapper/root

Check the volume group


Create logical volume using almost the entire HD

lvcreate --name krisiunlv --size 230G krisiunvg

Now create another logical volume to hold swap

lvcreate -l +100%FREE  krisiunvg -n swaplv

And check the logical volumes


Format the encrypted root logical volume

mkfs.ext4 /dev/mapper/krisiunvg-krisiunlv

Format the encrypted swap logical volume

mkswap /dev/mapper/krisiunvg-swaplv

Enable swap

swapon /dev/mapper/krisiunvg-swaplv

Mount root to /mnt

mount /dev/mapper/krisiunvg-krisiunlv /mnt

Mount /boot

mkdir -p /mnt/boot && mount /dev/sda2 /mnt/boot

Mount /boot/efi

mkdir -p /mnt/boot/efi && mount /dev/sda1 /mnt/boot/efi

Install system

pacstrap /mnt base base-devel grub-efi-x86_64 vim git efibootmgr dialog iw wpa_supplicant openssh firefox flashplugin 

Generate fstab

genfstab -pU /mnt >> /mnt/etc/fstab

To use /tmp as ramdisk, edit /mnt/etc/fstab and add:

tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0

chroot to the new system using bash shell

arch-chroot /mnt /bin/bash

Set hostname

echo krisiun > /etc/hostname

Set the timezone

ln -s /usr/share/zoneinfo/Europe/Brussels /etc/localtime

Adjust hardware clock

hwclock --systohc --utc

Set locales

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
echo LC_ALL=C >> /etc/locale.conf

Set /etc/vconsole.conf


Edit /etc/mkinitcpio.conf, add keymap keyboard encrypt lvm2 in HOOKS and ext4 in MODULES

HOOKS="... keymap keyboard encrypt lvm2 filesystems ..."

Now run:

mkinitcpio -p linux

Choose root password


Create an user

useradd -m -g users -G wheel,storage,network,sys,lp,scanner,audio,video,power [username] && passwd [username]

With visudo, give privileges to your user

[username] ALL=(ALL) ALL

Install boot loader

pacman -S grub efibootmgr os-prober

Edit /etc/default/grub and add:


Run grub-install

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

Run grub-mkconfig (you might get some lvmetad warnings, just ignore for now)

grub-mkconfig -o /boot/grub/grub.cfg

Install sound

pacman -S alsa-utils alsa-oss alsa-plugins pulseaudio

Exit chroot


And reboot

shutdown -r now

Leave a Reply

Your email address will not be published. Required fields are marked *

Loading Facebook Comments ...
Loading Disqus Comments ...