Installing Arch Linux with an Encrypted Root Drive
Jan 27, 24This is the way I’ve been setting up my Arch machines. I want the root drive to have strong encryption.
I follow the instructions to install Arch with a few changes.
I just set one up that was an older legacy bios with GPT. I’m going to use GRUB as my bootloader. I created four partitions on the disk.
- sda1 - Bios boot partition, unformatted, 4 MB.
- sda2 - Boot partition, ext2 formatted, 512 MB.
- sda3 - Swap partition, 4 GB.
- sda4 - Root partition, formatted with BTRFS using the rest of the space.
You can add new system partitions as you like, but I like to keep it simple. I’m going to encrypt partition 4, the root partition. For a UEFI, you don’t need the bios boot partition, and you’ll format the boot partition with FAT32.
Use dm-crypt to encrypt the root partition:
cryptsetup luksFormat /dev/sda4
It will prompt you to create a password. Next, open the encrypted container:
cryptsetup open /dev/sda4 root
Now go ahead and format all the partitions as you normally would. I’m formatting the encrypted drive like this:
mkfs.btrfs /dev/mapper/root
Mount the volume, turn on swap, etc.:
mount /dev/mapper/root /mnt
Run pacstrap and download the basic Arch system. When you run the genfstab command, use the -p switch:
genfstab -p /mnt >> /mnt/etc/fstab
Chroot into the new system, and do all the setups from the install instructions as normal until you get to the mkinitcpio stage. You have to tweak the config file for mkinitcpio with one simple addition of the word encrypt before filesystems.
vim /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
Now just run mkinitcpio -P
Finish installing the system until you get to the bootloader phase. Again, I’m going to use grub.
For this to work, you need to get the partuuid of the encrypted disk. I’m going to print that to a text file like this:
ls -l /dev/disk/by-partuuid/ > disk
Use vim to yank the partuuid and we’re going to use that to modify the grub config file.
vim /etc/default/grub
The fifth line gives you a place to insert this. It looks like this unmodified:
GRUB_CMDLINE_LINUX=""
Modified, it will look like this:
GRUB_CMDLINE_LINUX="cryptdevice=PARTUUID=PARTUUID:root root=/dev/mapper/root rw"
Of course, paste the actual partuuid in place of the second partuuid in that line. Save the file.
Install and then configure grub as normal.
That’s it. Reboot and the system should prompt you for the password.