Table of contents
- The mistakes
- The process
I recently received my new work computer, and the guys from the IT department asked me to encrypt at least my home partition. This was the first time I tried to encrypt partitions during an Arch Linux install. I remember some of my friends trying to encrypt their home without encrypting their whole partition, and I remembered that they had had some problems, so I thought I might as well encrypt the whole partition.
Another thing I remember from a long time ago is that it was considered good practice to have your / and your /home on two separate partitions in case of crashes. I did that a couple of times, and when crashes occurred, I never managed to fix them without wiping the whole disk, so eventually I stopped doing that.
This install caused me some problems, and this is why I write this post: if anyone other than myself reads it and finds help in it, I'm glad, but I mostly write it in case I need to do this once again.
So here I am, with my brand new machine, with an Ubuntu distribution that I obviously won't keep. I have my Arch Linux iso on my USB stick, and I'm ready to install.
When encrypting, if you have your /home on the same partition as your / and you want to encrypt your home, well, you'll be encrypting your /, and since /boot is in /, it will also be encrypted. Maybe you want to encrypt your /boot for security reasons, but that wasn't especially my case. The thing is, encrypting /boot leads to extra complexity, since you'll need to decrypt
This is why I decided to finally go back to putting / and /home on two separate partitions. That way, I encrypt my home, and that's all.
Another thing that a lot of people who encrypt disks use is LVM. Honestly, I don't know much about LVM; I just know that it adds a layer of complexity to the setup, and if I can avoid that, I might as well.
Booting the USB drive
As it always begins, I plug my USB drive into my computer, boot it, rapidly press F12 and make my computer boot on the USB drive. From there, I get a prompt, and as a French guy with an AZERTY keyboard, I start by running loadkeys fr (which I need to type as loqdkeys fr since the default keyboard layout is the US QWERTY one).
Partitioning the disk
Then comes the part where we format the disk. As said previously, I'll have my / and /home on two separate partitions, and since I don't believe in swap, I made three partitions:
- /dev/nvme0n1p1, the EFI system partition, mounted at /boot/efi;
- /dev/nvme0n1p2, which corresponds to /: originally 15GB (I wanted to keep it small because my laptop only has 512GB of SSD), later changed to 50GB; even if you have a small disk, be generous on this one or you'll be f**ked later (happened to me on August 24th);
- /dev/nvme0n1p3, which corresponds to /home, fills the rest of my disk and will be encrypted.
Then, we need to format those partitions. So it starts as usual:
mkfs.vfat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
mkfs.ext4 /dev/nvme0n1p3 # Useless: luksFormat below overwrites this, the real filesystem goes on /dev/mapper/luks
Then we need to set up the encryption of our /home partition:
cryptsetup --type luks1 luksFormat /dev/nvme0n1p3
I'm not super sure the --type luks1 is required, but I use Grub as bootloader and I'm not sure it supports LUKS2.
Anyway, this will ask you for a passphrase. Finding a good passphrase is hard, but advice can be found online. I used diceware as a source of inspiration.
When this is done, you need to mount your partitions to continue the install. The following command opens the encrypted partition and exposes its decrypted contents at a new location:
cryptsetup luksOpen /dev/nvme0n1p3 luks
It creates a virtual disk at /dev/mapper/luks that you then need to format as ext4.
Then you can start mounting everything everywhere:
mount /dev/nvme0n1p2 /mnt
mkdir -p /mnt/boot/efi && mount /dev/nvme0n1p1 /mnt/boot/efi
mkdir /mnt/home && mount /dev/mapper/luks /mnt/home
Install all the things
Now is the moment to pacstrap all the things. Make sure you have an internet connection, edit your /etc/pacman.d/mirrorlist to put the servers close to you at the top of the file, and here we go:
pacstrap /mnt base base-devel linux linux-firmware netctl dhclient dhcpcd wireless_tools wpa_supplicant dialog
Those should let you connect to the internet once the install is finished. Make sure to also install your favorite text editor.
You should also generate your fstab file:
genfstab -Up /mnt >> /mnt/etc/fstab
This file describes which partitions should be mounted and where when the computer boots.
Now comes the time to chroot into the new system with arch-chroot /mnt.
Welcome to your new computer. You can configure things such as the machine name, the timezone, the keyboard layout, etc. Don't hesitate to check the official guide for these parts; encryption doesn't change anything until the initramfs (mkinitcpio) step.
Don't forget to set the root password with the passwd command.
Initramfs (mkinitcpio)
To be honest, I have no idea what this does, but I know that it's very important.
Start by running mkinitcpio -p linux. This should generate a file named /etc/mkinitcpio.conf. In this file you should add ext4 to the MODULES line, and encrypt just before filesystems in the HOOKS line; my HOOKS line looks like this:
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
Then run mkinitcpio -p linux once again, and you're done with that part.
Grub
Ok, there surely are alternatives to Grub, but Grub is the only one I know, so that's what I use. To install grub, you need two other packages:
pacman -S grub efibootmgr
Normally, you should still have your internet connection active from before the chroot.
Once grub is installed, you need to edit its default configuration to make it understand that some partitions are encrypted. Edit the /etc/default/grub file. The line GRUB_ENABLE_CRYPTODISK=y should be uncommented, and I also
Once those modifications are done, you need to install grub and generate its configuration:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=arch_grub
grub-mkconfig -o /boot/grub/grub.cfg
and normally you should be all set.
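As an added check that is not part of the original post, this script verifies the two edits the post makes before re-running mkinitcpio and grub-install: the HOOKS/MODULES lines in /etc/mkinitcpio.conf and the uncommented GRUB_ENABLE_CRYPTODISK=y in /etc/default/grub. The function names are my own, and the sample files it checks are constructed here so it runs without root.

```shell
#!/bin/bash
# Added example (not from the original post): check the two config edits the
# post makes before re-running mkinitcpio and grub-install. Paths default to
# the real files; the demo below writes constructed copies to a temp dir.

# 0 if HOOKS=(...) lists encrypt before filesystems and MODULES=(...) has ext4.
check_mkinitcpio() {
    local conf="${1:-/etc/mkinitcpio.conf}" hooks modules h
    local enc_idx=-1 fs_idx=-1 i=0
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$conf")
    modules=$(sed -n 's/^MODULES=(\(.*\))/\1/p' "$conf")
    for h in $hooks; do
        [ "$h" = encrypt ] && enc_idx=$i
        [ "$h" = filesystems ] && fs_idx=$i
        i=$((i + 1))
    done
    [ "$enc_idx" -ge 0 ] || { echo "$conf: encrypt hook missing"; return 1; }
    [ "$fs_idx" -gt "$enc_idx" ] || { echo "$conf: encrypt must come before filesystems"; return 1; }
    case " $modules " in
        *" ext4 "*) return 0 ;;
        *) echo "$conf: ext4 missing from MODULES"; return 1 ;;
    esac
}

# 0 if GRUB_ENABLE_CRYPTODISK=y is present and not commented out.
check_grub_cryptodisk() {
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "${1:-/etc/default/grub}"
}

# Constructed sample files so the script runs stand-alone without root.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
MODULES=(ext4)
HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
MODULES=()
HOOKS=(base udev autodetect modconf block filesystems encrypt keyboard fsck)
EOF
printf '#GRUB_ENABLE_CRYPTODISK=y\n' > "$demo_dir/grub.commented"
printf 'GRUB_ENABLE_CRYPTODISK=y\n' > "$demo_dir/grub.enabled"

check_mkinitcpio "$demo_dir/good.conf" && echo "good.conf: initramfs config ok"
check_mkinitcpio "$demo_dir/bad.conf" || echo "bad.conf: rejected as expected"
check_grub_cryptodisk "$demo_dir/grub.enabled" && echo "grub.enabled: cryptodisk on"
check_grub_cryptodisk "$demo_dir/grub.commented" || echo "grub.commented: still commented out"
```

Run it without arguments inside the chroot to check the real files instead of the samples: pass the real paths to the two functions.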
You can now exit the chroot (Ctrl+D or exit), unmount the disks (umount -R /mnt) and reboot your computer.
When booting again, grub should start and run Arch Linux, which will then prompt you for your passphrase. Once the passphrase is entered, it will prompt for your login and password, and you can then continue your configuration.