Artix Linux Encrypted Installation Guide

2025-03-23

Installing Artix Linux with Disk Encryption (for UEFI)

The USB Drive

Downloading the ISO

  1. Get the ISO from the Artix Website

Burning the ISO

On Linux, connect your USB drive and run lsblk. Assuming your USB drive is /dev/sdb, run

dd if=<path-to-iso> of=/dev/sdb status=progress bs=4M

as root.

WARNING: dd is the famous disk destroyer! Don't get the output file wrong or you could lose all your data.

The Installation

Connecting to WiFi

  1. See if you're connected to the internet. Try

    ping almela.io
    

    If this works for you, you can skip this section.

  2. Get the name of your interface using

    ip link
    

    Ignore lo, which is the loopback interface. A WiFi interface usually looks like wlan0 or wlp2s0.

  3. Create a config file to connect to your WiFi:

    wpa_passphrase "<SSID>" "<password>" > /etc/wpa_supplicant.conf
    

    Where <SSID> is the name of your WiFi, and <password> is... its password.

    If you don't have the required permissions to run this, try it as root using sudo su.

  4. Start wpa_supplicant

    sudo wpa_supplicant -B -i <interface> -c /etc/wpa_supplicant.conf
    

    Where <interface> is the interface you found in step 2.

  5. Obtain an IP Address: After wpa_supplicant is connected, you need to request an IP address using dhclient

    sudo dhclient <interface>
    

    If this fails with message RTNETLINK answers: Operation not possible due to RF-kill, try running rfkill unblock <interface*> where <interface*> is just <interface> without the numbered suffix. For instance if your interface is wlan0, <interface*> is just wlan.

  6. Attempt step 1 again.

Checking for UEFI

If the following command returns anything, then you're using UEFI. Otherwise, you're not.

ls /sys/firmware/efi/efivars

Partitioning your drive

ERRATA: To avoid the error "grub-install: error: unknown filesystem", downgrade the parted utility from 3.6-1 to 3.4-2 before making the partitions:

pacman -U "https://archive.artixlinux.org/packages/p/parted/parted-3.4-2-x86_64.pkg.tar.zst"

Partition   Name    Size   Notes
/dev/sdX1   ESP     1G     Includes swap file
/dev/sdX2   CRYPT   ?G     Remaining space

/dev/sdX2 will have 2 logical volumes

To use the same commands as the rest of this section, you can link your drive using the following commands

ln -s /dev/<your-drive> /dev/sdX
ln -s /dev/<your-drive>1 /dev/sdX1
ln -s /dev/<your-drive>2 /dev/sdX2

Setting a label for the drive

parted -s /dev/sdX mklabel gpt

Creating the boot partition

parted -s -a optimal /dev/sdX mkpart "primary" "fat32" "0%" "1024MiB"
parted -s /dev/sdX set 1 esp on

This partition will be unencrypted, which makes boot times faster.

If you're using UEFI, you need to use fat32

Creating the encrypted partition

Make a /dev/sdX2 partition which will take the rest of the free space - after the 1 GB of /boot - and set the lvm flag:

parted -s -a optimal /dev/sdX mkpart "primary" "ext4" "1024MiB" "100%"
parted -s /dev/sdX set 2 lvm on

Print the partition table of a drive and see if the alignment of your partitions is optimal:

parted -s /dev/sdX print
parted -s /dev/sdX align-check optimal 1
parted -s /dev/sdX align-check optimal 2

Setting up the Logical Volumes

At this stage, it's a good idea to figure out which encryption cypher is the fastest for your system. It's the one you'll be using to encrypt your drive.

cryptsetup benchmark

In my case, the fastest is the aes-xts cypher with a 256 byte key (probably because of hardware acceleration) so that's what I'm using.

Now we can encrypt our partition

cryptsetup --verbose --type luks1 --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sdX2

TODO: If you're less hardcore, try

cryptsetup luksFormat -v --type=luks1 /dev/sdX2

(it uses aes-xts 256)

Note: We have to use luks1 here because of grub limitations. See Arch Wiki for details

Open the partition and mount it using the device mapper

cryptsetup luksOpen /dev/sdX2 lvm

Here, lvm is the name given to the opened (decrypted) device, which then appears as /dev/mapper/lvm.

Now we create a physical volume

pvcreate /dev/mapper/lvm

Now we create a volume group

vgcreate lvmSystem /dev/mapper/lvm

And finally, we can actually create the logical volumes. At this stage, set a good size for your root partition and let home take the rest.

lvcreate --contiguous y --size 400G lvmSystem --name root
lvcreate --contiguous y --extents +100%FREE lvmSystem --name home

Finally, you can get an overview of this partition scheme by running lsblk -f, and checking that everything is correct.

Adding filesystems

Create a FAT32 filesystem on the boot partition

mkfs.fat -n ESP -F 32 /dev/sdX1

And ext4 filesystems for root and home

mkfs.ext4 -L ROOT /dev/lvmSystem/root
mkfs.ext4 -L HOME /dev/lvmSystem/home

Mounting the partitions

Mount the root first

mount /dev/lvmSystem/root /mnt

Create the mount points for boot and home

mkdir /mnt/boot
mkdir /mnt/home

Then boot

mkdir /mnt/boot/efi
mount /dev/disk/by-label/ESP /mnt/boot/efi

And home

mount /dev/lvmSystem/home /mnt/home

Once again, verify everything is correct with lsblk

TODO: swapfile

Adding a swapfile

Installing the base system & kernel

Before we install the basic programs and kernel, there are a few steps we can take which will help us download these faster.

  1. You can edit your mirrorlist at /etc/pacman.d/mirrorlist and put mirrors closer to you at the top. This should help you download things faster

  2. You can also edit the ParallelDownloads flag in /etc/pacman.conf. I usually set it to 20.

Once this is done,

basestrap /mnt base base-devel linux linux-firmware networkmanager networkmanager-runit vim runit elogind-runit grub efibootmgr cryptsetup lvm2 lvm2-runit

Everything after /mnt is programs that will be installed on the base system. I like to keep it simple at this stage as most packages will be installed later on.

Jumping into the real system

artix-chroot /mnt

Configuring the base system

Setting the timezone

For example, if you're in the EST timezone,

ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime

Update the hardware clock

hwclock --systohc

Setting the locale

Create a file at /etc/locale.conf with contents

export LANG="en_US.UTF-8"
export LC_COLLATE="C"

Next, in /etc/locale.gen, uncomment your locale of choice. For me that's usually

en_US.UTF-8 UTF-8
en_US ISO-8859-1

Once done, update your locale info by running

locale-gen

Network Configs

Create a hostname

vim /etc/hostname

Pick a good name for your computer. Write it in the file, save, and exit.

Next, write hosts

vim /etc/hosts

And write

127.0.0.1        localhost
::1              localhost
127.0.1.1        <hostname>.localdomain  <hostname>

Where <hostname> is the hostname you picked above.

Note: There are 3 columns in the above file, separating each of them are tabs, not spaces. It's unclear to me if this matters, but I've always done it that way.

Enable WiFi on boot

ln -s /etc/runit/sv/NetworkManager /etc/runit/runsvdir/current

Set the root password

passwd

And pick a good password

Autologin as yourself

Since your system is encrypted, you'll be prompted to enter your decryption password, followed by your user password. If you think this is too much work, go to /etc/runit/sv/agetty-tty1/conf, and to GETTY_ARGS, add --autologin <username>.

NOTE: We haven't created this user yet! You can create it if you want, but if you're using the autorice script, you may want to do this step after having run that script instead.

Decrypting the drive on boot

Go to /etc/mkinitcpio.conf. To HOOKS, add encrypt and lvm2 between block and filesystems.

For example

HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

NOTE: You may also want to add the resume hook to enable hibernation, but note that this may not always work (e.g. with hardened kernels).

If you chose to add it, resume goes after lvm2.

Then update the image

mkinitcpio -p linux

Generating the fstab

If you're chrooted into the base system, exit with ctrl+d or exit to go back to the usb drive.

Take a look at the output of fstabgen -U /mnt. If everything looks good, write it with

fstabgen -U /mnt >> /mnt/etc/fstab

TODO: describe what we're looking for. (In short, is boot there? is home there? is root there? do the uuids match? compare with lsblk -f)
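One way to do the comparison this TODO sketches, as an added example that is not part of the original guide. The function name check_fstab, the "UUID TARGET" input format and the findmnt invocation in the comments are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check fstabgen output.
# check_fstab FSTAB MOUNTS
#   FSTAB  - file holding the output of `fstabgen -U /mnt`
#   MOUNTS - "UUID TARGET" lines for what is mounted under /mnt
# Assumed way to collect both on the live system:
#   fstabgen -U /mnt > /tmp/fstab.new
#   findmnt -R -rno UUID,TARGET /mnt > /tmp/mounts
#   check_fstab /tmp/fstab.new /tmp/mounts
# Prints one line per problem; returns 0 only if /, /home and /boot/efi are
# present and every fstab UUID equals the UUID of the mounted filesystem.
check_fstab() {
    awk -v prefix="/mnt" '
        NR == FNR {                       # first file: mounted filesystems
            t = $2
            sub("^" prefix, "", t)        # /mnt/home -> /home
            if (t == "") t = "/"          # /mnt      -> /
            live[t] = $1
            next
        }
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        {
            spec = $1; mp = $2
            seen[mp] = 1
            if (spec !~ /^UUID=/) {
                printf "%s: not referenced by UUID (%s)\n", mp, spec
                bad = 1
            } else if ((mp in live) && substr(spec, 6) != live[mp]) {
                printf "%s: fstab UUID %s but mounted filesystem is %s\n",
                       mp, substr(spec, 6), live[mp]
                bad = 1
            }
        }
        END {
            n = split("/ /home /boot/efi", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) {
                    printf "%s: missing from fstab\n", want[i]
                    bad = 1
                }
            exit bad
        }
    ' "$2" "$1"
}
```

Only append the fstabgen output to /mnt/etc/fstab once the function prints nothing and returns 0.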

Configuring GRUB

At this point, we need to chroot back into the base system

artix-chroot /mnt

Create a Backup!

Before making these modifications, back up your default grub config file!

cp /etc/default/grub /etc/default/grub.bak

Adding the partition UUIDs

Modify GRUB_CMDLINE_LINUX_DEFAULT from

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

To

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=<XXX>:lvmSystem root=UUID=<YYY> home=UUID=<ZZZ>"

Where

To get this information, run lsblk -f in the base system. If you're still chrooted and don't know it, simply ctrl+d or run exit to go back, then go back in.

Enabling cryptodisk

Near the top of your /etc/default/grub file, you'll see a commented line,

#GRUB_ENABLE_CRYPTODISK=y

Uncomment it

Enabling Continuous TRIM

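If you are using an SSD, you can also add :allow-discards to enable Continuous TRIM. Be aware that passing discards through to an encrypted device reveals which of its blocks are unused.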

GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet cryptdevice=UUID=<XXX>:lvmSystem:allow-discards root=UUID=<YYY> home=UUID=<ZZZ>"

TODO(@Gaetan): You might wanna do this last step

Installing GRUB

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub

NOTE: Need to be chrooted for this

Then, create the config file using

grub-mkconfig -o /boot/grub/grub.cfg
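A check worth running before the reboot, covering both the HOOKS order from "Decrypting the drive on boot" and the /etc/default/grub edits above. This is an added example, not part of the original guide; the function names check_hooks and check_grub are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide): checks before the first reboot.
# Usage inside the chroot:
#   check_hooks /etc/mkinitcpio.conf && check_grub /etc/default/grub

# check_hooks FILE: succeed only if the active (uncommented) HOOKS line lists
# block, encrypt, lvm2 and filesystems in that relative order.
check_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*/\1/p' "$1" | tail -n 1 | awk '
        { for (i = 1; i <= NF; i++) pos[$i] = i; found = 1 }
        END {
            if (!found) { print "no active HOOKS line"; exit 1 }
            n = split("block encrypt lvm2 filesystems", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in pos)) { print "missing hook: " want[i]; bad = 1 }
            for (i = 1; i < n && !bad; i++)
                if (pos[want[i]] > pos[want[i + 1]]) {
                    print want[i] " must come before " want[i + 1]; bad = 1
                }
            exit bad
        }'
}

# check_grub FILE: succeed only if cryptodisk is enabled and the kernel command
# line has cryptdevice=UUID=... and root=UUID=... with no <XXX>-style
# placeholder left over from the guide.
check_grub() {
    rc=0
    grep -Eq '^[[:space:]]*GRUB_ENABLE_CRYPTODISK=y' "$1" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y is missing or commented out"; rc=1; }
    cmdline=$(grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1)
    for key in cryptdevice root; do
        printf '%s\n' "$cmdline" | grep -Eq "[\" ]$key=UUID=[0-9A-Fa-f-]+" ||
            { echo "$key=UUID=... missing from GRUB_CMDLINE_LINUX_DEFAULT"; rc=1; }
    done
    case $cmdline in
        *'<'*'>'*) echo "placeholder left in kernel command line"; rc=1 ;;
    esac
    return $rc
}
```

If check_hooks reports a problem, fix HOOKS and rerun mkinitcpio -p linux; if check_grub does, fix /etc/default/grub and rerun grub-mkconfig.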

Reboot the system

Exit the chroot environment

exit
umount -R /mnt
reboot

TODO:

Enabling suspend/hibernate/sleep

TODO

Issues

_ on boot with no output

This happened to me after not logging into my machine for some time. I was able to fix it by booting into an Artix drive and decrypting the drives manually:

  1. Boot into your external artix usb drive

  2. Decrypt the drive manually

    cryptsetup luksOpen /dev/sdX2 lvm
    
  3. Activate the logical volumes

    vgchange -ay lvmSystem
    
  4. Mount the partitions

    mount /dev/lvmSystem/root /mnt
    
    mkdir -p /mnt/boot/efi
    mkdir -p /mnt/home
    mount /dev/lvmSystem/home /mnt/home
    mount /dev/sdX1 /mnt/boot/efi
    
  5. chroot into the system

    artix-chroot /mnt
    
  6. Rebuild the GRUB config

    grub-mkconfig -o /boot/grub/grub.cfg
    

Resources