Arch Linux

Setup LUKS Encryption on Arch Linux

In this article I will show you how to install Arch Linux with LUKS encryption. Let’s get started.

Booting in to Arch Linux installer

Select Arch Linux bootable media from your computer’s BIOS and you should see the following screen. Select Arch Linux archiso x86_64 UEFI CD from the menu and press <Enter>.

You should be logged into the Arch Linux console. You can install Arch Linux from here.

Partitioning Disk

Before you can install Arch Linux, you must partition your disk properly. In this article, I will use cfdisk command line utility to partition the disk.

My hard drive is /dev/sda. Your hard drive might be identified by the system differently. Run lsblk command to find out what it is for you and replace /dev/sda in this article as required.

To partition /dev/sda with cfdisk, run the following command:

$ cfdisk /dev/sda

You should see the following window. If your hardware supports UEFI, select gpt. Otherwise select dos. My hardware supports UEFI. So I am selecting gpt.

Once you select a partitioning method, you should see the following window. Here you have to create 3 partitions if you’ve selected gpt, otherwise 2 partitions are enough.

For gpt partition table:

Partition 1 should be EFI System Partition of about 256MB
Partition 2 should be the boot partition of about 512MB
Partition 3 should be the root partition. Give it the rest of the free space.

For dos partition table:

Partition 1 should be the boot partition of about 512MB.
Partition 2 should be the root partition. Give it the rest of the free space.

To create a partition, navigate to [ New ] using the <Left> and <Right> arrow keys and press <Enter>

Now enter the partition size. In my case, the first partition is the EFI partition. So I will give it 256MB. Once you’re done, press <Enter>.

The partition should be created. Now you have to change the filesystem Type to EFI System Partition. To do that navigate to [ Type ] and press <Enter>.

You should see the following window. Select EFI System from the list and press <Enter>.

The partition should be created.

Now I am going to create the 512MB boot partition.

The boot partition should be created.

Now I am going to create the root partition. I will give it the rest of the free space.

All the partitions are created.

Now we are going to write the changes to the disk. To do that navigate to [ Write ] and press <Enter>.

Now type in yes and press <Enter>.

Now navigate to [ Quit ] and press <Enter>. You should be back to the Arch Linux console.

Configuring LUKS Encryption on the Disk

First load the dm-crypt kernel module with the following command:

$ modprobe dm-crypt

Now load the dm-mod kernel module with the following command:

$ modprobe dm-mod

Now you can encrypt the root partition (in my case /dev/sda3) with LUKS with the following command:

$ cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3

Now type in YES (must be in uppercase) and press <Enter>.

Now enter a password and press <Enter>.

Re-enter the password and press <Enter>.

The LUKS encryption is complete.

Now open the /dev/sda3 device with the following command, so we can install Arch Linux on it.

$ cryptsetup open /dev/sda3 luks_root

Now enter the password you just set earlier and press <Enter>.

The LUKS encrypted disk should now be available at /dev/mapper/luks_root

Formatting and Mounting the Partitions

Now you have to format the partitions.

Run the following command to format the EFI System Partition /dev/sda1:

$ mkfs.vfat -n "EFI System Partition" /dev/sda1

Run the following command to format the boot partition /dev/sda2:

$ mkfs.ext4 -L boot /dev/sda2

Run the following command to format the LUKS encrypted root partition /dev/mapper/luks_root:

$ mkfs.ext4 -L root /dev/mapper/luks_root

Now mount /dev/mapper/luks_root in /mnt directory:

$ mount /dev/mapper/luks_root /mnt

Create boot/ directory in /mnt with the following commands:

$ cd /mnt

$ mkdir boot

Now mount /dev/sda2 to boot/:

$ mount /dev/sda2 boot

Now create a boot/efi/ directory in /mnt:

$ mkdir boot/efi

Now mount the EFI System Partition /dev/sda1 to boot/efi/ directory:

$ mount /dev/sda1 boot/efi

Create a 1GB swap file in /mnt with the following command:

$ dd if=/dev/zero of=swap bs=1M count=1024

Format the swap block file:

$ mkswap swap

Now enable the swap:

$ swapon swap

Change the swap file permission to the suggested value:

$ chmod 0600 swap

Installing Arch Linux

Run the following command to install Arch Linux:

$ pacstrap -i /mnt base base-devel efibootmgr grub

Press <Enter>.

Press <Enter> again.

Press y and then press <Enter>.

The installation should start and it may take a while to complete.

Once the installation is complete, generate fstab file:

$ genfstab -U /mnt > /mnt/etc/fstab

Now chroot into the newly installed Arch Linux:

$ arch-chroot /mnt

First set up a root password with the following command:

$ passwd

Now edit /etc/locale.gen:

$ nano /etc/locale.gen

Remove the # from the beginning of one of the line depending on your language. Then save the file.

Now run the following commands:

$ locale-gen

$ echo LANG=YOUR_LOCALE > /etc/locale.conf

$ export LANG=YOUR_LOCALE

Now set your time zone with the following commands:

$ ln -sf /usr/share/zoneinfo/YOUR_REGION/YOUR_CIT /etc/localtime

Set hardware clock:

$ hwclock --systohc --utc

Now set hostname with the following command:

$ echo YOUR_HOSTNAME > /etc/hostname

Edit /etc/hosts:

$ nano /etc/hosts

Add the following lines to /etc/hosts and save the file.

Now edit /etc/default/grub:

$ nano /etc/default/grub

Set GRUB_CMDLINE_LINUX=”cryptdevice=/dev/sda3:luks_root” and save the file.

Now edit /etc/mkinitcpio.conf:

$ nano /etc/mkinitcpio.conf

In the HOOKS section, add encrypt after block as shown in the marked section of the screenshot below. Then save the file.

Now run the following command to generate initramfs:

$ mkinitcpio -p linux

Now install GRUB with the following commands:

$ grub-install --boot-directory=/boot --efi-directory=/boot/efi /dev/sda2

Now generate GRUB configuration with the following commands:

$ grub-mkconfig -o /boot/grub/grub.cfg

$ grub-mkconfig -o /boot/efi/EFI/arch/grub.cfg

Now exit out of chroot:

$ exit

Now reboot your computer:

$ reboot

Booting in to the LUKS Encrypted Arch Linux

Once your computer boots again, you should see the following window. Select Arch Linux and press <Enter>.

You should be prompted for your LUKS encryption password that you set earlier. Type in the password and press <Enter> to continue.

Your Arch Linux should start.

Now you can login into your Arch Linux as you can see in the screenshot below.

That’s how you install Arch Linux with LUKS Encryption. Thanks for reading this article.

About the author

Shahriar Shovon

Freelancer & Linux System Administrator. Also loves Web API development with Node.js and JavaScript. I was born in Bangladesh. I am currently studying Electronics and Communication Engineering at Khulna University of Engineering & Technology (KUET), one of the demanding public engineering universities of Bangladesh.