joelmathewthomas / archinstall-luks2-lvm2-secureboot-tpm2
A complete Arch Linux installation guide with LUKS2 full disk encryption, logical volumes with LVM2, and added security using Secure Boot and TPM2 LUKS key enrollment for auto-unlocking the encrypted root.
This repository is indexed by RepoMind. By analyzing joelmathewthomas/archinstall-luks2-lvm2-secureboot-tpm2 in our AI interface, you can instantly generate complete architecture diagrams, visualize control flows, and perform automated security audits across the entire codebase.
Our Agentic Context Augmented Generation (Agentic CAG) engine loads full source files into context on-demand, avoiding the fragmentation of traditional RAG systems. Ask questions about the architecture, dependencies, or specific features to see it in action.
Repository Overview (README excerpt)
Arch Linux install with full disk encryption using LUKS2 - Logical Volumes with LVM2 - Secure Boot - TPM2 Setup

A complete Arch Linux installation guide with **LUKS2** full disk encryption, logical volumes with **LVM2**, and added security using **Secure Boot** with a **Unified Kernel Image** and **TPM2 LUKS** key enrollment for auto-unlocking the encrypted root.

First, acquire an installation image. Visit the Download page, acquire the ISO file and its GnuPG signature, flash the image to a USB drive and boot from it. Verify the image signature before flashing it, especially when downloading from an _HTTP mirror_: an unauthenticated download can be intercepted and replaced with a malicious image. On a system with GnuPG installed, download the ISO PGP signature (under Checksums on the Download page) into the ISO directory and verify it with:

Alternatively, from an existing Arch Linux installation run:

A good signature only counts if the key that produced it is one of the Arch Linux release signing keys listed on the Download page; compare the fingerprint GnuPG reports against that list, since a valid signature from an unknown key proves nothing.

This guide assumes that your system supports UEFI and that you have a network connection. If you want to use , refer to the Arch Wiki.

• Disk Preparation

We'll use a 1024 MB FAT32 partition as the **EFI** system partition. The root (**ext4**) and **swap** volumes are **LVM2** logical volumes inside a LUKS-encrypted partition.

• Partition the disks

We'll use for partitioning the disks. Before partitioning, the output of looks something like this:

Launch : open a terminal and identify your disk. This guide uses /dev/nvme0n1 as an example; replace it with your actual disk identifier.

Select the label type: choose **gpt** (GUID Partition Table) if prompted.

Create the partitions:
- EFI system partition: select **[ New ]**, enter **1024M** for the size, then select **[ Type ]** and choose **EFI System**.
- LUKS partition: select **[ New ]** and use the remaining disk space, or only the space you want if you don't plan on using the entire disk for this setup. Ensure the type is **Linux filesystem**.
- Write the changes: select **[ Write ]** and type yes to confirm.

Visual representation of the partition structure: after partitioning, will output the following:

• Create the encrypted LUKS2 container

Now we need to create the **LUKS2** encrypted container.

**Optional**: overwriting the partition with random data before creating the container prevents recovery of old data and also hides which blocks later hold encrypted data.

> [!WARNING]
> This will erase all data on the disk. Ensure you have selected the correct device.

Create the LUKS encrypted container on the designated partition and enter the chosen passphrase twice:

Open the container:

The last argument is the name assigned to the opened container; the decrypted device is now available at .

• Preparing the logical volumes

Create a physical volume on top of the opened LUKS container:

Create a volume group (named in this example, but it can be whatever you want) and add the physical volume to it:

Create your logical volumes on the volume group:

> [!TIP]
> If a logical volume will be formatted with ext4, leave at least 256 MiB of free space in the volume group to allow using . After creating the last volume with , this can be done by reducing its size with .

Format each logical volume:

Mount the file systems:

• Preparing the boot partition

Replace with the device identifier of your EFI partition and mount it at :

• Installation

> [!NOTE]
> This section deals with installing the base system and setting up the time zone, locale, hostname, hosts file, a non-root user, and passwords for both the root and user accounts.
> This is user-specific configuration, and you may have a different setup you want to follow.
> It is therefore recommended to refer to the official Arch Wiki Installation guide for this section and come back here at the next section, when it is time to configure mkinitcpio. If you want to follow how I do it, feel free to follow this section.

Install essential packages:

You can replace with if your CPU is an **AMD** CPU.

Once that is done, generate the fstab file:

Change root into the new system:

Set the time zone, replacing and with your own:

Run to generate . This command assumes the hardware clock is set to UTC:

Localization: edit and uncomment and any other needed locales, then generate the locales by running:

Create the file and set the LANG variable accordingly:

If you set a console keyboard layout, make the change persistent in vconsole.conf:

Network configuration: create the file:

Edit the hosts file and add the following lines:

Set the root password:

Create a non-root user account and set its password:

Edit the file by running , and uncomment the following line:

Add the new user to the wheel group:

• Configure mkinitcpio

To build a working systemd-based initramfs, modify the HOOKS line in mkinitcpio.conf as follows, adding these hooks: **systemd, keyboard, sd-vconsole, sd-encrypt, lvm2**

You can skip sd-vconsole if you didn't configure vconsole.conf.

Do **not** regenerate the initramfs **yet**: the directory that holds the kernel command line needs to be created first, which we do later.

• Set kernel command line

mkinitcpio supports reading kernel parameters from command line files in a dedicated directory. It concatenates the contents of all files with the expected extension in that directory and uses them to generate the kernel command line. Any line in a command line file that starts with a # character is treated as a comment and ignored.

Create the directory:

In order to unlock the encrypted root partition at boot, the following kernel parameters need to be set:

You can obtain the by running the command ; this is an example output:

Now you need to obtain the **UUID** of the LUKS container, in our case for , which is:

• Install the and

It is pos…
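The disk preparation steps and the kernel command line section above, as one added shell example. This is my own script, not the repository's, and the guide's actual commands are not reproduced on this page; everything here is an assumption about the layout: disk /dev/nvme0n1, mapper name cryptlvm, volume group vg, an 8G swap volume and the EFI partition mounted at /mnt/efi. sgdisk stands in for the guide's interactive partitioning session because it can be scripted; the cryptsetup, LVM and mkinitcpio command line handling is the tooling the guide walks through. The script only plans the destructive steps and prints them; it does execute the safe part, writing the cmdline.d file and rebuilding the command line the way the text describes (concatenate, drop comment lines).

```shell
#!/bin/sh
# Added example, not the repository's own script. Disk layout, names and
# sizes are assumptions: disk /dev/nvme0n1, mapper name cryptlvm, volume
# group vg, swap 8G, EFI partition mounted at /mnt/efi. sgdisk stands in
# for the guide's interactive partitioning step; the rest is the same
# cryptsetup, LVM and mkinitcpio tooling the guide walks through.
set -eu

# Print the command sequence for the encrypted-root layout. Nothing is
# executed here: review the plan, then run it as root on the live medium.
plan_disk_setup() {
    disk=$1   # whole disk, e.g. /dev/nvme0n1
    vg=$2     # volume group name
    swap=$3   # size of the swap logical volume, e.g. 8G
    # nvme/mmc device names need a "p" between disk and partition number
    case $disk in *[0-9]) p=p ;; *) p= ;; esac
    efi="${disk}${p}1"
    luks="${disk}${p}2"
    cat <<EOF
sgdisk --zap-all $disk
sgdisk -n 1:0:+1024M -t 1:ef00 -c 1:EFI $disk
sgdisk -n 2:0:0 -t 2:8300 -c 2:LUKS $disk
cryptsetup luksFormat --type luks2 $luks
cryptsetup open $luks cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate $vg /dev/mapper/cryptlvm
lvcreate -L $swap $vg -n swap
lvcreate -l 100%FREE $vg -n root
lvreduce -L -256M $vg/root
mkfs.ext4 /dev/$vg/root
mkswap /dev/$vg/swap
mkfs.fat -F 32 $efi
mount /dev/$vg/root /mnt
swapon /dev/$vg/swap
mount --mkdir $efi /mnt/efi
EOF
}

# Accept only what `blkid -s UUID -o value <luks partition>` prints, so a
# device path, a truncated copy or stray whitespace is caught before boot.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Write the sd-encrypt parameters for this layout into a cmdline.d file.
# tpm=yes adds the option that lets a TPM2-enrolled key (set up later in
# the guide) unlock the container, with the passphrase prompt as fallback.
write_root_cmdline() {
    dir=$1; uuid=$2; vg=$3; tpm=${4:-no}
    if ! is_uuid "$uuid"; then
        echo "not a LUKS UUID: $uuid" >&2
        return 1
    fi
    opts=
    if [ "$tpm" = yes ]; then
        opts=" rd.luks.options=$uuid=tpm2-device=auto"
    fi
    mkdir -p "$dir"
    {
        echo "# root unlock; generated by the example script, review before booting"
        echo "rd.luks.name=$uuid=cryptlvm$opts"
        echo "root=/dev/$vg/root rw"
    } > "$dir/root.conf"
}

# Assemble the command line the way mkinitcpio reads the directory: every
# .conf file concatenated, lines starting with '#' dropped, the remaining
# lines joined with single spaces.
build_cmdline() {
    cat "$1"/*.conf 2>/dev/null | grep -v '^#' | tr '\n' ' ' \
        | sed 's/  */ /g; s/^ //; s/ $//'
}

# Usage (function name as first argument):
#   sh luks-lvm-plan.sh plan_disk_setup /dev/nvme0n1 vg 8G
#   sh luks-lvm-plan.sh write_root_cmdline /etc/cmdline.d \
#       "$(blkid -s UUID -o value /dev/nvme0n1p2)" vg yes
[ $# -eq 0 ] || "$@"
```

Run `write_root_cmdline` from inside the chroot so the file lands in the new system's cmdline.d directory, and run `build_cmdline` on that directory to see exactly what mkinitcpio will embed before regenerating the initramfs. The UUID check is the guard worth keeping: a wrong value here yields a kernel that boots but never finds the container, which looks like a broken install rather than a typo.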