After my blog post emphasizing the importance of taking control of your privacy, I’ve decided to make a few more posts going over detailed instructions on how to actually do so. Today we have a video that goes over the process of installing Arch Linux with full disk encryption.
This is my first go at publishing videos on my blog, so please provide some feedback in the comments of this article. I’d prefer to use my blog instead of YouTube for publishing technical videos, since it’s all open source, ad-free, and DRM-free. Let me know if you’d like to see more content like this on my blog and which topics you’d like covered - I intend to at least release another video going over this process for Ubuntu as well.
The video goes into detail on each of these steps, but here’s the high-level overview of how to do this. Always check the current version of the Install Guide and the dm-crypt page on the Arch Wiki for the latest procedure.
- Partition your disks with gdisk and be sure to set aside a partition for /boot
- Create a filesystem on /boot
- (optional) Securely erase all of the existing data on your disks with
dd if=/dev/zero of=/dev/sdXY bs=4096
  - note: this is a correction from the command mentioned in the video
- Set up encryption for your encrypted partitions with
cryptsetup luksFormat /dev/sdXX
- Open the encrypted volumes with
cryptsetup open /dev/sdXX [name]
- Create filesystems on /dev/mapper/[names]
- Mount all of the filesystems on /mnt
- Perform the base install with
pacstrap /mnt base [extra packages...]
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt /usr/bin/bash
ln -s /usr/share/zoneinfo/[region]/[zone] /etc/localtime
hwclock --systohc --utc
- Edit /etc/locale.gen to your liking and run
locale-gen
locale > /etc/locale.conf
  - note: this only works for en_US users, adjust if necessary
- Edit /etc/hostname to your liking
- Reconfigure the network
- Edit /etc/mkinitcpio.conf and ensure that the keyboard and encrypt hooks run before the filesystems hook
mkinitcpio -p linux
- Set the root password with
passwd
- Configure /etc/crypttab with any non-root encrypted disks you need. You can get partition UUIDs with
ls -l /dev/disk/by-partuuid
- Configure your kernel command line to include
cryptdevice=PARTUUID=[...]:[name] root=/dev/mapper/[name] rw
- Install your bootloader and reboot!
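
Two of the steps above are easy to get subtly wrong: the hook order in /etc/mkinitcpio.conf and the kernel command line. The script below is an added example, not part of the original post or the video; it checks that keyboard and encrypt precede filesystems and assembles the cryptdevice parameters. The function names, the sample config, the all-zero PARTUUID and the mapper name cryptroot are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): checks for two steps in the list.
# Assumes HOOKS is assigned on a single line, as in the stock mkinitcpio.conf.

# Print the hooks from the last uncommented HOOKS= line, separated by spaces.
# Handles both HOOKS="a b" and HOOKS=(a b) syntax.
hooks_line() {
    grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/#.*$//' -e "s/[()\"']//g"
}

# Return 0 only if keyboard and encrypt both come before filesystems.
check_hook_order() {
    pos=0 kb=0 enc=0 fs=0
    for hook in $(hooks_line "$1"); do
        pos=$((pos + 1))
        case $hook in
            keyboard)    kb=$pos ;;
            encrypt)     enc=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$kb" -gt 0 ] && [ "$enc" -gt 0 ] && [ "$fs" -gt 0 ] &&
        [ "$kb" -lt "$fs" ] && [ "$enc" -lt "$fs" ]
}

# Print the kernel parameters for a GPT PARTUUID and a mapper name.
# The name check is a conservative assumption, not a dm-crypt rule.
build_cmdline() {
    printf '%s\n' "$1" |
        grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    case $2 in '' | *[!A-Za-z0-9_-]*) return 1 ;; esac
    printf 'cryptdevice=PARTUUID=%s:%s root=/dev/mapper/%s rw\n' "$1" "$2" "$2"
}

# Demo on a constructed config and a placeholder PARTUUID.
demo() {
    conf=$(mktemp)
    printf '%s\n' '# HOOKS=(base udev filesystems)' \
        'HOOKS=(base udev autodetect modconf block keyboard encrypt filesystems fsck)' > "$conf"
    if check_hook_order "$conf"; then echo "hooks: ok"
    else echo "hooks: keyboard and encrypt must precede filesystems"; fi
    build_cmdline 00000000-0000-4000-8000-000000000000 cryptroot
    rm -f "$conf"
}
demo
```

Inside the chroot, point check_hook_order at /etc/mkinitcpio.conf before running mkinitcpio -p linux, and pass build_cmdline the PARTUUID shown by ls -l /dev/disk/by-partuuid for the LUKS partition.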