Revisions

  1. HardenedArray revised this gist Dec 13, 2020. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -171,7 +171,8 @@ nano /etc/pacman.d/mirrorlist
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd iwd lvm2 linux-firmware man-pages
    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd
    iwd lvm2 linux-firmware man-pages

    # Create and review FSTAB
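
    Review bot: the pacstrap command is now split after `dhcpcd` with no trailing backslash, so a shell runs the first line as the whole pacstrap call and then tries to execute `iwd lvm2 linux-firmware man-pages` as a separate command. The packages on the second line never reach /mnt. End the first line with ` \` or keep the command on one line as it was before this revision.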

  2. HardenedArray revised this gist Dec 13, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -171,7 +171,7 @@ nano /etc/pacman.d/mirrorlist
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd iwd lvm2 linux-firmware
    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd iwd lvm2 linux-firmware man-pages

    # Create and review FSTAB

  3. HardenedArray revised this gist Aug 17, 2020. 1 changed file with 13 additions and 4 deletions.
    17 changes: 13 additions & 4 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -58,13 +58,18 @@ dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync
    # It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs. Also
    # note that in mid-2020 the Arch devs deprecrated the use of `wifi-menu`. The current installation images support `iwd`,
    # which provides `iwctl`. Carefully note that `iwd` will NOT be installed on your new system. If you will require WiFi
    # access following reboot either install `iwd` or `netctl`, which provides `wifi-menu`. I have left the installation of
    # `netctl` as one the the default packages in the pacstrap command you will run in a subsequent step.
    # access following reboot, we install `iwd` in the pacstrap command and then enable it after we enter arch-chroot, below.

    # Connect to WiFi using:

    iwctl

    # then to connect to your WiFi station; do something like:

    station <wlan device name> connect <wifi-station-name tab-auto-complete>

    # then enter your wifi station's passphrase

    # It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
    # For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
    # which should return the URL of my Arch installation guides:
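
    Review bot: the added `station <wlan device name> connect ...` line is entered inside the interactive prompt that `iwctl` opens, not in the shell, and the comment neither says so nor shows how to find the device name. Add `device list` and `station <wlan device name> get-networks` ahead of the connect line, and state that all three are typed at the iwctl prompt.
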
    @@ -161,12 +166,12 @@ nano /etc/pacman.d/mirrorlist
    # We will be addressing those issues in our pacstrap command below.

    # This installation command provides a decent set of basic system programs which will also support WiFi through
    # netctl's `wifi-menu` after initially booting into your Arch system. Having WiFi following installation is particularly
    # iwd's `iwctl` after initially booting into your Arch system. Having WiFi following installation is particularly
    # critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd netctl lvm2 linux-firmware
    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd iwd lvm2 linux-firmware

    # Create and review FSTAB
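
    Review bot: the new pacstrap line swaps `netctl` for `iwd` but keeps `dialog` and `wpa_supplicant`, which were there to support `wifi-menu`. iwd does not need wpa_supplicant, and `iwctl` has no dialog front end. Drop both, or add a comment saying why they stay; a smaller base install is less to keep patched.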

    @@ -182,6 +187,10 @@ arch-chroot /mnt /bin/bash
    ln -s /usr/share/zoneinfo/UTC /etc/localtime # This will harmlessly fail if your system's CMOS clock is already set to UTC.
    hwclock --systohc --utc

    # If you require WiFi access following reboot, enable iwd:

    systemctl enable iwd

    # Assign your hostname

    echo MyHostName > /etc/hostname
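
    Review bot: `systemctl enable iwd` only brings up the wireless link, and nothing in this hunk enables a DHCP client, so after reboot the interface can associate and still have no address. The pacstrap line in this revision installs `dhcpcd`, so either add `systemctl enable dhcpcd` next to this line or document setting `EnableNetworkConfiguration=true` under `[General]` in /etc/iwd/main.conf.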
  4. HardenedArray revised this gist Aug 9, 2020. No changes.
  5. HardenedArray revised this gist Aug 9, 2020. No changes.
  6. HardenedArray revised this gist Aug 9, 2020. No changes.
  7. HardenedArray revised this gist Aug 9, 2020. 1 changed file with 7 additions and 2 deletions.
    9 changes: 7 additions & 2 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -55,10 +55,15 @@ dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync

    # Set your keymap only if not you are not using the default English language.

    # It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs.
    # It is typically wiser to be hard wired to the Net during installation. However, Arch supports WiFi-only installs. Also
    # note that in mid-2020 the Arch devs deprecrated the use of `wifi-menu`. The current installation images support `iwd`,
    # which provides `iwctl`. Carefully note that `iwd` will NOT be installed on your new system. If you will require WiFi
    # access following reboot either install `iwd` or `netctl`, which provides `wifi-menu`. I have left the installation of
    # `netctl` as one the the default packages in the pacstrap command you will run in a subsequent step.

    # Connect to WiFi using:

    wifi-menu
    iwctl

    # It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
    # For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
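
    Review bot: two typos in the added comment block: `deprecrated` should be `deprecated`, and `as one the the default packages` should be `as one of the default packages`. The block also replaces `wifi-menu` with a bare `iwctl` and gives no hint of what to type next, so a WiFi-only reader is left at an unfamiliar prompt.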
  8. HardenedArray revised this gist Mar 4, 2020. No changes.
  9. HardenedArray revised this gist Feb 28, 2020. No changes.
  10. HardenedArray revised this gist Feb 28, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -322,7 +322,7 @@ Therefore, instead of using this example from above:

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillary resume=/dev/mapper/Arch-swap"

    Run 'blkid' as root, and find the correct PARTUUID for your external device's encryted partition.
    Run 'blkid' as root, and find the correct PARTUUID for your external device's encrypted partition.

    N.B.: PARTUUIDs are completely unrelated to UUIDs.

  11. HardenedArray revised this gist Feb 27, 2020. 1 changed file with 1 addition and 2 deletions.
    3 changes: 1 addition & 2 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -161,8 +161,7 @@ nano /etc/pacman.d/mirrorlist
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
    dhcpcd netctl lvm2 linux-firmware
    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers nano dhcpcd netctl lvm2 linux-firmware

    # Create and review FSTAB

  12. HardenedArray revised this gist Feb 27, 2020. 1 changed file with 0 additions and 22 deletions.
    22 changes: 0 additions & 22 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -339,28 +339,6 @@ All other parts of my installation procedure should be followed without modifica
    __________________________


    One Post-Install Recommendation To Optimize the Speed of All Your Future Installs - Rank Your Mirrors, First!

    It's a very simple procedure, and will save you a lot of downloading time over your Arch Linux lifetime, particularly
    if you are planning on doing any mass-installs, like gnome, gnome-extra, kde-meta or similar.

    As root, run:

    cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
    rankmirrors -n 6 /etc/pacman.d/mirrorlist.bak > /etc/pacman.d/mirrorlist

    That will test all the mirrors and grab the six fastest from your location. It takes a while to complete,
    so go grab a cup of java.

    Upon your return, you'll be ready to put pacman to serious work, as it was intended: Crazy Fast!

    Cheers, and now it is time to Go Rock Your Arch!

    HardenedArray

    __________________________


    Multi-OS-Booting Notes:

    I UEFI boot and run more than five operating systems from my SSD.
  13. HardenedArray revised this gist Feb 20, 2020. No changes.
  14. HardenedArray revised this gist Feb 20, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -161,7 +161,7 @@ nano /etc/pacman.d/mirrorlist
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
    pacstrap /mnt base base-devel grub efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
    dhcpcd netctl lvm2 linux-firmware

    # Create and review FSTAB
  15. HardenedArray revised this gist Nov 15, 2019. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -156,8 +156,8 @@ nano /etc/pacman.d/mirrorlist
    # We will be addressing those issues in our pacstrap command below.

    # This installation command provides a decent set of basic system programs which will also support WiFi through
    # netctl's `wifi-menu` when initially booting into your Arch system. Having WiFi following is particularly critical
    # for anyone running a modern ultrabook, as most are only equipped with WiFi access to the Net. Recommended, yet
    # netctl's `wifi-menu` after initially booting into your Arch system. Having WiFi following installation is particularly
    # critical for anyone running a modern ultrabook, as most are equipped with WiFi-only access to the Net. Recommended, yet
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

  16. HardenedArray revised this gist Nov 15, 2019. 1 changed file with 6 additions and 4 deletions.
    10 changes: 6 additions & 4 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -155,12 +155,14 @@ nano /etc/pacman.d/mirrorlist
    # The new base-metapackage does not contain a kernel nor an editor and several other important packages.
    # We will be addressing those issues in our pacstrap command below.

    # This installation command provides a decent set of basic system programs which will also support WiFi when initially
    # booting into your Arch system. Recommended, yet optional: make and enjoy some fresh java while the following
    # command completes. Once completed, you'll only be a few minutes away from putting your new system to serious work!
    # This installation command provides a decent set of basic system programs which will also support WiFi through
    # netctl's `wifi-menu` when initially booting into your Arch system. Having WiFi following is particularly critical
    # for anyone running a modern ultrabook, as most are only equipped with WiFi access to the Net. Recommended, yet
    # optional: make and enjoy some fresh java while the following command completes. Once completed, you'll only
    # be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
    dhcpcd linux-firmware
    dhcpcd netctl lvm2 linux-firmware

    # Create and review FSTAB

  17. HardenedArray revised this gist Nov 14, 2019. No changes.
  18. HardenedArray revised this gist Nov 14, 2019. 1 changed file with 6 additions and 3 deletions.
    9 changes: 6 additions & 3 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -32,14 +32,17 @@ https://gist.github.com/HardenedArray/d5b70681eca1d4e7cfb88df32cc4c7e6
    # Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature.
    # Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example:

    $ gpg --verify archlinux-2017.01.01-dual.iso.sig
    gpg: assuming signed data in 'archlinux-2017.01.01-dual.iso'
    gpg: Signature made Sun 01 Jan 2017 04:06:24 PM UTC
    $ gpg -v archlinux-2019.11.01-x86_64.iso.sig
    gpg: WARNING: no command supplied. Trying to guess what you mean ...
    gpg: assuming signed data in 'archlinux-2019.11.01-x86_64.iso'
    gpg: Signature made Fri Nov 1 16:34:35 2019 UTC
    gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
    gpg: using pgp trust model
    gpg: Good signature from "Pierre Schmitz <[email protected]>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the owner.
    Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
    gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048

    # Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:
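
    Review bot: the example now runs `gpg -v` on the .sig file with no command, and the captured output says so itself (`WARNING: no command supplied. Trying to guess what you mean ...`), while the comment above still tells the reader to use `gpg --verify`. Make the example `gpg --verify archlinux-2019.11.01-x86_64.iso.sig` and add `-v` only if the extra lines are wanted. The output also marks the key `[unknown]` and not certified, so the guide should tell the reader to compare the printed primary key fingerprint against one obtained from a source they trust before relying on `Good signature`.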

  19. HardenedArray revised this gist Nov 14, 2019. 1 changed file with 8 additions and 1 deletion.
    9 changes: 8 additions & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -146,11 +146,18 @@ nano /etc/pacman.d/mirrorlist

    # Install your Arch system

    # If you read the contents of https://www.archlinux.org/ you would know the Arch developers made significant
    # changes to the 'base' package in October 2019.

    # The new base-metapackage does not contain a kernel nor an editor and several other important packages.
    # We will be addressing those issues in our pacstrap command below.

    # This installation command provides a decent set of basic system programs which will also support WiFi when initially
    # booting into your Arch system. Recommended, yet optional: make and enjoy some fresh java while the following
    # command completes. Once completed, you'll only be a few minutes away from putting your new system to serious work!

    pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant
    pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr dialog wpa_supplicant linux linux-headers dkms nano
    dhcpcd linux-firmware

    # Create and review FSTAB

  20. HardenedArray revised this gist Jul 12, 2019. 1 changed file with 2 additions and 1 deletion.
    3 changes: 2 additions & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -234,7 +234,8 @@ GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillar
    # GRUB_ENABLE_CRYPTODISK=y

    # Note that you do NOT need to enable that cryptodisk statement to boot your LUKS encrypted / and swap ArchLinux system,
    # assuming you are **NOT** trying to decrypt an encrypted /boot. If you want to encrypt /boot, continue reading.
    # assuming you are **NOT** trying to decrypt an encrypted /boot. If you want to encrypt /boot, read my encrypted boot
    # installation guide, which requires an entirely different, and incompatiable, installation procedure.

    # Generate Your Final Grub Configuration:
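
    Review bot: `incompatiable` in the added comment line should be `incompatible`. The new sentence also points to "my encrypted boot installation guide" without a URL; put the link on the following comment line so it can be opened from the install environment.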

  21. HardenedArray revised this gist Jul 12, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -43,7 +43,7 @@ Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC

    # Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:

    dd bs=4M if=archlinux-***.iso of=/dev/sdX status=progress oflag=sync
    dd bs=4M if=archlinux-*.iso of=/dev/sdX status=progress oflag=sync

    # If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode.
    # Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
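
    Review bot: `if=archlinux-*.iso` is not expanded by a default bash shell, because the glob pattern is the whole word including `if=` and no file name starts with that; dd receives the literal `archlinux-*.iso` and fails to open it. Say that the reader must type the full name of the image they verified, and since `of=/dev/sdX` overwrites the target without asking, add a line telling them to confirm the device with `lsblk` first.
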
  22. HardenedArray revised this gist Jul 12, 2019. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -43,7 +43,7 @@ Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC

    # Burn the archlinux-*.iso to a 1+ Gb USB stick. On linux, do something like:

    dd if=archlinux-*.iso of=/dev/sdX bs=16M && sync
    dd bs=4M if=archlinux-***.iso of=/dev/sdX status=progress oflag=sync

    # If running Windows, use Rufus to burn the archlinux-*.iso to your USB stick in DD mode.
    # Also, if you are running BitLocker to encrypt your Windows system, read my BitLocker notes below, before proceeding.
  23. HardenedArray revised this gist Apr 21, 2019. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -6,12 +6,12 @@
    # also CANNOT be subsequently converted to support an encrypted /boot!!! A CLEAN INSTALL will be required!

    # Therefore, if you want to have an encrypted /boot or will want an encrypted /boot system at some point in the future,
    # follow my encrypted /boot installation guide here:
    # please ONLY follow my encrypted /boot installation guide, which lives here:

    https://gist.github.com/HardenedArray/ee3041c04165926fca02deca675effe1

    # My encrypted /boot guide varies in several different, critically important ways from the encrypted root and swap
    # installation process I have outlined below.
    # My encrypted /boot guide varies in several different, critically important, ways from the correct and secure encrypted
    # root / and swap installation process I have outlined below.

    # Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.

    @@ -59,7 +59,7 @@ wifi-menu

    # It is possible to access this guide from within your Arch installation environment using the built-in elinks text browser.
    # For those interested, open a new terminal at tty2 using ctrl-alt-f2, then use elinks to search for 'HardenedArray Gists'
    # which should return the URL of my Arch installation guide:
    # which should return the URL of my Arch installation guides:

    https://gist.github.com/HardenedArray/31915e3d73a4ae45adc0efa9ba458b07

  24. HardenedArray revised this gist Apr 21, 2019. 1 changed file with 4 additions and 4 deletions.
    8 changes: 4 additions & 4 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -2,16 +2,16 @@

    # OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.

    # Note this encrypted installation method, while perfectly corrent and highly secure, CANNOT support encrypted /boot and
    # Note this encrypted installation method, while perfectly correct and highly secure, CANNOT support encrypted /boot and
    # also CANNOT be subsequently converted to support an encrypted /boot!!! A CLEAN INSTALL will be required!

    # Therefore, if you want to have an encrypted /boot or will want an encryted /boot system at some point in the future,
    # Therefore, if you want to have an encrypted /boot or will want an encrypted /boot system at some point in the future,
    # follow my encrypted /boot installation guide here:

    https://gist.github.com/HardenedArray/ee3041c04165926fca02deca675effe1

    # My encrypted /boot guide varies in several different, highly ways from the encrypted root and swap installation process
    # I have outlined below.
    # My encrypted /boot guide varies in several different, critically important ways from the encrypted root and swap
    # installation process I have outlined below.

    # Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.

  25. HardenedArray revised this gist Apr 21, 2019. 1 changed file with 12 additions and 2 deletions.
    14 changes: 12 additions & 2 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -1,7 +1,17 @@


    # OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI. Optionally, we will also encrypt
    /boot and then decrypt and mount our entire encrypted system using a single LUKS passphrase entry.
    # OBJECTIVE: Install Arch Linux with encrypted root and swap filesystems and boot from UEFI.

    # Note this encrypted installation method, while perfectly corrent and highly secure, CANNOT support encrypted /boot and
    # also CANNOT be subsequently converted to support an encrypted /boot!!! A CLEAN INSTALL will be required!

    # Therefore, if you want to have an encrypted /boot or will want an encryted /boot system at some point in the future,
    # follow my encrypted /boot installation guide here:

    https://gist.github.com/HardenedArray/ee3041c04165926fca02deca675effe1

    # My encrypted /boot guide varies in several different, highly ways from the encrypted root and swap installation process
    # I have outlined below.

    # Note: This method supports both dedicated Arch installs and those who wish to install Arch on a multi-OS-UEFI booting system.

  26. HardenedArray revised this gist Apr 21, 2019. 1 changed file with 0 additions and 94 deletions.
    94 changes: 0 additions & 94 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -230,100 +230,6 @@ GRUB_CMDLINE_LINUX="cryptdevice=/dev/sdXZ:2016-Global-OpSec-Champion-LyingHillar

    grub-mkconfig -o /boot/grub/grub.cfg

    # If you are not interested in encrypted /boot, you are almost done! Skip down to: # Exit Your New Arch System, below.

    ++++++++++++++++++++++++++++++++++

    **OPTIONAL** Encrypted /boot Configuration and Installation

    # Booting from an encrypted /boot is entirely optional, but, if you expect to maintain data privacy, unlike having (almost)
    # mandatory encrypted / and swap, booting from an encrypted /boot provides an extra layer of security for the truly paranoid!

    # I spent a great deal of time discussing this topic with a very intelligent Arch developer. I will hide you from the
    # enormous complexity underlying how grub's code actually achieves this seamless dual encrypted booting and mounting
    # outcome, but this encrypted /boot sub-procedure is known to work!

    # Setting up an encrypted /boot requires further configuration.

    # ASSUMING you have followed **ALL** of the above installation steps, now do:

    nano /etc/default/grub

    # and enable, by uncommenting:

    GRUB_ENABLE_CRYPTODISK=y

    # then:

    nano /etc/mkinitcpio.conf

    # Make certain your FILES statement matches this:

    FILES=(/crypto_keyfile.bin)

    # Ensure that /boot and /boot/efi and / are all mounted with:

    df -h

    # then ensure your 'pwd' is at / with:

    cd /

    # Now run these four commands in succession:

    dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin
    chmod 000 /crypto_keyfile.bin
    chmod 600 /boot/initramfs-linux*
    cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

    # Obviously, adjusting /dev/sdX# to your current root partition on your physical HDD/SSD.

    # When prompted for your passphrase with 'luksAddKey' be certain to enter ONLY your current LUKS passphrase,

    # This will add your (second) new LUKS random key, now protecting /boot, to Key Slot #1.

    # Verify your new key has been correctly added with something like:

    cryptsetup luksDump /dev/sda23

    # Now run to verify the partition where /boot is mounted on your physical drive:

    df -h

    # Then run and record the EXACT UUID of your Arch /boot partition:

    ls -l /dev/disk/by-uuid

    # Now run:

    nano /etc/crypttab

    # Add a new line in precisely this format:

    encryptedBOOT UUID=YourArch/bootUUIDgoeshere none luks,timeout=180

    # Of course, alternatively, it is trivial to point /etc/crypttab at a REQUIRED_TO_BE_PRESENT_AT_BOOT external USB stick, etc.
    # I will leave that part up to you to figure out.

    # Now run:

    mkinitcpio -p linux

    # then, re-install grub, and YES, I DO MEAN, a second time:

    grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux --modules="part_gpt part_msdos"

    # and finally:

    grub-mkconfig -o /boot/grub/grub.cfg

    # FINISHED! Now you are completely re-synced with the non-encrypted /boot installers. Merely exit and umount, as below!

    # Enjoy the decryption magic upon your next, and all subsequent, reboots! Bad Actors will be most uphappy, as if I cared!

    ++++++++++++++++++++++++++++++++++


    # Exit Your New Arch System

    exit
  27. HardenedArray revised this gist Feb 21, 2019. 1 changed file with 5 additions and 5 deletions.
    10 changes: 5 additions & 5 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -276,7 +276,7 @@ chmod 000 /crypto_keyfile.bin
    chmod 600 /boot/initramfs-linux*
    cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

    # Obviously, adjusting /dev/sdaX# to your current root partition on your physical HDD/SSD.
    # Obviously, adjusting /dev/sdX# to your current root partition on your physical HDD/SSD.

    # When prompted for your passphrase with 'luksAddKey' be certain to enter ONLY your current LUKS passphrase,

    @@ -539,15 +539,15 @@ pacman -S plasma-meta # This large package set will also provide us with sddm,

    systemctl enable sddm

    systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.

    pacman -S kde-applications-meta

    pacman -S xdg-user-dirs

    systemctl enable NetworkManager # After your next reboot you will have full, correct, networking support from boot.

    # If you want full (English) spelling support for all of your applications, do:
    # If you want full (US English) spelling support for all of your applications, do:

    pacman -S hunspell-en hyphen-en libmythes mythes-en aspell-en
    pacman -S hunspell-en_US hyphen-en libmythes mythes-en aspell-en

    # Everyone has their own font preferences, but I agree with Arch's initial ttf-font recommendations because they look great!:

  28. HardenedArray revised this gist Nov 24, 2018. 1 changed file with 5 additions and 3 deletions.
    8 changes: 5 additions & 3 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -286,11 +286,13 @@ cryptsetup luksAddKey /dev/sdX# /crypto_keyfile.bin

    cryptsetup luksDump /dev/sda23

    # Now run:
    # Now run to verify the partition where /boot is mounted on your physical drive:

    df -h

    lsblk -f
    # Then run and record the EXACT UUID of your Arch /boot partition:

    # Verify the partition where /boot is mounted on your physical drive and record the EXACT UUID of your Arch /boot partition.
    ls -l /dev/disk/by-uuid

    # Now run:
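
    Review bot: replacing `lsblk -f` with `df -h` plus `ls -l /dev/disk/by-uuid` makes the reader match a mount point from one listing against a symlink target in another, which is an easy place to record the wrong UUID. `lsblk -f` printed the UUID and mount point on the same row; keep it, or run `blkid` on the /boot partition. The unchanged `cryptsetup luksDump /dev/sda23` line also hard-codes a device where the luksAddKey line uses the `/dev/sdX#` placeholder.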

  29. HardenedArray revised this gist Nov 24, 2018. 1 changed file with 3 additions and 9 deletions.
    12 changes: 3 additions & 9 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -290,19 +290,13 @@ cryptsetup luksDump /dev/sda23

    lsblk -f

    # and verify the partition where /boot is mounted on your physical drive
    # Verify the partition where /boot is mounted on your physical drive and record the EXACT UUID of your Arch /boot partition.

    # now run:

    ls -al /dev/disk/by-uuid

    # and obtain the EXACT UUID of your Arch /boot partition

    # then:
    # Now run:

    nano /etc/crypttab

    # add a new line in precisely this format:
    # Add a new line in precisely this format:

    encryptedBOOT UUID=YourArch/bootUUIDgoeshere none luks,timeout=180

  30. HardenedArray revised this gist Nov 23, 2018. 1 changed file with 6 additions and 0 deletions.
    6 changes: 6 additions & 0 deletions Efficient Encrypted UEFI-Booting Arch Installation
    Original file line number Diff line number Diff line change
    @@ -290,6 +290,12 @@ cryptsetup luksDump /dev/sda23

    lsblk -f

    # and verify the partition where /boot is mounted on your physical drive

    # now run:

    ls -al /dev/disk/by-uuid

    # and obtain the EXACT UUID of your Arch /boot partition

    # then: