ljfranklin · November 16, 2021 18:38 · Mar 14, 2018 · Jan 7, 2018 · Jan 7, 2018 · Jan 7, 2018
diff --git a/arch-install.md b/arch-install.md
@@ -135,7 +135,7 @@ We'll re-enable it after we create the partitions.
    cryptsetup luksAddKey /dev/BOOT_PARTITION /etc/boot-keyfile
    # get UUID for **boot** partition (should say TYPE="crypto_LUKS")
    blkid
-   echo -e "\ncryptboot\tUUID=<device-UUID>\t/etc/boot-keyfile"
+   echo -e "\ncryptboot\tUUID=<device-UUID>\t/etc/boot-keyfile" >> /etc/crypttab
    ```
    - Note: Once the root filesystem is unlocked, the keyfile will be viewable in plain text if you have root access.
      Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Using_GPG.2C_LUKS.2C_or_OpenSSL_Encrypted_Keyfiles) for a more secure two-factor unlock method.

diff --git a/arch-install.md b/arch-install.md
@@ -153,29 +153,27 @@ We'll re-enable it after we create the partitions.
 1. Exit BIOS, boot back into Arch as non-root user
 1. Download and install `cryptboot` utility
    ```
-   wget -O cryptboot.tgz https://github.com/xmikos/cryptboot/archive/v1.1.0.tar.gz
+   # TODO: change this back after PR is merged
+   # wget -O cryptboot.tgz https://github.com/xmikos/cryptboot/archive/v1.1.0.tar.gz
+   wget -O cryptboot.tgz https://github.com/ljfranklin/cryptboot/archive/master.tar.gz
    tar xvf cryptboot.tgz
    cd ./cryptboot-*
    sudo pacman -S efitools sbsigntools
    sudo install -Dm755 cryptboot /usr/bin/cryptboot
    sudo install -Dm755 cryptboot-efikeys /usr/bin/cryptboot-efikeys
+   sudo install -Dm755 cryptboot-grub-warning /etc/cryptboot-grub-warning
    sudo install -Dm644 cryptboot.conf /etc/cryptboot.conf
    ```
-1. Add `grub` to pacman upgrade ignore list:
-   ```
-   sudo vi /etc/pacman.conf
-   # Add "grub" to "IgnorePkg" list
-   ```
-   **Important!!!**: Going forward use `cryptboot upgrade-grub` rather than `grub-install`.
-   To upgrade `grub`, run `pacman -U grub && cryptboot upgrade-grub`.
-   Failure to run `cryptboot` to re-sign your grub files will cause subsequent boots to fail.
 1. Generate and install new UEFI Secure Boot keys:
    ```
    sudo su root
    cryptboot-efikeys create # enter any cosmetic ID when prompted for Common Name
    cryptboot-efikeys enroll
    cryptboot update-grub
+   ln -s /etc/cryptboot-grub-warning /usr/local/bin/grub-install
    ```
+   **Important!!!**: Going forward use `cryptboot update-grub` rather than `grub-install`.
+   Failure to run `cryptboot` to re-sign your bootloader will cause subsequent Secure Boots to fail.
 1. `reboot`, login, and verify Secure Boot is shown as "enabled":
    ```
    bootctl status 2> /dev/null | grep "Secure Boot"

diff --git a/arch-install.md b/arch-install.md
@@ -180,4 +180,10 @@ We'll re-enable it after we create the partitions.
    ```
    bootctl status 2> /dev/null | grep "Secure Boot"
    ```
-1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
+1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
+
+
+## TODO
+
+- Add instructions about reformatting root partition, but keeping boot partitions
+- How much of this can be scripted?
diff --git a/arch-install.md b/arch-install.md
@@ -176,7 +176,7 @@ We'll re-enable it after we create the partitions.
    cryptboot-efikeys enroll
    cryptboot update-grub
    ```
-1. `reboot`, login, and verify Secure Boot is showed as "enabled":
+1. `reboot`, login, and verify Secure Boot is shown as "enabled":
    ```
    bootctl status 2> /dev/null | grep "Secure Boot"
    ```

diff --git a/arch-install.md b/arch-install.md
@@ -161,7 +161,7 @@ We'll re-enable it after we create the partitions.
    sudo install -Dm755 cryptboot-efikeys /usr/bin/cryptboot-efikeys
    sudo install -Dm644 cryptboot.conf /etc/cryptboot.conf
    ```
-1. Add `grub` to pacman upgrade ignore list ():
+1. Add `grub` to pacman upgrade ignore list:
    ```
    sudo vi /etc/pacman.conf
    # Add "grub" to "IgnorePkg" list

diff --git a/arch-install.md b/arch-install.md
@@ -72,6 +72,7 @@ We'll re-enable it after we create the partitions.
    # e.g. ln -sf /usr/share/zoneinfo/American/Los_Angeles /etc/localtime
    ```
 1. Sync time with hardware clock: `hwclock --systohc`
+1. Turn on NTP to ensure clock stays in sync: `timedatectl set-ntp true`
 1. Generate localizations:
    ```
    # uncomment 'en_US.UTF-8 UTF-8' and other other needed localizations

diff --git a/arch-install.md b/arch-install.md
@@ -175,5 +175,8 @@ We'll re-enable it after we create the partitions.
    cryptboot-efikeys enroll
    cryptboot update-grub
    ```
-1. `reboot` and verify that boot succeeds with the new signed bootloader
+1. `reboot`, login, and verify Secure Boot is showed as "enabled":
+   ```
+   bootctl status 2> /dev/null | grep "Secure Boot"
+   ```
 1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
diff --git a/arch-install.md b/arch-install.md
@@ -29,7 +29,7 @@ We'll re-enable it after we create the partitions.
 1. Identify your root disk with `fdisk -l`, often `/dev/sda` or `/dev/nvme0n1` on my laptop
 1. Optional: Delete existing partitions with `wipefs -a /dev/sdX` or [securely wipe existing data](https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)
 1. See the [Arch Wiki](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29) for a more in-depth guide to encrypting your partitions.
-1. Create ESP, Boot, and System partitions:
+1. Create EFI, Boot, and System partitions:
   ```
   parted -s /dev/ROOT_DEVICE \
     mklabel gpt \

diff --git a/arch-install.md b/arch-install.md
@@ -165,7 +165,7 @@ We'll re-enable it after we create the partitions.
    sudo vi /etc/pacman.conf
    # Add "grub" to "IgnorePkg" list
    ```
-   Important: Going forward use `cryptboot upgrade-grub` rather than `grub-install`.
+   **Important!!!**: Going forward use `cryptboot upgrade-grub` rather than `grub-install`.
    To upgrade `grub`, run `pacman -U grub && cryptboot upgrade-grub`.
    Failure to run `cryptboot` to re-sign your grub files will cause subsequent boots to fail.
 1. Generate and install new UEFI Secure Boot keys:
@@ -175,4 +175,5 @@ We'll re-enable it after we create the partitions.
    cryptboot-efikeys enroll
    cryptboot update-grub
    ```
+1. `reboot` and verify that boot succeeds with the new signed bootloader
 1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
diff --git a/arch-install.md b/arch-install.md
@@ -48,7 +48,7 @@ We'll re-enable it after we create the partitions.
 
 ## Perform initial Arch installation
 
-1. Install `base` package group: `pacstrap /mnt base`
+1. Install `base` package group: `pacstrap /mnt base base-devel`
 1. Mount the partitions:
    ```
    mount /dev/mapper/system /mnt
@@ -80,8 +80,17 @@ We'll re-enable it after we create the partitions.
    echo "LANG=en_US.UTF-8" > /etc/locale.conf
    ```
 1. Set your hostname: `echo YOUR_HOSTNAME > /etc/hostname`
-1. Install wireless utilities: `pacman -S wpa_supplicant wpa_actiond dialog`
+1. Install wireless utilities: `pacman -S wpa_supplicant wpa_actiond dialog wget`
 1. Set root password: `passwd`
+1. Create a non-root user:
+   ```
+   useradd -m -G wheel -s /bin/bash YOUR_NAME
+   passwd YOUR_NAME
+   pacman -S sudo
+
+   visudo
+   # uncomment "%wheel ALL=(ALL) ALL"
+   ```
 1. If you have an Intel CPU, enable microcode updates: `pacman -S intel-ucode`
 1. Install GRUB bootloader:
    ```
@@ -139,5 +148,31 @@ We'll re-enable it after we create the partitions.
      - Note: you or an attacker can still reset the BIOS password and boot settings by opening the case and messing with some jumpers
    1. Re-enable Secure Boot
    1. Delete all pre-loaded keys, "Settings > Secure Boot > Expert Key Management > Enable Custom Mode + Delete All Keys" on my Dell XPS
-1. TODO: set grub in the pacman ignore list
-1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
+     - We'll generate new keys in a subsequent step
+1. Exit BIOS, boot back into Arch as non-root user
+1. Download and install `cryptboot` utility
+   ```
+   wget -O cryptboot.tgz https://github.com/xmikos/cryptboot/archive/v1.1.0.tar.gz
+   tar xvf cryptboot.tgz
+   cd ./cryptboot-*
+   sudo pacman -S efitools sbsigntools
+   sudo install -Dm755 cryptboot /usr/bin/cryptboot
+   sudo install -Dm755 cryptboot-efikeys /usr/bin/cryptboot-efikeys
+   sudo install -Dm644 cryptboot.conf /etc/cryptboot.conf
+   ```
+1. Add `grub` to pacman upgrade ignore list ():
+   ```
+   sudo vi /etc/pacman.conf
+   # Add "grub" to "IgnorePkg" list
+   ```
+   Important: Going forward use `cryptboot upgrade-grub` rather than `grub-install`.
+   To upgrade `grub`, run `pacman -U grub && cryptboot upgrade-grub`.
+   Failure to run `cryptboot` to re-sign your grub files will cause subsequent boots to fail.
+1. Generate and install new UEFI Secure Boot keys:
+   ```
+   sudo su root
+   cryptboot-efikeys create # enter any cosmetic ID when prompted for Common Name
+   cryptboot-efikeys enroll
+   cryptboot update-grub
+   ```
+1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
diff --git a/arch-install.md b/arch-install.md
@@ -133,4 +133,11 @@ We'll re-enable it after we create the partitions.
 1. On boot, you should now be prompted to enter your encryption password to proceed.
 1. If successful, you should now see the GRUB menu. Select "Arch Linux" and hit enter.
 1. You should then see a login prompt. Enter `root` and the password you created in the previous `passwd` step.
+1. `reboot` again, we're going to go a step farther and encrypt our bootloader as well.
+1. Press F2 to go into BIOS setup:
+   1. Set an Admin Password so someone can't just turn Secure Boot back off without a password
+     - Note: you or an attacker can still reset the BIOS password and boot settings by opening the case and messing with some jumpers
+   1. Re-enable Secure Boot
+   1. Delete all pre-loaded keys, "Settings > Secure Boot > Expert Key Management > Enable Custom Mode + Delete All Keys" on my Dell XPS
+1. TODO: set grub in the pacman ignore list
 1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
diff --git a/arch-install.md b/arch-install.md
@@ -28,9 +28,10 @@ We'll re-enable it after we create the partitions.
    - Wait a couple seconds and run `ping archlinux.org` to verify connectivity
 1. Identify your root disk with `fdisk -l`, often `/dev/sda` or `/dev/nvme0n1` on my laptop
 1. Optional: Delete existing partitions with `wipefs -a /dev/sdX` or [securely wipe existing data](https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)
+1. See the [Arch Wiki](https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29) for a more in-depth guide to encrypting your partitions.
 1. Create ESP, Boot, and System partitions:
   ```
-  parted -s /dev/sdX \
+  parted -s /dev/ROOT_DEVICE \
     mklabel gpt \
     mkpart ESP fat32 1MiB 550MiB \
     set 1 boot on \
@@ -48,7 +49,6 @@ We'll re-enable it after we create the partitions.
 ## Perform initial Arch installation
 
 1. Install `base` package group: `pacstrap /mnt base`
-   - TODO: should any additional packages be listed here?
 1. Mount the partitions:
    ```
    mount /dev/mapper/system /mnt
@@ -82,23 +82,35 @@ We'll re-enable it after we create the partitions.
 1. Set your hostname: `echo YOUR_HOSTNAME > /etc/hostname`
 1. Install wireless utilities: `pacman -S wpa_supplicant wpa_actiond dialog`
 1. Set root password: `passwd`
-1. Add additional hooks to `/etc/mkinitcpio.conf`: `HOOKS=(... keyboard keymap encrypt lvm2)`
-1. Recreate initramfs image: `mkinitcpio -p linux`
 1. If you have an Intel CPU, enable microcode updates: `pacman -S intel-ucode`
 1. Install GRUB bootloader:
    ```
    pacman -S grub efibootmgr
    ```
-1. Configure GRUB to unlocked encrypted **root** filesystem on boot:
+1. Configure GRUB to unlock encrypted **root** filesystem on boot:
    ```
    # get UUID for **root** partition (should say TYPE="crypto_LUKS")
    blkid
    # update grub config
    vi /etc/default/grub
    # add 'cryptdevice=UUID=<device-UUID>:lvm' to the 'GRUB_CMDLINE_LINUX' option list
    # uncomment 'GRUB_ENABLE_CRYPTODISK=y'
-   ```
-   - Note: this setup prompts for a password at boot to unlock the encrypt root partition.
+
+   # create keyfile to unlock root partition on boot (avoids a second password prompt)
+   # the `/crypto_keyfile.bin` can be changed with the `cryptkey` GRUB option
+   dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin
+   chmod 000 /crypto_keyfile.bin
+   chmod 600 /boot/initramfs-linux* # ensure non-root users can't read keyfile
+   cryptsetup luksAddKey /dev/ROOT_PARTITION /crypto_keyfile.bin
+
+   vi /etc/mkinitcpio.conf
+   # Replace 'FILES=()' with 'FILES=(/crypto_keyfile.bin)'
+   # Add additional hooks to existing hooks array: 'HOOKS=(... keyboard keymap encrypt lvm2)'
+
+   # regenerate initramfs
+   mkinitcpio -p linux
+   ```
+   - Note: this setup prompts for a password at boot to unlock the encrypted root partition.
      Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Unlocking_the_root_partition_at_boot) to use a keyfile from a USB instead.
 1. Install GRUB:
    ```

diff --git a/arch-install.md b/arch-install.md
@@ -117,3 +117,8 @@ We'll re-enable it after we create the partitions.
    ```
    - Note: Once the root filesystem is unlocked, the keyfile will be viewable in plain text if you have root access.
      Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Using_GPG.2C_LUKS.2C_or_OpenSSL_Encrypted_Keyfiles) for a more secure two-factor unlock method.
+1. Exit from chroot and `reboot`. You can now remove the USB drive.
+1. On boot, you should now be prompted to enter your encryption password to proceed.
+1. If successful, you should now see the GRUB menu. Select "Arch Linux" and hit enter.
+1. You should then see a login prompt. Enter `root` and the password you created in the previous `passwd` step.
+1. Congrats! The current environment is not much to look at right now, but next we'll install a shiny graphical environment and a tiling window manager. Deeper down the Arch Linux rabbit hole we go...
diff --git a/arch-install.md b/arch-install.md
@@ -91,13 +91,15 @@ We'll re-enable it after we create the partitions.
    ```
 1. Configure GRUB to unlocked encrypted **root** filesystem on boot:
    ```
-   # get UUID for root partition (should say TYPE="crypto_LUKS")
+   # get UUID for **root** partition (should say TYPE="crypto_LUKS")
    blkid
    # update grub config
    vi /etc/default/grub
    # add 'cryptdevice=UUID=<device-UUID>:lvm' to the 'GRUB_CMDLINE_LINUX' option list
    # uncomment 'GRUB_ENABLE_CRYPTODISK=y'
    ```
+   - Note: this setup prompts for a password at boot to unlock the encrypt root partition.
+     Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Unlocking_the_root_partition_at_boot) to use a keyfile from a USB instead.
 1. Install GRUB:
    ```
    grub-mkconfig -o /boot/grub/grub.cfg
@@ -109,7 +111,9 @@ We'll re-enable it after we create the partitions.
    dd bs=512 count=4 if=/dev/urandom of=/etc/boot-keyfile
    chmod 600 /etc/boot-keyfile
    cryptsetup luksAddKey /dev/BOOT_PARTITION /etc/boot-keyfile
+   # get UUID for **boot** partition (should say TYPE="crypto_LUKS")
+   blkid
+   echo -e "\ncryptboot\tUUID=<device-UUID>\t/etc/boot-keyfile"
    ```
    - Note: Once the root filesystem is unlocked, the keyfile will be viewable in plain text if you have root access.
      Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Using_GPG.2C_LUKS.2C_or_OpenSSL_Encrypted_Keyfiles) for a more secure two-factor unlock method.
-     
diff --git a/arch-install.md b/arch-install.md
@@ -88,4 +88,28 @@ We'll re-enable it after we create the partitions.
 1. Install GRUB bootloader:
    ```
    pacman -S grub efibootmgr
-   ```
+   ```
+1. Configure GRUB to unlocked encrypted **root** filesystem on boot:
+   ```
+   # get UUID for root partition (should say TYPE="crypto_LUKS")
+   blkid
+   # update grub config
+   vi /etc/default/grub
+   # add 'cryptdevice=UUID=<device-UUID>:lvm' to the 'GRUB_CMDLINE_LINUX' option list
+   # uncomment 'GRUB_ENABLE_CRYPTODISK=y'
+   ```
+1. Install GRUB:
+   ```
+   grub-mkconfig -o /boot/grub/grub.cfg
+   grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck
+   ```
+1. Configure `crypttab` and `fstab` to unlock `/boot` and `/boot/efi` at boot:
+   ```
+   # create randomtext keyfile
+   dd bs=512 count=4 if=/dev/urandom of=/etc/boot-keyfile
+   chmod 600 /etc/boot-keyfile
+   cryptsetup luksAddKey /dev/BOOT_PARTITION /etc/boot-keyfile
+   ```
+   - Note: Once the root filesystem is unlocked, the keyfile will be viewable in plain text if you have root access.
+     Follow [these directions](https://wiki.archlinux.org/index.php/Dm-crypt/Specialties#Using_GPG.2C_LUKS.2C_or_OpenSSL_Encrypted_Keyfiles) for a more secure two-factor unlock method.
+     
diff --git a/arch-install.md b/arch-install.md
@@ -43,16 +43,49 @@ We'll re-enable it after we create the partitions.
   - You'll be prompted to enter your encryption password
 1. Format system partition: `cryptsetup open /dev/SYSTEM_PARTITION system && mkfs.ext4 /dev/mapper/system`
 1. Create encrypted container on boot partition: `cryptsetup luksFormat /dev/BOOT_PARTITION`
-1. Format boot partition: `cryptsetup open /dev/SYSTEM_PARTITION cryptboot && mkfs.ext4 /dev/mapper/cryptboot`
-1. Mount boot and EFI partitions:
-  ```
-  mkdir /mnt/boot
-  mount /dev/mapper/cryptboot /mnt/boot
-  mkdir /mnt/boot/efi
-  mount /dev/EFI_PARTITION /mnt/boot/efi
-  ```
-
+1. Format boot partition: `cryptsetup open /dev/BOOT_PARTITION cryptboot && mkfs.ext4 /dev/mapper/cryptboot`
 
 ## Perform initial Arch installation
 
-1. 
+1. Install `base` package group: `pacstrap /mnt base`
+   - TODO: should any additional packages be listed here?
+1. Mount the partitions:
+   ```
+   mount /dev/mapper/system /mnt
+   mkdir /mnt/boot
+   mount /dev/mapper/cryptboot /mnt/boot
+   mkdir /mnt/boot/efi
+   mount /dev/EFI_PARTITION /mnt/boot/efi
+   ```
+1. Create swapfile:
+   ```
+   fallocate -l 4096 /mnt/swapfile
+   chmod 600 /mnt/swapfile
+   mkswap /mnt/swapfile
+   ```
+1. Generate Filesystem table to ensure partitions are mounted at boot: `genfstab -U /mnt >> /mnt/etc/fstab`
+1. Add the swap entry: `echo -e "\n/swapfile\tnone\tswap\tdefaults\t0 0" >> /mnt/etc/fstab`
+1. Change root into `/mnt`: `arch-chroot /mnt`
+1. Set your timezone:
+   ```
+   ln -sf /usr/share/zoneinfo/REGION/CITY /etc/localtime
+   # e.g. ln -sf /usr/share/zoneinfo/American/Los_Angeles /etc/localtime
+   ```
+1. Sync time with hardware clock: `hwclock --systohc`
+1. Generate localizations:
+   ```
+   # uncomment 'en_US.UTF-8 UTF-8' and other other needed localizations
+   vi /etc/locale.gen
+   locale-gen
+   echo "LANG=en_US.UTF-8" > /etc/locale.conf
+   ```
+1. Set your hostname: `echo YOUR_HOSTNAME > /etc/hostname`
+1. Install wireless utilities: `pacman -S wpa_supplicant wpa_actiond dialog`
+1. Set root password: `passwd`
+1. Add additional hooks to `/etc/mkinitcpio.conf`: `HOOKS=(... keyboard keymap encrypt lvm2)`
+1. Recreate initramfs image: `mkinitcpio -p linux`
+1. If you have an Intel CPU, enable microcode updates: `pacman -S intel-ucode`
+1. Install GRUB bootloader:
+   ```
+   pacman -S grub efibootmgr
+   ```
diff --git a/arch-install.md b/arch-install.md
@@ -41,4 +41,18 @@ We'll re-enable it after we create the partitions.
 1. Create encrypted container on system partition: `cryptsetup luksFormat /dev/SYSTEM_PARTITION`.
   - Make sure you type `YES` not `yes`
   - You'll be prompted to enter your encryption password
-1. Create encrypted container on boot partition: `cryptsetup luksFormat /dev/BOOT_PARTITION`
+1. Format system partition: `cryptsetup open /dev/SYSTEM_PARTITION system && mkfs.ext4 /dev/mapper/system`
+1. Create encrypted container on boot partition: `cryptsetup luksFormat /dev/BOOT_PARTITION`
+1. Format boot partition: `cryptsetup open /dev/SYSTEM_PARTITION cryptboot && mkfs.ext4 /dev/mapper/cryptboot`
+1. Mount boot and EFI partitions:
+  ```
+  mkdir /mnt/boot
+  mount /dev/mapper/cryptboot /mnt/boot
+  mkdir /mnt/boot/efi
+  mount /dev/EFI_PARTITION /mnt/boot/efi
+  ```
+
+
+## Perform initial Arch installation
+
+1. 
diff --git a/arch-install.md b/arch-install.md
@@ -28,7 +28,7 @@ We'll re-enable it after we create the partitions.
    - Wait a couple seconds and run `ping archlinux.org` to verify connectivity
 1. Identify your root disk with `fdisk -l`, often `/dev/sda` or `/dev/nvme0n1` on my laptop
 1. Optional: Delete existing partitions with `wipefs -a /dev/sdX` or [securely wipe existing data](https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)
-1. Create ESP, Boot, and Primary partitions:
+1. Create ESP, Boot, and System partitions:
   ```
   parted -s /dev/sdX \
     mklabel gpt \
@@ -37,4 +37,8 @@ We'll re-enable it after we create the partitions.
     mkpart primary ext4 550MiB 806MiB \
     set 2 lvm on \
     mkpart primary ext4 806MiB 100%
-  ```
+  ```
+1. Create encrypted container on system partition: `cryptsetup luksFormat /dev/SYSTEM_PARTITION`.
+  - Make sure you type `YES` not `yes`
+  - You'll be prompted to enter your encryption password
+1. Create encrypted container on boot partition: `cryptsetup luksFormat /dev/BOOT_PARTITION`
diff --git a/arch-install.md b/arch-install.md
@@ -26,7 +26,7 @@ We'll re-enable it after we create the partitions.
    - You should now see a terminal prompt and be logged in as root
 1. Run `wifi-menu` to connect to internet
    - Wait a couple seconds and run `ping archlinux.org` to verify connectivity
-1. Identify your root disk with `fdisk -l`, usually `/dev/sda`
+1. Identify your root disk with `fdisk -l`, often `/dev/sda` or `/dev/nvme0n1` on my laptop
 1. Optional: Delete existing partitions with `wipefs -a /dev/sdX` or [securely wipe existing data](https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)
 1. Create ESP, Boot, and Primary partitions:
   ```
@@ -35,5 +35,6 @@ We'll re-enable it after we create the partitions.
     mkpart ESP fat32 1MiB 550MiB \
     set 1 boot on \
     mkpart primary ext4 550MiB 806MiB \
+    set 2 lvm on \
     mkpart primary ext4 806MiB 100%
   ```
diff --git a/arch-install.md b/arch-install.md
@@ -27,12 +27,13 @@ We'll re-enable it after we create the partitions.
 1. Run `wifi-menu` to connect to internet
    - Wait a couple seconds and run `ping archlinux.org` to verify connectivity
 1. Identify your root disk with `fdisk -l`, usually `/dev/sda`
+1. Optional: Delete existing partitions with `wipefs -a /dev/sdX` or [securely wipe existing data](https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation#dm-crypt_wipe_on_an_empty_disk_or_partition)
 1. Create ESP, Boot, and Primary partitions:
   ```
   parted -s /dev/sdX \
     mklabel gpt \
-    mkpart ESP fat32 1MiB 512MiB \
+    mkpart ESP fat32 1MiB 550MiB \
     set 1 boot on \
-    mkpart primary ext4 512MiB 768MiB \
-    mkpart primary ext4 768MiB 100%
+    mkpart primary ext4 550MiB 806MiB \
+    mkpart primary ext4 806MiB 100%
   ```
diff --git a/arch-install.md b/arch-install.md
@@ -4,10 +4,35 @@
 
 1. Download arch ISO from https://www.archlinux.org/download/
 1. Copy the ISO to the USB drive:
- - From a Linux machine: 
+   - From a Linux machine: 
     ```
     # replace sdX with usb drive listed by `fdisk -l`,
     # e.g. `/dev/sdb`, do NOT append a partition number
     sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
     ```
-  - See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
+    - See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
+
+## Disable Secure Boot temporarily
+
+To ensure we can boot off the USB, we're going to disable Secure Boot temporarily.
+We'll re-enable it after we create the partitions.
+
+1. Enter the BIOS, on my machine pressing F2 on boot.
+1. Set "Settings > Secure Boot > Secure Boot Enable" to "Disabled"
+
+## Create partitions
+
+1. Plug in USB drive, reboot, press F12 on boot and select USB drive from Boot list.
+   - You should now see a terminal prompt and be logged in as root
+1. Run `wifi-menu` to connect to internet
+   - Wait a couple seconds and run `ping archlinux.org` to verify connectivity
+1. Identify your root disk with `fdisk -l`, usually `/dev/sda`
+1. Create ESP, Boot, and Primary partitions:
+  ```
+  parted -s /dev/sdX \
+    mklabel gpt \
+    mkpart ESP fat32 1MiB 512MiB \
+    set 1 boot on \
+    mkpart primary ext4 512MiB 768MiB \
+    mkpart primary ext4 768MiB 100%
+  ```
diff --git a/arch-install.md b/arch-install.md
@@ -4,10 +4,10 @@
 
 1. Download arch ISO from https://www.archlinux.org/download/
 1. Copy the ISO to the USB drive:
-   - From a Linux machine: 
+ - From a Linux machine: 
     ```
     # replace sdX with usb drive listed by `fdisk -l`,
     # e.g. `/dev/sdb`, do NOT append a partition number
     sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
     ```
-    - See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
+  - See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
diff --git a/arch-install.md b/arch-install.md
@@ -3,10 +3,11 @@
 ## Create a bootable Arch Linux USB
 
 1. Download arch ISO from https://www.archlinux.org/download/
-1. From a Linux machine, copy the ISO to the USB drive:
+1. Copy the ISO to the USB drive:
+   - From a Linux machine: 
     ```
     # replace sdX with usb drive listed by `fdisk -l`,
     # e.g. `/dev/sdb`, do NOT append a partition number
     sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
     ```
-    1. See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
+    - See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
diff --git a/arch-install.md b/arch-install.md
@@ -9,4 +9,4 @@
     # e.g. `/dev/sdb`, do NOT append a partition number
     sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
     ```
-1. See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
+    1. See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
diff --git a/arch-install.md b/arch-install.md
@@ -3,7 +3,7 @@
 ## Create a bootable Arch Linux USB
 
 1. Download arch ISO from https://www.archlinux.org/download/
-1. From a Linux machine:
+1. From a Linux machine, copy the ISO to the USB drive:
     ```
     # replace sdX with usb drive listed by `fdisk -l`,
     # e.g. `/dev/sdb`, do NOT append a partition number

diff --git a/arch-install.md b/arch-install.md
@@ -4,10 +4,9 @@
 
 1. Download arch ISO from https://www.archlinux.org/download/
 1. From a Linux machine:
-
-  ```
-  # replace sdX with usb drive listed by `fdisk -l`,
-  # e.g. `/dev/sdb`, do NOT append a partition number
-  sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
-  ```
+    ```
+    # replace sdX with usb drive listed by `fdisk -l`,
+    # e.g. `/dev/sdb`, do NOT append a partition number
+    sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
+    ```
 1. See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
diff --git a/arch-install.md b/arch-install.md
@@ -4,6 +4,7 @@
 
 1. Download arch ISO from https://www.archlinux.org/download/
 1. From a Linux machine:
+
   ```
   # replace sdX with usb drive listed by `fdisk -l`,
   # e.g. `/dev/sdb`, do NOT append a partition number

diff --git a/arch-install.md b/arch-install.md
@@ -0,0 +1,12 @@
+# Install Arch Linux
+
+## Create a bootable Arch Linux USB
+
+1. Download arch ISO from https://www.archlinux.org/download/
+1. From a Linux machine:
+  ```
+  # replace sdX with usb drive listed by `fdisk -l`,
+  # e.g. `/dev/sdb`, do NOT append a partition number
+  sudo dd bs=4M if=/path/to/archlinux.iso of=/dev/sdX status=progress && sync
+  ```
+1. See [windows](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_Windows) or [macOS](https://wiki.archlinux.org/index.php/USB_flash_installation_media#In_macOS) instructions if you don't have access to a Linux machine.
No results found