Scripts for an encrypted Arch system

piazzai/archluks

archluks

These are my scripts for an encrypted Arch installation on a 64-bit UEFI system. The scripts take a target NVMe drive, wipe it, and partition it into an EFI boot partition and a LUKS-encrypted physical root. The physical root is further divided into two logical volumes, swap and (logical) root. The OS is installed on the logical root, and the encryption key set during installation is required to boot into it.

The scripts require you to specify a target drive, your CPU make (either Intel or AMD), and the desired size of the EFI and swap partitions. All remaining space on the drive is allocated to the filesystem. You are also given the option to securely erase all data from the drive by overwriting it with pseudorandom numbers. Depending on the size of the device this can be time-consuming (about 12 hours for 2 TB), but it is cryptographically safer, because old data could otherwise be recoverable.

Please be aware that partitioning the drive, even without secure erasure, can result in the irrevocable loss of existing data. Make sure you target the right drive and understand what the scripts are doing. I decline responsibility for any unintended loss caused by these scripts.

During installation, you are also required to specify your timezone, locale, hostname, and the credentials of a sudo user account. The Arch installation will be a pure command-line environment with the packages base, base-devel, intel-ucode or amd-ucode (depending on CPU make), linux, linux-firmware, lvm2, networkmanager, sudo, and their dependencies. Everything else can be added afterward.

Usage

Before installing, you should read the official installation guide and prepare a bootable installation medium, such as a USB drive flashed with a verified Arch ISO image.

After booting from the medium, connect to a network to download the install script. A wired connection should work automatically; otherwise, you can connect to a Wi-Fi network using iwctl.

iwctl station wlan0 connect '<your-wifi>'

You can test your connection with ping -c3 archlinux.org. If it works, download the script and run it.

curl -fsSLO https://github.com/piazzai/archluks/raw/refs/heads/master/install.sh
bash install.sh

You will be prompted for input and encryption keys. When execution terminates, chroot into the logical volume to download and run the next script.

arch-chroot /mnt
curl -fsSLO https://github.com/piazzai/archluks/raw/refs/heads/master/chroot.sh
bash chroot.sh

When it terminates, you can delete the script, exit, unmount, and reboot into the OS.

rm chroot.sh
exit
umount -R /mnt
reboot

Once in the OS, you can access the wireless network through nmcli.

sudo systemctl start NetworkManager
nmcli device wifi connect '<your-wifi>' --ask

You can now use pacman to install anything else you want. The post-install.sh script installs additional software based on my needs. This is unlikely to be what you want, but it can be a helpful reference.
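
After the first boot, the layout described at the top of this README (an unencrypted EFI partition plus a LUKS container holding the swap and root logical volumes) can be audited from lsblk output. The following is an added example, not part of the archluks scripts; the device names in the sample and the /boot mount point of the EFI partition are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not part of archluks): list mounted block devices that are
# NOT stacked on a LUKS mapping. Expected input is the output of
#   lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT

# Constructed sample of the described layout; device names and the /boot
# mount point of the EFI partition are assumptions.
sample_layout() {
  cat <<'EOF'
KNAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot"
KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p2" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
EOF
}

# Reads lsblk pairs on stdin. $1 = mount point of the EFI partition, the only
# one allowed to be unencrypted. Prints offending mount points, returns 1 if any.
unencrypted_mounts() {
  awk -v efi="${1:-/boot}" '
    {
      split($0, f, "\"")            # values sit between the double quotes
      k = f[2]; parent[k] = f[4]; type[k] = f[6]; mnt[k] = f[8]
    }
    END {
      bad = 0
      for (k in mnt) {
        if (mnt[k] == "" || mnt[k] == efi) continue
        enc = 0
        # walk up the parent chain looking for a dm-crypt device
        for (d = k; d != ""; d = parent[d])
          if (type[d] == "crypt") { enc = 1; break }
        if (!enc) { print mnt[k]; bad = 1 }
      }
      exit bad
    }'
}

# Demo on the constructed sample; on the installed system pipe real lsblk output.
if sample_layout | unencrypted_mounts /boot; then
  echo "sample: swap and root are both inside the LUKS container"
fi
```

On the installed system, run `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts /boot`; any mount point it prints is backed by storage outside the LUKS container.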