Intro:

I wish you all a happy and healthy new year. This post is all about installing Artix Linux (a systemd-free alternative to Arch Linux) with UEFI and “full” disk encryption (LVM on LUKS).

FDE: the term “full disk encryption” might be a bit off. My setup consists of two partitions: boot and an LVM partition/physical volume (PV). The LVM partition contains two logical volumes (LVs), root and swap, where your user and system data are stored fully encrypted; the boot partition is not encrypted. For more information check out: LVM on LUKS

The next part of this post is a combination, customized to my preferences, of:

The whole installation process, with all its outputs and dialogs, was cut down to what are in my opinion the most important points and decisions I’ve made.

Grab your 🍵 and let’s go!

Installation

create and boot from UEFI usb

I’ve used Etcher on my Windows gaming machine. Yeah, shame on me. Real Linux users would use:

dd if=artix_linux.iso of=/dev/sdc bs=1M

where if= stands for the path to artix_linux.iso and of= for the path to the USB device, e.g. /dev/sdc.

When you boot from USB you should select the right keyboard layout. In my case: de. Then boot to launch the basic Artix Linux from USB.

preparations

Also important to know: I connected my notebook to Ethernet and used DHCP to connect it to the internet. In case you only have Wi-Fi, follow these instructions: The login data provided in the console log are artix:artix.

Partitioning & Encrypting & Mounting

I’ve installed parted for partitioning my disks:

pacman -Sy parted

We will need:

  • MBR partition table on sda

and at least two partitions

  • on /dev/sda1 will be /boot
  • on /dev/sda2 will be our encrypted LVM

Show the current partition list:

parted -l

Linux Mint was installed on my system, so there are some EFI (boot, esp) and ext4 partitions, which we should delete first.

dd bs=4096 if=/dev/zero iflag=nocache of=/dev/sda oflag=direct status=progress
# stop dd with CTRL+C/CTRL+Z
sync

Now we will create the partitions

parted -s /dev/sda mklabel msdos
parted -s -a optimal /dev/sda mkpart "primary" "fat16" "0%" "1024MiB"
parted -s /dev/sda set 1 boot on
parted -s /dev/sda print
parted -s /dev/sda align-check optimal 1
parted -s -a optimal /dev/sda mkpart "primary" "ext4" "1024MiB" "100%"
parted -s /dev/sda set 2 lvm on

Awesome. Next we will encrypt the second partition with LUKS and create an LVM PV inside the LUKS container.

  • cryptsetup for LUKS (Linux Unified Key Setup) creation
  • dm-crypt (device-mapper crypt)

pacman -Sy cryptsetup dm-crypt

I’ve benchmarked my notebook for best encryption performance:

cryptsetup benchmark

For me the following parameters are best. This could be different on your system, so choose your personal best. I’VE CHANGED MY KEYBOARD LAYOUT TO US BECAUSE GRUB WILL USE IT FOR ENTERING THE DECRYPTION PASSPHRASE TOO!

loadkeys us
cryptsetup --verbose --type luks1 --cipher aes-xts-plain64 --key-size 512 --hash whirlpool --iter-time 10000 --use-random --verify-passphrase luksFormat /dev/sda2
# type YES to confirm
# enter the passphrase 2 times
loadkeys de

Now open the encrypted LUKS partition/container:

cryptsetup luksOpen /dev/sda2 lvm-system

Create the physical volume inside the LUKS container:

pvcreate /dev/mapper/lvm-system

Now we can create our volume group and the logical volumes inside it:

vgcreate lvmSystem /dev/mapper/lvm-system
lvcreate -L 16G lvmSystem -n volSwap
lvcreate -l 100%FREE lvmSystem -n volRoot

We have to format our logical volumes

mkfs.fat -n BOOT /dev/sda1
mkswap /dev/lvmSystem/volSwap

Creating the swap volume will output its UUID. Please write it down for later:

UUID=738704ce-d966-6d66-84c6-e123456a2a7

Create the root partition:

mkfs.ext4 -L volRoot /dev/lvmSystem/volRoot

Now we finally can mount:

swapon /dev/lvmSystem/volSwap
mount /dev/lvmSystem/volRoot /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

base installation

basestrap /mnt base base-devel openrc elogind-openrc
basestrap /mnt linux linux-firmware
fstabgen -U /mnt >> /mnt/etc/fstab

If you are using solid-state disks (SSDs), you may want to consider:

sed -i "s/ordered/ordered,discard/g" /mnt/etc/fstab

Read up on the advantages and disadvantages at: archlinux wiki

We can now chroot inside the base installation and modify/configure our linux

artix-chroot /mnt /bin/bash

First set/change the root password

passwd

Then install an editor and adjust the language

pacman -Sy vim
vim /etc/locale.gen

Remove the # from de_DE and en_US … UTF-8.

Now set the hostname

vim /etc/conf.d/hostname

Set your language in locale.conf and generate the locales:

echo LANG=de_DE.UTF-8 > /etc/locale.conf
export LANG=de_DE.UTF-8
locale-gen

Edit the mkinitcpio.conf

vim /etc/mkinitcpio.conf
HOOKS=(base udev autodetect modconf block encrypt keyboard keymap lvm2 resume filesystems fsck)

pacman -S lvm2 cryptsetup linux mkinitcpio
mkinitcpio -p linux
pacman -S grub

It’s time to configure the bootloader GRUB in /etc/default/grub:

GRUB_TIMEOUT=15
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

# to get the UUID of the LUKS-encrypted partition, save and quit the editor
:wq!

blkid /dev/sda2 >> /etc/default/grub

# now copy only the UUID from the appended line (/dev/sda2: UUID="xxx-yyy") into
# GRUB_CMDLINE_LINUX_DEFAULT and delete the appended line again, because
# /etc/default/grub is read as shell code; resume=UUID= takes the swap UUID noted earlier

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=xxx-yyy:lvm-system loglevel=3 quiet resume=UUID=yyy net.ifnames=0"
GRUB_ENABLE_CRYPTODISK=y

pacman -S os-prober efibootmgr
# for UEFI systems
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=grub
# the output file must be grub.cfg, not grub.conf
grub-mkconfig -o /boot/grub/grub.cfg
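
An added example (not part of the original post) of the same /etc/default/grub edit done without pasting raw blkid output into the file: it extracts the UUID, builds the kernel command line used above, and lists any line that is neither a comment nor an assignment. The function names and the sample UUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and sample values are constructed, not from the post.

# Extract the UUID from one line of blkid output. The leading space in the
# pattern keeps PARTUUID="..." from matching.
blkid_uuid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# Kernel command line in the form this post uses.
# $1 = UUID of the LUKS partition, $2 = UUID of the swap volume
build_cmdline() {
    printf 'cryptdevice=UUID=%s:lvm-system loglevel=3 quiet resume=UUID=%s net.ifnames=0' "$1" "$2"
}

# Set KEY="VALUE" in a GRUB defaults file: replace the existing line or append.
# $1 = file, $2 = key, $3 = value (must not contain |, & or backslashes)
set_grub_var() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# Print every line that is not blank, a comment or a VAR=value assignment,
# such as raw blkid output left in the file. Exit status 0 means "found some".
stray_lines() {
    grep -vE '^[[:space:]]*(#.*|[A-Za-z_][A-Za-z0-9_]*=.*)?$' "$1"
}

# Constructed stand-ins for `blkid /dev/sda2` and the UUID printed by mkswap.
sample_blkid='/dev/sda2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="abcd1234-02"'
sample_swap_uuid='aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

demo() {
    f=$(mktemp)   # temporary file standing in for /etc/default/grub
    printf 'GRUB_TIMEOUT=15\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\n' > "$f"
    set_grub_var "$f" GRUB_CMDLINE_LINUX_DEFAULT \
        "$(build_cmdline "$(blkid_uuid "$sample_blkid")" "$sample_swap_uuid")"
    set_grub_var "$f" GRUB_ENABLE_CRYPTODISK y
    cat "$f"
    if stray_lines "$f"; then echo "stray lines found, fix them before grub-mkconfig"; fi
    rm -f "$f"
}
demo
```

On the installed system, `blkid -s UUID -o value /dev/sda2` prints the bare UUID, so the parsing step can be skipped there.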

add your normal user

useradd -m YOURUSERNAME
passwd YOURUSERNAME

configure network

vim /etc/hosts

pacman -S dhcpcd
pacman -S cryptsetup-openrc device-mapper-openrc lvm2-openrc

Now we can reboot:

exit   # leave the chroot first
umount -R /mnt
swapoff -a
loginctl poweroff

This Guide will be continued