Install Arch Linux with full disk encryption (including /boot) and UEFI.
# Desired layout:
# +---------------+----------------+----------------+----------------+
# |ESP partition: |Boot partition: |Volume 1:       |Volume 2:       |
# |               |                |                |                |
# |/boot/efi      |/boot           |root            |swap            |
# |               |                |                |                |
# |               |                |/dev/vg0/root   |/dev/vg0/swap   |
# |/dev/sda1      |/dev/sda2       +----------------+----------------+
# |unencrypted    |LUKS encrypted  |/dev/sda3 encrypted LVM on LUKS  |
# +---------------+----------------+---------------------------------+
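# Step-by-step walkthrough for installing Arch Linux with full disk encryption
# (/boot included) on a UEFI machine. It is meant to be run interactively from
# the archiso live system, not executed as one script: several commands prompt
# for input (passphrases, editors, pacman) and the "exit" below leaves the
# arch-chroot. Adjust /dev/sda, /dev/sdX, the swap size, the timezone and the
# user name to your machine before running anything.

# Download the archiso image from https://www.archlinux.org/
# Verify the image before writing it: compare the SHA256 digest with the one
# published on the download page and check the detached GPG signature.
# A bare md5/sha1 sum only detects a corrupt download; the signature proves the
# image was actually produced by the Arch release key.
sha256sum archlinux.iso
gpg --keyserver-options auto-key-retrieve --verify archlinux-<VERSION>-x86_64.iso.sig archlinux.iso
# Copy to a usb-drive (/dev/sdX is the whole USB device, not a partition)
dd if=archlinux.iso of=/dev/sdX bs=16M && sync
# Insert this flash-drive into PC and boot this image
# Securely wipe drive according this article
# https://wiki.archlinux.org/index.php/Dm-crypt/Drive_preparation
# Connect to Wi-Fi, skip this if you have wired connection
wifi-menu
# Test Internet connection (-c so the check terminates on its own)
ping -c 3 google.com
# Enable network time synchronization
timedatectl set-ntp true
# Check it
timedatectl status
# Create partitions
gdisk /dev/sda
# Use "o" to create GPT table
# "n" to create partitions:
#   Number  Start (sector)  End (sector)  Size       Code  Name
#   1       2048            1050623       512.0 MiB  EF00  EFI System
#   2       1050624         1460223       200.0 MiB  8300  Linux filesystem
#   3       1460224         1679181823    800.0 GiB  8E00  Linux LVM
# "w" to write changes
# "q" to quit
# Make filesystem for EFI
mkfs.fat -F32 /dev/sda1
# Create crypted /boot container (prompts for a passphrase; this one is typed
# by GRUB at every boot)
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptboot
mkfs.ext2 /dev/mapper/cryptboot
# Create crypted LVM with /root and swap
cryptsetup luksFormat /dev/sda3
cryptsetup open /dev/sda3 cryptlvm
pvcreate /dev/mapper/cryptlvm
vgcreate vg0 /dev/mapper/cryptlvm
# 16G swap is sized for hibernation (see the resume= parameter further down);
# change it to suit your RAM
lvcreate -L 16G vg0 -n swap
lvcreate -l 100%FREE vg0 -n root
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount
swapon /dev/mapper/vg0-swap
mount /dev/mapper/vg0-root /mnt
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi
# Check
lsblk
# You will have something like this:
#
#   NAME              MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
#   loop0               7:0    0 347.9M  1 loop  /run/archiso/sfs/airootfs
#   sdb                 8:32   1   3.8G  0 disk
#   ├─sdb2              8:34   1    40M  0 part
#   └─sdb1              8:33   1   797M  0 part  /run/archiso/bootmnt
#   sda                 8:0    0 931.5G  0 disk
#   ├─sda2              8:2    0   200M  0 part
#   │ └─cryptboot     254:0    0   198M  0 crypt /mnt/boot
#   ├─sda3              8:3    0   800G  0 part
#   │ └─cryptlvm      254:1    0   800G  0 crypt
#   │   ├─vg0-swap    254:2    0    16G  0 lvm   [SWAP]
#   │   └─vg0-root    254:3    0   784G  0 lvm   /mnt
#   └─sda1              8:1    0   512M  0 part  /mnt/boot/efi
# Install system
pacstrap /mnt base base-devel grub-efi-x86_64 vim git efibootmgr dialog wpa_supplicant
# Generate fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Chroot into our newly installed system
arch-chroot /mnt
# Set timezone, hostname...
ln -sf /usr/share/zoneinfo/Europe/Minsk /etc/localtime
hwclock --systohc --utc
echo archlinux > /etc/hostname
# Configure locales
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo LANG=en_US.UTF-8 >> /etc/locale.conf
# Set root password
passwd
# Open this file
vim /etc/mkinitcpio.conf
# and replace HOOKS="..." with HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems keyboard fsck"
# use "i" key to edit (insert something), ESC and ":wq" to write changes and quit
# Regenerate initrd image
mkinitcpio -p linux
# If you got warnings about missing firmware for wd719x and aic94xx, you can ignore it, with high probability you don't even have this hardware
# But you can install it from AUR if you actually use it
# Change grub config
echo "GRUB_ENABLE_CRYPTODISK=y" >> /etc/default/grub
# Read the LUKS UUID into a variable first and abort if it is empty, so a
# failed blkid cannot silently produce "cryptdevice=UUID=:lvm" in the kernel
# command line (an unbootable system that is only noticed after reboot).
root_uuid=$(blkid -s UUID -o value /dev/sda3)
: "${root_uuid:?could not read the LUKS UUID of /dev/sda3}"
sed -i "s#^GRUB_CMDLINE_LINUX=.*#GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=${root_uuid}:lvm resume=/dev/mapper/vg0-swap\"#g" /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
# If you got errors "/run/lvm/lvmetad.socket: connect failed: No such file or directory", that's OK
# you can get rid of this errors with some workarounds, but this is not really necessary
# but in any case DO NOT disable lvmetad! This installation will not work without it
# Install grub
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux
# Key file so that /boot can be mounted at boot without a second password request.
# umask 077 makes the file owner-only from the moment it is created, so there is
# no window in which a key with the default 644 mode exists before chmod runs.
# The key lives on the encrypted root volume, so it is only readable once the
# root passphrase has already been entered.
(umask 077 && dd bs=512 count=8 if=/dev/urandom of=/etc/key)
chmod 400 /etc/key
cryptsetup luksAddKey /dev/sda2 /etc/key
echo "cryptboot /dev/sda2 /etc/key luks" >> /etc/crypttab
# Same thing: open LVM without password prompt. This key is embedded in the
# initramfs (FILES= below), which is why /boot must be encrypted and the
# initramfs made unreadable to other users further down.
(umask 077 && dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin)
chmod 000 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/sda3 /crypto_keyfile.bin
# Same "#" delimiter as the GRUB_CMDLINE_LINUX edit above; a backslash as the
# s/// delimiter is not portable across sed implementations.
sed -i 's#^FILES=.*#FILES="/crypto_keyfile.bin"#g' /etc/mkinitcpio.conf
mkinitcpio -p linux
chmod 600 /boot/initramfs-linux*
# Enable Intel microcode CPU updates (if you use Intel processor, of course)
pacman -S intel-ucode
grub-mkconfig -o /boot/grub/grub.cfg
# Some additional security
chmod 700 /boot
# iptables is not in the pacstrap list above, so the directory may not exist yet
[[ -d /etc/iptables ]] && chmod 700 /etc/iptables
# Create non-root user, set password
useradd -m -g users -G wheel YOUR_USER_NAME
passwd YOUR_USER_NAME
# Open file
vim /etc/sudoers
# and uncomment string %wheel ALL=(ALL) ALL
# Exit from chroot, unmount system, shutdown, extract flash stick. You made it! Now you have fully encrypted system.
exit
umount -R /mnt
swapoff -a
shutdown now
# For additional security, start PC, login in UEFI menu during boot (in most cases by pressing F2 or DEL)
# enable Secure boot option, and choose our EFI image as trusted. Path will be something like this:
# HDD0 -> EFI -> ArchLinux -> grubx64.efi
# Of course, you must protect UEFI menu with password.
# Choose DIFFERENT password from that you used for encryption, because some lazy manufacturers store this password not securely enough.
# Reboot again, login as user, use sudo for installation all other software you want: drivers, display server, desktop environment, etc...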