Dual Booting (UEFI) Arch and Windows 10 with Encryption
Windows Installation
Manually create the EFI partition using the Windows installation media, before the partitioning step:
(Technically, you could also do this on the partitioning step and click Refresh afterwards.)
Press Shift+F10 to open the command line. Type diskpart Enter. Diskpart will take a while to launch. Type list disk Enter. A list of disks will be printed. Note the number next to yours (most likely 0). Select that disk: select disk 0 Enter. Wipe the disk and convert it to GPT: clean Enter, then convert gpt Enter (clean removes every existing partition on the selected disk, so double-check the disk number first). Create the ESP: create partition efi size=512 Enter (512 is the partition size in MiB). Exit Diskpart: exit Enter.
Arch Installation
Disk Partitioning
root@archiso ~ # timedatectl set-ntp true
root@archiso ~ # cfdisk /dev/sda
Encrypting and Configuring the ROOT
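1. Encrypt the root partition (LUKS1 is presumably chosen because GRUB itself has to unlock this volume to read /boot; check the target partition with lsblk first, since luksFormat destroys its contents)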
root@archiso ~ # lsblk
root@archiso ~ # cryptsetup luksFormat --type luks1 --use-random -S 1 -s 512 -h sha512 -i 5000 /dev/sda4
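2. Open the LUKS device (open the same partition that was formatted in step 1; this page uses both /dev/sda2 and /dev/sda4 for it, so confirm the right one with lsblk)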
root@archiso ~ # cryptsetup open /dev/sda2 cryptroot
Enter passphrase for /dev/sda4:
3. Format the root partition with btrfs and create the subvolumes
root@archiso ~ # mkfs.btrfs --force --label cryptroot /dev/mapper/cryptroot
root@archiso ~ # mount -t btrfs -o compress=lzo /dev/mapper/cryptroot /mnt
root@archiso ~ # cd /mnt
root@archiso ~ # btrfs subv create @
root@archiso ~ # btrfs subv create @home
root@archiso ~ # btrfs subv create @var
root@archiso ~ # btrfs subv create @snapshots
root@archiso ~ # cd ..
root@archiso ~ # umount /mnt
Mount the btrfs subvolumes and the boot directory
1. Mount options for btrfs
root@archiso ~ # o=defaults,x-mount.mkdir
root@archiso ~ # o_btrfs=$o,compress=lzo,ssd,noatime
2. Remount the partition with its subvolumes
root@archiso ~ # mount -o compress=lzo,subvol=@,$o_btrfs /dev/mapper/cryptroot /mnt
root@archiso ~ # mount -o compress=lzo,subvol=@home,$o_btrfs /dev/mapper/cryptroot /mnt/home
root@archiso ~ # mount -o compress=lzo,subvol=@var,$o_btrfs /dev/mapper/cryptroot /mnt/var
root@archiso ~ # mount -o compress=lzo,subvol=@snapshots,$o_btrfs /dev/mapper/cryptroot /mnt/.snapshots
root@archiso ~ # mkdir -p /mnt/boot/efi
root@archiso ~ # mount /dev/sda1 /mnt/boot/efi
Enable parallel download
root@archiso ~ # nano /etc/pacman.conf
Remove the leading `#` from the line ParallelDownloads = 5
Install base packages on the root file system
root@archiso ~ # pacstrap /mnt base base-devel btrfs-progs cryptsetup linux linux-firmware grub openssh grub-btrfs os-prober efibootmgr neovim intel-ucode networkmanager git ntfs-3g dialog mtools dosfstools
Generate fstab
root@archiso ~ # genfstab -U /mnt >> /mnt/etc/fstab
System Configuration
1. Chroot into root
root@archiso ~ # arch-chroot /mnt /bin/bash
2. Set timezone and hardware clock
[root@archiso /]# ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
[root@archiso /]# hwclock --systohc
3. Uncomment en_US.UTF-8 and generate locale
[root@archiso /]# nvim /etc/locale.gen
Remove the leading `#` from the en_US.UTF-8 line
[root@archiso /]# locale-gen
4. Set the LANG variable
[root@archiso /]# echo "LANG=en_US.UTF-8" >> /etc/locale.conf
5. Set hostname
[root@archiso /]# echo "arch" >> /etc/hostname
6. Edit /etc/hosts (nvim /etc/hosts)
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch.local arch
7. Edit /etc/vconsole.conf (nvim /etc/vconsole.conf)
KEYMAP=us
Adding a secret key file to LUKS, because otherwise the passphrase is asked for twice when unlocking the disk (once by GRUB, then again by the initramfs)
[root@archiso /]# mkdir /root/secrets && chmod 700 /root/secrets
[root@archiso /]# head -c 64 /dev/urandom > /root/secrets/crypto_keyfile.bin && chmod 600 /root/secrets/crypto_keyfile.bin
[root@archiso /]# cryptsetup -v luksAddKey -i 1 /dev/sda4 /root/secrets/crypto_keyfile.bin
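Changes in mkinitcpio and GRUB
1. Changes in mkinitcpio.conf (note: the keyboard hook below is listed after encrypt, so if the key file cannot be read, the fallback passphrase prompt in the initramfs may have no working keyboard; listing keyboard before encrypt avoids that)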
[root@archiso /]# nvim /etc/mkinitcpio.conf
BINARIES=(btrfs)
FILES=(/root/secrets/crypto_keyfile.bin)
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"
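2. Build the initramfs with the linux preset. The resulting image embeds the key file listed in FILES, so keep the generated initramfs images under /boot readable by root only (mode 600).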
[root@archiso /]# mkinitcpio -p linux
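3. Determine the UUID of the root partition (it can replace the /dev/sdX name in cryptdevice= below, e.g. cryptdevice=UUID=<luks-partition-uuid>:cryptroot, since device names can change between boots)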
[root@archiso /]# blkid
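4. Edit /etc/default/grub and add GRUB_ENABLE_CRYPTODISK=y. The cryptdevice= entry must name the LUKS partition that was formatted earlier. allow-discards passes TRIM through the encrypted mapping, which reveals which blocks are unused; leave it out if that matters to you.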
[root@archiso /]# nvim /etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot:allow-discards root=/dev/mapper/cryptroot cryptkey=rootfs:/root/secrets/crypto_keyfile.bin"
GRUB_ENABLE_CRYPTODISK=y
5. Install grub and generate configuration
[root@archiso /]# grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB
[root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg
Before Reboot
1. Set root Password
[root@archiso /]# passwd
2. Add a user and set password
[root@archiso /]# useradd -mG wheel -s /bin/bash hyper
[root@archiso /]# passwd hyper
3. Run visudo and allow members of the wheel group to use sudo
[root@archiso /]# EDITOR=nvim visudo
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
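4. Enable networking and SSH, then reboot (enabling sshd makes the machine accept remote logins from first boot; leave it out if remote access is not needed)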
[root@archiso /]# systemctl enable NetworkManager
[root@archiso /]# systemctl enable sshd
[root@archiso /]# exit
[root@archiso /]# umount -R /mnt
[root@archiso /]# reboot
Correcting Errors
If something went wrong and you need to get back in from the live image:
root@archiso ~ # cryptsetup open /dev/sda2 cryptroot
root@archiso ~ # o=defaults,x-mount.mkdir
root@archiso ~ # o_btrfs=$o,compress=lzo,ssd,noatime
root@archiso ~ # mount -o compress=lzo,subvol=@,$o_btrfs /dev/mapper/cryptroot /mnt
root@archiso ~ # mount -o compress=lzo,subvol=@home,$o_btrfs /dev/mapper/cryptroot /mnt/home
root@archiso ~ # mount -o compress=lzo,subvol=@var,$o_btrfs /dev/mapper/cryptroot /mnt/var
root@archiso ~ # mount -o compress=lzo,subvol=@snapshots,$o_btrfs /dev/mapper/cryptroot /mnt/.snapshots
root@archiso ~ # mount /dev/sda1 /mnt/boot/efi
arch-chroot /mnt /bin/bash