In this post I describe the steps I follow in order to install Arch Linux with disk encryption and TPM2.
This is basically a howto/notes for myself.
After booting from the USB installation drive, these are the first steps:
Setting up Networking
Connecting to internet:
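# Join the Wi-Fi network with iwd's client (shipped on the live ISO).
# YourESSID is a placeholder for the network name; it is quoted so an SSID
# containing spaces reaches iwctl as a single argument. Adjust wlan0 if the
# interface has another name.
iwctl station wlan0 scan
iwctl station wlan0 connect "$YourESSID"
# Confirm the interface obtained an address (needed for the SSH step below).
ip a
# Set a root password on the live system so that sshd accepts a login.
passwd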
Connect via SSH from another computer (so you can copy & paste commands):
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null $YOURIP -l root
Partition
Set up the EFI and root partitions:
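# Target disk: set the one that matches this machine (lsblk lists them).
#DISK=/dev/sda
#DISK=/dev/nvme0n1
# Refuse to run sgdisk against an empty device name.
: "${DISK:?set DISK to the installation target before partitioning}"
# DESTRUCTIVE: writes new partitions to $DISK.
# Partition 1: 512 MiB EFI System Partition (type ef00) named "boot".
# Partition 2: the rest of the disk, type 8304 (Linux x86-64 root), named
# "archlinux" — the Discoverable Partitions type that the later
# /dev/gpt-auto-root-luks step relies on.
sgdisk -I "$DISK" --new=0:0:+512M --change-name=0:boot --typecode=0:ef00
sgdisk -I "$DISK" --new=0:0: --change-name=0:archlinux --typecode=0:8304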
About Sector Size
https://wiki.archlinux.org/title/Advanced_Format#Advanced_Format_hard_disk_drives
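# Report the drive's sector size so the LUKS --sector-size and the ext4
# block size chosen below can match it (4096 on Advanced Format drives).
hdparm -I "$DISK" | grep 'Sector size:'             # SATA/SAS drives
nvme id-ns -H "$DISK" | grep "Relative Performance"  # NVMe: lists the LBA formats and which performs best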
Encrypting the Linux partition
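# The root partition is addressed by the GPT name given to it with sgdisk.
ROOTDEV=/dev/disk/by-partlabel/archlinux
# DESTRUCTIVE: formats the partition as LUKS2 and prompts for the passphrase.
# --key-size 256 with cryptsetup's default aes-xts-plain64 cipher is AES-128
# in XTS mode (XTS splits the key in two halves); use --key-size 512 for
# AES-256. --sector-size must match the drive's sector size found above and
# the 4096-byte ext4 block size used below.
cryptsetup luksFormat --type luks2 --key-size 256 --sector-size=4096 "$ROOTDEV"
# Unlock it as /dev/mapper/root.
cryptsetup luksOpen "$ROOTDEV" root
# Allow fstrim and performance tuning: pass discards through to the SSD and
# bypass the dm-crypt read/write work queues. --persistent stores these flags
# in the LUKS2 header so they apply on every unlock. Note that discards
# reveal which blocks of the encrypted device are unused; accepted here for
# SSD health.
cryptsetup --allow-discards --perf-no_write_workqueue --perf-no_read_workqueue --persistent refresh root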
Making filesystems and installing Linux
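# From here on ROOTDEV is the unlocked mapping, not the raw partition.
ROOTDEV=/dev/mapper/root
# 4096-byte blocks to match the LUKS sector size. The filesystem label
# "root" is what root=LABEL=root in the loader entry refers to; without a
# label that kernel option has nothing to match at boot.
mkfs -t ext4 -b 4096 -L root "$ROOTDEV"
mount --mkdir "$ROOTDEV" /mnt
# The ESP must be FAT; mounting it at /boot puts systemd-boot, the kernel
# and the initramfs on it.
mkfs -t vfat /dev/disk/by-partlabel/boot
mount --mkdir /dev/disk/by-partlabel/boot /mnt/boot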
Installing Arch
# Tune package manager: enable parallel downloads in the live system's pacman.conf
sed -i 's/^#ParallelDownloads/ParallelDownloads/' /etc/pacman.conf
# Deploy new filesystem and chroot into it; the commands that follow are
# typed inside this chroot.
base_pkgs=(
  base linux linux-firmware bash-completion
  less sudo git base-devel iwd vim man-db man-pages openssh
)
pacstrap -K /mnt "${base_pkgs[@]}"
arch-chroot /mnt
# Installation parameters: edit these before running the remaining chroot
# steps. The values are placeholders; note that anything assigned here is
# visible in the shell history of the live session.
MYHOSTNAME='mylaptop'
MYUSERNAME='myname'
ROOTPASSWORD='securerootpassword'
USERPASSWORD='secureuserpassword'
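# Setup time & locales
# printf instead of echo: the value is never parsed for options or escapes.
printf '%s\n' "$MYHOSTNAME" > /etc/hostname
hwclock --systohc
# Append the locale to generate (edit for another locale), then build it.
printf '%s\n' 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
locale-gen
# locale-gen only builds the locale; the system default must be set too.
printf 'LANG=%s\n' 'en_US.UTF-8' > /etc/locale.conf
# Region/City is a placeholder — pick an entry from /usr/share/zoneinfo.
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime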
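# Create users
# chpasswd reads "user:password" on stdin, so the passwords never appear in
# a process's argv.
chpasswd <<< "root:$ROOTPASSWORD"
useradd -m "$MYUSERNAME"
chpasswd <<< "$MYUSERNAME:$USERPASSWORD"
# Grant sudo through a drop-in (a password is still required). The file
# name must not contain a '.' or end in '~' or sudo ignores it, and 0440
# matches the permissions visudo creates.
printf '%s ALL=(ALL) ALL\n' "$MYUSERNAME" > "/etc/sudoers.d/$MYUSERNAME"
chmod 0440 "/etc/sudoers.d/$MYUSERNAME"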
# Enable Services: Wi-Fi daemon, network configuration and the stub DNS
# resolver start at boot.
systemctl enable iwd.service systemd-networkd.service systemd-resolved.service
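# Prepare network interfaces: DHCP on any wired (enp*) and wireless (wl*)
# interface. The heredoc delimiters are quoted because nothing in these
# files should be expanded by the shell.
cat > /etc/systemd/network/20-wired.network <<'EOF'
[Match]
Name=enp*

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
EOF
cat > /etc/systemd/network/25-wireless.network <<'EOF'
[Match]
Name=wl*

[Link]
RequiredForOnline=routable

[Network]
DHCP=yes
# Keep addresses for 3 s after the carrier drops so a short roam does not tear the configuration down.
IgnoreCarrierLoss=3s
EOF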
Set up the bootloader
bootctl install
Generating the initrd
Edit /etc/mkinitcpio.conf so that the HOOKS line reads: HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
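# Install the CPU microcode package first (amd-ucode on AMD systems) so the
# "microcode" hook can embed it when the initramfs is generated below.
# Plain -S: the package database is already current from pacstrap, and a
# refresh without -u inside the chroot invites a partial upgrade later.
pacman -S intel-ucode
# Build the initramfs for every preset in /etc/mkinitcpio.d (default and fallback).
mkinitcpio --allpresets
# Configure systemd-boot: one entry under /boot/loader/entries.
# root=LABEL=root needs the ext4 label given at mkfs time.
# With the microcode hook in HOOKS the separate initrd /intel-ucode.img line
# is believed to be redundant (the hook embeds the microcode) but harmless.
# audit=0 and mitigations=off are a performance trade-off: mitigations=off
# disables the kernel's CPU side-channel (Spectre/Meltdown class)
# mitigations and audit=0 turns off the audit subsystem; drop both on a
# machine that runs untrusted code.
# NOTE(review): no rw option and no fstab is written in these notes — confirm
# the root filesystem is remounted read-write at boot.
cat > /boot/loader/entries/arch.conf <<'EOF'
title Arch Linux
linux /vmlinuz-linux
#initrd /amd-ucode.img
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=LABEL=root rootfstype=ext4 quiet audit=0 mitigations=off threadirqs
EOF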
Reboot
Enrolling a TPM key
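# Install the TPM tools (this pulls in the tpm2-tss library systemd-cryptenroll uses)
pacman -S tpm2-tools
# List the TPM2 devices systemd can see and the kernel driver behind each.
systemd-cryptenroll --tpm2-device=list
# Generate a key in the TPM2 and add it to a key slot in the LUKS device.
# /dev/gpt-auto-root-luks is the symlink systemd creates for the 8304 root
# partition; --wipe-slot=tpm2 removes any earlier TPM2 enrollment first.
# PCRs 1+7 bind the key to the firmware configuration and the Secure Boot
# policy: the disk then unlocks without a passphrase on this machine while
# those measurements are unchanged, so anyone who can power the laptop on
# reaches the login prompt and the account passwords are the remaining
# barrier. Add --tpm2-with-pin=yes to also require a PIN at boot.
systemd-cryptenroll --tpm2-device=auto /dev/gpt-auto-root-luks --wipe-slot=tpm2 --tpm2-pcrs="1+7"
# Generate a recovery key (not mandatory but strongly recommended). It is
# shown once — keep it offline; it is the way in after a firmware update
# changes the PCR values.
systemd-cryptenroll --recovery-key /dev/gpt-auto-root-luks
# NOTE(review): if tpm2-tss was not yet installed when mkinitcpio ran,
# regenerate the initramfs (mkinitcpio -P) so the sd-encrypt hook can
# include the TPM2 libraries — confirm against the hook's install script.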