This article is mostly a memo recording the details of the encrypted install of my Arch Linux distribution.
I’m using the systemd, sd-vconsole, sd-encrypt and sd-plymouth mkinitcpio hooks. This is important for what comes after, because the luks.uuid= kernel arguments used below are the ones read by sd-encrypt.
This is the layout of my SSD, which is identified as /dev/sda.
lsblk -o NAME,UUID
NAME UUID
sda
├─sda1 7244-DD77
├─sda2
├─sda7 f92638e9-21ba-4ee2-82d1-3bfc2ac8f6e8
├─sda8 b7c05834-a995-412f-bb0e-63069778d21a
│ └─luks-b7c05834-a995-412f-bb0e-63069778d21a cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83
└─sda9 44739df0-7605-45e1-ab30-eb2e7d4f00c8
  └─luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8 1aea47d1-1bb3-4a90-b1bc-e9354cca1417
/dev/sda1 is the EFI partition.
/dev/sda7 is a partition I created for /boot, but I’m not using it anymore. I now mount /dev/sda1 on /mnt/efi and then bind mount /mnt/efi/EFI/arch on /boot.
/dev/sda8 is a swap partition.
/dev/sda9 is the partition used for the system and my home; I use BTRFS subvolumes.

/dev/sda8 and /dev/sda9 are encrypted using LUKS.

So basically /dev/sda8 has a UUID as a device (b7c05834-a995-412f-bb0e-63069778d21a) and gets another UUID when decrypted through LUKS (cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83). The same applies to the other encrypted partition, /dev/sda9.
/dev/sda9 -(decryption makes it available as)-> /dev/dm-1 (or /dev/mapper/luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8)
/dev/sda8 -(decryption makes it available as)-> /dev/dm-0 (or /dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a)
This is configured in /etc/crypttab.

Once this is understood, it’s possible to create the kernel arguments line that is required to boot this system.
root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 rw rootflags=subvol=root luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a initrd=\EFI\arch\intel-ucode.img initrd=\EFI\arch\initramfs-linux.img
This can be split as the following units
Now I can add an entry to the UEFI boot manager using efibootmgr. I’ve added a few more arguments to pass to the kernel, but they’re not mandatory. The second command then lets us check the result.
sudo efibootmgr --disk /dev/sda --part 0 --create --gpt --label "Arch Linux" --loader /EFI/arch/vmlinuz-linux --unicode "root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 rw rootflags=subvol=root luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a intel_iommu=on initrd=\EFI\arch\intel-ucode.img initrd=\EFI\arch\initramfs-linux.img quiet splash"
sudo efibootmgr -v
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 000D,0011,0012,000E,000B,000C,0012,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F,000A
Boot0000 Startup Menu FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)....ISPH
[...]
Boot0011* Arch Linux HD(1,GPT,be65cb5c-c9ba-4aae-aaa6-ab8670046434,0x800,0xb4000)/File(\EFI\arch\vmlinuz-linux)r.o.o.t.=.U.U.I.D.=.1.a.e.a.4.7.d.1.-.1.b.b.3.-.4.a.9.0.-.b.1.b.c.-.e.9.3.5.4.c.c.a.1.4.1.7. .r.w. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.r.o.o.t. .l.u.k.s...u.u.i.d.=.4.4.7.3.9.d.f.0.-.7.6.0.5.-.4.5.e.1.-.a.b.3.0.-.e.b.2.e.7.d.4.f.0.0.c.8. .l.u.k.s...u.u.i.d.=.b.7.c.0.5.8.3.4.-.a.9.9.5.-.4.1.2.f.-.b.b.0.e.-.6.3.0.6.9.7.7.8.d.2.1.a. .r.e.s.u.m.e.=./.d.e.v./.m.a.p.p.e.r./.l.u.k.s.-.b.7.c.0.5.8.3.4.-.a.9.9.5.-.4.1.2.f.-.b.b.0.e.-.6.3.0.6.9.7.7.8.d.2.1.a. .i.n.t.e.l._.i.o.m.m.u.=.o.n. .i.n.i.t.r.d.=.\.E.F.I.\.a.r.c.h.\.i.n.t.e.l.-.u.c.o.d.e...i.m.g. .i.n.i.t.r.d.=.\.E.F.I.\.a.r.c.h.\.i.n.i.t.r.a.m.f.s.-.l.i.n.u.x...i.m.g. .q.u.i.e.t. .s.p.l.a.s.h.
After that, you should be able to boot from the entry labelled “Arch Linux” in your UEFI boot manager on the next reboot.
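Before rebooting, the UUID relationships described above can be checked mechanically: luks.uuid= must name the encrypted partitions, while root= and resume= must point inside the mappings they produce. The script below is an added example, not the author's own; the function names are hypothetical and LSBLK reproduces the lsblk values shown earlier.

```shell
#!/bin/sh
# Added example, not the author's script. LSBLK reproduces this article's
# lsblk values in the raw form printed by `lsblk -rno NAME,UUID`.
LSBLK='sda1 7244-DD77
sda2
sda7 f92638e9-21ba-4ee2-82d1-3bfc2ac8f6e8
sda8 b7c05834-a995-412f-bb0e-63069778d21a
luks-b7c05834-a995-412f-bb0e-63069778d21a cd9d2579-f4dc-4aaa-878f-d54e9ea9bb83
sda9 44739df0-7605-45e1-ab30-eb2e7d4f00c8
luks-44739df0-7605-45e1-ab30-eb2e7d4f00c8 1aea47d1-1bb3-4a90-b1bc-e9354cca1417'

# name_of UUID: print the device name that carries UUID (empty if none).
name_of() { printf '%s\n' "$LSBLK" | awk -v u="$1" '$2 == u { print $1 }'; }

# unlocked ID: succeed if ID appeared in a luks.uuid= argument.
unlocked() {
    [ -n "$1" ] || return 1
    case " $luks_ids " in *" $1 "*) return 0 ;; esac; return 1
}

# check_cmdline "ARGS": print each inconsistency; non-zero status if any.
check_cmdline() {
    luks_ids='' bad=0
    # Pass 1: every luks.uuid= must be the UUID of a partition, not of a mapping.
    for arg in $1; do
        case $arg in
            luks.uuid=*)
                id=${arg#luks.uuid=}
                luks_ids="$luks_ids $id"
                case $(name_of "$id") in
                    ''|luks-*) echo "$arg: not an encrypted partition UUID"; bad=1 ;;
                esac ;;
        esac
    done
    # Pass 2: root= and resume= must live on a mapping that pass 1 unlocks.
    for arg in $1; do
        case $arg in
            root=UUID=*)
                dev=$(name_of "${arg#root=UUID=}")
                unlocked "${dev#luks-}" || { echo "$arg: not inside an unlocked mapping"; bad=1; } ;;
            resume=/dev/mapper/luks-*)
                unlocked "${arg#resume=/dev/mapper/luks-}" || { echo "$arg: mapping is never unlocked"; bad=1; } ;;
        esac
    done
    return "$bad"
}
# The article's arguments (initrd= and the optional ones left out) pass cleanly.
check_cmdline 'root=UUID=1aea47d1-1bb3-4a90-b1bc-e9354cca1417 luks.uuid=44739df0-7605-45e1-ab30-eb2e7d4f00c8 luks.uuid=b7c05834-a995-412f-bb0e-63069778d21a resume=/dev/mapper/luks-b7c05834-a995-412f-bb0e-63069778d21a' && echo "command line is consistent"
```

On a live system, set LSBLK to the output of `lsblk -rno NAME,UUID` and pass the string you intend to give to efibootmgr --unicode.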