[HowTo] Install Manjaro fully encrypted using Manjaro Architect

Contributions Tutorials
,
1

Difficulty: ★★★★☆

We will be creating an LVM on LUKS encrypted Manjaro installation with UEFI and GPT using Manjaro Architect. This can currently be considered the happy medium between complete Full Disk Encryption and usability. While technically not FDE, both / and /home are fully encrypted (with the exception of a small 0.5GiB /boot partition), but at the same time, boot times are great and complexity is minimal.

Make sure to boot the Manjaro-Architect iso in UEFI mode, otherwise the GRUB UEFI boot entry cannot be added. If 2 UEFI installation media (partitions) show up, use the largest one.

When booted, you will have the option to set a few initial options:

  • Keyboard
  • Language
  • Timezone
  • Drivers (this includes graphics: use non-free option)

Afterwards, push enter on the Manjaro Architect boot option.
Log in with user manjaro, password manjaro, and enter setup.
This will bring you into the ‘Main Menu’, where we’ll have to work through 2 big steps:

  1. Prepare Installation
  2. Install Desktop System

If you get stuck anywhere, check out this Manjaro Architect Tutorial or this Manjaro Architect LVM on LUKS Tutorial for more detailed information.

I. Prepare Installation

1. Set Virtual Console

A keyboard layout (vconsole) will already be chosen automatically based on your language choice. If the expected default works for you, you can skip this menu entry. Alternatively, open it to see your current configuration and decide on keeping/altering it.

2. List Devices

Here you can see the available drives and storage devices if you like.
You can safely skip this step.

3. Partition Disk

Two partitions are required:

  • A FAT32 partition of at least half a GiB with the ESP flag set, which has to be left unencrypted to serve as boot partition.
  • The remaining space as 1 partition that could even be left unformatted, since it will be encrypted anyway to serve as the LVM Volume Group that will allow for multiple Logical Volumes inside.
(parted) mklabel gpt
(parted) mkpart "EFI system partition" fat32 1MiB 512MiB
(parted) set 1 esp on
(parted) mkpart "Encrypted system partition" ext4 512MiB 100%
(parted) print

See Parted Tutorial and Parted Archwiki for more information.

6. LUKS Encryption

  • Choose Automatic LUKS Encryption and select the large partition on your SSD we previously created.
  • Specify a name for the encrypted block device: cryptroot
  • When completed, press Back and Cancel the LUKS Encryption menu to return to the Prepare Installation Menu, and continue with Logical Volume Management.

5. Logical Volume Management

  • Create VG and LV(s):
    • Enter the name of the Volume Group (VG) to create: LVM-VG
    • Select the partition(s) to use for the Physical Volume:
      [*] /dev/mapper/cryptroot
    • Enter the number of Logical Volumes (LVs) to create in [LVM-VG]: 2
      Only a root and swap partition; a separate /home partition is not required
      since symlinks provide more power and control to put specific /home dirs
      (like e.g. Pictures or Downloads) on other drives or partitions.
    • Enter the name of the Logical Volume (LV) to create: lvol-root
    • Enter the size of the Logical Volume (LV) in Megabytes (M) or Gigabytes (G): 920G
      On a 1TB SSD this will keep ca. 33GB for the swap partition.
      If you plan on using hibernation (aka suspend to disk), the size of the swap partition should at least equal your RAM (32GB for me). Otherwise, you can get by with a lot less swap space.
    • Enter the name of the Logical Volume (LV) to create: lvol-swap
    • Do you wish to view the new LVM scheme? Yes
      Check to see if everything looks ok, then press Back and Cancel the Logical Volume Management menu to return to the Prepare Installation Menu, and continue with Mount Partitions.

8. Mount Partitions

  • First select the ROOT Partition, where Manjaro will be installed:

    • E.g. /dev/mapper/LVM--VG-lvol--root
    • Choose Filesystem: ext4
    • Mount options: noatime
      This option reduces disk IO by preventing read accesses to update
      the atime information. This has no impact on the last modified time.
      If noatime is not set, each read access will also result in a write operation.
      This means using noatime can lead to significant performance gains.

  • Select SWAP Partition:
    E.g. /dev/mapper/LVM--VG-lvol--swap

  • When choosing the UEFI boot partition choose the FAT32 partition from before, with mountpoint /boot/efi (not /boot!).

9. Configure Installer Mirrorlist

  1. Edit Pacman Configuration: Not required

  2. Edit Pacman Mirror Configuration:
    Optionally configure your country/neighbouring countries, so the upcoming ‘Rank Mirrors’ will take less time:

    ## Branch Pacman should use (stable, testing, unstable)
Branch = stable

## Generation method
## 1) rank   - rank mirrors depending on their access time
## 2) random - randomly generate the output mirrorlist
Method = rank

## Specify to use only mirrors from specific a country.
## Can add multiple countries separated by a comma (ex: Germany,France)
## Empty means all
OnlyCountry = Belgium,Netherlands,Germany,France

## Mirrors directory
# MirrorlistsDir = /etc/pacman.d/mirrors

## Output file
# OutputMirrorlist = /etc/pacman.d/mirrorlist

## When set to True prevents the regeneration of the mirrorlist if
## pacman-mirrors is invoked with the --no-update argument.
## Useful if you don't want the mirrorlist regenerated after a
## pacman-mirrors package upgrade.
# NoUpdate = False

    Press Ctrl+O then Enter to save, and Ctrl+x to exit.

  3. Rank Mirrors by Speed:
    Select those that came out on top.

10. Refresh Pacman Keys

This, and the following preparations are not strictly required.
We can go back to the main menu, and choose 2. Install Desktop System.

II. Install Desktop System

1. Install Manjaro Desktop

  • Install Base:
    First we have to select the Linux kernel to use; it makes sense to choose an alternative kernel here already, so we won’t need to install a backup kernel later manually. The base-devel group is required to use the AUR in your installed system. Select them with the Space key:

    [*] yay + base-devel
[*] linux-lts
[*] linux-latest
[ ] ...

  • Install Desktop Environment:
    I prefer GNOME for its minimalism and consistency.

  • Extra packages:
    Type the extra packages you want to install and select them with tab.
    Useful apps/packages:

    • audacity: Audio editing
    • blender: 3D Graphics
    • calibre: Ebook management
    • darktable: Photo editing
    • gocryptfs: File encryption
    • gthumb: Image viewer and manager
    • handbrake (& handbrake-cli): Video transcoder
    • inkscape: Vector graphics
    • krita: Digital painting
    • mpv: Media player
    • onlyoffice-desktopeditors: Office suite
    • qbittorrent: Torrent client
    • rsync: File transfer
    • syncthing (& optional GUI: syncthing-gtk): Continuous file synchronization
    • tesseract (& tesseract-data-eng): OCR engine
    • veracrypt: Disk/folder encryption
    • vlc: Media player

    Press Enter to continue.

  • Choose between a full or minimal install:
    Full is recommended unless you want to have absolute control
    and don’t mind manually installing more packages.

  • Now you can inspect the packages to be installed in nano:
    You can still remove something if you made an error previously.
    Ctrl+o and Enter to save, and Ctrl+x to exit.
    The install will now happen, which might take some time.

  • Install Display Driver:
    Auto-install proprietary drivers is recommended.
    Afterwards, press Enter to continue.

2. Install Bootloader

  • Install UEFI Bootloader: grub
  • Enter your encryption passphrase.
  • Press Yes to set grub as default bootloader.

3. Configure Base

  • Generate fstab: Use the UEFI Part UUID option.
  • Set Hostname: Name your computer.
  • Set System Locale: en_US
  • Set Desktop Keyboard Layout: us
  • Set Timezone and Clock: Europe > Brussels
    Then select utc.
  • Set Root Password: *********
  • Add New User(s):
    • Enter user name (lower case letters only)
    • Choose the default shell (zsh, bash or fish)
    • Provide the password(s)!

4. System Tweaks

2. Enable Hibernation

Enable hibernation automatically.

With this, we are done! Exit the installer, and enter reboot at the command line to boot into your new desktop.

III. Additional tweaks and configuration

If your display’s colors have an orange tinge to them, most likely GNOME’s Night Light feature is enabled, which reduces blue light to help you sleep better. You can turn it off (or decide to keep it) in Settings > Display > Night Light.

Debugging Hibernation

It also seems that the last System Tweak, to ‘Enable hibernation automatically’ does not work out of the box with encryption. Do the following to fix it:

  • If you get ERROR: resume: hibernation device y not found when booting, make sure the correct UUID is present in the resume= parameters of GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub:

    GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=c0ddf00f-35dd-4356-a24e-9f778a4e70f1 resume=/dev/disk/by-uuid/c0ddf00f-35dd-4356-a24e-9f778a4e70f1"

  • Make sure the resume HOOK in /etc/mkinitcpio.conf is listed last:

    HOOKS=(base udev autodetect keymap modconf block encrypt lvm2 filesystems keyboard resume)

  • Regenerate grub:

    sudo mkinitcpio -P
sudo update-grub

  • To test hibernation, pm-hibernate of the pm-utils is very useful:

    pamac install pm-utils
sudo pm-hibernate

    If everything went well, your computer should now be in hibernation.

11 Likes
2

Note:

If you do not need multiple encrypted partitions, a better approach is to replace the swap partition with a swapfile. That way, only a single encrypted partition is necessary, and we can ditch LVM, freeing us from its performance penalty and further simplifying everything. It is then best to select /boot over /boot/efi as EFI mount point for better performance.

So, to sum it up:

  • Automatic partitioning.
  • Create LUKS container in the bigger volume.
  • Mount the LUKS container to /. Choose ext4 or xfs if you want to use a swapfile.
  • For swap, choose swap file.
  • For extra mounts, don’t choose anything.
  • For EFI mount point, choose /boot and the smaller automatically created partition.
3 Likes
3

Are you able to wake-up after hibernation with this method?

4

I am mounting the ESP on /efi and mounting a sub-directory of it at /boot, which enables me to share the ESP between different linux distros :wink:
I also do this in systemd unit files instead of the fstab:

systemctl cat {efi,boot}.{auto,}mount | xclip

# /etc/systemd/system/efi.automount
[Unit]
Description=ESP
Documentation=man:systemd.mount(5)
Documentation=man:systemd.automount(5)

[Automount]
Where=/efi
DirectoryMode=0775
TimeoutIdleSec=30

[Install]
#WantedBy=multi-user.target
WantedBy=local-fs.target
Also=boot.automount

# /etc/systemd/system/efi.mount
#
# To install use:
#       systemctl enable --now efi.automount
#       systemctl disable --now efi.automount
#
[Unit]
Description=ESP
Documentation=man:systemd.mount(5)
Documentation=man:systemd.automount(5)
After=swap.target

# These get set automatically
#Conflicts=umount.target
#Before=umount.target
#After=-.mount

# We use noauto, so leave this commented.
#Before=local-fs.target

[Mount]
Where=/efi
Type=vfat
Options=noauto,nofail,rw,gid=adm,relatime,fmask=0002,dmask=0002,codepage=437,iocharset=iso8859-1,shortname=mixed,utf8,errors=remount-ro
TimeoutSec=30

# /etc/systemd/system/efi.mount.d/hd.conf
[Unit]
Description=ESP (HD)
After=blockdev@dev-disk-by\x2dlabel-ESP.target
BindsTo=dev-disk-by\x2dlabel-ESP.device

# Do a fsck on the partition
Requires=systemd-fsck@dev-disk-by\x2dlabel-ESP.service
After=systemd-fsck@dev-disk-by\x2dlabel-ESP.service

[Mount]
What=/dev/disk/by-label/ESP

# /etc/systemd/system/boot.automount
[Unit]
Description=/boot
Documentation=man:systemd.mount(5)
Documentation=man:systemd.automount(5)
After=efi.automount
BindsTo=efi.automount

[Automount]
Where=/boot
DirectoryMode=0775
TimeoutIdleSec=30

[Install]
#WantedBy=multi-user.target
WantedBy=local-fs.target
Also=efi.automount

# /etc/systemd/system/boot.mount
#
# To install use:
#       systemctl enable --now boot.automount
#       systemctl disable --now boot.automount
#
[Unit]
Description=/boot
Documentation=man:systemd.mount(5)
Documentation=man:systemd.automount(5)
Conflicts=umount.target
Before=local-fs.target umount.target
RequiresMountsFor=/efi
After=efi.mount
BindsTo=efi.mount

[Mount]
Where=/boot
What=/efi/Manjaro
Type=none
Options=bind
TimeoutSec=30

Note the entry What=/efi/Manjaro in boot.mount above.

Note:
I am using a LUKS2 partition as / and systemd-boot as boot loader.

2 Likes
5

Thanks a lot for this guide. It helped me a lot to set up my system.

Just one more hint for other people that struggle with the hibernation problem (ERROR: resume: hibernation device y not found on boot). The “correct UUID” to use for the GRUB_CMDLINE_LINUX_DEFAULT parameter is the UUID of your swap partition. You can find it in your /etc/fstab file.

1 Like