We will be creating an LVM on LUKS encrypted Manjaro installation with UEFI and GPT using Manjaro Architect. This can currently be considered the happy medium between complete Full Disk Encryption and usability. While technically not FDE, both / and /home are fully encrypted (with the exception of a small 0.5GiB /boot partition), but at the same time, boot times are great and complexity is minimal.
Make sure to boot the Manjaro-Architect iso in UEFI mode, otherwise the GRUB UEFI boot entry cannot be added. If 2 UEFI installation media (partitions) show up, use the largest one.
When booted, you will have the option to set a few initial options:
- Drivers (this includes graphics: use
Afterwards, push enter on the Manjaro Architect boot option.
Log in with user
manjaro, and enter
This will bring you into the ‘Main Menu’, where we’ll have to work through 2 big steps:
- Prepare Installation
- Install Desktop System
I. Prepare Installation
1. Set Virtual Console
A keyboard layout (vconsole) will already be chosen automatically based on your language choice. If the expected default works for you, you can skip this menu entry. Alternatively, open it to see your current configuration and decide on keeping/altering it.
2. List Devices
Here you can see the available drives and storage devices if you like.
You can safely skip this step.
3. Partition Disk
Two partitions are required:
- A FAT32 partition of at least half a GiB with the ESP flag set, which has to be left unencrypted to serve as boot partition.
- The remaining space as 1 partition that could even be left unformatted, since it will be encrypted anyway to serve as the LVM Volume Group that will allow for multiple Logical Volumes inside.
```
(parted) mklabel gpt
(parted) mkpart "EFI system partition" fat32 1MiB 512MiB
(parted) set 1 esp on
(parted) mkpart "Encrypted system partition" ext4 512MiB 100%
(parted) print
```
6. LUKS Encryption
Automatic LUKS Encryption and select the large partition on your SSD we previously created.
- Specify a name for the encrypted block device: cryptroot
- When completed, press
LUKS Encryption menu to return to the Prepare Installation Menu, and continue with Logical Volume Management.
5. Logical Volume Management
- Create VG and LV(s):
- Enter the name of the Volume Group (VG) to create: LVM-VG
- Select the partition(s) to use for the Physical Volume:
- Enter the number of Logical Volumes (LVs) to create in
Only a root and swap partition; a separate /home partition is not required
since symlinks provide more power and control to put specific /home dirs
(like e.g. Pictures or Downloads) on other drives or partitions.
- Enter the name of the Logical Volume (LV) to create: lvol-root
- Enter the size of the Logical Volume (LV) in Megabytes (M) or Gigabytes (G): 920G
On a 1TB SSD this will keep ca. 33GB for the swap partition.
If you plan on using hibernation (aka suspend to disk), the size of the swap partition should at least equal your RAM (32GB for me). Otherwise, you can get by with a lot less swap space.
- Enter the name of the Logical Volume (LV) to create: lvol-swap
- Do you wish to view the new LVM scheme? Yes
Check to see if everything looks ok, then press
Logical Volume Management menu to return to the Prepare Installation Menu, and continue with
8. Mount Partitions
First select the ROOT Partition, where Manjaro will be installed:
- Choose Filesystem: ext4
- Mount options: noatime
This option reduces disk IO by preventing read accesses from updating the atime information. This has no impact on the last modified time.
If noatime is not set, each read access will also result in a write operation. This means using noatime can lead to significant performance gains.
Select SWAP Partition:
When choosing the UEFI boot partition choose the FAT32 partition from before, with mountpoint
9. Configure Installer Mirrorlist
Edit Pacman Configuration: Not required
Edit Pacman Mirror Configuration:
Optionally configure your country/neighbouring countries, so the upcoming ‘Rank Mirrors’ will take less time:
```
## Branch Pacman should use (stable, testing, unstable)
Branch = stable

## Generation method
## 1) rank - rank mirrors depending on their access time
## 2) random - randomly generate the output mirrorlist
Method = rank

## Specify to use only mirrors from a specific country.
## Can add multiple countries separated by a comma (ex: Germany,France)
## Empty means all
OnlyCountry = Belgium,Netherlands,Germany,France

## Mirrors directory
# MirrorlistsDir = /etc/pacman.d/mirrors

## Output file
# OutputMirrorlist = /etc/pacman.d/mirrorlist

## When set to True prevents the regeneration of the mirrorlist if
## pacman-mirrors is invoked with the --no-update argument.
## Useful if you don't want the mirrorlist regenerated after a
## pacman-mirrors package upgrade.
# NoUpdate = False
```
Press Ctrl+O then Enter to save, and Ctrl+X to exit.
Rank Mirrors by Speed:
Select those that came out on top.
10. Refresh Pacman Keys
This, and the following preparations are not strictly required.
We can go back to the main menu, and choose
2. Install Desktop System.
II. Install Desktop System
1. Install Manjaro Desktop
First we have to select the Linux kernel to use; it makes sense to choose an alternative kernel here already, so we won’t need to install a backup kernel later manually. The base-devel group is required to use the AUR in your installed system. Select them with the
```
[*] yay + base-devel
[*] linux-lts
[*] linux-latest
[ ] ...
```
Install Desktop Environment:
I prefer GNOME for its minimalism and consistency.
Type the extra packages you want to install and select them with tab.
- audacity: Audio editing
- blender: 3D Graphics
- calibre: Ebook management
- darktable: Photo editing
- gocryptfs: File encryption
- gthumb: Image viewer and manager
- handbrake (& handbrake-cli): Video transcoder
- inkscape: Vector graphics
- krita: Digital painting
- mpv: Media player
- onlyoffice-desktopeditors: Office suite
- qbittorrent: Torrent client
- rsync: File transfer
- syncthing (& optional GUI: syncthing-gtk): Continuous file synchronization
- tesseract (& tesseract-data-eng): OCR engine
- veracrypt: Disk/folder encryption
- vlc: Media player
Choose between a full or minimal install:
Full is recommended unless you want to have absolute control and don’t mind manually installing more packages.
Now you can inspect the packages to be installed in nano:
You can still remove something if you made an error previously.
Enter to save, and
The install will now happen, which might take some time.
Install Display Driver:
Auto-install proprietary drivers is recommended.
2. Install Bootloader
- Install UEFI Bootloader: grub
- Enter your encryption passphrase.
Yes to set grub as default bootloader.
3. Configure Base
- Generate fstab: Use the UEFI Part UUID option.
- Set Hostname: Name your computer.
- Set System Locale: en_US
- Set Desktop Keyboard Layout: us
- Set Timezone and Clock: Europe > Brussels
- Set Root Password: *********
- Add New User(s):
- Enter user name (lower case letters only)
- Choose the default shell (zsh, bash or fish)
- Provide the password(s)!
4. System Tweaks
2. Enable Hibernation
Enable hibernation automatically.
With this, we are done! Exit the installer, and enter reboot at the command line to boot into your new desktop.
III. Additional tweaks and configuration
If your display’s colors have an orange tinge to them, most likely GNOME’s Night Light feature is enabled, which reduces blue light to help you sleep better. You can turn it off (or decide to keep it) in Settings > Display > Night Light.
It also seems that the last System Tweak, to ‘Enable hibernation automatically’, does not work out of the box with encryption. Do the following to fix it:
If you get ERROR: resume: hibernation device y not found when booting, make sure the correct UUID is present in the
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=c0ddf00f-35dd-4356-a24e-9f778a4e70f1 resume=/dev/disk/by-uuid/c0ddf00f-35dd-4356-a24e-9f778a4e70f1"
```
Make sure the
/etc/mkinitcpio.conf is listed last:
```
HOOKS=(base udev autodetect keymap modconf block encrypt lvm2 filesystems keyboard resume)
```
```
sudo mkinitcpio -P
sudo update-grub
```
To test hibernation, pm-utils is very useful:
```
pamac install pm-utils
sudo pm-hibernate
```
If everything went well, your computer should now be in hibernation.
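
The hibernation fix above depends on three things lining up: both resume= parameters naming the same UUID, the hook order in mkinitcpio.conf, and the swap volume sitting inside the LUKS container so the hibernation image is encrypted at rest. The following checks are an added example, not part of the original guide; the function names are hypothetical, the sample UUID and lsblk lines are constructed, and requiring encrypt before lvm2 is the usual LVM on LUKS ordering rather than something the guide states.

```bash
# Added example; the sample inputs at the bottom are constructed.
# Print the one UUID all resume= parameters agree on, else fail.
resume_uuid() {   # $1 = kernel command line
    local p u uuid=""
    for p in $1; do
        case $p in
            resume=UUID=*)              u=${p#resume=UUID=} ;;
            resume=/dev/disk/by-uuid/*) u=${p#resume=/dev/disk/by-uuid/} ;;
            *) continue ;;
        esac
        [ -z "$uuid" ] || [ "$uuid" = "$u" ] || return 1
        uuid=$u
    done
    [ -n "$uuid" ] && echo "$uuid"
}

# Succeed if encrypt precedes lvm2 and resume is the last hook.
hooks_ok() {      # $1 = HOOKS=(...) line from /etc/mkinitcpio.conf
    local list h i=0 enc=0 lvm=0 last=""
    list=${1#*\(}; list=${list%\)*}
    for h in $list; do
        i=$((i + 1)); last=$h
        case $h in encrypt) enc=$i ;; lvm2) lvm=$i ;; esac
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt "$enc" ] && [ "$last" = resume ]
}

# Succeed if every LVM volume in `lsblk -rno KNAME,TYPE,PKNAME` output sits
# on a dm-crypt mapping, so the hibernation image in swap is encrypted at rest.
lvs_on_crypt() {  # $1 = lsblk output
    printf '%s\n' "$1" | awk '
        { type[$1] = $2; parent[$1] = $3 }
        $2 == "lvm" { lvs[$1] = 1; n++ }
        END { for (v in lvs) if (type[parent[v]] != "crypt") exit 1
              exit (n > 0 ? 0 : 1) }'
}

CMDLINE='quiet resume=UUID=11111111-2222-3333-4444-555555555555 resume=/dev/disk/by-uuid/11111111-2222-3333-4444-555555555555'
HOOKS_LINE='HOOKS=(base udev autodetect keymap modconf block encrypt lvm2 filesystems keyboard resume)'
LSBLK='nvme0n1 disk
nvme0n1p2 part nvme0n1
dm-0 crypt nvme0n1p2
dm-1 lvm dm-0
dm-2 lvm dm-0'
if uuid=$(resume_uuid "$CMDLINE") && hooks_ok "$HOOKS_LINE" && lvs_on_crypt "$LSBLK"
then echo "ok: resume=$uuid, hooks ordered, LVs on dm-crypt"
else echo "check failed" >&2
fi
```

On an installed system, feed the functions the contents of /proc/cmdline, the HOOKS line from /etc/mkinitcpio.conf and the output of `lsblk -rno KNAME,TYPE,PKNAME`. The UUID printed by resume_uuid should equal what `blkid -s UUID -o value /dev/LVM-VG/lvol-swap` reports for the swap volume created earlier.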