1. Home
  2. Docs
  3. Installation
  4. Encrypted installation

Encrypted installation

Install EndeavourOS encrypted with swapfile, as the only OS on a Notebook/Laptop (mobile used systems) or on your Desktop.

If you want to create a dual-boot first get knowledge on how to do this.

This tutorial is for installing EndeavourOS as the only OS on the device.

Boot the Live ISO

Read our Preliminary information!

At the moment it is the safest way to erase the partition/s you want to use to install EndeavourOS on.

When you have an EFI-Firmware System you can do this with GParted (click Create Partitions)

Click on the menu point “device” and choose gpt partition table type, and Apply
cleared disk for EndeavourOS installation

Close the partition program and start to install EndeavourOS to disk.

Select your Language
Your Region will mostly be detected automatic, if not choose region and zone manually
By default, Calamares selects the keyboard model corresponding your region, but you can change this to fit your hardware, just try it out if the selection is right.
Double-check your chosen partitions in the partition screen, and make sure you’ve chosen the right harddisk for your installation!

At the partition screen, choose the hard disk of your choice to install EndeavourOS (same as the one we did erase before) It will be shown as Free Space on the graphical view in the bottom (current).

Click erase disk, but do not choose swap (No Swap) mark to Encrypt System.

Enter a secure password you can remember (twice)

[Choose only letters and numbers, this will be suffice as the prompt on bootup is only in US-English!] –> needs improvement

If someone knows how to use system keyboard layout at this point we will be happy to put it in here!

Click next:

user creation and options

Enter your name, username and user password, then enable autologin if desired and choose if you want te the same password for user and admin (root).

For security reason, I would not recommend autologin on a mobile device, but you can enable it if you want to. If the system is turned off and switched on again, it will need the encryption passphrase before booting, so it is convenient not to choose a desktop login password…

Click next:

Summary of your set up for installation, read again and double-check again…

After clicking install a warning window will appear….

The installer gives the last warning before install

Click install now, and the installation will start.

the installation will take some time you can see what it is doing under the bottom progress bar…

Now the installer will perform all the steps to create partitions, encrypt them, install the system itself and the install boot process and loaders.

After the installation was successful it says all done, then mark Restart now and click on Done.

The system will now reboot into decryption phrase prompt:

The system including the Grub bootloader is secured.

Enter your encryption passphrase (keep in mind that the prompt does not have the possibility to change the keyboard to another one then default US-Englisch so it doesn’t recognize local punctuation marks)

if you decrypt filesystem grub will boot into system!

Now we still need to get swap implemented into the encrypted system, for now, the easiest variant is to use a swap file under your encrypted root filesystem.

For this open a terminal and follow these steps:

Make a swapfile

If you want to use hibernation, then you must add swap because the content of the RAM will be written to the swap partition/file. This also means that the swap size should be at least the size of RAM.

The following commands will produce a swapfile the size of 8GB. copy and paste them one after the other inside terminal and give your root password.

If you want more or less swap change 8G to what you want to use as swap.

sudo fallocate -l 8G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile

To check …

swapon --show

Edit /etc/fstab to enable the swapfile after reboot

sudo leafpad /etc/fstab

Add the following line …

/swapfile none swap defaults,pri=-2 0 0

Save and exit.

Activate hibernation

sudo filefrag -v /swapfile | awk '{if($1=="0:"){print $4}}'

returns the swapfile offset. For example 997376.. , which means 997376.

sudo leafpad /etc/default/grub

Change to the following; remember to use your offset.

It will first look like this: (*** are the long snake of UUID numbers)

GRUB_CMDLINE_LINUX_DEFAULT=“quiet cryptdevice=UUID=***:luks-*** root=/dev/mapper/luks-*** resume=/dev/mapper/luks-*** loglevel=3”

Add resume_offset=***** to the end of this line (after loglevel=3).

Insert offset number we got from the command before here.

Save and exit

Add resume to /etc/mkinitcpio.conf, do this now …

sudo leafpad /etc/mkinitcpio.conf

Change the HOOKS=… line by adding resume .

HOOKS=“base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck”

Save and exit

rebuild kernel images and grub.cfg:

EFI and Bios systems:

sudo mkinitcpio -p linux
sudo grub-mkconfig -o /boot/grub/grub.cfg

that’s all!

Your system is now in a secure state so if someone steals your laptop/notebook it does not matter if the device is off or suspended, your data is encrypted!

Are you ready to reboot? Everything is working as it should? No typos? Commands giving no errors on execution?

Then… reboot your system now.

It is recommended to set up power saving on mobile devices, as we do not do this by default so feel free to follow this tutorial:

https://endeavouros.com/docs/hardware-and-network/power-saving-made-easy/

Thanks to @2000 for contributing how to create the swapfile at his advanced encryption tutorial at our forum:

https://forum.endeavouros.com/t/howto-gpt-uefi-install-with-full-disk-encryption-lvmonluks-with-a-separate-home-partition-and-working-hibernation-with-a-swapfile/985

Follow us
Was this article helpful to you? Yes 3 No

How can we help?