An opinionated guide to a complete Arch Linux installation. There are two paths, one that includes full-disk encryption and one that doesn't.
Sources:
- https://wiki.archlinux.org/title/Installation_guide
- https://wiki.archlinux.org/title/GRUB#Installation_2
- https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
- https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)
- https://github.com/ejmg/an-idiots-guide-to-installing-arch-on-a-lenovo-carbon-x1-gen-6
https://wiki.archlinux.org/title/Installation_guide#Boot_the_live_environment
If ethernet with DHCP is connected, it should come up automatically.
WiFi may be operated via iwctl.
device list
station wlan0 scan
station wlan0 get-networks
station wlan0 connect <SSID>
I want to boot in EFI mode. Let's verify.
ls /sys/firmware/efi/efivarsThe live CD should take care of this once a connection to the internet is established. Verify that time is correct via:
timedatectl statusIf you want full-disk encryption, go to 2B. Full disk encryption instead.
Partition with cfdisk /dev/sda, use GPT and the following scheme.
| mount | fs | size |
|---|---|---|
| /efi | FAT32 | 512 MiB |
| /boot | ext4 | 512 MiB |
| swap | swap | |
| / | btrfs |
mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkswap /dev/sda3
mkfs.btrfs /dev/sda4swapon /dev/sda3
mount /dev/sda4 /mnt
mkdir /mnt/{efi,boot}
mount /dev/sda1 /mnt/efi
mount /dev/sda2 /mnt/bootpacstrap /mnt base base-devel linux linux-firmware
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mntmkinitcpio -P
pacman -S grub efibootmgr os-prober
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfgNow go to 3. Final configuration.
We will encrypt the entire drive (including /boot) using the LVM on LUKS scheme. The only unencrypted partition is /efi. Since GRUB supports encrypted boot partition with LUKS1 only, we cannot use LUKS2.
Partition with cfdisk /dev/sda, use GPT and the following scheme.
| partition | purpose | size |
|---|---|---|
| /dev/sda1 | /efi | 512 MiB |
| /dev/sda2 | LVM on LUKS | the rest |
cryptsetup luksFormat --type luks1 /dev/sda2
cryptsetup open /dev/sda2 systempvcreate /dev/mapper/system
vgcreate system_group /dev/mapper/system
lvcreate -L 8G system_group -n swap
lvcreate -l 100%FREE system_group -n rootmkfs.fat -F32 /dev/sda1
mkfs.btrfs /dev/mapper/system_group-root`
mkswap /dev/mapper/system_group-swapmount /dev/mapper/system_group-root /mnt
mkdir /mnt/efi
mount /dev/sda1 /mnt/efi
swapon /dev/mapper/system_group-swappacstrap /mnt base base-devel linux linux-firmware
genfstab -U /mnt >> /mnt/etc/fstab
arch-chroot /mntMake sure the lvm2 package is installed and add the keyboard, keymap, encrypt and lvm2 hooks to mkinitcpio.conf:
HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt lvm2 filesystems fsck)Regenerate initramfs and install Grub:
mkinitcpio -p linux
pacman -S grub efibootmgrEdit /etc/default/grub like this:
(Find out the UUID of /dev/sda2 via lsblk -f, this may only work outside of chroot.)
GRUB_ENABLE_CRYPTODISK=y
GRUB_CMDLINE_LINUX="cryptdevice=UUID=</dev/sda2 UUID>:system"Install grub:
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck
grub-mkconfig -o /boot/grub/grub.cfgThe way things are set up so far would work, but we would need to enter the LUKS password twice on each boot. Once for grub and a second time for the kernel.
Instead, we may create a keyfile that will be read by the kernel automatically. This is secure, since the keyfile itself lives on the encrypted filesystem and is accessible only after entering the LUKS password.
Create the keyfile:
dd bs=512 count=4 if=/dev/random of=/root/system.keyfile iflag=fullblock
chmod 000 /root/system.keyfile
cryptsetup -v luksAddKey /dev/sda2 /root/system.keyfileEdit /etc/mkinitcpio.conf:
FILES=(/root/system.keyfile)Recreate the initramfs image and secure the embedded keyfile:
mkinitcpio -p linux
chmod 600 /boot/initramfs-linux*Edit /etc/default/grub:
GRUB_CMDLINE_LINUX="... cryptkey=rootfs:/root/system.keyfile"Regenerate grub config:
grub-mkconfig -o /boot/grub/grub.cfgln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
hwclock --systohcEdit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other needed locales. Generate the locales by running:
locale-genCreate the /etc/locale.conf file, and set the LANG variable accordingly:
LANG=en_US.UTF-8Create the /etc/hostname file with the desired hostname.
The simplest way to get wired network to work is to install the dhcpcd package and enable dhcp for the network interface (here enp1s0 for example).
systemctl enable dhcpcd@enp1s0WiFi and more: https://wiki.archlinux.org/title/Network_configuration
passwd
First exit the chroot and then reboot. If everything went well we should see Grub with the option to boot into Arch. The Arch install still needs a lot of setup, e.g. users, desktop environment, common software.
useradd -m -U -G wheel -s /usr/bin/zsh <user>-m - create home
-U - create a group with the same name as the user
-G - additional groups
-s - login shell
pacman -S pipewire wireplumber pipewire-pulse pipewire-alsahttps://wiki.archlinux.org/title/Libinput#Via_xinput
Install xf86-input-libinput and make sure that xf86-input-synaptics is not installed.
https://wiki.archlinux.org/index.php/Backlight#ACPI
I had to add udev rules so that users that are in the video group can change brightness level.