These are mostly notes for myself, written so that others can follow them too.
This will NOT be an in-depth guide explaining my choices.
It will NOT explain the function of every option of every command; I assume you will look up any you find interesting or confusing.
I WILL link to general information about the main parts being used, or to information that is harder to find.
This will guide you through the installation from after booting from the USB to booting Arch from your SSD/HDD.
Arch Linux with the linux-zen and linux-lts kernels.
rEFInd boot manager.
btrfs single-partition system with subvolumes.
Full-disk encryption with LUKS.
Set up some environment variables that will make your life a lot easier down the line.
btrfs mounting options:
btrfso=defaults,x-mount.mkdir,compress=lzo,ssd,noatime
If installing on a HDD instead of an SSD, omit the ssd option.
Set up a variable for the drive to be worked on; this helps prevent accidentally wiping the wrong drive.
Remember to substitute whatever drive you're using; it will often be /dev/sda or /dev/nvme0n1.
DRIVE=/dev/<DRIVE>
You can use lsblk to find your drive.
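Because every command that follows takes its target from $DRIVE, it is worth refusing to continue if that variable does not name a whole, unmounted disk. The guard below is an added example (not from the original notes); it assumes the live environment exposes /sys/class/block and /proc/mounts as normal Linux does, and the function name check_target_drive is mine.

```shell
#!/bin/sh
# Added example (not from the original notes): refuse to proceed unless the
# target looks like a whole, unmounted block device.  Guards against the
# "wiped the wrong drive" mistake that the DRIVE variable is meant to prevent.

# check_target_drive DEVICE
#   Returns 0 if DEVICE is a whole disk (not a partition) from which nothing
#   is currently mounted; returns 1 otherwise and prints the reason to stderr.
check_target_drive() {
    dev="$1"
    name="${dev#/dev/}"

    if [ -z "$dev" ] || [ "$dev" = "/dev/" ]; then
        echo "check_target_drive: DRIVE is empty" >&2
        return 1
    fi
    if [ ! -b "$dev" ]; then
        echo "check_target_drive: $dev is not a block device" >&2
        return 1
    fi
    # Partitions expose /sys/class/block/<name>/partition; whole disks do not.
    if [ -e "/sys/class/block/$name/partition" ]; then
        echo "check_target_drive: $dev is a partition, expected a whole disk" >&2
        return 1
    fi
    # Anything mounted from this disk (e.g. the live USB itself) is a red flag.
    if grep -q "^$dev" /proc/mounts; then
        echo "check_target_drive: something is mounted from $dev" >&2
        return 1
    fi
    return 0
}

# Usage in the install shell, right after DRIVE=/dev/<DRIVE>:
#   check_target_drive "$DRIVE" || exit 1
```

Run it once after setting DRIVE and before the wipe below; a non-zero exit means stop and re-check lsblk.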
I'll be using the method found in the dm-crypt Arch Wiki article.
Create a temporary encrypted container on the disk.
cryptsetup open --type plain $DRIVE container --key-file /dev/urandom
Optionally verify that it was created
lsblk
Now wipe the container with zeroes; using /dev/urandom here is not necessary, as the randomness comes from the cipher.
dd if=/dev/zero of=/dev/mapper/container status=progress bs=1M
Close the temporary container (cryptsetup close container) before repartitioning: while the mapping is open the disk is in use, and the kernel will not re-read the new partition table, so the by-partlabel links used below would not appear.
sgdisk --zap-all $DRIVE
Our partition scheme will look something like this:
- EFI partition, FAT32. This will contain the rEFInd boot manager. Out of necessity this will not be encrypted.
- SWAP partition, dm-crypt (Linux swap). This will be our swap partition. It will be encrypted with plain dm-crypt using a random keyfile. Make this larger than your RAM capacity if you want to use hibernation; otherwise I recommend a minimum of 8G. I used 32G for my laptop with 16 gigabytes of RAM as I need more than 40 gigabytes of RAM space for some tasks. For my desktop with 128 gigabytes I don't have a swap partition.
- System partition, dm-crypt (btrfs). This will be the main partition, encrypted using LUKS with the passphrase of your choice. It will be structured using 3 btrfs subvolumes: root, home, and snapshots.
sgdisk --clear \
--new=1:0:+512MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:+<SWAPSIZE>GiB --typecode=2:8200 --change-name=2:cryptswap \
--new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
$DRIVE
You can change the labels, which are defined by the --change-name option, to whatever you prefer.
I use EFI, cryptswap, and cryptsystem as they are clear and concise.
Formatting the EFI partition is pretty straightforward.
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
NOTE: Change EFI to whatever you used in the --change-name option in the partitioning section.
We use partlabel in the next section as well, so remember to change it there too if you used something different.
First we format the cryptsystem partition using LUKS, with the aes-xts-plain64 cipher and a 256-bit key. These are the defaults at the time of writing, but I like being explicit so that nothing breaks if new defaults are introduced.
Note that XTS splits the key in two, so -s 256 gives AES-128 per half; pass -s 512 if you want AES-256.
cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
The --align-payload option is used on the suggestion of the dm-crypt mailing list for SSD optimization.
Here we are encrypting the swap partition using a random keyfile.
cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
We make the swap partition and enable it.
mkswap -L swap /dev/mapper/swap
swapon -L swap
Open the LUKS container as system first (with cryptsetup open, the same way cryptswap was opened above but without --type plain and --key-file, so that it prompts for your passphrase), then format the opened LUKS partition with btrfs.
mkfs.btrfs --force --label system /dev/mapper/system
Now we mount the filesystem so we can create our subvolumes on it, then unmount it so we can mount the subvolumes instead.
mount -t btrfs LABEL=system /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
umount -R /mnt
Now we mount the subvolumes using the options we defined in the very beginning.
mount -t btrfs -o subvol=root,$btrfso LABEL=system /mnt
mount -t btrfs -o subvol=home,$btrfso LABEL=system /mnt/home
mount -t btrfs -o subvol=snapshots,$btrfso LABEL=system /mnt/.snapshots
mkdir /mnt/boot
mount LABEL=EFI /mnt/boot
genfstab -L -p /mnt >> /mnt/etc/fstab
NOTE: genfstab writes into /mnt/etc, which only exists once pacstrap has run, so run this line after the installation step below.
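Before chrooting it pays to confirm that the generated fstab actually reflects the layout above, rather than discovering a missing subvolume at first boot. The checker below is an added example, not part of the original notes; it assumes the labels system and EFI and the three subvolume mount points used here, and the sample fstab embedded in it is constructed (options abbreviated), not real genfstab output.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check a generated fstab
# before chrooting.  Expects the layout from these notes: btrfs subvolumes
# root, home and snapshots mounted at /, /home and /.snapshots, plus a vfat
# EFI partition at /boot.  Reads the fstab text from stdin.

check_fstab() {
    fstab="$(cat)"
    status=0
    # Each subvolume must be mounted at its expected path with the matching
    # subvol= option (genfstab may emit subvol=root or subvol=/root) and the
    # options chosen at the start (compress, noatime).
    for pair in root:/ home:/home snapshots:/.snapshots; do
        subvol="${pair%%:*}"
        mnt="${pair#*:}"
        line="$(printf '%s\n' "$fstab" | awk -v m="$mnt" '$1 !~ /^#/ && $2 == m')"
        if [ -z "$line" ]; then
            echo "fstab: no entry for $mnt" >&2; status=1; continue
        fi
        case "$line" in
            *btrfs*subvol=$subvol*|*btrfs*subvol=/$subvol*) ;;
            *) echo "fstab: $mnt is not btrfs subvol=$subvol" >&2; status=1 ;;
        esac
        case "$line" in
            *compress=*noatime*|*noatime*compress=*) ;;
            *) echo "fstab: $mnt is missing compress=/noatime" >&2; status=1 ;;
        esac
    done
    # /boot must be the vfat EFI partition.
    printf '%s\n' "$fstab" | awk '$1 !~ /^#/ && $2 == "/boot" && $3 == "vfat" {found=1} END {exit !found}' \
        || { echo "fstab: /boot is not a vfat entry" >&2; status=1; }
    return $status
}

# Constructed sample in the shape genfstab -L would emit for this layout
# (mount options abbreviated; labels are the ones used in these notes).
SAMPLE_FSTAB='# <file system> <dir> <type> <options> <dump> <pass>
LABEL=system / btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=/root 0 0
LABEL=system /home btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=/home 0 0
LABEL=system /.snapshots btrfs rw,noatime,compress=lzo,ssd,space_cache,subvol=/snapshots 0 0
LABEL=EFI /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro 0 2'

# Real use, after genfstab has been run:
#   check_fstab < /mnt/etc/fstab || echo "fix /mnt/etc/fstab before chrooting"
```

A non-zero exit lists every mismatch on stderr, so one run shows all problems at once.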
Installing the system
We use pacstrap to install the required packages without needing to chroot into the system.
pacstrap /mnt base base-devel vim linux-zen linux-lts refind-efi btrfs-progs zsh dash ttf-hack otf-overpass dhcpcd opendoas linux-firmware man-db man-pages intel-ucode
The packages we install are:
- base - provides the packages necessary to boot the system
- base-devel - provides some essential packages for using the system
- intel-ucode - microcode for Intel CPUs; change this to amd-ucode if you're running an AMD-based system
- linux-zen - the Zen Linux kernel, which has some optimizations for daily-driver use
- linux-lts - long-term support kernel, which I keep as a backup in case something in the newer linux-zen kernel breaks
- linux-firmware - provides firmware for most devices, for example network cards
- refind-efi - provides the boot manager and boot loader
- man-db and man-pages - provide the ability to look up programs' man pages in the terminal
- vim - the text editor I install as a base; other options include vi, neovim, nano, emacs, or ed
- zsh and dash - zsh is my preferred shell and dash is used as the lightweight POSIX-compliant shell for running scripts
- ttf-hack and otf-overpass - my preferred fonts, Hack for monospace and Overpass for sans-serif
- dhcpcd - DHCP client; you can't connect to the internet without it
- opendoas - a lighter and simpler alternative to sudo
chroot'ing into the system
You can either do this with regular arch-chroot or with systemd-nspawn.
I will not be covering the systemd method here, as it's simply too much of a hassle in my opinion.
Getting a shell using arch-chroot is as follows
arch-chroot /mnt
Then set up a hostname variable for use inside the system.
HOSTNAME=<your-desired-hostname>
Edit /etc/locale.gen and uncomment the needed lines.
vim /etc/locale.gen
----------------------
...
cy_GB ISO-8859-14
da_DK.UTF-8 UTF-8
de_AT.UTF-8 UTF-8
...
en_CA ISO-8859-1
en_DK.UTF-8 UTF-8
en_GB.UTF-8 UTF-8
...
en_SG ISO-8859-1
en_US.UTF-8 UTF-8
en_US ISO-8859-1
en_ZA.UTF-8 UTF-8
...
or add the ones you need by just appending them.
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
Now we can generate the locales using
locale-gen
And then finally we set the locale we want to use.
systemd-firstboot --prompt-locale
First enable NTP syncing
timedatectl set-ntp 1
Set your timezone.
timedatectl set-timezone LOCATION/CITY
example
timedatectl set-timezone Europe/Copenhagen
Set your hostname using
hostnamectl set-hostname $HOSTNAME
NOTE: hostnamectl and timedatectl talk to a running systemd; inside arch-chroot, where systemd is not the init, they fail, and the equivalent is to write the name to /etc/hostname and to point /etc/localtime at your zoneinfo file by hand.
Then add the following to your hosts file
/etc/hosts
------------
127.0.0.1 localhost.localdomain localhost
::1 localhost.localdomain localhost
127.0.1.1 HOSTNAME.localdomain HOSTNAME
or using printf (plain echo does not expand \t in bash, and the original one-liner was missing its closing quote)
printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n::1\t\tlocalhost.localdomain\tlocalhost\n127.0.1.1\t%s.localdomain\t%s\n' "$HOSTNAME" "$HOSTNAME" > /etc/hosts
The encrypted swap and system mappings are set up by editing /etc/crypttab.
This is what it should look like:
swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=256
system /dev/disk/by-partlabel/cryptsystem none offset=2048,cipher=aes-xts-plain64,size=256
The initramfs needs the sd-encrypt (systemd encryption) and btrfs hooks so that it can unlock the LUKS container and mount the root subvolume.
Edit /etc/mkinitcpio.conf
to contain the following
MODULES=""
BINARIES=""
FILES=""
HOOKS="systemd modconf keyboard block filesystems btrfs sd-encrypt fsck"
Then generate the initramfs for our kernels using
mkinitcpio -p linux-zen
mkinitcpio -p linux-lts
Install rEFInd to your EFI partition (replace /dev/sdXY with the EFI partition, e.g. /dev/disk/by-partlabel/EFI).
refind-install --usedefault /dev/sdXY --alldrivers
Create or edit /boot/EFI/BOOT/refind.conf
/boot/EFI/BOOT/refind.conf
-------
timeout 20                 # how long rEFInd waits for user input, in seconds
use_graphics_for windows   # use the simpler "mac-style" graphical behaviour for these OS types
also_scan_dirs +,@/        # also search for boot loaders in the specified directories
Create or edit /boot/refind_linux.conf
"Boot with standard options" "rd.luks.name=<UUID of the cryptsystem partition>=cryptsystem root=UUID=<UUID of the btrfs filesystem inside it> rw rootflags=subvol=root initrd=/intel-ucode.img initrd=/initramfs-linux-zen.img add_efi_memmap"
NOTE: replace intel-ucode.img with amd-ucode.img for amd based systems.
The UUIDs can be found with
lsblk -fs
and the UUIDs you need are
- the one from the partition that has type crypto_LUKS 2 (for rd.luks.name)
- the one from the filesystem that has type btrfs (for root=UUID)
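The two placeholders in refind_linux.conf are easy to leave half-filled or to swap, and a wrong value only shows up as an unbootable system. The helper below is an added example (not from the original notes); it assembles the entry line used above from the two UUIDs after validating their format, and the function names is_uuid and build_refind_entry are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): assemble the refind_linux.conf
# entry from the two UUIDs so the placeholders cannot be left half-filled.
# Both UUIDs are validated against the 8-4-4-4-12 lowercase hex form that
# lsblk/blkid print for LUKS containers and btrfs filesystems.

is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# build_refind_entry LUKS_UUID BTRFS_UUID [intel|amd]
#   Prints the entry line used in these notes; returns 1 on a malformed UUID
#   or unknown microcode vendor, printing nothing in that case.
build_refind_entry() {
    luks="$1"; btrfs="$2"; vendor="${3:-intel}"
    is_uuid "$luks"  || { echo "bad LUKS UUID: $luks" >&2; return 1; }
    is_uuid "$btrfs" || { echo "bad btrfs UUID: $btrfs" >&2; return 1; }
    case "$vendor" in
        intel|amd) ;;
        *) echo "vendor must be intel or amd" >&2; return 1 ;;
    esac
    printf '"Boot with standard options" "rd.luks.name=%s=cryptsystem root=UUID=%s rw rootflags=subvol=root initrd=/%s-ucode.img initrd=/initramfs-linux-zen.img add_efi_memmap"\n' \
        "$luks" "$btrfs" "$vendor"
}

# Real use inside the chroot, reading the values instead of copying them by hand:
#   LUKS_UUID=$(blkid -s UUID -o value /dev/disk/by-partlabel/cryptsystem)
#   BTRFS_UUID=$(blkid -s UUID -o value /dev/mapper/system)
#   build_refind_entry "$LUKS_UUID" "$BTRFS_UUID" intel > /boot/refind_linux.conf
```

The blkid calls read the UUIDs from the partition label path and the opened mapper device, so the LUKS UUID and the btrfs UUID cannot be mixed up.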
Finally, set the root password and shut down.
passwd
shutdown now