Minimal instructions for installing Arch Linux on a UEFI NVMe system with full system encryption using dm-crypt, LUKS and systemd-boot
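# Install ARCH Linux with encrypted file-system and UEFI
# The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
# These are notes to type in by hand, step by step - not a script to run as a whole.
# Every step here is destructive for the target disk; double-check device names before each command.
# Download the archiso image from https://www.archlinux.org/
# Verify the image against the checksum/PGP signature published on the download page before writing it.
# Copy to a usb-drive (replace /dev/sdX with the usb device, NOT a disk you want to keep)
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
# Boot from the usb. If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.
# Note: with secure boot off and /boot on the unencrypted EFI partition, the kernel and initramfs are not protected
# against offline tampering. Consider re-enabling secure boot with your own keys (e.g. sbctl) once the install works.
# To list all available keymaps, use the following command:
localectl list-keymaps
# Set your keymap, default keymap is named 'us'
loadkeys us
# This assumes a wifi only system...
#wifi-menu
# Add settings for ethernet here...
# perhaps the following two packages: netctl dhcpcd
# Create partitions
cgdisk /dev/nvme0n1
1 512MB EFI partition # Hex code ef00
2 100% size partition # (to be encrypted) Hex code 8300
mkfs.vfat -F32 /dev/nvme0n1p1
# No filesystem is needed on p2: luksFormat below writes the LUKS header straight to the partition.
# mkfs.ext2 /dev/nvme0n1p2
# Optional but recommended on a previously used disk: overwrite p2 with random data first so that
# old plaintext and the used/unused pattern of the encrypted volume are not recoverable (see the
# "dm-crypt/Drive preparation" page of the Arch wiki).
# Setup the encryption of the system with 256 bit effective size
# (XTS uses half the key for each of its two keys, so --key-size 512 gives AES-256).
# The passphrase chosen here is the only thing protecting the data at rest; pick a strong one.
# --use-random is accepted by older cryptsetup; newer releases may ignore it - harmless either way.
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/nvme0n1p2
# Back up the LUKS header to removable media kept elsewhere; a damaged header makes the whole volume unrecoverable.
# cryptsetup luksHeaderBackup /dev/nvme0n1p2 --header-backup-file <path-on-removable-media>
cryptsetup luksOpen /dev/nvme0n1p2 luks
# Create encrypted partitions
# This creates one partition for root, modify if /home or other partitions should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
# swap lives inside the LUKS volume as well, so hibernation images are encrypted too
lvcreate --size 16G vg0 --name swap
lvcreate -l +100%FREE vg0 --name root
# Create filesystems on encrypted partitions
mkfs.ext4 /dev/mapper/vg0-root
mkswap /dev/mapper/vg0-swap
# Mount the new system
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
# Install the system also includes stuff needed for starting wifi when first booting into the newly installed system
# Unless vim and zsh are desired these can be removed from the command
# The trailing backslash is required: without it the second line is run as a separate (failing) command.
pacstrap /mnt base base-devel linux linux-firmware zsh vim git efibootmgr mkinitcpio lvm2 dialog networkmanager wireless_tools wpa_supplicant os-prober \
  xdg-user-dirs xorg-server xorg-apps xorg-xinit xterm ttf-dejavu gvfs gvfs-smb gvfs-mtp pulseaudio pavucontrol pulseaudio-alsa alsa-utils unzip xf86-input-libinput polkit-gnome network-manager-applet
# 'install' fstab
genfstab -pU /mnt >> /mnt/etc/fstab
# Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
# Change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)
# Enter the new system
arch-chroot /mnt /bin/bash
# Setup system clock (-f overwrites a pre-existing /etc/localtime)
ln -sf /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
hwclock --systohc --utc
# Set the hostname
echo MYHOSTNAME > /etc/hostname
# Generate locale
# Uncomment wanted locales in /etc/locale.gen
vim /etc/locale.gen
locale-gen
# localectl talks to systemd over D-Bus and typically fails inside a chroot; if it does, the
# locale.conf lines below already set the same thing.
localectl set-locale LANG=en_US.UTF-8
# To avoid problems with gnome-terminal set locale system wide
# Do NOT set LC_ALL=C. It overrides all the locale vars and messes up special characters
# Pay attention to the UTF-8. Capital letters !
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf
# Set password for root
passwd
# Add real user remove -s flag if you don't wish to use zsh
useradd -m -g users -G wheel -s /bin/zsh MYUSERNAME
passwd MYUSERNAME
# Configure mkinitcpio with modules needed for the initrd image
vim /etc/mkinitcpio.conf
# Add 'ext4' to MODULES
# Add 'encrypt' and 'lvm2' to HOOKS before filesystems
# Add 'resume' after 'lvm2' (also has to be after 'udev')
# If you typed the LUKS passphrase with a non-US keymap, also add 'keymap' (after 'keyboard') before 'encrypt',
# otherwise the passphrase prompt at boot uses the US layout.
# Regenerate initrd image
mkinitcpio -p linux
# Setup systemd-boot (grub will not work on nvme at this moment)
bootctl --path=/boot install
# Create loader.conf (>> appends: run these once, or edit the file instead)
echo 'default arch' >> /boot/loader/loader.conf
echo 'timeout 5' >> /boot/loader/loader.conf
# Create arch.conf (or XYZ.conf for default XYZ in loader.conf)
vim /boot/loader/entries/arch.conf
# Add the following content to arch.conf
# <UUID> is the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the 'blkid' command
# The name after the colon (vg0) is the dm-crypt mapping name used at boot; it does not have to match the
# 'luks' name used above, but using the volume group's name for it is easy to confuse with /dev/mapper/vg0-*.
# intel_pstate=no_hwp is hardware specific; drop it on non-Intel systems.
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp
# Exit new system and go into the cd shell
exit
# Unmount all partitions
umount -R /mnt
swapoff -a
# Reboot into the new system, don't forget to remove the cd/usb
reboot
# Bonus: Fix the system-clock if dual booting with Windows 10
# This command makes Linux use local time, just like Win10.
timedatectl set-local-rtc 1 --adjust-system-clock
# For during chroot or after logging in for the first time:
# dhcpcd and cpupower are not in the pacstrap list above; install them first or drop the lines.
# Running dhcpcd and NetworkManager on the same interface conflicts - pick one of the two.
systemctl enable dhcpcd.service
systemctl enable NetworkManager.service
systemctl enable cpupower.service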