Skip to content

Instantly share code, notes, and snippets.

@vstepchik

vstepchik/arch-linux-install.md

Forked from kylemanna/arch-linux-install.md
Last active October 26, 2020 20:31
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save vstepchik/3f81b0ffa96bfa000f9464aa17529496 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save vstepchik/3f81b0ffa96bfa000f9464aa17529496 to your computer and use it in GitHub Desktop.
Download ZIP
Minimal instructions for installing arch linux on an UEFI NVMe system with full system encryption using dm-crypt and luks side-by-side with existing Windows 10
Raw
arch-linux-install.md

Install ARCH Linux with encrypted file-system and UEFI for dual-boot with existing Windows 10 EFI

The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.

Download the Arch ISO

Copy to a USB drive

dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux

Boot from USB drive

If the usb fails to boot, make sure that secure boot is disabled in the BIOS configuration.

If lsblk does not show drives other than USB drive, switch drive mode from RAID to AHCI in BIOS, note that this will prevent Windows from booting. In order to keep Windows bootable, prior to switching to AHCI follow this instructions.

This assumes a wifi only system...

wifi-menu

Create partitions

cgdisk /dev/nvme0n1
1 100% size partiton # (to be encrypted) Hex code 8300

Locate EFI partition

fdisk -l /dev/sdx

The list of partitions on the disk: Look for the EFI system partition in the list, it is usually at least 100 MiB in size and has the type EFI System or EFI (FAT-12/16/32). To confirm this is the ESP, mount it and check whether it contains a directory named EFI, if it does this is definitely the ESP.

Setup the encryption of the system with 256 bit effective size

Note: Many NVMe drives can exceed 2GB/s, consider your crypto algorithm wisely, review cryptsetup benchmark, the defaults are viewable end of cryptsetup --help, defaults are commonly the fastest with good security from my experience with cryptsetup (AES 256, sha256, 2000ms)

cryptsetup --use-random luksFormat /dev/nvme0n1p1
cryptsetup luksOpen /dev/nvme0n1p1 luks

Create encrypted partitions

This creates one partions for root, modify if /home or other partitions should be on separate partitions

pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate -l +100%FREE vg0 --name root

Create filesystems on encrypted partitions

mkfs.ext4 -L root /dev/mapper/vg0-root

Mount the new system

Here, the <EFI_PARTITION> placeholder is a device/partition found in the Locate EFI partition step.

mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
mkdir /mnt/boot
mount /dev/<EFI_PARTITION> /mnt/boot

Install the system

Also includes stuff needed for starting wifi when first booting into the newly installed system Unless vim and zsh are desired these can be removed from the command. Dialog is needed by wifi-menu

pacstrap /mnt base base-devel zsh neovim git sudo efibootmgr dialog wpa_supplicant tmux intel-ucode linux linux-firmware lvm2 vim

Generate fstab

genfstab -pU /mnt | tee -a /mnt/etc/fstab

Make /tmp a ramdisk (add the following line to /mnt/etc/fstab)

tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0

Also change relatime on all non-boot partitions to noatime (reduces wear if using an SSD)

Enter the new system

arch-chroot /mnt /bin/bash

Setup system clock

ln -s /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc --utc

Set the hostname

echo MYHOSTNAME > /etc/hostname

Generate locale

Uncomment wanted locales in /etc/locale.gen

vim /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8

To avoid problems with gnome-terminal set locale system wide Do NOT set LC_ALL=C. It overrides all the locale vars and messes up special characters Pay attention to the UTF-8. Capital letters !

echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_ALL= >> /etc/locale.conf

Set password for root

passwd

Add user

groupadd MYUSERNAME
useradd -m -g MYUSERNAME -G wheel,storage,power,network,uucp -s /bin/zsh MYUSERNAME
passwd MYUSERNAME

Configure mkinitcpio with modules needed for the initrd image

vim /etc/mkinitcpio.conf
  • Add 'ext4' to MODULES
  • Add 'encrypt' and 'lvm2' to HOOKS before filesystems
  • Add 'resume' after 'lvm2' (also has to be after 'udev')

Regenerate initrd image

mkinitcpio -p linux

Setup systembootd (grub will not work on nvme at this moment)

bootctl --path=/boot install

Create loader.conf

echo default arch >> /boot/loader/loader.conf
echo timeout 5 >> /boot/loader/loader.conf

Create arch.conf (or XYZ.conf for default XYZ in loader.conf)

nvim /boot/loader/entries/arch.conf

Add the following content to arch.conf

<UUID> is the the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the blkid command

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw intel_pstate=no_hwp

Exit new system

exit

Unmount all partitions

umount -R /mnt
swapoff -a

Reboot into the new system, don't forget to remove the cd/usb

reboot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment