├── why-arch.md
└── README.md

/why-arch.md:
--------------------------------------------------------------------------------
# Why Arch Linux?

Linux, more than anything else, gives you choices. There are hundreds of distributions, many desktop environments, and a near infinite variety of ways to set up your system. Some distributions give you a slick installer and a fully configured system right out of the box; other distros require more work to set up. Arch Linux is the latter. So why do I choose to run it?

## Arch is minimalist

The base Arch Linux installation contains only the minimum necessary packages to boot into a terminal on a working system. It comes with no desktop environment, no printer, Bluetooth, or audio drivers, no network connectivity packages, very few utilities, and no user-space applications. It makes zero assumptions as to what any particular user might need, allowing them to build exactly the system they want, with nothing they don't.

## Arch demands competence

Because of its minimalism, Arch demands that you become a competent system administrator. Arch does nothing for you. You have to roll up your sleeves, install and set up the base system from the command line, and install and configure every detail of the entire system to your liking. To develop enough skill to do that takes a lot of time and effort. You will learn a lot building an Arch system. And when you're done, you will not only understand your system far more deeply, you will feel much more connected to it.

## Arch is always up-to-date

With Arch, there is no "version". You are always running the latest packages. Many distros have stable, slow release cycles, which makes an update something you perform every year or two. An update can be a big event--a scary one, even, since so much changes in one fell swoop.
With Arch, updates are available every single day, and as long as you stay current, if something does break, it's pretty easy to identify the problem and fix it. And if you really want to be on the bleeding edge you can enable the testing and unstable repos.

## Arch has killer repositories

Arch has an excellent, well-regarded package management system, along with some of the largest, most up-to-date repositories. I have yet to find anything I needed that wasn't available in either the official Arch repos, or the AUR. And when a new package version is released by a developer, it's usually added to the Arch repositories very quickly.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Installing Arch Linux on a LUKS Encrypted Drive using LVM booting with UEFI

This document describes my preferred way to install Arch Linux.

* __LUKS__ allows full disk encryption.

* __LVM__ (Logical Volume Management) is a more flexible way to set up a hard drive, as it allows partitions to be dynamically resized.

* __UEFI__ is the modern replacement for Legacy BIOS.

If you are curious as to why I use Arch you can read __[Why Arch Linux](https://github.com/rickellis/Arch-Linux-Install-Guide/blob/master/why-arch.md)__.

---

Before you begin you must prepare your installation media and make sure your BIOS is configured correctly:

## Prepare Installation Media

[Download](https://www.archlinux.org/download/) the Arch Linux ISO and create a bootable USB drive. The simplest way to create bootable media on Linux is using the dd command:

    $ sudo dd bs=4M if=/path_to_arch_.iso of=/dev/sd* && sync

On Mac use Etcher or UNetBootin. On Windows use Rufus.

---

## BIOS Configuration

Hold F12 (or whatever key is used on your system) during startup to access the BIOS. Then...

* __Make sure UEFI is ON__. Most modern systems use UEFI, so it's generally on by default.

* __Disable Secure Boot__. If secure boot is enabled it must be turned off since Linux boot loaders don't typically have digital signatures. Note that if you intend on running a dual-boot system with Windows and Linux you won't be able to use disk encryption on the partition containing Windows, as it requires secure boot.

* __Disable Fast Startup Mode__. If you are dual booting with Windows turn off Fast Startup. This feature puts Windows into hibernation when you power off. Because some systems are still active during hibernation, booting into Linux can cause various nasty problems.

---

## Important: Regarding Disk Node Names

All references to disk nodes in this document are shown as:

    /dev/sd*

You will need to change `sd*` to the actual node name you want to use on your drive. To get this info use either of these commands:

    $ fdisk -l

    $ lsblk

Drive nodes might be called "sda", "sdb", etc., or they might be something completely different. On my Dell XPS, for example, they are called "nvme0n1" to indicate they are interfaced via PCIe.

---

# Installation Steps

Here we go...

## Boot Arch from the USB Drive

Hold F12 (or whatever key is used on your system) during startup to access the startup menu. Select the USB drive and boot into Arch.

----

## Establish an Internet Connection

The most reliable way is to use a wired connection, as Arch is set up by default to connect via DHCP.
However, you can usually get WiFi working by running:

    $ wifi-menu

To test your connection:

    $ ping -c 3 www.google.com

---

## Increase Terminal Font Size

If the terminal font is too small, which can happen if you have a high-res display, then install terminus fonts.

First, update the pacman databases:

    $ pacman -Sy

Then install the fonts:

    $ pacman -S terminus-font

Update the font cache:

    $ fc-cache -fv

Set the font to a large size:

    $ setfont ter-v32b

---

## Remove existing drive partitions

If you are installing Arch on a previously used hard drive you can remove partitions using `fdisk`.

First, get the drive node name containing the partition(s) you want to remove and run:

    $ fdisk /dev/sd*

Then enter "p" for the partition list:

    $ p

Then enter "d" to delete:

    $ d

You'll be prompted to enter the number corresponding to the partition you want to remove.

To commit the changes enter:

    $ w

---

## Zero Hard Drive with Random Data

Optional step if you are using a hard drive with existing data. Here's how to do it using dd:

    $ dd if=/dev/urandom of=/dev/sd* status=progress

Or if you're paranoid (and have a couple days to wait) you can use a multi-pass tool like shred.

    $ shred -vfz -n 3 /dev/sd*

---

## Partition Hard Drive

__NOTE:__ Since we're using LVM we only need two drive partitions: boot and root. The LVM will be created on root later, where we will use the device mapper to define root, home and swap partitions.

First, launch __parted__ on your desired drive node:

    $ parted /dev/sd*

Then run the following commands with your particular size values.
Sizes can be specified in `MiB`, `GiB`, or as a percentage:

    $ (parted) mklabel gpt
    $ (parted) mkpart primary 1MiB 512MiB name 1 boot
    $ (parted) set 1 boot on
    $ (parted) mkpart primary 512MiB 100% name 2 root
    $ (parted) quit

---

## Disk Encryption

Before we set up our LVM we need to encrypt the root partition we just created. I use AES 256. Note that cryptsetup splits the supplied key in half, so to use AES-256 we set the key size to 512. For more information about LUKS you can visit the [Arch Wiki](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption).

    $ cryptsetup luksFormat -v -s 512 -h sha512 /dev/sd*

Now let's decrypt it so we can use it.

__Note__: I'm labeling this partition as "lvm". We will use this label later when we create the LVM.

    $ cryptsetup open --type luks /dev/sd* lvm

To verify our "lvm" label we can use:

    $ ls /dev/mapper/lvm

---

## LVM Setup

### Create a Physical Volume

    $ pvcreate /dev/mapper/lvm

### Create a Volume Group

__Note:__ I'm labelling my volume group as "vg". If you use something else, make sure to replace every instance of it, not only in this section, but in the bootloader config section much later.

    $ vgcreate vg /dev/mapper/lvm

### Create the Logical Volumes

At minimum we need two volumes. One for swap, the other for root. We can additionally put home on its own volume.

__Note:__ The sizes below can be specified in megabytes (100M) or gigs (10G).

__Also__ the "L" arguments below are case sensitive. The capital L is used when you want to specify a fixed size volume, the lowercase l lets you specify percentages.

    $ lvcreate -L 4G vg -n swap
    $ lvcreate -L 80G vg -n root
    $ lvcreate -l 100%FREE vg -n home

### Create the Filesystems

__Note:__ The boot partition is on the non-LVM partition, so use the disk node you specified when you created that partition.

    $ mkfs.vfat -F32 /dev/sd*
    $ mkfs.ext4 /dev/mapper/vg-root
    $ mkfs.ext4 /dev/mapper/vg-home
    $ mkswap /dev/mapper/vg-swap

### Mount the volumes

We need to create a couple directories while we're at it.

    $ mount /dev/mapper/vg-root /mnt

    $ mkdir /mnt/home
    $ mount /dev/mapper/vg-home /mnt/home

    $ mkdir /mnt/boot
    $ mount /dev/sd* /mnt/boot

### Enable Swap

    $ swapon /dev/mapper/vg-swap

---

## Update Mirrorlist

Before we download the Arch packages we should rank the mirrorlist to ensure our download speeds are as good as possible, and that the server being used is from our locale. There are two ways to accomplish this. The first (rankmirrors, which is what I typically use) does not require any additional packages, the other (reflector) requires that we install a package. Both methods are described next. Pick one.

### Rankmirrors

Open the mirrorlist file using:

    $ nano /etc/pacman.d/mirrorlist

Then make sure that __only__ servers in your country are un-commented. Alternately (what I do), you can `shift + arrow down` to highlight servers you don't want and `Ctrl + K` to cut them. Save the file. Then:

Make a backup copy of the mirrorlist file:

    $ sudo cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.backup

Now run `rankmirrors`.
It will take the server data from the backup mirrorlist, rank the servers, then write the result to the original mirrorlist file:

    $ rankmirrors -n 6 /etc/pacman.d/mirrorlist.backup > /etc/pacman.d/mirrorlist


### Reflector

First, make sure the pacman databases are up-to-date:

    $ pacman -Sy

Install __Reflector__:

    $ pacman -S reflector rsync curl

Now generate the new mirrorlist. Note: If you are in a different country change "United States" to your country.

    $ reflector --verbose --country 'United States' -l 5 --sort rate --save /etc/pacman.d/mirrorlist

---

## Install Arch Linux

If you only want a base Arch install with no additional packages, run:

    $ pacstrap -i /mnt base base-devel

Typically I also install `git` so I can clone my __[post-install setup and config scripts](https://github.com/rickellis/ArchMatic)__, along with `dialog` and `wpa_supplicant` so that `wifi-menu` will work after booting into the new system. I also install `intel-ucode` to allow the Linux kernel to update the __[processor microcode](https://wiki.archlinux.org/index.php/microcode)__.

    $ pacstrap -i /mnt base base-devel git dialog wpa_supplicant intel-ucode

---

### Generate fstab

We now need to update the filesystem table on the new installation. Fstab contains the association between filesystems and mountpoints.

    $ genfstab -U -p /mnt >> /mnt/etc/fstab

You can verify fstab with:

    $ cat /mnt/etc/fstab

---

## Change Root

Since we're still booted via USB, in order to configure our new system we need to change root. If we don't do that, every change we make will be applied to the USB installation.

    $ arch-chroot /mnt

---

## Install and configure bootloader

While there are various bootloaders that may be used, since the Linux kernel has a built-in EFI image, all we need is a way to execute it. For that we will install systemd-boot:

    $ bootctl --path=/boot install

### Update the loader.conf file

Using nano we can edit the config file:

    $ nano /boot/loader/loader.conf

Make sure that __only__ the following lines are in the file:

    default arch
    timeout 3
    editor 0

__Notes:__ The timeout setting is the number of seconds the menu is displayed before it automatically boots the default choice. For security, setting `editor 0` disables kernel parameter editing via the terminal. These can always be edited in the `mkinitcpio.conf` file.

### Get the UUID for root

In the next step we will update the boot loader config file. But first, we need to determine the __UUID__ of our __root__ partition. The root partition is the one we installed our LVM on. If you don't recall the name of that node you can look it up using:

    $ lsblk

Now use the node name you just looked up to get the UUID:

    $ blkid /dev/sd*

You can either write down the UUID (which is painful given the length), or what I prefer to do is redirect the output of the above command into the config file that we will need that information in:

    $ blkid /dev/sd* > /boot/loader/entries/arch.conf

Then open the config file in nano:

    $ nano /boot/loader/entries/arch.conf

Arrow over to the UUID and `shift + arrow` to highlight it (only the ID, not the surrounding quotes). Use `Ctrl+K` to cut it, putting it into the clipboard.

Now __delete everything__ in that file and add the following info.
Make sure to replace __YOUR_ID__ with the ID gathered previously, which you can paste from your clipboard using `Ctrl+U`.

    title Arch Linux
    linux /vmlinuz-linux
    initrd /initramfs-linux.img
    options cryptdevice=UUID=YOUR_ID:vg root=/dev/mapper/vg-root quiet splash rw

__Note:__ If you installed the `intel-ucode` package earlier your arch.conf file will need an additional line:

    title Arch Linux
    linux /vmlinuz-linux
    initrd /intel-ucode.img
    initrd /initramfs-linux.img
    options cryptdevice=UUID=YOUR_ID:vg root=/dev/mapper/vg-root quiet splash rw

### Update Bootloader

    $ bootctl update

---

## Update mkinitcpio

Since we're using disk encryption we need to make sure that the LUKS module gets initialized by the kernel so we can decrypt our drive prior to booting. We also need to make sure that the keyboard is available for use prior to initializing the filesystem, otherwise we will have no input device to type in our password.

Edit the following config file:

    $ nano /etc/mkinitcpio.conf

Scroll down to the HOOKS section. It should look similar to this:

    HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)

Change it to this:

    HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

If you installed terminus fonts earlier in order to increase the font size of the terminal, add `consolefont` to the HOOKS as well. I put the hook first, so that it gets initialized early enough to increase the font size during boot. Note that the fonts will have to be installed once you've booted into the new system.

    HOOKS=(consolefont base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)

Lastly, if your computer is running PCIe storage rather than SATA add `nvme` to MODULES.
NVMe is a specification for accessing SSDs attached through the PCI Express bus. The Linux kernel includes an NVMe driver, so we just need to tell the kernel to load it.

Scroll up to the MODULES section and change it to:

    MODULES=(nvme)

Now update the initramfs image with our changes:

    $ mkinitcpio -p linux

If you're curious what modules are available as initcpio hooks:

    $ ls /usr/lib/initcpio/install

---

## Set Language

Open the locale.gen file and uncomment your preferred language (I'm using en_US.UTF-8):

    $ nano /etc/locale.gen

Now save the file and generate the locale:

    $ locale-gen

Copy your language choice to the locale.conf file:

    $ echo LANG=en_US.UTF-8 > /etc/locale.conf

Export the language as an environmental shell variable:

    $ export LANG=en_US.UTF-8

---

## Set Timezone

Run this command to find your timezone:

    $ tzselect

Now use the timezone you just looked up to create a symbolic link to /etc/localtime. __Note:__ Be sure to change __America/Denver__ to your timezone.

    $ ln -s /usr/share/zoneinfo/America/Denver /etc/localtime

__Note:__ If you get an error that says `failed to create symbolic link '/etc/localtime': File exists`, you must first delete the localtime file:

    $ rm /etc/localtime

Then you should be able to create the above symbolic link.

Update the hardware clock. I use UTC:

    $ hwclock --systohc --utc

---

## Set Hostname

This is the name of your computer. I name mine "Arch", but you can change it to whatever you want your host to be.

    $ echo Arch > /etc/hostname

---

## Set the Root Password

    $ passwd

---

## Create a User Account

Make sure to replace `<username>` with your username.

    $ useradd -m -G wheel,users -s /bin/bash <username>

And set the user password:

    $ passwd <username>

---

## Grant User Sudo Powers

Install sudo:

    $ pacman -S sudo

Then run the following command, which will open the sudoers file:

    $ EDITOR=nano visudo

Find this line and un-comment it:

    %wheel ALL=(ALL) ALL

---

## Enable AUR and Multilib Repositories

Open the pacman.conf file:

    $ nano /etc/pacman.conf

If you want to be able to run 32bit software on a 64bit system then __uncomment__:

    #[multilib]
    #Include = /etc/pacman.d/mirrorlist

If you plan on downloading packages from the Arch User Repository, add this:

    [archlinuxfr]
    SigLevel = Never
    Server = http://repo.archlinux.fr/$arch

In that same file add these (or uncomment if either are there). The `Color` directive gives you colored output when running pacman commands, and `ILoveCandy` enables the little yellow pacman animation.

    Color
    ILoveCandy

Then save the file.

---

## Update all packages

The installation is basically done so we now update the databases and all installed packages:

    $ pacman -Syu

---

## Congratulations!

You should now have a working Arch Linux installation. It doesn't have a desktop environment or any applications yet...for that you can check out my __[ArchMatic](https://github.com/rickellis/ArchMatic)__ repo, but the base installation is done.
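
Before leaving the chroot, the two settings that decide whether the encrypted root can be unlocked at boot can be checked: the `HOOKS` order in `/etc/mkinitcpio.conf` and the `cryptdevice=` option in `arch.conf`. The script below is an added example, not part of the original guide; its function names and the constructed sample files are assumptions for illustration. On a real install pass the actual files, with `blkid -s UUID -o value` on the LUKS partition supplying the UUID to compare against.

```sh
#!/bin/sh
# Added example, not part of the guide: checks to run inside the chroot
# before rebooting. File paths are arguments so copies can be tested.

# Print the hooks of the last uncommented HOOKS= line, one per line.
# Accepts HOOKS=(a b c) and the legacy HOOKS="a b c" form.
hooks_of() {
    sed -n 's/^[[:space:]]*HOOKS=//p' "$1" | tail -n 1 |
        sed 's/#.*//' | tr -d "()\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# hooks_in_order FILE HOOK...: succeed only if every HOOK is present in
# FILE and the HOOKs appear there in the given relative order.
hooks_in_order() {
    hio_file=$1; shift
    hio_prev=0
    for hio_hook in "$@"; do
        hio_pos=$(hooks_of "$hio_file" | grep -nxF -- "$hio_hook" | head -n 1 | cut -d: -f1)
        [ -n "$hio_pos" ] || { echo "missing hook: $hio_hook" >&2; return 1; }
        [ "$hio_pos" -gt "$hio_prev" ] || { echo "hook out of order: $hio_hook" >&2; return 1; }
        hio_prev=$hio_pos
    done
}

# The storage stack is LVM inside LUKS: the disk driver (block) and the
# keyboard must be up before encrypt, and lvm2 must follow encrypt.
initramfs_ok() {
    hooks_in_order "$1" block encrypt lvm2 filesystems &&
        hooks_in_order "$1" keyboard encrypt
}

# entry_ok FILE [LUKS_UUID]: the options line must carry
# cryptdevice=UUID=<well-formed uuid>:<name> and root=/dev/mapper/...;
# when LUKS_UUID is given the entry must name exactly that UUID.
entry_ok() {
    eo_opts=$(sed -n 's/^[[:space:]]*options[[:space:]]//p' "$1" | tail -n 1)
    eo_uuid=$(printf '%s\n' "$eo_opts" | tr -s ' \t' '\n\n' |
        sed -n 's/^cryptdevice=UUID=\([^:]*\):..*$/\1/p')
    printf '%s\n' "$eo_uuid" |
        grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
        { echo "cryptdevice UUID missing or malformed: '$eo_uuid'" >&2; return 1; }
    printf '%s\n' "$eo_opts" | tr -s ' \t' '\n\n' |
        grep -q '^root=/dev/mapper/' ||
        { echo "root= is not a /dev/mapper device" >&2; return 1; }
    [ -z "${2:-}" ] || [ "$eo_uuid" = "$2" ] ||
        { echo "entry UUID is not the LUKS partition's UUID" >&2; return 1; }
}

# Constructed samples (no real system): the guide's HOOKS line, a variant
# with lvm2 ahead of encrypt, and boot entries with a made-up UUID and
# with the YOUR_ID placeholder left in.
demo=$(mktemp -d)
echo 'HOOKS=(base udev autodetect modconf block keyboard keymap encrypt lvm2 filesystems fsck)' > "$demo/good.conf"
echo 'HOOKS=(base udev autodetect modconf block keyboard lvm2 encrypt filesystems fsck)' > "$demo/bad.conf"
echo 'options cryptdevice=UUID=0a1b2c3d-1111-2222-3333-444455556666:vg root=/dev/mapper/vg-root quiet splash rw' > "$demo/arch.conf"
echo 'options cryptdevice=UUID=YOUR_ID:vg root=/dev/mapper/vg-root quiet splash rw' > "$demo/todo.conf"

for f in good bad; do
    if initramfs_ok "$demo/$f.conf"; then echo "$f.conf: hook order ok"; else echo "$f.conf: rejected"; fi
done
for f in arch todo; do
    if entry_ok "$demo/$f.conf"; then echo "$f.conf: entry ok"; else echo "$f.conf: rejected"; fi
done
```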

First, exit chroot:

    $ exit

Now unmount and reboot:

    $ umount -R /mnt

    $ reboot

Or, if you prefer you can shut down:

    $ poweroff

---

## If you are installing Arch on VirtualBox

Instead of rebooting, as indicated above, shut down the virtual machine and do the following:

Remove the ISO you booted from at:

    Settings > Storage > Controller:IDE

Make sure EFI is enabled:

    Settings > System > Enable EFI

For WiFi connectivity, first get the name of your connection using:

    $ ip link

It should be something like `enp0s3`. Then run:

    $ sudo ip link set dev enp0s3 up
    $ sudo dhcpcd enp0s3

--------------------------------------------------------------------------------
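
The `[archlinuxfr]` entry in the pacman.conf step sets `SigLevel = Never`, which turns off package signature checking for that repository, and its `Server` line is plain HTTP. As an added example (not from the original guide), the function below lists such repositories in a pacman.conf; the function name and the constructed sample file are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the guide: list pacman repositories whose
# packages are installed without signature verification.

# audit_pacman_conf FILE
# Prints one line per repository whose effective SigLevel contains Never
# or PackageNever (its own setting, else the [options] default), noting a
# plain-HTTP Server if there is one. Returns 1 if anything was reported.
audit_pacman_conf() {
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2)
            if (sec != "options" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
            next
        }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+/, "", val)
            if (key == "SigLevel") sig[sec] = val
            if (key == "Server" && val ~ /^http:/) http[sec] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                eff = (s in sig) ? sig[s] : sig["options"]
                if (eff !~ /(^|[ \t])(Package)?Never([ \t]|$)/) continue
                msg = s ": no package signature check (SigLevel = " eff ")"
                if (s in http) msg = msg ", plain HTTP server " http[s]
                print msg
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the [archlinuxfr] entry from this guide placed after
# a stock-style [options] default and an official repository.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[archlinuxfr]
SigLevel = Never
Server = http://repo.archlinux.fr/$arch
EOF

audit_pacman_conf "$sample" || echo "review the repositories listed above"
```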