Install Doc - TheContortion1st/Arch-Linux-install-doc GitHub Wiki

Install-doc

Enough from the clown, let's start doing.

Disk-Preparation

First of all we wipe the disk to erase all traces of any past data. There are a fair amount of ways and tools to do so, so I won't describe them here in detail.

Lenovo has a tool within the security section of its UEFI to securely wipe the disk. More ways are described in the Arch Wiki.

Disable secure boot

Yeah sure, this documentation includes secure boot for Linux, and it is possible to keep secure boot enabled and sign the Archiso bootloader first, but it is way easier to simply disable secure boot for now, so do it. Later on I show how to sign your final bootloaders for secure boot.

Create Arch-ISO install media

I prefer a USB key. If you come from Windows, use Rufus to copy the Arch ISO to your USB key, otherwise simply use dd. The Arch Wiki has a great how-to on creating your own USB flash installation media.

Boot live environment

After creating the stick, boot from it. This requires turning off secure boot on most modern laptops that have had Windows installed (which is probably the case for all machines shipped with Windows preinstalled).

Change keyboard layout and connect to internet

This is just an example, since I use the German keyboard layout; you can use any available keyboard layout found under /usr/share/kbd/keymaps/.

loadkeys de-latin1

Sets the German keyboard layout ("y" = "z" and "-" = "ß").

wifi-menu

A dialog for connecting to a nearby wifi network if ethernet is not an option.

Create partitions

First of all, 99% of my doc comes from the Arch Wiki directly, thanks to it and especially the part Encrypting an entire system.

So let's start with creating the partitions. I use fdisk to comfortably create my three needed partitions: EFI, data and swap. Since I have an NVMe SSD installed, the device names in the commands follow my own system.

fdisk /dev/nvme0n1

Commands within fdisk are listed with m; it's quite intuitive.

  • create new gpt-partitiontable for UEFI-boot (g)
  • 1st partition = EFI System, 550MiB (n > 'Enter' > 'Enter' > +550M > 'Enter' > t > 1)
  • 2nd partition = Linux filesystem, (Size of RAM + 2GB) for encrypted swap (n > 'Enter' > 'Enter' > +16G > 'Enter' > t > 19)

(NOTE: +16G = (16GiB - 2GiB (for integrated Graphics on Lenovo ThinkPad E495)) + 2 GiB. Regarding swap necessity there are numerous discussions and several different conclusions. For example see here and here. I decided for myself that a moderate swap-space doesn't hurt so I add it. )

  • 3rd partition = Linux filesystem, rest of space available (n > 'Enter' > 'Enter' > 'Enter' > 'Enter')
  • p to show the changes to the disk

If you feel comfortable with your job you can type w to write the changes to the disk. (NOTE: This will delete the old partition table and partitions, any old data is most likely lost.)

Encrypt data partition

NOTE: GRUB2 only supports LUKS1 encryption of /boot (and is the only bootloader to support encryption of /boot at all, which is why I use it) as of Dec 2019! The default type for cryptsetup, i.e. when you run it without the --type option, is LUKS2. To see the progress on GRUB2 supporting LUKS2 go here.

cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat /dev/nvme0n1p3

Every option except --type luks1 is optional, since the others are the defaults. See the Arch Wiki for the options and defaults. You will be prompted twice for a passphrase.
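Because GRUB refuses to open anything but LUKS1, it is worth checking the header before building the rest of the system on top of it. The following is an added example, not part of the original wiki page: a small pre-flight check that reads the output of cryptsetup luksDump and fails unless the header is LUKS1 with the cipher, mode and key size the luksFormat command above used. On the live system you would run cryptsetup luksDump /dev/nvme0n1p3 | luks_preflight; the two dump texts embedded here are constructed samples so the check can be shown offline (cryptsetup isLuks --type luks1 /dev/nvme0n1p3 is the one-liner equivalent for the version check alone).

```shell
#!/bin/sh
# Added example (not the wiki's own code): pre-flight check of a LUKS header
# before continuing the install. Expects `cryptsetup luksDump DEV` on stdin.

# luks_field DUMP_TEXT KEY: value of the "KEY:" line in a luksDump text
luks_field() {
    printf '%s\n' "$1" |
        awk -F: -v k="$2" '$1 == k { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# luks_preflight: read luksDump output on stdin; return 0 only when the header
# is LUKS1 (the only format GRUB2 can unlock for /boot as of the guide's date)
# and uses aes-xts-plain64 with at least a 256-bit master key.
luks_preflight() {
    dump=$(cat)
    version=$(luks_field "$dump" "Version")
    cipher=$(luks_field "$dump" "Cipher name")
    mode=$(luks_field "$dump" "Cipher mode")
    bits=$(luks_field "$dump" "MK bits")
    status=0
    if [ "$version" != "1" ]; then
        echo "FAIL: header version '${version:-?}' (GRUB2 needs LUKS1 for an encrypted /boot)"
        status=1
    fi
    if [ "$cipher-$mode" != "aes-xts-plain64" ]; then
        echo "FAIL: cipher '$cipher-$mode', expected aes-xts-plain64"
        status=1
    fi
    if [ "${bits:-0}" -lt 256 ]; then
        echo "FAIL: master key is ${bits:-0} bits, expected at least 256"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: LUKS1, $cipher-$mode, $bits-bit master key"
    fi
    return "$status"
}

# Constructed sample dumps (shape of `cryptsetup luksDump` output, not real headers)
SAMPLE_LUKS1='LUKS header information for /dev/nvme0n1p3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        256'

SAMPLE_LUKS2='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]'

# Demo on the constructed samples (real use pipes luksDump in instead)
printf '%s\n' "$SAMPLE_LUKS1" | luks_preflight
printf '%s\n' "$SAMPLE_LUKS2" | luks_preflight || echo "(refused, as expected for a LUKS2 header)"
```

Run it right after luksFormat; if it reports a version other than 1, the container was created with the default type and GRUB will not be able to open it, so reformat with --type luks1 before going any further.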

Open encrypted container and name it

| Command | Description |
| --- | --- |
| cryptsetup open /dev/nvme0n1p3 cryptroot | Open encrypted drive, name it cryptroot |

Format partitions

EFI has to be FAT32 and for our data-partition we use btrfs.

mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

(/dev/sda1 on non-NVMe) You can also use mkfs.fat; mkfs.vfat is in fact a symlink to mkfs.fat. The -F32 makes it FAT32 to support bigger filesystems and is needed for filesystems from 512MiB up to 2GiB. The -n labels the partition as 'EFI' and is optional. The EFI system partition must not be encrypted! To learn more about FAT go here for a short version and here for the FAT page of the Arch Wiki.

mkfs.btrfs -L btrfs_main /dev/mapper/cryptroot

The filesystem goes onto the opened container /dev/mapper/cryptroot, not onto the raw partition /dev/nvme0n1p3 (/dev/sda3 on non-NVMe), since formatting the raw partition would overwrite the LUKS header you just created. The -L labels the filesystem as "btrfs_main"; it is optional. This is the encrypted btrfs filesystem holding root, home and .snapshots.

Create subvolumes within device-mapper

Mount the device-mapper cryptroot to /mnt.

| mount /dev/mapper/cryptroot /mnt | Mount decrypted device to /mnt |

Create subvolumes

Create subvolumes at /mnt, at least one for root and home.

| Command | Description |
| --- | --- |
| btrfs subvolume create /mnt/@ | This will be the root subvolume. |
| btrfs subvolume create /mnt/@home | This will be the home subvolume. |
| btrfs subvolume create /mnt/@snapshots | This will contain our snapshots. |

You can choose yourself how to name the subvolumes. To distinguish them from physical partitions I use "@", but you can also use something like "__" (two underscores). Refer to the wiki or the sysadmin guide.

Create mount-points and mount subvolumes

First unmount the top-level volume that was mounted at /mnt to create the subvolumes, then mount each subvolume in its final place. The .snapshots directory gets the @snapshots subvolume, and the EFI partition is mounted at /efi so genfstab later picks it up.

umount /mnt
mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt
mkdir /mnt/home
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
mkdir /mnt/efi
mount /dev/nvme0n1p1 /mnt/efi

Install packages into root-subvolume

pacstrap /mnt base base-devel efibootmgr grub btrfs-progs dialog amd-ucode linux linux-firmware bash-completion vim dkms git linux-headers mesa xf86-video-amdgpu dosfstools netctl

Packages were chosen for my Lenovo E495 and depend on the hardware and the overall setup. They are not all necessary. However, I recommend at least all packages up to bash-completion.

Follow steps on the Arch Linux Install Guide

Follow the guide up to the point Initramfs.

Note: when generating the /etc/fstab make sure to have mounted all partitions and subvolumes in their final place, e.g. /dev/nvme0n1p1 at /efi. Otherwise you would have to correct the entries manually afterwards. genfstab -U /mnt >> /mnt/etc/fstab creates the entries with their UUIDs, which I recommend. See my final fstab for comparison.

Modify mkinitcpio.conf for encryption and btrfs

We need to modify the config file that controls the initramfs image creation as follows:

vim /etc/mkinitcpio.conf

Instead of vim you can use whatever editor you like of course.

We need to add the encrypt hook. The hooks need to be loaded in correct order to work, so the line looks like this:

HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)

Also optionally add the path to the btrfs-tools to be able to recover from disastrous btrfs failures at boot (never seen any, but documentation says they exist).

BINARIES=("/usr/bin/btrfs")

Also see the whole mkinitcpio.conf


Setup USB-key for decrypting data-partition

In this setup our /boot resides on the encrypted data partition. So at startup you have to enter your password for the EFI bootloader to access GRUB (there is no way around this, except keeping /boot unencrypted). Then, at the initramfs stage, the system has to open the encrypted partition again, so you would have to enter the password a second time... unless, in the kernel command line set through GRUB, you refer to a keyfile instead of a password.

This spares you entering your password at boot twice.

I did this from within the arch-chroot, which is why I installed dosfstools. Since it is part of the archiso install media, you can also create the USB key directly from the live environment.

fdisk /dev/sdb
mkfs.fat -F32 -n CRYPTUSB /dev/sdb1

Create a single partition on the stick with fdisk (g, then n with the defaults, then w), then format it as FAT32 with the label CRYPTUSB.

Create mount-point for the key and mount it

mkdir /mnt/CRYPTUSB
mount /dev/sdb1 /mnt/CRYPTUSB

Create keyfile for cryptroot and write it onto stick

dd bs=512 count=4 if=/dev/random of=/mnt/CRYPTUSB/crypto_keyfile iflag=fullblock

Refer to the Arch Wiki again.

Make the keyfile readable only by root

chmod 600 /mnt/CRYPTUSB/crypto_keyfile

Add keyfile to a LUKS-keyslot

cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/CRYPTUSB/crypto_keyfile

Within mkinitcpio.conf you also have to add the vfat module, so the initramfs can read the USB key:

MODULES=(amdgpu vfat)

The amdgpu module is for the Ryzen integrated graphics.
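A wrong hook order or a missing module is only discovered at the first boot, when the initramfs cannot unlock the root container. The following is an added example, not code from the original wiki page: a check that reads the text of an mkinitcpio.conf, verifies the orderings that the encrypt setup depends on (udev, keyboard and block before encrypt, keyboard before keymap, encrypt before filesystems) and, when a filesystem module name is given, confirms it is listed in MODULES (here vfat for the keyfile stick). The two config texts embedded in it are constructed samples; on the real system you would call check_mkinitcpio "$(cat /etc/mkinitcpio.conf)" vfat.

```shell
#!/bin/sh
# Added example (not the wiki's own code): sanity-check HOOKS order and MODULES
# of an mkinitcpio.conf before running mkinitcpio.

# conf_array CONF_TEXT NAME: space-separated contents of the NAME=(...) line
conf_array() {
    printf '%s\n' "$1" | sed -n "s/^$2=(\(.*\))[[:space:]]*\$/\1/p" | head -n 1
}

# index_of LIST WORD: 1-based position of WORD in LIST, 0 when absent
index_of() {
    i=0
    for w in $1; do
        i=$((i + 1))
        if [ "$w" = "$2" ]; then echo "$i"; return 0; fi
    done
    echo 0
}

# require_before LIST A B: A must be present and come before B
require_before() {
    a=$(index_of "$1" "$2")
    b=$(index_of "$1" "$3")
    if [ "$a" -eq 0 ] || [ "$b" -eq 0 ] || [ "$a" -gt "$b" ]; then
        echo "FAIL: hook '$2' must be present and come before '$3'"
        return 1
    fi
}

# check_mkinitcpio CONF_TEXT [MODULE]: 0 when the encrypt setup is consistent
check_mkinitcpio() {
    hooks=$(conf_array "$1" HOOKS)
    modules=$(conf_array "$1" MODULES)
    want=${2:-}
    rc=0
    require_before "$hooks" udev encrypt        || rc=1   # device nodes for the container
    require_before "$hooks" keyboard encrypt    || rc=1   # typing the passphrase at all
    require_before "$hooks" keyboard keymap     || rc=1   # keymap needs the keyboard driver
    require_before "$hooks" block encrypt       || rc=1   # block device drivers first
    require_before "$hooks" encrypt filesystems || rc=1   # root fs lives inside the container
    if [ -n "$want" ]; then
        case " $modules " in
            *" $want "*) ;;
            *) echo "FAIL: module '$want' missing from MODULES (needed to read the keyfile stick)"; rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: HOOKS=($hooks) MODULES=($modules)"
    fi
    return "$rc"
}

# Constructed sample configs: the guide's setup, and a broken one
GOOD_CONF='MODULES=(amdgpu vfat)
BINARIES=("/usr/bin/btrfs")
FILES=()
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)'

BAD_CONF='MODULES=()
HOOKS=(base udev autodetect modconf block filesystems keyboard encrypt fsck)'

check_mkinitcpio "$GOOD_CONF" vfat
check_mkinitcpio "$BAD_CONF" vfat || echo "(refused, as expected)"
```

The check is deliberately strict about keyboard: without that hook a USB keyboard may not work at the passphrase prompt, which on a laptop with an external keyboard looks exactly like a broken container.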


Modify GRUB for encryption and to unlock cryptroot with keyfile

vim /etc/default/grub

If there is no such file, you first have to install the grub-package.

Edit the default kernel command line:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=cc363e8e-ef59-4033-bdf6-b7efc6319bdb:cryptroot cryptkey=/dev/disk/by-uuid/C4F0-A67A:vfat:/crypto_keyfile root=/dev/mapper/cryptroot amd_iommu=pt ivrs_ioapic[32]=00:14.0 acpi_backlight=vendor"

Note: The cryptdevice=UUID= is the UUID of /dev/nvme0n1p3, not of /dev/mapper/cryptroot. You find it with blkid. There you also find the UUID of the USB key referred to by the cryptkey= kernel option. Since you have more than one USB slot and probably also more than one USB device, I advise addressing it by its UUID. Also consult the Arch Wiki.

Install GRUB-EFI-application to ESP

grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=arch_grub --recheck --debug

See the Arch Wiki for help.

Correct any errors that might occur, as this is essential for a working system!

Generate GRUB

grub-mkconfig -o /boot/grub/grub.cfg

This is another crucial step, so make sure no errors occur.

Set root password

If not done yet, create a root password with the command passwd.


Encrypted swap partition

So far we don't have a swap partition. Since swap is not strictly necessary for a system to run, there are lots of differing recommendations; we already created the partition, so now we configure it for use.

Whether to encrypt the swap is something everyone has to decide for themselves. Most likely my swap partition will never be used, since I have more than enough RAM for my expected use cases. An unencrypted swap is as easy as this: mkswap /dev/nvme0n1p2 followed by swapon /dev/nvme0n1p2, and don't forget to add the fstab entry.

Encrypting the swap needs a few more steps.

Hibernation or not?

If the swap is to be encrypted, it has to be re-created with a fresh random key on every boot, to ensure no data can be read from it afterwards.

There will not be a guide for encrypted swap with hibernation/suspend-to-disk support, due to the number of warnings everywhere that it is insecure as hell and can cause data loss as easily as shutting the lid and opening it up again. Plus, I don't need hibernation; I'm from the old "poweroff" school.

If you want to hibernate or suspend-to-disk despite all warnings, go ahead and try your luck!

Create encrypted swap partition without hibernation or suspend-to-disk

Create a small filesystem on the existing swap partition just for having a persistent UUID or LABEL for the swap, which will be re-created and re-encrypted on every bootup and therefore gets a new UUID each time.

mkfs.ext2 -L cryptswap /dev/nvme0n1p2 1M

Note: The 1M indicates that this filesystem is just 1MiB, leaving enough space for the swap behind it. This is more than enough for only holding a persistent UUID. The -L leaves us the choice to use either the UUID or the LABEL of the placeholder filesystem in /etc/fstab later.

Note: If /dev/nvme0n1p2 was (accidentally) encrypted with LUKS already, the LUKS-header has to be wiped first.

head -c 1052672 /dev/urandom > /dev/nvme0n1p2

"A LUKS1 header with one single default 256 bit size keyslot is 1024 KiB in size. It is advised to also overwrite the first 4 KiB written by dm-crypt, so 1028 KiB have to be wiped. That is 1052672 Byte."

You can of course overwrite a bigger part:

dd if=/dev/urandom of=/dev/nvme0n1p2 bs=512 count=40960

This overwrites the first 20MiB of the partition.

See the Arch Wiki for reference.

Recreate LABEL or UUID-placeholder

mkfs.ext2 -L cryptswap /dev/nvme0n1p2 1M

Modify crypttab

Example /etc/crypttab

Modify fstab for cryptswap

Read the UUID or LABEL of the ext2-placeholder partition with blkid and create an entry in /etc/fstab.

Example /etc/fstab
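The header-wipe size above and the crypttab/fstab entries for the placeholder trick all hinge on the same small bits of arithmetic, so here is an added example (not the wiki's own files, whose linked examples are not reproduced on this page) that derives them. It assumes the 1MiB ext2 placeholder labelled cryptswap created above, crypttab's offset= unit of 512-byte sectors, and a random key from /dev/urandom with the same aes-xts-plain64 / 256-bit choice as the root container; the cipher and size options are the Arch Wiki's pattern for a re-keyed-on-boot swap, and the important edge case it guards is an offset smaller than the placeholder, which would let the swap overwrite the label on the first boot.

```shell
#!/bin/sh
# Added example (not the wiki's own code): the arithmetic behind the header
# wipe and the placeholder offset, plus matching crypttab and fstab lines.

# luks1_wipe_bytes: bytes to overwrite for a single-keyslot LUKS1 header
# (1024 KiB header plus the first 4 KiB written by dm-crypt, per the Arch Wiki)
luks1_wipe_bytes() { echo $(( (1024 + 4) * 1024 )); }

# dd_count BYTES BS: number of BS-sized blocks that cover BYTES (rounded up)
dd_count() { echo $(( ($1 + $2 - 1) / $2 )); }

# placeholder_offset MIB: crypttab offset= (512-byte sectors) that skips a
# MIB-sized placeholder filesystem so the random-key swap never overwrites it
placeholder_offset() { echo $(( $1 * 1024 * 1024 / 512 )); }

# offset_safe OFFSET MIB: 0 only when OFFSET leaves the whole placeholder untouched
offset_safe() { [ "$1" -ge "$(placeholder_offset "$2")" ]; }

# crypttab_line NAME LABEL MIB: /etc/crypttab entry for a swap re-keyed from
# /dev/urandom on every boot, located behind the placeholder labelled LABEL
crypttab_line() {
    off=$(placeholder_offset "$3")
    printf '%s LABEL=%s /dev/urandom swap,offset=%s,cipher=aes-xts-plain64,size=256\n' \
        "$1" "$2" "$off"
}

# fstab_line NAME: /etc/fstab entry; must reference the mapped device, never the
# LABEL, because the LABEL belongs to the ext2 placeholder, not to a swap area
fstab_line() { printf '/dev/mapper/%s none swap defaults 0 0\n' "$1"; }

# Demo with the guide's values (constructed device name DEV stands in for /dev/nvme0n1p2)
echo "wipe LUKS1 header: head -c $(luks1_wipe_bytes) /dev/urandom > DEV"
echo "wipe first 20MiB:  dd if=/dev/urandom of=DEV bs=512 count=$(dd_count $((20 * 1024 * 1024)) 512)"
echo "crypttab:          $(crypttab_line cryptswap cryptswap 1)"
echo "fstab:             $(fstab_line cryptswap)"
if offset_safe 1024 1; then echo "offset 1024 ok"; else echo "offset 1024 would clobber the 1MiB placeholder"; fi
```

Append the two printed lines to /etc/crypttab and /etc/fstab respectively; after the next boot, swapon --show should list /dev/mapper/cryptswap, and blkid should still report the cryptswap label on the partition, which is the quick way to confirm the offset was large enough.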


Finally generate initramfs with modified mkinitcpio.conf

mkinitcpio -p linux

No errors or warnings should appear during image generation, or your system will probably not boot correctly.

Exit the arch-chroot by simply typing exit. Unmount all partitions:

umount -R /mnt

Reboot system and boot from hard-disk

reboot


Optional Steps

Setting up secure-boot
The easy way with signed keys and PreLoader

For sb = secure boot in this guide I use PreLoader. It is a simple-to-set-up, does-its-job tool to sign your bootloaders, and it prohibits executing unsigned bootloaders.

All you have to do is follow this guide from the arch wiki.

Load the Keys

Download preloader-signed from the AUR or load the keys manually from here.

Copy the PreLoader.efi and HashTool.efi into /efi/EFI/arch_grub/ directory and rename the bootx64.efi into loader.efi.

Now simply reboot and choose the Setup Mode for secure boot in the UEFI; you will be dropped into the PreLoader signing menu, where you can sign your bootloaders. Just follow the on-screen instructions.

After that you can set the secure boot mode back to its default User Mode.

Up-to-date Pacman-mirrors: reflector

In the Arch Wiki install guide there is a nice and comfy link on how to set up a pacman mirror list that is not just up to date but also country specific and picks the fastest mirrors for your location.

Installing sddm, kde plasma and setting up xorg server with i3-gaps