Install Doc - TheContortion1st/Arch-Linux-install-doc GitHub Wiki
Install-doc
Enough from the clown, let's start doing.
Disk-Preparation
First of all we wipe the disk to erase all traces of any past data. There are a fair number of ways and tools to do so, so I won't describe them here in detail.
Lenovo has a tool within the security section of its UEFI to securely wipe the disk. More ways are described in the Arch Wiki.
Disable secure boot
Yeah sure, this documentation covers secure boot for Linux, and it is possible to keep secure boot enabled and sign the Archiso bootloader first, but it is way easier to simply disable secure boot for now, so do it. Later on I show how to sign your final bootloaders for secure boot.
Create Arch-ISO install media
I prefer a USB key. If you come from Windows, use Rufus to copy the Arch ISO to your USB key; otherwise simply use dd. The Arch Wiki has a great how-to on creating your own USB flash installation media.
Boot live environment
After creating the stick, boot from it. This requires turning off secure boot on most modern laptops that have had Windows installed (which is the case for probably all machines with Windows preinstalled).
Change keyboard layout and connect to internet
This is just an example, since I use the German keyboard layout; you can use any available keyboard layout found under /usr/share/kbd/keymaps/.
loadkeys de-latin1
Sets the German keyboard layout ("y" = "z" and "-" = "ß").
wifi-menu
A dialog for connecting to nearby Wi-Fi if ethernet is not an option.
Create partitions
First of all, 99% of my doc comes directly from the Arch Wiki, thanks to it and especially the section Encrypting an entire system.
So let's start with creating the partitions. I use fdisk to comfortably create my three needed partitions: EFI, data and swap. Since I have an NVMe SSD installed, the commands follow my own system specs.
fdisk /dev/nvme0n1
Commands within fdisk are listed with `m`; it's quite intuitive.
- create a new GPT partition table for UEFI boot (`g`)
- 1st partition = EFI System, 550MiB (`n` > 'Enter' > 'Enter' > `+550M` > 'Enter' > `t` > `1`)
- 2nd partition = Linux filesystem, (size of RAM + 2GB) for encrypted swap (`n` > 'Enter' > 'Enter' > `+16G` > 'Enter' > `t` > `19`)
(NOTE: `+16G` = (16GiB - 2GiB (for integrated graphics on the Lenovo ThinkPad E495)) + 2 GiB. Regarding swap necessity there are numerous discussions and several different conclusions, for example see here and here. I decided for myself that a moderate swap space doesn't hurt, so I add it.)
- 3rd partition = Linux filesystem, rest of space available (`n` > 'Enter' > 'Enter' > 'Enter' > 'Enter')
`p` shows the changes to the disk. If you feel comfortable with your job you can type `w` to write the changes to the disk.
(NOTE: This will delete the old partition table and partitions; any old data is most likely lost.)
Encrypt data partition
NOTE: GRUB2 only supports LUKS1 encryption of /boot (and is the only bootloader to support encryption of /boot at all, which is why I use it) as of Dec 2019! The default type for cryptsetup, i.e. using cryptsetup without the `--type` option, is luks2. To see the progress on GRUB2 supporting LUKS2 go here.
cryptsetup -v --type luks1 --cipher aes-xts-plain64 --key-size 256 --hash sha256 --iter-time 2000 --use-urandom --verify-passphrase luksFormat /dev/nvme0n1p3
Every option except `--type luks1` is optional, since the others are the defaults. See the Arch Wiki for the options and defaults. You will be prompted twice for a password.
Open encrypted container and name it
Command | Description |
---|---|
cryptsetup open /dev/nvme0n1p3 cryptroot | Open encrypted drive, name it cryptroot |
Format partitions
EFI has to be FAT32 and for our data partition we use btrfs.
mkfs.vfat -F32 -n EFI /dev/nvme0n1p1
(/dev/sda1 on non-NVMe) You can also use `mkfs.fat`; `mkfs.vfat` is in fact a symlink to `mkfs.fat`. The `-F32` makes it FAT32, which is needed for filesystems from 512MiB up to 2GiB. The `-n` labels the partition 'EFI' and is optional. The EFI system partition must not be encrypted! To learn more about FAT go here for a short version and here for the FAT page of the Arch Wiki.
mkfs.btrfs -L btrfs_main /dev/mapper/cryptroot
The filesystem goes onto the opened container /dev/mapper/cryptroot, not onto /dev/nvme0n1p3 itself; formatting the raw partition would overwrite the LUKS header you just created. The `-L` labels the filesystem "btrfs_main". It is optional. This is the btrfs filesystem inside the encrypted container, holding root, home and .snapshots.
Create subvolumes within device-mapper
Mount the device-mapper cryptroot to /mnt.
Command | Description |
---|---|
mount /dev/mapper/cryptroot /mnt | Mount decrypted device to /mnt |
Create subvolumes
Create subvolumes at /mnt, at least one for root and one for home.
Command | Description |
---|---|
btrfs subvolume create /mnt/@ | This will be the root subvolume. |
btrfs subvolume create /mnt/@home | This will be the home subvolume. |
btrfs subvolume create /mnt/@snapshots | This will contain our snapshots. |
You can choose yourself how to name the subvolumes. To distinguish them from physical partitions I use "@", but you can also use something like "__" (two underscores). Refer to the wiki or the sysadmin guide.
Create mount-points and mount subvolumes
mount -o compress=lzo,subvol=@ /dev/mapper/cryptroot /mnt
mkdir /mnt/home
mount -o compress=lzo,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/.snapshots
mount -o compress=lzo,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
Install packages into root-subvolume
pacstrap /mnt base base-devel efibootmgr grub-efi-x86_64 btrfs-progs dialog amd-ucode linux linux-firmware bash-completion vim dkms git linux-headers mesa xf86-video-amdgpu dosfstools netctl
Packages were chosen for my Lenovo E495 and depend on the hardware and the overall setup. They are not all necessary.
However, I recommend at least all packages up to `bash-completion`.
Install Guide
Follow the Arch Linux installation guide up to the point Initramfs.
Note: when generating the /etc/fstab make sure to have mounted all partitions and subvolumes in their final place, e.g. /dev/nvme0n1p1 at /efi. Otherwise you would have to correct the entries manually afterwards.
genfstab -U /mnt >> /mnt/etc/fstab
creates the entries with their UUIDs, which I recommend. See my final fstab for comparison.
Modify mkinitcpio.conf for encryption and btrfs
We need to modify the config file that controls how the initramfs image is created, like so:
vim /etc/mkinitcpio.conf
Instead of `vim` you can of course use whatever editor you like.
We need to add the `encrypt` hook. The hooks need to be loaded in the correct order to work, so the line looks like this:
HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)
Optionally, also add the path to the btrfs tool to be able to recover from disastrous btrfs failures at boot (never seen any, but the documentation says they exist).
BINARIES=("/usr/bin/btrfs")
Also see the whole mkinitcpio.conf.
Set up a USB key for decrypting the data partition
In this setup our /boot resides on the encrypted data partition. So at startup you have to enter your password for the EFI bootloader to access GRUB (there is no way around this, except having /boot unencrypted). Then, at the initramfs loading stage, the system has to mount the encrypted partition again, so you need to enter the password a second time... or in GRUB you refer to a keyfile instead of a password.
This spares you entering your password twice at boot.
I did this from within the arch-chroot, which is why I installed `dosfstools`. Since they are part of the archiso install media, you can also create the USB key directly from there.
fdisk /dev/sdb
mkfs.fat -F32 -n CRYPTUSB /dev/sdb1
Create a mount-point for the key and mount it
mkdir /mnt/CRYPTUSB
mount /dev/sdb1 /mnt/CRYPTUSB
Create a keyfile for cryptroot and write it onto the stick
dd bs=512 count=4 if=/dev/random of=/mnt/CRYPTUSB/crypto_keyfile iflag=fullblock
Refer to the Arch Wiki again.
Permit readability only to root
chmod 600 /mnt/CRYPTUSB/crypto_keyfile
Note that FAT stores no owner or permission bits: on a vfat mount the visible mode comes from the mount options (uid, gid, umask/fmask), not from chmod, so what actually protects the key is physical custody of the stick, since anyone holding it can unlock the container.
Add the keyfile to a LUKS keyslot
cryptsetup luksAddKey /dev/nvme0n1p3 /mnt/CRYPTUSB/crypto_keyfile
Within mkinitcpio.conf you have to add the `vfat` module so the USB key can be accessed from the initramfs:
MODULES=(amdgpu vfat)
The amdgpu module is for the Ryzen graphics card.
Modify GRUB for encryption and to unlock cryptroot with keyfile
vim /etc/default/grub
If there is no such file, you first have to install the grub package.
Edit the default kernel command line:
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=cc363e8e-ef59-4033-bdf6-b7efc6319bdb:cryptroot cryptkey=/dev/disk/by-uuid/C4F0-A67A:vfat:/crypto_keyfile root=/dev/mapper/cryptroot amd_iommu=pt ivrs_ioapic[32]=00:14.0 acpi_backlight=vendor"
Note: the UUID in `cryptdevice=UUID=` is the UUID of /dev/nvme0n1p3, not of /dev/mapper/cryptroot. You find it with `blkid`. There you also find the UUID of the USB key referred to by the `cryptkey=` kernel option. Since you have more than one USB slot and probably also more than one USB device, I advise addressing it by its UUID. Also consult the Arch Wiki.
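To catch the mismatches this section warns about before the first reboot, here is an added sanity check (example code, not from this wiki): it reads a copy of /etc/default/grub, saved blkid output and mkinitcpio.conf and verifies that cryptdevice names a crypto_LUKS device rather than the mapper, that root= matches the mapper name, that the cryptkey device and its filesystem module are present, that the hook order is right, and that GRUB_ENABLE_CRYPTODISK=y is set, which grub-install needs to build an image able to open the LUKS1 container holding /boot. The file names, function names and sample contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): offline check that the values the encrypt
# hook and GRUB depend on agree. It reads copies of /etc/default/grub, saved
# blkid output and mkinitcpio.conf; file and function names are assumptions.
# cmdline_param GRUB_FILE NAME: print VALUE of NAME=VALUE from GRUB_CMDLINE_LINUX_DEFAULT
cmdline_param() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/\1/p' "$1" |
        tr ' ' '\n' | sed -n "s/^$2=//p"
}
# check_grub_crypt GRUB_FILE BLKID_FILE MKINITCPIO_FILE: 0 only if every check passes
check_grub_crypt() {
    rc=0; cryptdev=$(cmdline_param "$1" cryptdevice)   # UUID=<uuid>:<mapper name>
    luks_uuid=${cryptdev#UUID=}; luks_uuid=${luks_uuid%%:*}; mapper=${cryptdev#*:}
    # cryptdevice must name the raw LUKS partition, never /dev/mapper/<name>
    grep -q "UUID=\"$luks_uuid\".*TYPE=\"crypto_LUKS\"" "$2" ||
        { echo "cryptdevice UUID $luks_uuid is not a crypto_LUKS device"; rc=1; }
    # root= must point at the mapper name chosen in cryptdevice
    [ "$(cmdline_param "$1" root)" = "/dev/mapper/$mapper" ] ||
        { echo "root= does not match mapper name $mapper"; rc=1; }
    # cryptkey=<device>:<fstype>:<path>; that device must exist with that fstype
    cryptkey=$(cmdline_param "$1" cryptkey)
    keydev=${cryptkey%%:*}; rest=${cryptkey#*:}; keyfs=${rest%%:*}
    key_uuid=${keydev#/dev/disk/by-uuid/}
    grep -q "UUID=\"$key_uuid\".*TYPE=\"$keyfs\"" "$2" ||
        { echo "cryptkey device $key_uuid with TYPE=$keyfs not found"; rc=1; }
    # the initramfs needs the key device's filesystem module ...
    mods=" $(sed -n 's/^MODULES=(\(.*\))/\1/p' "$3") "
    case "$mods" in *" $keyfs "*) ;; *) echo "MODULES= lacks $keyfs"; rc=1 ;; esac
    # ... and encrypt must come after block and before filesystems in HOOKS
    hooks=" $(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$3") "
    case "$hooks" in *" block"*" encrypt"*" filesystems"*) ;;
        *) echo "HOOKS need block, then encrypt, then filesystems"; rc=1 ;; esac
    # GRUB can only open the LUKS1 container holding /boot when this is set
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$1" ||
        { echo "GRUB_ENABLE_CRYPTODISK=y missing from $1"; rc=1; }
    return $rc
}
# write_samples DIR: constructed inputs using this page's UUIDs and config lines
write_samples() {
    printf '%s\n' 'GRUB_ENABLE_CRYPTODISK=y' \
      'GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=cc363e8e-ef59-4033-bdf6-b7efc6319bdb:cryptroot cryptkey=/dev/disk/by-uuid/C4F0-A67A:vfat:/crypto_keyfile root=/dev/mapper/cryptroot amd_iommu=pt"' > "$1/grub"
    printf '%s\n' '/dev/nvme0n1p3: UUID="cc363e8e-ef59-4033-bdf6-b7efc6319bdb" TYPE="crypto_LUKS"' \
      '/dev/sdb1: LABEL="CRYPTUSB" UUID="C4F0-A67A" TYPE="vfat"' > "$1/blkid"
    printf '%s\n' 'MODULES=(amdgpu vfat)' \
      'HOOKS=(base udev autodetect keyboard keymap modconf block encrypt filesystems fsck)' > "$1/mkinitcpio.conf"
}
dir=$(mktemp -d); write_samples "$dir"
check_grub_crypt "$dir/grub" "$dir/blkid" "$dir/mkinitcpio.conf" && echo "all checks passed"
```

On a real system, feed it copies of the live files and `blkid > blkid.txt` taken from inside the chroot.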
Install GRUB-EFI-application to ESP
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=arch_grub --recheck --debug
See the Arch Wiki for help.
Correct any errors that might occur, as this is essential for a working system!
Generate GRUB
grub-mkconfig -o /boot/grub/grub.cfg
This is another crucial step, so make sure no errors occur.
Set root password
If not done yet, create a root password with the command `passwd`.
Encrypted swap partition
We don't have a swap partition yet. Swap is not strictly necessary for a system to run and there are lots of differing recommendations; we created the partition earlier and now we configure it for use.
Whether to encrypt the swap is something everyone has to decide for themselves. Most likely my swap partition will never be used, since I have more than enough RAM for my expected use cases. An unencrypted swap is as easy as this: `swapon /dev/nvme0n1p2`, and don't forget to add the fstab entry.
Encrypting the swap needs a few more steps.
Hibernation or not?
If the swap is to be encrypted, it has to be re-created with random data on every boot, to ensure no data can be read from it.
There will not be a guide for encrypted swap with hibernation/suspend-to-disk support, due to the number of warnings everywhere that it is insecure as hell and can cause data loss as easily as closing the lid and opening it up again. Plus, I don't need hibernation, I'm from the old "poweroff" school.
If you want to hibernate or suspend to disk despite all warnings, go ahead and try your luck!
Create encrypted swap partition without hibernation or suspend-to-disk
Create a small filesystem on the existing swap partition just to have a persistent UUID or LABEL for the swap, which will be re-created and re-encrypted on every boot and therefore gets a new UUID each time.
mkfs.ext2 -L cryptswap /dev/nvme0n1p2 1M
Note: the 1M means this filesystem is just 1MiB, leaving enough space for the swap behind it. This is more than enough for only holding a persistent UUID. The `-L` leaves us the choice of using either the UUID or the LABEL of the placeholder in /etc/fstab later.
Note: if /dev/nvme0n1p2 was (accidentally) encrypted with LUKS already, the LUKS header has to be wiped first.
head -c 1052672 /dev/urandom > /dev/nvme0n1p2
"A LUKS1 header with one single default 256 bit size keyslot is 1024 KiB in size. It is advised to also overwrite the first 4 KiB written by dm-crypt, so 1028 KiB have to be wiped. That is 1052672 Byte."
You can of course overwrite a bigger part:
dd if=/dev/urandom of=/dev/nvme0n1p2 bs=512 count=40960
to overwrite the first 20MiB of the partition.
See the Arch Wiki for reference.
Recreate LABEL or UUID-placeholder
mkfs.ext2 -L cryptswap /dev/nvme0n1p2 1M
Modify crypttab
Modify fstab for cryptswap
Read the UUID or LABEL of the ext2 placeholder with `blkid` and create an entry in /etc/fstab.
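As an added example (not from the wiki page), the crypttab and fstab lines for this placeholder scheme, derived from the placeholder size following the Arch Wiki dm-crypt/Swap encryption approach: the decisive detail is offset=, which keeps dm-crypt from overwriting the 1MiB ext2 filesystem (and with it LABEL=cryptswap) on the first boot. The mapper name `swap` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the crypttab and fstab lines
# for the random-key swap from the size of the ext2 placeholder, and check an
# existing crypttab line for the offset that keeps dm-crypt off the placeholder.
# Follows the Arch Wiki dm-crypt/Swap encryption scheme; names are assumptions.

# swap_offset_sectors PLACEHOLDER_BYTES: first 512-byte sector after the placeholder.
swap_offset_sectors() {
    echo $(( $1 / 512 ))
}

# crypttab_entry NAME LABEL PLACEHOLDER_BYTES: /etc/crypttab line. LABEL is the
# one mkfs.ext2 -L wrote, so it stays stable across reboots; offset= skips the
# placeholder, size= is the key size in bits for the random key from /dev/urandom.
crypttab_entry() {
    printf '%s LABEL=%s /dev/urandom swap,offset=%s,cipher=aes-xts-plain64,size=256\n' \
        "$1" "$2" "$(swap_offset_sectors "$3")"
}

# fstab_entry NAME: fstab activates the decrypted mapper device, not the partition.
fstab_entry() {
    printf '/dev/mapper/%s none swap defaults 0 0\n' "$1"
}

# crypttab_offset_ok LINE PLACEHOLDER_BYTES: 0 if LINE carries an offset= that
# starts at or after the end of the placeholder. Without it, the first boot
# overwrites the ext2 superblock and LABEL=cryptswap is gone on the next one.
crypttab_offset_ok() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    off=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^offset=//p')
    [ -n "$off" ] && [ "$off" -ge "$(swap_offset_sectors "$2")" ]
}

# Constructed demo with this page's 1 MiB placeholder (mkfs.ext2 ... 1M).
crypttab_entry swap cryptswap $((1024 * 1024))   # offset=2048
fstab_entry swap
```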
Finally generate initramfs with modified mkinitcpio.conf
mkinitcpio -p linux
No errors or warnings should appear during image generation, or your system will probably not boot correctly.
Exit the arch-chroot by simply typing `exit`.
Unmount all partitions:
umount -R /mnt
Reboot system and boot from hard-disk
reboot
Optional Steps
Setting up secure-boot
The easy way with signed keys and PreLoader
For secure boot (sb) in this guide I use PreLoader. It is a simple-to-set-up tool that does its job: it signs your bootloaders and prohibits executing unsigned ones.
All you have to do is follow this guide from the Arch Wiki.
Load the keys
Download preloader-signed from the AUR or load the keys manually from here.
Copy PreLoader.efi and HashTool.efi into the /efi/EFI/arch_grub/ directory and rename bootx64.efi to loader.efi.
Now simply reboot, choose Setup Mode for secure boot in the UEFI, and you will be taken to the PreLoader signing menu where you can sign your bootloaders. Just follow the on-screen instructions.
After that you can set the secure boot mode back to its default User Mode.
Up-to-date Pacman-mirrors: reflector
In the Arch Wiki install guide there is a nice and comfy link explaining how to set up a pacman mirror list that is not just up to date but also country-specific and picks the fastest mirrors for your location.