Table of Contents
Before the installation
Save things that you need to be saved
- The public and private GPG keys:
gpg --export --armor > public.key
gpg --export-secret-key --armor > private.key- Your shared GPG and SSH files.
- Your data.
REMEMBER: if you have some dotfiles or other projects in your PC, make sure that you have pushed your changes.
Make sure the drive security is not frozen
If you are running a pre-installed system, you can cleaning all the storage (in my case, a SSD NVMe), you can wipe your storage to clean all things inside it. To do it on a SSD NVMe, you can do these things:
Run the following command:
nvme id-ctrl /dev/nvme0 -H |grep "Format \|Crypto Erase\|Sanitize"Erase all data from your storage (SSD NVMe)
You can run the ‘nvme sanitize` command to erase all data from the storage. You can see an example of the command here:
nvme sanitize <device> -a <action>The possible actions that you can use is:
-a <action>
--sanact=<action>
Sanitize Action
000b - Reserved
001b - Exit Failure Mode
010b - Start a Block Erase sanitize operation
011b - Start an Overwrite sanitize operation
100b - Start a Crypto Erase sanitize operationATTENTION: When you running the sanitize command, you should replace your
binary value by their decimal part, e.g. 000b = 0, 001b = 1, 010b = 2, etc…
References
Wipe on an Empty Disk
Create a temporary encrypted container on the complete device to be encrypted
cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1 to_be_wipedWipe the container with zeros
dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=4096 status=progressInstallation
Disk partitioning (UEFI)
The partiotining that follows the concerns the UEFI installation.
Introduction
First of all, I have differente names for the partitions, but don’t be lost for so little:
| Mount point | Partition name | Partition type | Bootable flags | Size |
|---|---|---|---|---|
| /boot | /dev/nvme0n1p1 | EFI System | Yes | 1 Gb |
| / | /dev/nvme0n1p2 | Linux LVM | No | Remainder of the device |
Where / will be a LVM-encrypted partition having a group volume containing a
physical volume and rootas a logical volume.
Finally, as mentioned in the introduction, we will format the / volume as Btrfs
and create two sub-volume:
/rootswap/home
Creation of the File System
In order to know the name of your disk, it is necessary to list the partition tables for the specified device:
fdisk -lLet’s select our disk to build the table:
cfdisk /dev/nvme0n1Then create a new empty GPTpartition table.
And now, you can setup all the partiions in a “visual” way.
Setup the Disk Encryption
In order to enable disk encryption, we will first create a root LUKS volume, open it and then format it.
In a brief explaination, LUKS is a container format that will be used to encrypt containers, where our encryption key will be stored.
Creation of a root LUKS volume
To encrypt our / partition, we will use the cryptsetup tool:
cryptsetup --hash sha512 --use-random --verify-passhphrase luksFormat /dev/nvme0n1p2
Are you sure? YES
Enter passhphrase (twice)Opening the root LUKS volume as block device
The / partition being encrypted, we will open the LUKS container on /dev/nvme0n1p2
disk and name it cryptlvm:
cryptsetup open /dev/nvme0n1p2 cryptlvm
Enter passhphraseThe decrypted container is now available at /dev/mapper/cryptlvm.
Setup the LVM
LVM is a logical volume manager for the Linux kernel. It is thank to to it that we can easily resize our partitions if necessary.
Create a physical volume on top of the opened LUKS container
pvcreate /dev/mapper/cryptlvmAdd the previously created physical volume to a volume group
vgcreate vg /dev/mapper/cryptlvmCreate the swap logical volume on the volume group
Create the root logical volume on the volume group
lvcreate -l 100%FREE vg -n rootFormatting the filesystem
mkfs.fat -F32 /dev/nvme0n1p1
mkfs.btrfs -L btrfs /dev/mapper/vg-rootBtrfs subvolumes
Subvolumes are part of the filesystem with its own and independnet file/directory hierarchy, where each subvolume can share file extents.
Create Btrfs subvolumes
mount /dev/mapper/vg-root /mnt
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
umount /mntMounting Btrfs subvolumes
SSD_MOUNTS="autodefrag,compress=lzo,discard,noatime,nodev,rw,space_cache,ssd"
mount -o subvol=root,$SSD_MOUNTS /dev/mapper/vg-root /mnt
mkdir -p /mnt/{boot,home}
mount -o discard,noatime,nodev,noexec,nosuid,rw /dev/nvme0n1p1 /mnt/boot
mount -o $SSD_MOUNTS,nosuid,subvol=homeSome details about the option on -o flag:
autodefrag: enable automatic file defragmentation for small random writes in files with a maximum file size of 64K;compress=lzo: compresses files with the lzo type which is a lossless data compression algorithm that is focused on decompression speed;discard: enable discarding of freed file blocks using TRIM operation (useful for SSD devices);noatime: allows measurable performance gains by eliminating the need for the system to write to the file system for files that are simply read;nodev: disallows creating and accessing device nodes (used in particular for special files in /dev);noexec: does not allow the execution of executable binaries in the mounted file system;nosuid: specifies that the filesystem cannot contain set userid files;rw: allows reading and writing;space_cache: control the free space cache. This greatly improves performance when reading block group free space into memory;ssd: by default,Btrfswill enable or disable SSD allocation heuristics depending on whether a rotational or non-rotational device is in use.
Base system
Update the mirrors
pacman -S reflector
reflector --threads 8 --protocol http --protocol https --verbose --sort rate --country Brazil --save /etc/pacman.d/mirrorlistInstallation of the packages onto a given root file system
pacstrap /mnt base linux-firmware linux-zen lvm2 sudo man-db base-devel linux-tools git hdsentinel fwupd sudoConfiguration of the system
We will configure the system base in order to have a decent environment.
Generate a fstab file
genfstab -U /mnt >> /mnt/etc/fstabChange root into the new system
arch-chroot /mntCreate the swap file
To create the swap file, we will create a zero length file, set the No_COW attribute
and make sure compression is disabled:
truncate -s 0 /swapfile
chattr +C /swapfile
btrfs property set /swapfile compression noneIs recommended to set the size of swap file being 4-8GB if you don’t intend to use hibernation (suspend-to-disk):
dd if=/dev/zero of=/swapfile bs=1M count=16384 status=progress && syncSet the permission for the file (a world-readable swap file is a huge local vulnerability):
chmod 600 /swapfileFormat the /swapfile file to swap and activate it:
mkswap /swapfile
swapon /swapfileFinally, add an entry for the swap file in the fstab:
echo "/swapfile none swap defaults 0 0" >> /etc/fstabSet the timezone
Install the Network Time Protocol and enable it as daemon:
pacman -S ntp
systemctl enable ntpdCreate a symlink of the timezone:
ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtimeGenerate /etc/adjtime:
hwclock --systohcNetwork configuration
Install and enable network management daemon:
pacman -S networkmanager
systemctl enable NetworkManagerSo add a hostname to the machine:
echo ThinkPad > /etc/hostnameNOTE: Remember that you can replace ThinkPad with whatever you like.
Add matching entries to /etc/hosts:
127.0.0.1 localhost
::1 localhost
127.0.1.1 ThinkPad.localdomain ThinkPadSet the root passsword
passwdCreate the main user
useradd -mG storage,wheel -s /bin/bash someone
passwd someoneFinally, change the /etc/sudoers file according to the config that you want
to deal with sudo command.
Create a initial ramdisk environment
nano /etc/mkinitcpio.confYou should the HOOKS field with these things:
...
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt lvm2 filesystems btrfs)
...Finally, recreate the initramfsimage:
mkinitcpio -p linux-zenSetup the boot manager
Install systemd-boot into the EFI system partition
bootctl installConfiguring the loader
On /boot/loader/loader.confinsert this:
default arch
timeout 10
console-mode max
editor noSome details about the parameters:
default: default entry to select;timeout: menu timeout in second, useful to allow people who have multiple operating systems;console-mode: changes UEFI console mode;editor: whether to enable the kernel parameters editor or not. Strongly recommended to set this option to no to avoid bypass root password and gain root access.
Adding the loader
First install the microcode:
pacman -S amd-ucodeAfter it, insert on /boot/loader/entries/arch.conf this:
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=$(blkid /dev/nvme0n1p2 -s UUID -o value)=cryptlvm rd.luks.options=discard root=/dev/mapper/vg-root resume=/dev/mapper/vg-root rootfstype=btrfs resume_offset=$(filefrag -v /swapfile | sed '4q;d' | awk '{print $4}' | cut -d'.' -f1) quiet nowatchdog splash rwGraphical environment
Install the window manager
First of all, install xorg:
pacman -S xorg-serverFinally, install the xmonad:
pacman -S xmonad xmonad-contribInstall a display manager
pacman -S lightdm
systemctl enable lightdmInstall a AUR helper
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -sri
cd .. && rm -r yayKeyring
pacman -S gnome-keyring seahorseTerminal
pacman -S alacritty tmuxShell
pacman -S fishImage manipulations
pacman -S gimp inkscapeNTFS
pacman -S ntfs-3gSound system
pacman -S pulseaudio alsa-utils pavucontrol alsamixerOther
In order to save the read and write cycles of the SSD and thus extend the lifetime of the SSD, the browser profile can be moved in RAM with profile-sync-daemon:
pacman -S profile-sync-daemonFinally, enable and activate the service:
systemctl --user enable psd --nowAfter installation
Enable fstrim
First enable and start fstrim timer. On Arch-based system you can do it running
this commands:
sudo systemctl enable fstrim.timer
sudo systemctl start fstrim.timerAfter this, if you running with LUKS encryption, you should add some things on
the Arch entry from systemd-boot, inside /boot/loader/entries/arch.conf, add it:
...
options rd.luks.name=<UUID>=cryptlvm ... rd.luks.options=discard
...Reboot the system. And now, you can check if it’s running correctly executing this
command: lsblk --discard. If has no-zero entries on DISC-GRAN and DISC-MAX
columns means TRIM is enabled.
References
Disable watchdog
Append on your boot parameters (probably /boot/loader/entries/arch.conf) the following option:
...
options rd.luks.name=<UUID>=cryptlvm ... nowatchdog
...After it, you can optionally disable the loading of the module responsible of the hardware watchdog, too. Do it blacklisting the related module.
Creating a .conf inside /etc/modprobe.d/ and append a line for the module you
want to blacklist with blacklist keyword. Here an example:
# /etc/modprobe.d/nowatchdog.conf
blacklist iTCO_wdtReferences
Troubleshooting
Thinkpad T14 Gen 1 Brazillian keyboard layout
If you are using this installation on a Thinkpad T14 Gen 1 with a Brazillian keyboard layout (ABNT2) like me, you should use this rule to turns the keyboard usable. You should run this command:
setxkbmap -model thinkpad60 -layout br -variant anbt2Or just paste the “text” below on the following path: /etc/X11/xorg.conf.d:
Section "InputClass"
Identifier "system-keyboard"
MatchIsKeyboard "on"
Option "XkbLayout" "br"
Option "XkbModel" "thinkpad60"
Option "XkbVariant" "abnt2"
EndSectionOther installation tutorials
- GitHub: rememberYou/dotfiles
- Manjaro UEFI using systemd-boot, LUKS and btrfs
- Installing Arch Linux with Btrfs, systemd-boot and LUKS
- Arch Linux, with LUKS, btrfs, systemd-homed, systemd-oomd, zram swap, encrypted DNS
- Install Arch Linux with full encrypted btrfs subvolume inside luks
- EduardoRFS’s gist: arch-tutorial.md
- Arch Linux with LUKS and (almost) no configuration
- ARCH LINUX - UEFI, SYSTEMD-BOOT, LUKS, AND BTRFS
- Arch Linux install with BTRFS and encrypted root
- ArchWiki: User:M0p/LUKS Root on Btrfs
- Install Arch Linux w/ LVM + LUKS + Systemd-boot