Arch Linux ciphered install
In my opinion, Arch Linux is the greatest rolling-release distribution. What pushes me to say this is that if you want to build a totally custom distribution, it’s possible (and it’s made for that). Let’s dive right in.
Information and requirements
Take these elements into consideration when following this article:
- The following steps are performed on my laptop, which has an NVMe drive (you will understand later).
- The installation is a monoboot (no shitty Windows alongside).
- I assume that the computer or laptop that will receive the installation is directly connected to your router.
Prepare the USB key
Download the image
Download the latest image here.
Check the file integrity
At the moment of writing this article, it is the August release (2022.08.05). The SHA-256 digest is 187cf50f8f0619426e98835fdeaa4f3b3dd6a3471b2efc496f50d25ffe0e19db.
[adrien@laptop ~]$ curl -LOsSf https://mirror.archlinux.ikoula.com/iso/2022.08.05/archlinux-2022.08.05-x86_64.iso
[adrien@laptop ~]$ sha256sum archlinux-2022.08.05-x86_64.iso
187cf50f8f0619426e98835fdeaa4f3b3dd6a3471b2efc496f50d25ffe0e19db archlinux-2022.08.05-x86_64.iso
The file is good. Let’s continue.
Write the image
Plug in your USB key and locate it (use sudo fdisk -l). Mine is /dev/sda.
[adrien@laptop ~]$ sudo dd if=archlinux-2022.08.05-x86_64.iso of=/dev/sda status=progress
Wait until the end. When it’s done, plug the USB key into your computer or laptop and boot from it.
Installation
Once the boot process is done, you are directly connected as root. The installation can begin.
Keyboard mapping
I have a French keyboard, let’s change it.
root@archiso ~ # loadkeys fr
Synchronize packages
root@archiso ~ # pacman -Syyy
Rank mirrors for download speed
Mirrors are the servers you download packages from. If you rank them by the country where you are, you’ll download packages faster.
root@archiso ~ # reflector -c France -a 6 -p https --sort rate --save /etc/pacman.d/mirrorlist
Change the country to match your location.
Synchronize packages again.
root@archiso ~ # pacman -Syyy
Disk modification
List disk’s details.
root@archiso ~ # fdisk -l
My disk is located at /dev/nvme0n1, yours can be at /dev/sda if you have an SSD. Once you’ve executed the first statement, fdisk acts like a prompt: send it the commands below (except the ones surrounded with <>, where you have to press the specified key). Do not type the elements in parentheses, they are just brief explanations for you.
root@archiso ~ # fdisk /dev/nvme0n1
p (show partitions)
g (use GPT partitioning style)
n (create the EFI partition)
<ENTER>
<ENTER>
+512M
t
1 (set partition type to EFI System)
n (create the boot partition)
<ENTER>
<ENTER>
+512M
n (create the LVM partition)
<ENTER>
<ENTER>
<ENTER> (it takes the space available)
t
<ENTER>
30 (set partition type to Linux LVM)
w (write changes)
Format the new partitions
The partition /dev/nvme0n1p1 is the EFI partition, format it in FAT32.
root@archiso ~ # mkfs.fat -F32 /dev/nvme0n1p1
The partition /dev/nvme0n1p2 is the Linux filesystem that will be mounted on /boot, format it in Ext4.
root@archiso ~ # mkfs.ext4 /dev/nvme0n1p2
Setup the disk encryption
We are going to use LUKS (Linux Unified Key Setup) because it’s a great disk encryption specification.
root@archiso ~ # cryptsetup luksFormat --use-random /dev/nvme0n1p3
YES
<passphrase>
<confirm>
root@archiso ~ # cryptsetup open --type=luks /dev/nvme0n1p3 lvm
<passphrase>
Initialize physical volumes and volume group
Because we use LVM (Logical Volume Manager), we have to set up a physical volume.
root@archiso ~ # pvcreate --dataalignment 1m /dev/mapper/lvm
root@archiso ~ # vgcreate volgroup /dev/mapper/lvm
root@archiso ~ # lvcreate -L 100GB volgroup -n lv_root
root@archiso ~ # lvcreate -l 100%FREE volgroup -n lv_home
Our volume group (to manipulate our logical volumes) is called volgroup (but you can call it whatever you want). We have two logical volumes, lv_root for the root filesystem and lv_home for the home filesystem. Obviously, you can give them the names you want.
Format the new logical volumes
root@archiso ~ # mkfs.ext4 /dev/volgroup/lv_root
root@archiso ~ # mkfs.ext4 /dev/volgroup/lv_home
Mount the devices
root@archiso ~ # mount /dev/volgroup/lv_root /mnt
root@archiso ~ # mkdir /mnt/home
root@archiso ~ # mount /dev/volgroup/lv_home /mnt/home
root@archiso ~ # mkdir /mnt/boot
root@archiso ~ # mount /dev/nvme0n1p2 /mnt/boot
root@archiso ~ # mkdir /mnt/etc
Generate the filesystem table (fstab)
root@archiso ~ # genfstab -U -p /mnt >> /mnt/etc/fstab
Install essential packages
Use the pacstrap script to install the base and base-devel packages. The Linux kernel and the firmware for common hardware are installed after the chroot.
root@archiso ~ # pacstrap -i /mnt base base-devel
Chroot
Change root in the new filesystem.
root@archiso ~ # arch-chroot /mnt/
Install the kernel
root@archiso ~ # pacman -S linux linux-headers linux-firmware
Install useful packages
root@archiso ~ # pacman -S wpa_supplicant wireless_tools netctl dialog lvm2 dhcpcd git vim
Modify the initramfs configuration
Because our filesystem is encrypted, we have to modify the hooks. Add encrypt and lvm2 to the HOOKS array of the /etc/mkinitcpio.conf file, between block and filesystems. The line concerned should look like the following statement.
root@archiso ~ # grep HOOKS /etc/mkinitcpio.conf | tail -1
HOOKS=(base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck)
Create the initramfs
Initramfs is a scheme for loading a temporary root filesystem into memory, which may be used as part of the Linux startup process.
root@archiso ~ # mkinitcpio -p linux
Modify and generate the locale
I want to set my locale to en_US.UTF-8. If you don’t know which locale to use, I advise you to open the file and find the one that fits you. Don’t use sed if you don’t know what you are doing, to avoid breaking the file.
root@archiso ~ # sed -i "s/#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/" /etc/locale.gen
root@archiso ~ # locale-gen
Modify the root password
root@archiso ~ # passwd
Add your user
Choose your own username at the end of the following statement.
root@archiso ~ # useradd -m -g users -G wheel <username>
Then, define your password.
root@archiso ~ # passwd <username>
Give yourself sudo access
If you want to be able to install packages, connect to a Wi-Fi network and much more, I advise you to uncomment the line starting with %wheel. By doing this, you allow users in the wheel group (we did this earlier with -G wheel) to execute the sudo command.
root@archiso ~ # visudo
%wheel ALL=(ALL) ALL
The visudo command locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.
Install bootloader related stuff
GRUB is going to be our bootloader.
root@archiso ~ # pacman -S grub efibootmgr dosfstools os-prober mtools
Edit the GRUB configuration
In the same way that we edited the hooks for the initramfs, we have to edit the bootloader configuration to tell GRUB that we have an encrypted filesystem. Add cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards to the GRUB_CMDLINE_LINUX_DEFAULT variable. Make sure that you type it exactly, otherwise your system won’t boot.
root@archiso ~ # grep "GRUB_CMDLINE_LINUX_DEFAULT" /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:volgroup:allow-discards quiet"
Uncomment GRUB_ENABLE_CRYPTODISK=y in the /etc/default/grub file. The line concerned should look like the following statement.
root@archiso ~ # grep "GRUB_ENABLE_CRYPTODISK" /etc/default/grub
GRUB_ENABLE_CRYPTODISK=y
If set to y, grub-mkconfig and grub-install will check for encrypted disks and generate additional commands needed to access them during boot. Note that in this case unattended boot is not possible because GRUB will wait for the passphrase to unlock the encrypted container.
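A sanity check for the two boot-critical edits above (the HOOKS order in /etc/mkinitcpio.conf and the cryptdevice= parameter in /etc/default/grub), as an added example that is not part of the original article. The function names are made up for this sketch, and the file paths are passed as arguments so it can be run inside the chroot, or on copies, before rebooting.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# Usage: sh check-boot-config.sh /etc/mkinitcpio.conf /etc/default/grub

# Print the hooks of the last uncommented HOOKS=(...) line, one per line.
hooks_of() {
    grep -E '^HOOKS=\(' "$1" | tail -n 1 |
        sed -e 's/^HOOKS=(//' -e 's/).*$//' | tr -s ' ' '\n'
}

# Succeed if hook $2 appears before hook $3 in file $1 (both must be present).
hook_before() {
    a=$(hooks_of "$1" | grep -nx "$2" | head -n 1 | cut -d: -f1)
    b=$(hooks_of "$1" | grep -nx "$3" | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# The order the article's HOOKS line uses: block, encrypt, lvm2, filesystems.
check_hooks() {
    hook_before "$1" block encrypt &&
        hook_before "$1" encrypt lvm2 &&
        hook_before "$1" lvm2 filesystems
}

# Print the cryptdevice= value from GRUB_CMDLINE_LINUX_DEFAULT in file $1.
cryptdevice_of() {
    grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1" | tail -n 1 |
        tr ' "' '\n\n' | sed -n 's/^cryptdevice=//p'
}

# Succeed if the value is <device>:<mapper name>[:<options>] and, when a
# second argument is given, <device> equals it.
check_cryptdevice() {
    val=$(cryptdevice_of "$1")
    dev=${val%%:*}
    rest=${val#*:}
    name=${rest%%:*}
    [ -n "$dev" ] && [ "$val" != "$dev" ] && [ -n "$name" ] || return 1
    [ -z "${2:-}" ] || [ "$dev" = "$2" ]
}

if [ "$#" -eq 2 ]; then
    check_hooks "$1" || echo "HOOKS: expected block, encrypt, lvm2, filesystems in that order"
    check_cryptdevice "$2" || echo "GRUB: cryptdevice=<device>:<name>[:<options>] missing or malformed"
fi
```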
Prepare the bootloader installation
root@archiso ~ # mkdir /boot/EFI
root@archiso ~ # mount /dev/nvme0n1p1 /boot/EFI
root@archiso ~ # grub-install --target=x86_64-efi --bootloader-id="Arch Linux" --recheck
The --bootloader-id flag defines the bootloader identifier. A directory of that name will be created in /boot/EFI/ to store the EFI binary and it is the name that will appear in the UEFI boot menu to identify the GRUB boot entry.
Copy the English GRUB messages
root@archiso ~ # cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
Generate the configuration
root@archiso ~ # grub-mkconfig -o /boot/grub/grub.cfg
Install processor microcode and video driver
Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to your system’s stability. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
For an Intel based CPU and GPU, install the following package.
root@archiso ~ # pacman -S intel-ucode mesa
For an AMD based processor, install this one.
root@archiso ~ # pacman -S amd-ucode mesa
For an NVIDIA based GPU, install this one.
root@archiso ~ # pacman -S nvidia nvidia-utils
Exit and unmount our brand new filesystem
root@archiso ~ # exit
root@archiso ~ # umount -R /mnt
root@archiso ~ # reboot
At this point, your system reboots. GRUB should appear and ask you which operating system to boot. We have only one OS, so choose Arch Linux. The second screen asks for the passphrase to unlock your filesystem. The last screen asks you to log in. I advise you to log in with your user and not as root for two reasons: first, it’s not a good idea to execute things as superuser, and second, we have created a user, so use it.
Post-installation
Once connected with your user, you may want to use yay (the tool to install community packages). If you have a French keyboard, don’t forget to execute sudo loadkeys fr to avoid typing crazy things.
Install yay
adrien@archiso ~ $ git clone https://aur.archlinux.org/yay.git
adrien@archiso ~ $ cd yay/
adrien@archiso yay $ makepkg -si
adrien@archiso yay $ cd
adrien@archiso ~ $ rm -rf yay/
Miscellaneous configurations
Add some color to the pacman and yay output.
adrien@archiso ~ $ sudo sed -i "s/#Color/Color/" /etc/pacman.conf
Control how much disk space the journal may use up at most.
adrien@archiso ~ $ sudo sed -i "s/#SystemMaxUse=/SystemMaxUse=50M/" /etc/systemd/journald.conf
Great, you now have a fresh encrypted Arch Linux installed on your computer or laptop.