Refer to the main Arch Linux install guide for more information.
ip link
ping archlinux.org
These steps probably aren't really necessary but they are traditional and you should probably just do them. You can tab-complete TZ to find your proper zone.
timedatectl set-ntp true
timedatectl set-timezone America/Los_Angeles
timedatectl status
We will use the LVM on LUKS pattern to achieve full disk encryption. You can read about other strategies here.
Here is a breakdown of what we're going for:
+----------------+ +-----------------------------------------------------------------------+
| Boot partition | | Logical volume 1      | Logical volume 2      | Logical volume 3      |
|                | |                       |                       |                       |
| /boot          | | [SWAP]                | /                     | /home                 |
|                | |                       |                       |                       |
|                | | /dev/VolumeGroup/swap | /dev/VolumeGroup/root | /dev/VolumeGroup/home |
|                | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _|
|                | |                                                                       |
|                | |                       LUKS2 encrypted partition                       |
| /dev/sda1      | |                               /dev/sda2                               |
+----------------+ +-----------------------------------------------------------------------+
If the disk is a hard drive, it is a good idea to write random data to the entire drive first. If the disk is an SSD, this method is not effective (and in fact may be detrimental to the drive), and you will have to settle for slightly softer security.
You can read more about this here.
Find the device associated with your disk. You can list all disks with fdisk -l. For this guide, I'll be referring to the physical disk as /dev/sda, though yours may be different. The contents of this disk will be destroyed in this process.
Open the disk in fdisk:
fdisk /dev/sda
Create a boot partition.
- n to create a new partition
- p for primary
- 1 for partition 1
- enter to choose default start point (2048 for me)
- +200M for a 200MiB boot partition size (feel free to adjust)
Create the main partition. Make a new partition using the rest of the disk. (n, p, 2, enter, enter)
Once done, p will show partition layout and w will write the changes to the disk.
Encrypt the main system partition with LUKS:
cryptsetup luksFormat /dev/sda2
cryptsetup open /dev/sda2 cryptlvm
The name cryptlvm is arbitrary, but you will need it later when setting up LVM and also when configuring grub. The decrypted container is now available at /dev/mapper/cryptlvm.
pvcreate /dev/mapper/cryptlvm
vgcreate VolumeGroup /dev/mapper/cryptlvm
The name VolumeGroup is arbitrary. Going forward, you will use this to refer to your logical volumes.
- Swap should generally be 8-24G depending on how much RAM you have (a factor of 1.5 to 2 is usually sufficient).
- For Arch, ~30-35G seems reasonable for root, though feel free to dedicate more to this (50G or so would be very safe). Minimum is probably around 15-20G to be safe.
Don't fret too much about this. One nice thing about using LVM is that you can change the sizes of your logical volumes fairly easily.
lvcreate -L 8G VolumeGroup -n swap
lvcreate -L 32G VolumeGroup -n root
lvcreate -l 100%FREE VolumeGroup -n home
mkswap /dev/VolumeGroup/swap
mkfs.ext4 /dev/VolumeGroup/root
mkfs.ext4 /dev/VolumeGroup/home
mount /dev/VolumeGroup/root /mnt
mkdir /mnt/home
mount /dev/VolumeGroup/home /mnt/home
swapon /dev/VolumeGroup/swap
mkfs.ext4 /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Edit /etc/pacman.d/mirrorlist if you want.
Use the pacstrap script to install the base package group:
pacstrap /mnt base
Make sure everything is mounted correctly in /mnt before doing this. lsblk may be helpful here.
When you are sure run:
genfstab -U /mnt >> /mnt/etc/fstab
Open the file and check for errors. (A common one is 2 swap entries: one from the live ISO and one from your newly created swap.)
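One way to automate this check, as an added example that is not part of the original guide: check_fstab flags more than one swap entry (the error mentioned above), sources that are not UUID= (genfstab -U should only write those), and missing or repeated /, /boot and /home entries. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a genfstab-generated fstab.

# check_fstab FILE: print one line per problem, return 0 only if none found.
check_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            if ($3 == "swap") swaps++
            else mounts[$2]++
            # genfstab -U writes UUID= sources; anything else was edited by
            # hand or produced by a different genfstab mode.
            if ($1 !~ /^UUID=/) { print "non-UUID source: " $1; bad = 1 }
        }
        END {
            if (swaps > 1) { print "swap entries: " swaps " (expected 1)"; bad = 1 }
            n = split("/ /boot /home", need, " ")
            for (i = 1; i <= n; i++)
                if (mounts[need[i]] != 1) {
                    print "mount point " need[i] " listed " (mounts[need[i]] + 0) " times"
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# sample_fstab: constructed fstab with the stray second swap entry.
sample_fstab() {
    cat <<'EOF'
# /dev/mapper/VolumeGroup-root
UUID=aaaaaaaa-0000-0000-0000-000000000001  /      ext4  rw,relatime  0 1
# /dev/mapper/VolumeGroup-home
UUID=aaaaaaaa-0000-0000-0000-000000000002  /home  ext4  rw,relatime  0 2
# /dev/sda1
UUID=aaaaaaaa-0000-0000-0000-000000000003  /boot  ext4  rw,relatime  0 2
# /dev/mapper/VolumeGroup-swap
UUID=aaaaaaaa-0000-0000-0000-000000000004  none   swap  defaults     0 0
# stray entry picked up from the live environment
UUID=aaaaaaaa-0000-0000-0000-000000000005  none   swap  defaults     0 0
EOF
}

f=$(mktemp)
sample_fstab > "$f"
check_fstab "$f" || echo "fix /mnt/etc/fstab before continuing"
rm -f "$f"
```

On the real system, run it as check_fstab /mnt/etc/fstab before the chroot step.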
If you've done everything correctly up to this point, it should look similar to this:
Change root into the new system:
arch-chroot /mnt
This is completely optional, but only vi is included in the base install and it is kind of a pain to use. I like to install vim here for my sanity editing config files moving forward.
pacman -S vim
Set the time zone:
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
Run hwclock to generate /etc/adjtime:
hwclock --systohc
This command assumes the hardware clock is set to UTC.
Uncomment en_US.UTF-8 UTF-8 and other needed locales in /etc/locale.gen, and generate them with:
locale-gen
Create the locale.conf(5) file, and set the LANG variable accordingly:
/etc/locale.conf
LANG=en_US.UTF-8
/etc/hostname
myhostname
/etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.0.1 myhostname.localdomain myhostname
If the system has a permanent IP address, it should be used instead of 127.0.0.1.
If you want NetworkManager, install it now. Otherwise, configure your network some other way.
pacman -S networkmanager
systemctl enable NetworkManager
This file tells mkinitcpio how to configure the ramdisk that helps boot the
system. This is the environment you will be in when you type your password to
unlock your drive during boot. There are multiple ways to set this up; I have
gone with the systemd (sd-) version here.
In the /etc/mkinitcpio.conf file, find HOOKS= and replace that line with:
HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)
Create a vconsole config (this can be blank, but it needs to exist since we're using the sd-vconsole hook).
touch /etc/vconsole.conf
Create a new initramfs from above config:
mkinitcpio -p linux
You should not see any errors, but warnings are probably ok.
pacman -S grub
grub-install --target=i386-pc /dev/sda
Get the UUID of your encrypted partition (sda2):
blkid /dev/sda2
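Edit /etc/default/grub, replacing the-uuid-from-above with the UUID of your
encrypted partition. Make sure to get this right; this tells grub how to boot
your system. Note that rd.luks.options=discard passes TRIM requests through the
encrypted layer, which reveals which blocks of the disk are unused; leave it
out if you do not want that.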
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.luks.name=the-uuid-from-above=cryptlvm rd.luks.options=discard root=/dev/VolumeGroup/root resume=/dev/VolumeGroup/swap"
grub-mkconfig -o /boot/grub/grub.cfg
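The GRUB line only works if it agrees with the blkid output and with the HOOKS line set earlier, because rd.luks.name is read by the sd-encrypt hook. The following added example (not from the original guide) checks copies of both files against a blkid line; the function names and sample values are constructed, and the hook names checked are the ones this guide uses.

```shell
#!/bin/sh
# Added example, not from the original guide. All sample values are constructed.

# luks_uuid BLKID_LINE: print the UUID only if the device is a LUKS container.
luks_uuid() {
    case $1 in *'TYPE="crypto_LUKS"'*) ;; *) return 1 ;; esac
    # The leading space stops PARTUUID="..." from matching.
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([^"]*\)".*/\1/p'
}

# check_boot_config MKINITCPIO_CONF GRUB_DEFAULT BLKID_LINE MAPPER_NAME VG
# Prints one line per problem; returns 0 only if the three settings agree.
check_boot_config() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"/\1/p' "$2")
    uuid=$(luks_uuid "$3") && [ -n "$uuid" ] ||
        { echo "blkid line is not a LUKS container"; return 1; }
    rc=0
    # rd.luks.* parameters need the systemd-based hooks from this guide.
    for h in systemd sd-encrypt sd-lvm2; do
        case " $hooks " in *" $h "*) ;; *) echo "HOOKS lacks $h"; rc=1 ;; esac
    done
    # The UUID must be the LUKS container's, not a filesystem or partition UUID.
    for want in "rd.luks.name=$uuid=$4" "root=/dev/$5/root" "resume=/dev/$5/swap"; do
        case " $cmdline " in *" $want "*) ;; *) echo "cmdline lacks $want"; rc=1 ;; esac
    done
    return $rc
}

# write_sample DIR: constructed copies of the two files edited in this guide.
write_sample() {
    echo 'HOOKS=(base systemd autodetect keyboard sd-vconsole modconf block sd-encrypt sd-lvm2 filesystems fsck)' > "$1/mkinitcpio.conf"
    echo 'GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.luks.name=11111111-2222-3333-4444-555555555555=cryptlvm rd.luks.options=discard root=/dev/VolumeGroup/root resume=/dev/VolumeGroup/swap"' > "$1/grub"
}
SAMPLE_BLKID='/dev/sda2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS" PARTUUID="aaaaaaaa-02"'

d=$(mktemp -d)
write_sample "$d"
check_boot_config "$d/mkinitcpio.conf" "$d/grub" "$SAMPLE_BLKID" cryptlvm VolumeGroup &&
    echo "boot configuration is consistent"
rm -rf "$d"
```

Inside the chroot, the real call would be check_boot_config /etc/mkinitcpio.conf /etc/default/grub "$(blkid /dev/sda2)" cryptlvm VolumeGroup.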
Almost done! Don't forget to set a root password.
passwd
Good luck! I've done this twice now, and both times it has worked the first time. I believe in you!
Log in on the tty and run lsblk; you should see something like this:

