Arch Linux - Installation

Personal Arch Linux installation guide; this is part of my Linux installation guide. The instructions here are based on the ArchWiki installation and dm-crypt pages.

  1. Pre-installation
  2. Installation
  3. Post-installation

Pre-installation

Boot from the installation media.

Set keyboard layout

$ loadkeys <map>

where <map> is one of the available layouts from

$ ls /usr/share/kbd/keymaps/**/*.map.gz

omitting path and file extension.

Connect to the Internet

Verify that there is a working Internet connection

$ ping archlinux.org

If no connection is available, follow ArchWiki's "Connect to the internet" section (or its Network configuration page).

Update the system clock

$ timedatectl set-ntp true

Partition the disks

If required, manage the partitions on the disks. Execute

$ fdisk /dev/<dev>

where <dev> is the device identifier of the disk to partition (e.g., sda, nvme0n1).

Create a new partition table

If needed, create a new GUID Partition Table (GPT). Creating a GPT on a disk with data on it will erase all the data on the disk. To create a new GPT, type g at fdisk's prompt.

Manage partitions

To write the changes to disk, type w at fdisk's prompt.

Device encryption

Set up the root and home partitions as encrypted LUKS partitions

$ cryptsetup -v --type luks -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/<devpart_root>
$ cryptsetup -v --type luks -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/<devpart_home>

where <devpart_root> and <devpart_home> refer to the device identifier and partition number of the root and home partitions, respectively (e.g., sda2 or nvme0n1p2).

Format the partitions

Unlock the partitions

$ cryptsetup open /dev/<devpart_root> cryptroot
$ cryptsetup open /dev/<devpart_home> home

where <devpart_root> and <devpart_home> are as explained above. Unlocking the partitions will map them to a new device name under /dev/mapper using the device mapper. For example, the commands above will map /dev/<devpart_root> and /dev/<devpart_home> to /dev/mapper/cryptroot and /dev/mapper/home, respectively.

Format the partitions by executing

$ mkfs.fat -F32 /dev/<devpart_ESP>
$ mkfs.ext4 /dev/mapper/cryptroot
$ mkfs.ext4 /dev/mapper/home

where <devpart_ESP> refers to the device identifier and partition number of the EFI system partition or ESP (e.g., sda1 or nvme0n1p1).

Mount the file systems

Mount the root partition under /mnt and the ESP and home partitions under the corresponding mounting points

$ mount /dev/mapper/cryptroot /mnt
$ mkdir /mnt/boot
$ mkdir /mnt/home
$ mount /dev/<devpart_ESP> /mnt/boot
$ mount /dev/mapper/home /mnt/home

where <devpart_ESP> is as explained above.

Installation

Select the mirrors

Packages to be installed must be downloaded from mirror servers, which are defined in /etc/pacman.d/mirrorlist. Edit the file to assign the desired priority (the higher a mirror is placed in the file, the more priority it is given when downloading a package). This file will be copied to the new system.

Install initial packages

$ pacstrap /mnt base linux linux-firmware base-devel e2fsprogs dosfstools man-db man-pages vim tmux rsync wget git openssh unzip p7zip bc htop tree networkmanager

Generate /etc/fstab file

$ genfstab -U /mnt >> /mnt/etc/fstab

Change root into the new system

$ arch-chroot /mnt

Time zone

$ ln -sf /usr/share/zoneinfo/<Region>/<City> /etc/localtime

where <Region> is one of the available options from

$ ls /usr/share/zoneinfo

and <City> is one of the available options from

$ ls /usr/share/zoneinfo/<Region>

To generate /etc/adjtime, execute

$ hwclock --systohc

Locale

Update /etc/locale.gen by uncommenting the desired localisations. To generate them, execute

$ locale-gen

Create /etc/locale.conf and add lines setting the variables LANG and LANGUAGE to the desired values

/etc/locale.conf
LANG=<localisation>
LANGUAGE=<list_languages>

Make the desired keymap persistent by setting KEYMAP in /etc/vconsole.conf

/etc/vconsole.conf
KEYMAP=<map>

Network configuration

Create /etc/hostname and add a line with the desired hostname <hostname>

/etc/hostname
<hostname>

Create /etc/hosts and add matching entries

/etc/hosts
127.0.0.1    localhost
::1          localhost
127.0.1.1    <hostname>

If the system has a permanent IP address, it should be used instead of 127.0.1.1.

Configure mkinitcpio

Update /etc/mkinitcpio.conf so that it contains the following hooks

/etc/mkinitcpio.conf
...
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
...

encrypt must be placed after the udev hook and keymap must appear before the encrypt hook (otherwise the encryption password is entered using the default US keymap instead of that specified in /etc/vconsole.conf).
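
The two ordering rules above can be checked before the initramfs is regenerated. This is an added example, not part of the original guide; check_hooks and hook_pos are hypothetical helper names, and only the two rules stated here are checked.

```shell
#!/bin/sh
# Added example: verify the udev/keymap/encrypt ordering in a mkinitcpio.conf.

# hook_pos NAME HOOK... -> print the 1-based position of NAME, or 0 if absent
hook_pos() {
    want=$1; shift; pos=0
    for hook in "$@"; do
        pos=$((pos + 1))
        if [ "$hook" = "$want" ]; then echo "$pos"; return 0; fi
    done
    echo 0
}

# check_hooks FILE -> 0 if both rules hold, 1 if one is violated, 2 if no HOOKS line
check_hooks() {
    conf=$1
    # Commented-out lines are skipped; the last active assignment is the one used.
    line=$(grep -E '^[[:space:]]*HOOKS=\(' "$conf" | tail -n 1)
    if [ -z "$line" ]; then echo "no active HOOKS=(...) line in $conf"; return 2; fi
    hooks=$(printf '%s\n' "$line" | sed -e 's/^[^(]*(//' -e 's/).*$//')
    # Split into one hook per positional argument, with globbing disabled.
    set -f; set -- $hooks; set +f
    udev=$(hook_pos udev "$@")
    keymap=$(hook_pos keymap "$@")
    encrypt=$(hook_pos encrypt "$@")
    rc=0
    if [ "$encrypt" -eq 0 ]; then
        echo "encrypt hook missing: cryptroot cannot be unlocked at boot"; return 1
    fi
    if [ "$udev" -eq 0 ] || [ "$udev" -gt "$encrypt" ]; then
        echo "udev must come before encrypt"; rc=1
    fi
    if [ "$keymap" -eq 0 ] || [ "$keymap" -gt "$encrypt" ]; then
        echo "keymap must come before encrypt (prompt would use the US keymap)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "HOOKS order OK"; fi
    return "$rc"
}

# Stand-alone use: sh check_hooks.sh /etc/mkinitcpio.conf
if [ $# -gt 0 ]; then check_hooks "$1"; fi
```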

Regenerate the initramfs

$ mkinitcpio -p linux

Set root password

$ passwd

Boot loader

Get the latest version of rEFInd, uncompress the file and copy the rEFInd files into the ESP

$ wget https://downloads.sourceforge.net/project/refind/<version>/refind-bin-<version>.zip
$ unzip refind-bin-<version>.zip
$ mkdir /boot/EFI
$ cp -r refind-bin-<version>/refind /boot/EFI/

Remove files not relevant to the x64 architecture

$ cd /boot/EFI/refind
$ rm -r refind_ia32.efi refind_aa64.efi drivers_ia32 drivers_aa64 tools_ia32 tools_aa64

Also, it is strongly recommended to remove unneeded drivers in drivers_x64 (see rEFInd's page on drivers). Rename the configuration file

$ mv refind.conf-sample refind.conf

The boot option for this installation will be specified with a manual boot stanza. Kernel parameters are set in the boot stanza. Particularly, we need to set those required to boot from an encrypted root partition:

Create a manual boot stanza at the end of /boot/EFI/refind/refind.conf

/boot/EFI/refind/refind.conf
...
menuentry "Arch Linux" {
    volume    "<PARTUUID_ESP>"
    loader    /vmlinuz-linux
    initrd    /initramfs-linux.img
    options   "cryptdevice=UUID=<UUID_root>:cryptroot root=/dev/mapper/cryptroot"
}

where <PARTUUID_ESP> is the PARTUUID of /dev/<devpart_ESP>, <UUID_root> is the UUID of /dev/<devpart_root> and <devpart_ESP> and <devpart_root> are as explained above. The PARTUUID and UUID can be obtained with

$ blkid

Unlock the home partition at boot

Create or copy a keyfile for unlocking the home partition and set the correct file permissions:

Add a keyslot for the keyfile to the LUKS header

$ cryptsetup luksAddKey /dev/<devpart_home> /etc/keyfile-home

where <devpart_home> is as explained above.

Update /etc/crypttab for automatically unlocking the home partition at boot

/etc/crypttab
home    UUID=<UUID_home>    /etc/keyfile-home

where <UUID_home> is the UUID of /dev/<devpart_home>.
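
The keyfile steps above, as an added example that is not part of the original guide: it creates a keyfile that is never readable by other users and audits the keyfiles a crypttab refers to. make_keyfile and audit_crypttab are hypothetical helper names, the 2048-byte default size is an assumption, and stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: create a LUKS keyfile safely and audit crypttab keyfile modes.

# make_keyfile PATH [BYTES] -> create PATH with mode 600 from the first byte on
make_keyfile() {
    if [ -e "$1" ]; then
        # Overwriting a keyfile that is already enrolled would lock the volume.
        echo "refusing to overwrite existing $1"; return 1
    fi
    ( umask 077 && head -c "${2:-2048}" /dev/urandom > "$1" ) && chmod 600 "$1"
}

# audit_crypttab FILE -> 0 if every keyfile is a regular file with mode 600 or 400
audit_crypttab() {
    bad=0
    while read -r name dev key _opts; do
        case $name in ''|'#'*) continue ;; esac          # blank lines and comments
        case $key in ''|none|-|/dev/*) continue ;; esac  # passphrase prompt or device
        if [ -L "$key" ] || [ ! -f "$key" ]; then
            echo "$name: $key is missing or not a regular file"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$key")
        case $mode in
            600|400) ;;
            *) echo "$name: $key has mode $mode, expected 600 or 400"; bad=1 ;;
        esac
    done < "$1"
    return "$bad"
}

# Stand-alone use: sh audit_crypttab.sh /etc/crypttab
if [ $# -gt 0 ]; then audit_crypttab "$1"; fi
```

In this guide the keyfile is /etc/keyfile-home, so make_keyfile /etc/keyfile-home would run before the luksAddKey step and audit_crypttab /etc/crypttab after the crypttab edit.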

Reboot

Exit the chroot environment by executing exit or pressing Ctrl+D. Optionally, unmount all partitions

$ umount -R /mnt

Restart the machine by executing reboot.

Post-installation

Configure the system following the post-installation guide. Also, take a look at the post-installation guides for different devices.