Arch Linux - Installation
Personal Arch Linux installation guide; this is part of my Linux installation guide. The instructions here are based on ArchWiki's installation and dm-crypt wikis.
Pre-installation
Boot from the installation media.
Set keyboard layout
$ loadkeys <map>
where <map> is one of the available layouts from
$ ls /usr/share/kbd/keymaps/**/*.map.gz
omitting path and file extension.
Connect to the Internet
Verify that there is a working Internet connection
$ ping archlinux.org
If no connection is available, follow ArchWiki's connect to the internet (or Network configuration).
Update the system clock
$ timedatectl set-ntp true
Partition the disks
The following partition scheme will be used:
| Partition | Type | Mount point |
|---|---|---|
| EFI system partition (ESP) | EFI system | /boot and /esp |
| Root | Linux filesystem | / |
| Home | Linux filesystem | /home |
In the rest of this guide, the device identifier and partition number (e.g., sda1 or
nvme0n1p1) of the partitions above are identified as follows:
- ESP: <devpart_ESP>;
- Root: <devpart_root>;
- Home: <devpart_home>.
To manage partitions on a disk, execute
$ fdisk /dev/<dev>
where <dev> is the device identifier of the disk (e.g., sda or
nvme0n1).
Create a new partition table
If needed, create a new GUID Partition Table (GPT). Creating a GPT on a disk with data on it will erase all the data
on the disk. To create a new GPT, type g on fdisk's prompt.
Manage partitions
- To create a new partition, on fdisk's prompt:
  - Type n;
  - Specify the partition number;
  - Specify the first sector. It is advisable to use the default value;
  - Specify the last sector. It is advisable to specify it by using +<size>[K|M|G|T].
- To change the partition type, on fdisk's prompt:
  - Type t;
  - Specify the partition number;
  - Specify the partition type (press L to list all possible values).
- To list the partitions, on fdisk's prompt type p.
To write the changes to disk, on fdisk's prompt type w.
Device encryption
Set up the root and home partitions as encrypted LUKS partitions
$ cryptsetup -v --type luks -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/<devpart_root>
$ cryptsetup -v --type luks -c aes-xts-plain64 -s 512 -h sha512 -y luksFormat /dev/<devpart_home>
Format the partitions
Unlock the encrypted partitions
$ cryptsetup open /dev/<devpart_root> cryptroot
$ cryptsetup open /dev/<devpart_home> home
Unlocking the partitions will map them to a new device name under /dev/mapper using the device mapper.
For example, the commands above will map /dev/<devpart_root> to
/dev/mapper/cryptroot and /dev/<devpart_home> to
/dev/mapper/home.
Format the partitions
$ mkfs.fat -F32 /dev/<devpart_ESP>
$ mkfs.ext4 /dev/mapper/cryptroot
$ mkfs.ext4 /dev/mapper/home
Mount the file systems
Mount the root partition under /mnt, the ESP under /mnt/esp (with its EFI/archlinux directory bind-mounted under
/mnt/boot) and the home partition under /mnt/home:
$ mount /dev/mapper/cryptroot /mnt
$ mkdir /mnt/esp
$ mount /dev/<devpart_ESP> /mnt/esp
$ mkdir -p /mnt/esp/EFI/archlinux
$ mkdir /mnt/boot
$ mount --bind /mnt/esp/EFI/archlinux /mnt/boot
$ mkdir /mnt/home
$ mount /dev/mapper/home /mnt/home
Installation
Select the mirrors
Packages to install are downloaded from mirror servers defined in /etc/pacman.d/mirrorlist. Edit the
file to assign the desired priority (the higher a mirror is placed in the file, the higher its priority when downloading
a package). This file will be copied to the new system.
Install initial packages
$ pacstrap /mnt base linux linux-firmware base-devel e2fsprogs dosfstools man-db man-pages vim tmux rsync wget git openssh unzip p7zip bc htop tree networkmanager
Generate /etc/fstab file
$ genfstab -U /mnt >> /mnt/etc/fstab
Change root into the new system
$ arch-chroot /mnt
Time zone
$ ln -sf /usr/share/zoneinfo/<Region>/<City> /etc/localtime
where <Region> is one of the available options from
$ ls /usr/share/zoneinfo
and <City> is one of the available options from
$ ls /usr/share/zoneinfo/<Region>
To generate /etc/adjtime, execute
$ hwclock --systohc
Locale
Update /etc/locale.gen by uncommenting the desired localisations. To generate them, execute
$ locale-gen
Create /etc/locale.conf and set the variables LANG and LANGUAGE to the desired values
/etc/locale.conf
LANG=<localisation>
LANGUAGE=<list_languages>
Make the desired keymap persistent by setting KEYMAP in /etc/vconsole.conf
/etc/vconsole.conf
KEYMAP=<map>
Network configuration
Create /etc/hostname and set the desired hostname <hostname>
/etc/hostname
<hostname>
Create /etc/hosts and add matching entries
/etc/hosts
127.0.0.1 localhost
::1 localhost
127.0.1.1 <hostname>
If the system has a permanent IP address, it should be used instead of 127.0.1.1.
Configure mkinitcpio
Update /etc/mkinitcpio.conf so that it contains the following hooks
/etc/mkinitcpio.conf
...
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)
...
encrypt must be placed after the udev hook and keymap must appear before the
encrypt hook (otherwise the encryption password is entered using the default US keymap instead of that
specified in /etc/vconsole.conf).
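The ordering rule above can be checked mechanically before the initramfs is regenerated. The following is an added example, not part of the original guide; the function name check_hooks_order and the sample configuration are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): check the HOOKS ordering rules stated above.

# check_hooks_order FILE -> 0 if udev < encrypt and keymap < encrypt,
# 1 if a rule is violated, 2 if FILE has no uncommented HOOKS=(...) line.
check_hooks_order() {
    conf=$1
    # mkinitcpio.conf is sourced as shell, so the last HOOKS assignment wins.
    line=$(grep -E '^[[:space:]]*HOOKS=\(' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "$conf: no HOOKS=(...) line" >&2; return 2; }
    # Keep only the text between the parentheses.
    hooks=$(printf '%s\n' "$line" | sed -e 's/^[^(]*(//' -e 's/).*$//')

    i=0 udev=0 keymap=0 encrypt=0
    for h in $hooks; do            # unquoted on purpose: split on whitespace
        i=$((i + 1))
        case $h in
            udev)    udev=$i ;;
            keymap)  keymap=$i ;;
            encrypt) encrypt=$i ;;
        esac
    done

    if [ "$encrypt" -eq 0 ]; then
        echo "$conf: encrypt hook missing" >&2
        return 1
    fi
    rc=0
    if [ "$udev" -eq 0 ] || [ "$udev" -gt "$encrypt" ]; then
        echo "$conf: encrypt must be placed after udev" >&2; rc=1
    fi
    if [ "$keymap" -eq 0 ] || [ "$keymap" -gt "$encrypt" ]; then
        echo "$conf: keymap must appear before encrypt" >&2; rc=1
    fi
    return $rc
}

# Constructed sample: keymap placed after encrypt, the mistake described above.
sample=$(mktemp)
printf '%s\n' 'HOOKS=(base udev autodetect keyboard block encrypt keymap filesystems fsck)' > "$sample"
check_hooks_order "$sample" || echo "sample config rejected, as expected"
rm -f "$sample"
```

Inside the chroot, the same function can be pointed at /etc/mkinitcpio.conf.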
Regenerate the initramfs
$ mkinitcpio -p linux
Set root password
$ passwd
Boot loader
Get the latest version of rEFInd, uncompress the file and copy the rEFInd files into the ESP
$ wget https://downloads.sourceforge.net/project/refind/<version>/refind-bin-<version>.zip
$ unzip refind-bin-<version>.zip
$ cp -r refind-bin-<version>/refind /esp/EFI/
Remove files not relevant to the x64 architecture
$ cd /esp/EFI/refind
$ rm -r refind_ia32.efi refind_aa64.efi drivers_ia32 drivers_aa64 tools_ia32 tools_aa64
Also, it is strongly recommended to remove unneeded drivers in drivers_x64 (see rEFInd's
page on drivers).
Rename the configuration file
$ mv refind.conf-sample refind.conf
The boot option for this installation will be specified with a manual boot stanza. Kernel parameters are set in the boot stanza. Particularly, we need to set those required to boot from an encrypted root partition:
- root: specifies the device of the decrypted root file system;
- cryptdevice: parsed by mkinitcpio's encrypt hook to identify the device containing the encrypted system. This will make the system prompt for the passphrase to unlock the device containing the encrypted installation on boot.
Create a manual boot stanza at the end of /esp/EFI/refind/refind.conf
/esp/EFI/refind/refind.conf
...
menuentry "Arch Linux" {
    volume "<PARTUUID_ESP>"
    loader /vmlinuz-linux
    initrd /initramfs-linux.img
    options "cryptdevice=UUID=<UUID_root>:cryptroot root=/dev/mapper/cryptroot"
}
where <PARTUUID_ESP> is the PARTUUID of /dev/<devpart_ESP> and
<UUID_root> is the UUID of /dev/<devpart_root>. The PARTUUID and
UUID can be obtained with
$ blkid
Unlock the home partition at boot
Create or use an existing file for unlocking the home partition and set the correct permissions:
- If creating a file, execute
  $ dd bs=512 count=4 if=/dev/random of=/etc/keyfile-home iflag=fullblock status=progress
  $ chmod 600 /etc/keyfile-home
- If copying a file, execute
  $ cp <path_to_file> /etc/keyfile-home
  $ chmod 600 /etc/keyfile-home
Add a keyslot for the keyfile to the LUKS header
$ cryptsetup luksAddKey /dev/<devpart_home> /etc/keyfile-home
Update /etc/crypttab for automatically unlocking the home partition at boot
/etc/crypttab
home UUID=<UUID_home> /etc/keyfile-home
where <UUID_home> is the UUID of /dev/<devpart_home>.
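A keyfile that is readable by other users defeats the purpose of the chmod 600 step, so it is worth verifying every keyfile that /etc/crypttab references. The following is an added example, not part of the original guide; the function name audit_crypttab, its optional path prefix argument and the sample tree are made up for illustration, and it relies on stat -c from GNU coreutils as shipped on Arch.

```shell
#!/bin/sh
# Added example (not from the guide): audit keyfiles referenced in a crypttab.

# audit_crypttab FILE [PREFIX] -> 0 if every keyfile exists and has no
# group/other permission bits, 1 otherwise. PREFIX is prepended to keyfile
# paths, e.g. /mnt when checking the new system from the live environment.
audit_crypttab() {
    tab=$1 prefix=${2:-}
    rc=0
    while read -r name dev key rest; do
        case $name in ''|'#'*) continue ;; esac      # blank line or comment
        case $key in ''|none|-) continue ;; esac     # passphrase prompt, no keyfile
        case $key in /dev/*) continue ;; esac        # device used as key source
        f=$prefix$key
        if [ ! -f "$f" ]; then
            echo "$name: keyfile $key not found" >&2; rc=1; continue
        fi
        mode=$(stat -c '%a' "$f")                    # octal mode, e.g. 600
        case $mode in
            0|*00) ;;                                # owner-only access
            *) echo "$name: keyfile $key has mode $mode, expected 600" >&2; rc=1 ;;
        esac
    done < "$tab"
    return $rc
}

# Constructed sample tree: the crypttab entry above with a world-readable keyfile.
demo=$(mktemp -d)
mkdir "$demo/etc"
printf '%s\n' 'home UUID=<UUID_home> /etc/keyfile-home' > "$demo/etc/crypttab"
: > "$demo/etc/keyfile-home"
chmod 644 "$demo/etc/keyfile-home"
audit_crypttab "$demo/etc/crypttab" "$demo" || echo "mode 644 rejected, as expected"
chmod 600 "$demo/etc/keyfile-home"
audit_crypttab "$demo/etc/crypttab" "$demo" && echo "mode 600 accepted"
rm -rf "$demo"
```

Inside the chroot, run it as audit_crypttab /etc/crypttab with no prefix.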
Reboot
Exit the chroot environment by executing exit or pressing Ctrl+D. Optionally,
unmount all partitions
$ umount -R /mnt
Restart the machine by executing reboot.
Post-installation
Configure the system following the post-installation guide. Also, take a look at the post-installation guides for different devices.