Install Arch
# This guide is based on https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install
# compare for more details on each step. It's a great guide and seems to get frequent updates.
# This guide has a few changes that helped me to get the bootloader running
# Start up the Live USB/CD and enable SSH:
# set a password for root to enable ssh login
# *
passwd
systemctl start sshd.service
# then login to your machine from another device with ssh
# if you're reinstalling a machine that has a static IP, the live system's host key
# will not match the stored one, so you may want to bypass the known_hosts files for this session:
ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null root@LIVE_USB
# then go on with these instructions via SSH
# create an ENV variable for your drive. For example, mine was: /dev/sda
# You need to edit this line!!!
DRIVE=/dev/DRIVEID
# clean drive. This deletes everything for good. Be careful
sgdisk --zap-all $DRIVE
# partition with partition labels
sgdisk --clear \
--new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
--new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
$DRIVE
# format the EFI partition with fat-32
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
# create the encrypted system partition
# note: XTS splits the key into two halves, so -s 256 selects AES-128; -s 512 would select AES-256
cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
# open the encrypted partition with label system
# If something fails and you need to restart your system, this is the line you need to open your partition again later on.
# I'll mark those commands with an asterisk should you need to reboot and start over with e.g. the boot option.
# *
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
# open the swap partition with a random key
cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
# create the swap partition
mkswap -L swap /dev/mapper/swap
swapon -L swap
# format the system partition with btrfs. Inside we will use subvolumes
mkfs.btrfs --force --label system /dev/mapper/system
# create some useful ENV vars
o=defaults,x-mount.mkdir
o_btrfs=$o,compress=lzo,ssd,noatime
# mount the newly created partition
mount -t btrfs LABEL=system /mnt
# and create the necessary subvolumes
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
# then unmount to mount again with subvolumes
umount -R /mnt
# *
mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
# create the boot mount point and mount the EFI partition there
mkdir /mnt/boot
# *
mount LABEL=EFI /mnt/boot
# then install the base system
pacstrap /mnt base
# You will notice some errors related to fsck.btrfs. We will fix that in a minute
genfstab -L -p /mnt >> /mnt/etc/fstab
# fix fstab so swap partition can be found again
sed -i "s+LABEL=swap+/dev/mapper/swap+" /mnt/etc/fstab
# tell crypttab which partition to mount
echo "swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256" >> /mnt/etc/crypttab
# boot into new system to continue with install
# *
systemd-nspawn -bD /mnt
# basic settings
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
timedatectl set-ntp 1
timedatectl set-timezone Europe/Berlin
# You need to edit this line
hostnamectl set-hostname A_HOSTNAME
echo "KEYMAP=de-latin1" > /etc/vconsole.conf
# install some more basic stuff otherwise you can't boot into new system
pacman -Syu base-devel btrfs-progs
# you need to change hooks to decrypt your drive
# I also changed MODULES so that I can have early KMS start with my Intel graphics card: MODULES="i915"
sed -i "s+HOOKS=\"base udev autodetect modconf block filesystems keyboard fsck\"+HOOKS=\"base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs\"+" /etc/mkinitcpio.conf
# This line didn't quite work on my second PC. I had to use this here instead in my mkinitcpio.conf file:
# MODULES=(atkbd)
# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs)
# The atkbd module was necessary because I couldn't use the keyboard from systemd 241 on. Some bug maybe?
# then rerun to get a new initramfs image
mkinitcpio -p linux
# change password
passwd
# get back to the LIVE USB/CD to finish up
poweroff
# I used efibootmgr to boot. You may need GRUB or whatever
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l /vmlinuz-linux -u "cryptdevice=/dev/sdXY:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=/initramfs-linux.img"
# this method didn't work on my Dell OptiPlex 7050. Apparently its UEFI doesn't support boot options so I can't decrypt.
# Instead I used refind:
pacman -S refind-efi
refind-install
# Then edit the /boot/refind_linux.conf file:
"Boot with standard options" "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=/initramfs-linux.img"
# Make sure you're using your partition here. Mine was sda3
# then reboot and see if it works. Good luck
reboot
# if it doesn't work, boot from your pen drive again and rerun the commands marked with an asterisk to get into your newly installed system.
# note that your system is not the same as the one on your pen drive. You will have to reinstall everything that you need.
@burningTyger

Owner Author

commented Jul 21, 2018

So I messed up my mkinitcpio.conf file with a pacnew merge and was left with an unbootable device. Anyway, here's how to fix that:

Download and dd an arch iso on a pen drive and start it up.

open the encrypted device with above command, mount it with the next command and also mount the boot dir but not into /mnt/boot but /boot
arch-chroot /mnt/root the whole thing and
then edit the mkinitcpio.conf file to fix it, and run mkinitcpio -p linux to create the initramfs again.
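
A pre-reboot check for the failure described in this comment, as an added example that is not part of the original gist: it verifies that the HOOKS line still has the relative order the guide sets and that `root=` matches the mapper name given in `cryptdevice=`. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the gist: pre-reboot checks for the encrypt setup.
# Print the hooks of the last active HOOKS= line on stdin; handles HOOKS="a b" and HOOKS=(a b).
hooks_from_conf() {
    sed -n -e 's/#.*//' -e 's/^[[:space:]]*HOOKS=//p' | tail -n 1 | tr -d "\"'()"
}

# 1-based position of hook $1 in the space-separated list $2, 0 if absent.
hook_pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return; fi
    done
    echo 0
}

# Check the order the guide's HOOKS line uses: block, keyboard < encrypt < filesystems.
check_hooks() {
    hooks=$(hooks_from_conf)
    b=$(hook_pos block "$hooks"); k=$(hook_pos keyboard "$hooks")
    e=$(hook_pos encrypt "$hooks"); f=$(hook_pos filesystems "$hooks")
    [ "$e" -gt 0 ] || { echo "encrypt hook missing"; return 1; }
    [ "$b" -gt 0 ] && [ "$b" -lt "$e" ] || { echo "block must precede encrypt"; return 1; }
    [ "$k" -gt 0 ] && [ "$k" -lt "$e" ] || { echo "keyboard must precede encrypt"; return 1; }
    [ "$f" -gt "$e" ] || { echo "filesystems must follow encrypt"; return 1; }
    echo ok
}

# Check that root= points at the mapper name that cryptdevice=DEV:NAME creates.
check_cmdline() {
    name=; root=
    for w in $1; do
        case $w in
            cryptdevice=*:*) name=${w#cryptdevice=}; name=${name#*:}; name=${name%%:*} ;;
            root=*) root=${w#root=} ;;
        esac
    done
    [ -n "$name" ] || { echo "no cryptdevice=DEV:NAME parameter"; return 1; }
    [ "$root" = "/dev/mapper/$name" ] || { echo "root=$root is not /dev/mapper/$name"; return 1; }
    echo ok
}

# Constructed samples: the guide's HOOKS line and the stock line it replaces.
GOOD='HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs)'
STOCK='HOOKS="base udev autodetect modconf block filesystems keyboard fsck"'
printf '%s\n' "$GOOD" | check_hooks
printf '%s\n' "$STOCK" | check_hooks || true
check_cmdline "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root"
```

Inside the chroot, feed the real file with `check_hooks < /etc/mkinitcpio.conf` before running `mkinitcpio -p linux`.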
