Install Arch
# This guide is based on https://wiki.archlinux.org/index.php/User:Altercation/Bullet_Proof_Arch_Install
# compare for more details on each step. It's a great guide and seems to get frequent updates.
# This guide has a few changes that helped me to get the bootloader running
# Start up the Live USB/CD and enable SSH:
# set a password for root to enable ssh login
# *
passwd
systemctl start sshd.service
# then login to your machine from another device with ssh
# if you're reinstalling a machine and you have a static ip
# you may want to ignore the hosts file:
ssh -o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null root@LIVE_USB
# then go on with these instructions via SSH
# create an ENV variable for your drive. For example, mine was: /dev/sda
# You need to edit this line!!!
DRIVE=/dev/DRIVEID
# clean drive. This deletes everything for good. Be careful
sgdisk --zap-all $DRIVE
# partition with partition labels
sgdisk --clear \
--new=1:0:+550MiB --typecode=1:ef00 --change-name=1:EFI \
--new=2:0:+8GiB --typecode=2:8200 --change-name=2:cryptswap \
--new=3:0:0 --typecode=3:8300 --change-name=3:cryptsystem \
$DRIVE
# format the EFI partition with fat-32
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
# create the encrypted system partition
# note: XTS splits the key in two, so -s 256 gives AES-128; use -s 512 for AES-256
cryptsetup luksFormat --align-payload=8192 -s 256 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
# open the encrypted partition with label system
# If something fails and you need to restart your system, this is the line you need to open your partition again later on.
# I'll mark those commands with an asterisk should you need to reboot and start over with e.g. the boot option.
# *
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
# open the swap partition with a random key
cryptsetup open --type plain --key-file /dev/urandom /dev/disk/by-partlabel/cryptswap swap
# create the swap partition
mkswap -L swap /dev/mapper/swap
swapon -L swap
# format the system partition with btrfs. Inside we will use subvolumes
mkfs.btrfs --force --label system /dev/mapper/system
# create some useful ENV vars
# *
o=defaults,x-mount.mkdir
#*
o_btrfs=$o,compress=lzo,ssd,noatime
# mount the newly created partition
mount -t btrfs LABEL=system /mnt
# and create the necessary subvolumes
btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home
btrfs subvolume create /mnt/snapshots
# then unmount to mount again with subvolumes
umount -R /mnt
# *
mount -t btrfs -o subvol=root,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=home,$o_btrfs LABEL=system /mnt/home
mount -t btrfs -o subvol=snapshots,$o_btrfs LABEL=system /mnt/.snapshots
# create a boot partition and mount as well
mkdir /mnt/boot
# *
mount LABEL=EFI /mnt/boot
# then install the base system
pacstrap /mnt base
# You will notice some errors related to fsck.btrfs. We will fix that in a minute
genfstab -L -p /mnt >> /mnt/etc/fstab
# fix fstab so swap partition can be found again
sed -i "s+LABEL=swap+/dev/mapper/swap+" /mnt/etc/fstab
# tell crypttab which partition to mount
echo "swap /dev/disk/by-partlabel/cryptswap /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256" >> /mnt/etc/crypttab
# boot into new system to continue with install
# *
systemd-nspawn -bD /mnt
# basic settings
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
timedatectl set-ntp 1
timedatectl set-timezone Europe/Berlin
# You need to edit this line
hostnamectl set-hostname A_HOSTNAME
echo "KEYMAP=de-latin1" > /etc/vconsole.conf
# install some more basic stuff otherwise you can't boot into new system
pacman -Syu base-devel btrfs-progs
# you need to change hooks to decrypt your drive
# I also changed MODULES so that I can have early KMS start with my Intel graphics card: MODULES="i915"
sed -i "s+HOOKS=\"base udev autodetect modconf block filesystems keyboard fsck\"+HOOKS=\"base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs\"+" /etc/mkinitcpio.conf
# This line didn't quite work on my second PC. I had to use this here instead in my mkinitcpio.conf file:
# MODULES=(atkbd)
# HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems btrfs)
# The atkbd module was necessary because I couldn't use the keyboard from systemd 241 on. Some bug maybe?
# then rerun to get a new initramfs image
mkinitcpio -p linux
# * or if you're repairing you can pacman -Syu
# change password
passwd
# get back to the LIVE USB/CD to finish up
poweroff
# I used efibootmgr to boot. You may need GRUB or whatever here. I had to use sda3 as device
# usually this line is a point of failure if Arch doesn't boot again
# the loader path is quoted so the shell does not strip its leading backslash
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l '\vmlinuz-linux' -u "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=\initramfs-linux.img"
# to list all boot options in case of trouble: efibootmgr
# to remove an entry, e.g. Boot0000 you have to efibootmgr -b 0 -B and then run above line again to make it the new first boot entry.
# this method didn't work on my DELL optiplex 7050. Apparently its UEFI doesn't support boot options so I can't decrypt.
# Instead I used refind:
pacman -S refind-efi
refind-install
# Then edit the /boot/refind_linux.conf file:
"Boot with standard options" "cryptdevice=/dev/sda3:cryptsystem root=/dev/mapper/cryptsystem rw rootflags=subvol=root initrd=/initramfs-linux.img"
# Make sure you're using your partition here. Mine was sda3
# then reboot and see if it works. Good luck
reboot
# if it doesn't work boot from your pen drive again and run the commands with the asterisk again to get into your newly installed system.
# note that your system is not the same as the one on your pendrive. You will have to reinstall everything that you need.

@burningTyger (owner, author) commented Jul 21, 2018

So I messed up my mkinitcpio.conf file with a pacnew merge and was left with an unbootable device. Anyway, here's how to fix that:

Download and dd an arch iso on a pen drive and start it up.

Open the encrypted device with the above command, mount it with the next command and also mount the boot dir, but not into /mnt/boot but /boot
arch-chroot /mnt/root the whole thing and
then edit the mkinitcpio.conf file to fix it, and run mkinitcpio -p linux to create the initramfs again.
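
A check that would catch this kind of broken merge before rebooting, as an added example that is not part of the original gist or comment: it reads the active HOOKS line in either the `HOOKS="..."` or the `HOOKS=(...)` form and verifies the hooks the guide relies on. The function names and the rule set (block, keyboard, encrypt and filesystems present, with encrypt listed between block and filesystems as in the guide's line) are assumptions of this example, not checks that mkinitcpio performs.

```bash
#!/bin/sh
# Added example: check HOOKS in a mkinitcpio.conf before running mkinitcpio.
# The rules mirror the guide's HOOKS line (an assumption of this example).

# Print the hooks of the last active (uncommented) HOOKS line.
# Accepts both HOOKS="..." and HOOKS=(...).
extract_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=[("]\(.*\)[)"][[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the 1-based position of hook $1 in the list $2, or 0 if absent.
hook_pos() {
    pos=0 n=0
    for h in $2; do
        n=$((n + 1))
        if [ "$h" = "$1" ]; then pos=$n; fi
    done
    echo "$pos"
}

# Print "ok" and return 0 if the file passes; else print the reason, return 1.
check_hooks() {
    hooks=$(extract_hooks "$1")
    if [ -z "$hooks" ]; then echo "no active HOOKS line"; return 1; fi
    for need in block keyboard encrypt filesystems; do
        if [ "$(hook_pos "$need" "$hooks")" -eq 0 ]; then
            echo "missing hook: $need"; return 1
        fi
    done
    enc=$(hook_pos encrypt "$hooks")
    if [ "$enc" -lt "$(hook_pos block "$hooks")" ]; then
        echo "encrypt is listed before block"; return 1
    fi
    if [ "$enc" -gt "$(hook_pos filesystems "$hooks")" ]; then
        echo "encrypt is listed after filesystems"; return 1
    fi
    echo "ok"
}

# Constructed sample: a HOOKS line without encrypt, as a bad merge can leave it.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#HOOKS=(base udev encrypt)' \
        'HOOKS="base udev autodetect modconf block filesystems keyboard fsck"' > "$tmp"
    check_hooks "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo || true
```

Inside the chroot, `check_hooks /etc/mkinitcpio.conf` can be run before `mkinitcpio -p linux`.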


@burningTyger (owner, author) commented Aug 9, 2020

Recently, probably with some kernel 5.x version, booting failed and it seems that the initrd boot option requires backslashes. I have corrected that for efibootmgr but not for refind since I don't use it anymore.
