- Fully encrypted Btrfs root partition & ext4 boot
- Install Arch Linux
- Configure some basics
Everything works out of the box!
# Writes the installer image to /dev/sda, destroying everything on that device.
# Double-check that /dev/sda is the USB stick and not an internal disk before
# running this, and verify the ISO's checksum/signature against the official
# release first — the boot medium is the root of trust for the whole install.
sudo dd if=archlinux-2018.05.01-x86_64.iso of=/dev/sda bs=4M
# Interactive Wi-Fi setup in the live environment.
wifi-menu
- Set a root password
# Root password for the live environment; this is the credential that guards
# the SSH session opened below, so pick a real one even for a one-off session.
passwd root
- Enable sshd
# Start (not enable) sshd in the live environment. Only the root password set
# above protects it; do this on a network you trust and stop it when done.
systemctl start sshd
Now you should be able to ssh into this box from another machine that has a font you can actually read.
- Find out how fast the ciphers are on your machine (AES should have hardware acceleration and therefore win)
# Measures PBKDF iterations/s and cipher throughput in memory (no disk I/O);
# the output below is from this machine and drives the cipher choice later.
cryptsetup benchmark
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 1489454 iterations per second for 256-bit key
PBKDF2-sha256 1664406 iterations per second for 256-bit key
PBKDF2-sha512 1328993 iterations per second for 256-bit key
PBKDF2-ripemd160 1054905 iterations per second for 256-bit key
PBKDF2-whirlpool 787219 iterations per second for 256-bit key
argon2i 5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
argon2id 5 iterations, 1048576 memory, 4 parallel threads (CPUs) for 256-bit key (requested 2000 ms time)
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 1063.3 MiB/s 3276.7 MiB/s
serpent-cbc 128b 89.6 MiB/s 677.3 MiB/s
twofish-cbc 128b 194.2 MiB/s 362.2 MiB/s
aes-cbc 256b 810.3 MiB/s 2624.6 MiB/s
serpent-cbc 256b 90.9 MiB/s 677.1 MiB/s
twofish-cbc 256b 195.3 MiB/s 362.3 MiB/s
aes-xts 256b 2022.0 MiB/s 2032.2 MiB/s
serpent-xts 256b 653.0 MiB/s 644.3 MiB/s
twofish-xts 256b 356.6 MiB/s 357.5 MiB/s
aes-xts 512b 1846.6 MiB/s 1847.6 MiB/s
serpent-xts 512b 654.1 MiB/s 644.3 MiB/s
twofish-xts 512b 356.6 MiB/s 357.0 MiB/s
cryptsetup benchmark 26.30s user 25.05s system 145% cpu 35.399 total
aes-xts 512b 1846.6 MiB/s 1847.6 MiB/s
Looks good: a marginal performance hit for the 512b key.
- Partition the disk (the resulting layout is shown below)
Disk /dev/nvme0n1: 477 GiB, 512110190592 bytes, 1000215216 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: ECE601CC-27F0-4CF0-92C8-1D663A4CC362
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 1050623 1048576 512M EFI System
/dev/nvme0n1p2 1050624 1000215182 999164559 476.4G Linux filesystem
- Make data partition LUKS formatted
# Create the LUKS container on the data partition. aes-xts-plain64 with a
# 512-bit key (two 256-bit halves for XTS) is the configuration the benchmark
# above showed to be cheap; --use-random draws the volume key from /dev/random.
# No --type is given, so the LUKS version is whatever this cryptsetup defaults
# to — check it in the luksDump output below. The passphrase is what protects
# the data at rest; once this completes, a header backup (cryptsetup
# luksHeaderBackup) kept off this disk is worth having, since a damaged header
# makes the volume unrecoverable.
cryptsetup --cipher aes-xts-plain64 --key-size 512 --use-random --verify-passphrase luksFormat /dev/nvme0n1p2
- Check if everything looks good
# Inspect the header: cipher, key size, PBKDF and keyslots in use.
cryptsetup luksDump /dev/nvme0n1p2
- Open encrypted partition
# Unlock the container; the plaintext block device appears as /dev/mapper/cryptroot.
cryptsetup open --type luks /dev/nvme0n1p2 cryptroot
- Create BTRFS on the cryptroot volume
# Btrfs on the unlocked device; "data" is the filesystem label.
mkfs.btrfs -L data /dev/mapper/cryptroot
- Mount BTRFS with flags
# Initial mount of the top-level volume, used only to create subvolumes below.
# NOTE(review): the "discard" option only reaches the SSD if the dm-crypt layer
# also allows discards (allow-discards on the cryptdevice= option, or at
# cryptsetup open); the kernel command line later on this page does not set it,
# so TRIM stops at dm-crypt. Passing it through is a trade-off: it exposes which
# blocks are unused to anyone holding the raw disk.
mount /dev/mapper/cryptroot /mnt -t btrfs -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache
- Create subvolumes
# Flat subvolume layout: @ becomes /, @home /home, @snapshots /.snapshots
# (mounted that way further down).
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots
- Create boot partition
# FAT32 on the EFI System Partition. No label (-n) is set here; the rEFInd
# stanza further down uses volume "Arch Linux", so keep that in mind.
mkfs.vfat -F 32 /dev/nvme0n1p1
- Mount sub-volumes and boot partition
# Drop the top-level mount and remount by subvolume: @ at /, @home at /home,
# @snapshots at /.snapshots, and the ESP at /boot.
umount /mnt
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@ /dev/mapper/cryptroot /mnt
mkdir /mnt/home
mount -o defaults,noatime,nodiratime,discard,autodefrag,ssd,compress=lzo,space_cache,subvol=@home /dev/mapper/cryptroot /mnt/home
mkdir /mnt/.snapshots
# The snapshots mount uses a shorter option set than the two above (no
# autodefrag/ssd/space_cache); these options are what genfstab will record.
mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /mnt/.snapshots
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
- Create nested subvolumes for special folders
# Nested subvolumes are not included in snapshots of their parent, so the
# package cache, logs and /var/tmp stay out of snapshots of @.
mkdir -p /mnt/var/cache/pacman
btrfs subvolume create /mnt/var/cache/pacman/pkg
btrfs subvolume create /mnt/var/log
btrfs subvolume create /mnt/var/tmp
- use reflector to speed up install (optional)
# Refresh the package databases and install reflector.
pacman -Syy reflector
# Rank mirrors by download rate and write the list; -p https keeps package
# downloads over TLS (package signatures are still what authenticates them).
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
- synchronize clock
# Enable NTP in the live environment so the installed files get sane timestamps.
timedatectl set-ntp true
- install base packages
# Base install. Note that only linux-zen is installed — there is no "linux"
# package — which matters for the mkinitcpio preset and for the "non-zen"
# rEFInd submenu further down.
pacstrap /mnt base base-devel git btrfs-progs openssh linux-zen
- generate fstab
# Record the current mounts (incl. the subvolume and /.snapshots mounts above)
# in the new system's fstab; -U writes UUIDs instead of device paths. Review
# the result before rebooting.
genfstab -Up /mnt >> /mnt/etc/fstab
- optional: put /tmp on a tmpfs ramdisk
# Optional tmpfs for /tmp; mode=1777 keeps the sticky bit so users cannot
# remove each other's files.
echo "tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0" >> /mnt/etc/fstab
- change into installation root
# Everything from here until "exit" runs inside the new system.
arch-chroot /mnt
- There is only an SSD, so we want to reduce swapping as much as possible
# Prefer reclaiming cache over swapping. Note that no swap device is created
# anywhere on this page, so this only matters if one is added later.
echo "vm.swappiness=10" > /etc/sysctl.d/99-sysctl.conf
- add modules, binaries, files, and hooks to mkinitcpio.conf
# Edit the initramfs configuration; the values to set follow.
vi /etc/mkinitcpio.conf
Replace the variables with these values:
# Modules baked into the initramfs: root filesystem, loop devices, Intel graphics.
MODULES=(btrfs loop i915)
# The btrfs tool is made available in early userspace.
BINARIES=(/usr/bin/btrfs)
# "encrypt" unlocks the cryptdevice= volume before "filesystems" mounts it;
# "keyboard" comes first so the passphrase prompt can be answered.
# NOTE(review): the usual hook order is "... keyboard block encrypt filesystems ..."
# (block before encrypt); confirm this order builds and boots with the installed
# mkinitcpio before relying on it.
HOOKS=(base udev autodetect modconf keyboard encrypt block filesystems btrfs fsck)
- Generate initial ramdisk image
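# Build the initramfs for every installed kernel preset. This page installs
# linux-zen, not "linux", so "-p linux" has no preset to build; -P covers
# whatever kernels are present (linux-zen now, and linux if it is added later
# for the non-zen rEFInd submenu).
mkinitcpio -P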
rEFInd is a simple boot manager for UEFI-based systems; a clean and minimal black theme is available for it.
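# Microcode updates and the rEFInd boot manager.
# NOTE(review): "refind-efi" was the package name on 2018-era Arch; on current
# repositories it is "refind" — adjust if pacman cannot find it.
pacman -S intel-ucode refind-efi
# Install rEFInd to the ESP (the original line had a typo, "efind-install").
refind-install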
- Edit /boot/EFI/refind/refind.conf
Use the UUID of /dev/nvme0n1p2 (the LUKS partition) in the cryptdevice= option below.
# Boot menu timeout in seconds.
timeout 10
# Manual stanza for the encrypted install.
menuentry "Arch Linux" {
# NOTE(review): the theme is cloned into rEFInd-minimal-black below, but this
# icon path says rEFInd-minimal — likely a typo.
icon /EFI/refind/rEFInd-minimal/icons/os_arch.png
# NOTE(review): "volume" selects the filesystem by label / GUID / number. The ESP
# was formatted without a label and the btrfs was labelled "data", so confirm
# something is actually labelled "Arch Linux" or the loader path may not resolve.
volume "Arch Linux"
# Kernel and initramfs paths are relative to the root of that volume (the ESP,
# mounted at /boot in the installed system).
loader /vmlinuz-linux-zen
initrd /initramfs-linux-zen.img
# cryptdevice=UUID=...:cryptroot — the UUID is that of the LUKS partition
# (/dev/nvme0n1p2), not of the btrfs inside it. No :allow-discards option is set,
# so the "discard" mount option in fstab does not pass TRIM through dm-crypt.
# NOTE(review): initrd=boot/intel-ucode.img is resolved on the same volume as
# "loader" above; since the kernel sits at the volume root, the microcode image
# is probably at /intel-ucode.img — confirm the path, otherwise microcode is
# silently not loaded.
options "cryptdevice=UUID=6e74c74b-ba92-4100-9077-29e604e24ffe:cryptroot root=/dev/mapper/cryptroot rootflags=subvol=@ add_efi_memmap initrd=boot/intel-ucode.img quiet splash rw"
# NOTE(review): /vmlinuz-linux and /initramfs-linux.img only exist if the "linux"
# package is installed; pacstrap on this page installed linux-zen only.
submenuentry "Boot using non-zen kernel" {
loader /vmlinuz-linux
initrd /initramfs-linux.img
}
submenuentry "Boot using fallback initramfs" {
loader /vmlinuz-linux
initrd /initramfs-linux-fallback.img
}
# Recovery entry: skips the graphical target.
submenuentry "Boot to terminal" {
add_options "systemd.unit=multi-user.target"
}
}
# The included file is parsed as part of this config by the boot manager;
# review the cloned theme.conf before including it.
include rEFInd-minimal-black/theme.conf
# Third-party theme cloned straight into the ESP, where refind.conf includes it
# at boot. The clone is over HTTPS but nothing pins a commit; read theme.conf
# (and pin the commit you reviewed) before relying on it, since the boot
# manager parses whatever is there.
git clone https://github.com/andersfischernielsen/rEFInd-minimal-black /boot/EFI/refind/rEFInd-minimal-black
- Set locale
# Replace locale.gen with a single locale, generate it, and make it the default.
cat >/etc/locale.gen <<END
en_US.UTF-8 UTF-8
END
locale-gen
echo LANG=en_US.UTF-8 > /etc/locale.conf
- Set timezone
# Timezone, then write the system time to the hardware clock in UTC.
ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
hwclock --systohc --utc
- set hostname
# Hostname of the new system.
echo carbon > /etc/hostname
- Add some more useful packages and setup reflector
# Refresh, upgrade, and add networking/shell/editor packages inside the chroot.
pacman -Suy base-devel git iw wpa_supplicant dialog zsh sudo reflector vim
# Same mirror ranking as in the live environment, now for the installed system.
reflector --sort rate --save /etc/pacman.d/mirrorlist -f 5 -n 10 -p https
- add a new user account
# Daily-use account. wheel is what grants sudo below; storage and power grant
# extra device access without sudo — keep only the groups actually needed.
useradd -m -g users -G wheel,storage,power -s /bin/zsh damon
passwd damon
- enable sudo for your user account
Uncomment the following line in /etc/sudoers (edit it with visudo, which checks the syntax before saving):
# Members of wheel may run any command as any user; their own password is
# still required (no NOPASSWD).
%wheel ALL=(ALL) ALL
- lock the root account's password
# Lock root's password; with wheel/sudo set up, root is never logged into
# directly. Recovery is still possible from the live ISO via arch-chroot.
passwd -l root
# Leave the chroot, then tear everything down cleanly before rebooting.
exit
umount -R /mnt
# No swap was created on this page, so this is a no-op here.
swapoff -a
reboot
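# Snapper for the root subvolume, backed by the @snapshots subvolume created
# during install. From here on the commands run as the unprivileged user.
sudo pacman -S snapper
# create-config creates its own .snapshots subvolume and fails if the path
# already exists, so unmount and remove the mountpoint first, then remount
# @snapshots over the directory snapper created.
sudo umount /.snapshots
sudo rm -r /.snapshots
sudo snapper -c root create-config /
# Fixed: the btrfs option is "compress=lzo", matching the install-time mounts
# and fstab; "compression=lzo" is not a valid option and the mount fails.
sudo mount -o compress=lzo,discard,noatime,nodiratime,subvol=@snapshots /dev/mapper/cryptroot /.snapshots
# Periodic timeline snapshots. "start" is for this boot only; use "enable"
# as well if it should persist across reboots.
sudo systemctl start snapper-timeline.timer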
# Power management via TLP.
sudo pacman -S tlp x86_energy_perf_policy tlp-rdw
sudo systemctl enable tlp.service
sudo systemctl enable tlp-sleep.service
# NOTE(review): tlp-rdw hooks into NetworkManager, but NetworkManager is not
# installed anywhere on this page (networking so far is wifi-menu /
# wpa_supplicant), so this unit may not exist yet — confirm.
sudo systemctl enable NetworkManager-dispatcher.service
# Per TLP's documentation, masking systemd-rfkill avoids it conflicting with
# TLP's own radio-state handling.
sudo systemctl mask systemd-rfkill.service
sudo systemctl mask systemd-rfkill.socket
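# Bluetooth stack. Run pacman with sudo like the other post-reboot steps:
# root's password is locked and this runs as the unprivileged user, so the
# original unprivileged "pacman -S" would fail.
# NOTE(review): bluez-firmware may not be in the official repositories;
# confirm before relying on pacman to find it.
sudo pacman -S bluez bluez-firmware bluez-utils blueman
sudo systemctl enable --now bluetooth.service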