Arch Linux installation

WARNING: WORK IN PROGRESS, USE THESE STEPS WITH CAUTION. IT WILL CLEAR ALL DISK DATA!!

I recommend first using a VirtualBox machine with EFI support enabled to test everything before doing it on a real machine.

Arch installation on a HP ENVY 13 inch laptop (ah0006np part number: 16GB Ram, 512GB SSD)

OBJECTIVE: Install Arch Linux with encrypted boot, root and swap filesystems and boot from UEFI, completely dumping Windows in the process. No dual boot. Windows, if necessary, will run in a virtual machine and reuse the Windows key that came with the laptop.

The configuration will be LVM on LUKS. Also a major difference from other tutorials is that the boot partition is also encrypted, and not a standard partition.

Results so far:

  • Disk encryption ok. Slow GRUB boot. Otherwise works fine.
  • Wireless works ootb, but errors on dmesg output from time to time
  • Sound and microphone work ok
  • Webcam does not work: Solved. See below at the end.
  • Keyboard special keys work fine (brightness, Sound, Mute), including keyboard background lights, but F6 sound Mute Led does not work.
  • Some screen corruption with the Intel Driver either SNA or UXA. Nouveau crashes, nvidia driver didn't work.

Desired layout:

+---------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1:       |Volume 2:       |
|               |                |                |                |
|/boot/efi      |/boot           |root            |swap            |
|               |                |                |                |
|               |                |/dev/vg0/root   |/dev/vg0/swap   |
|/dev/sda1      |/dev/sda2       +----------------+----------------+
|unencrypted    |LUKS encrypted  |/dev/sda3 encrypted LVM on LUKS  |
+---------------+----------------+---------------------------------+

The final result is to have an Arch Linux Installation with full disk encryption and with a basic set of applications such as the KDE Plasma Desktop.

This GIST has several sources, namely: https://grez911.github.io/cryptoarch.html and this gist.

The installation process in this guide is for installing Arch Linux onto an HP Envy 13 laptop with 16GB RAM and a 512GB SSD. This laptop comes with Windows 10 Home installed, and, as far as my model goes, it comes with an Intel WiFi board and a WD SanDisk SN520 512GB NVMe SSD.

The official Arch installation guide contains more details that you should refer to during this installation process. That guide resides at: https://wiki.archlinux.org/index.php/Installation_Guide

Boot from image

Download the archlinux-*.iso image from https://www.archlinux.org/download/ and its GnuPG signature. Use gpg --verify to ensure your archlinux-*.iso is exactly what the Arch developers intended. For example at the time of installation:

$ gpg --verify archlinux-2017.10.01-x86_64.iso.sig
gpg: Signature made Sun 01 Oct 2017 07:29:43 AM CEST using RSA key ID 9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
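
gpg prints "Good signature" for any key in the keyring, and the WARNING above means the key itself has not been certified, so the fingerprint is what ties the signature to the expected signer. The following added example (not part of the original gist) checks gpg's machine-readable status output against a pinned fingerprint; the function names and the sample status lines are constructed for illustration, and the pinned value is the fingerprint printed above.

```sh
#!/bin/sh
# Primary key fingerprint from the gpg output above, spaces removed.
# Confirm it against an independent source for the release you download.
PINNED_FPR="4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC"

# check_status FPR: read `gpg --status-fd 1 --verify` output on stdin and
# succeed only for a good, unexpired signature whose primary key is FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        # In VALIDSIG, field 3 is the signing (sub)key and field 12 is the
        # primary key fingerprint.
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == want { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_iso SIGFILE ISOFILE: fail closed unless the pinned key signed the ISO.
verify_iso() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}

# Constructed status lines (not captured from a real run) for an offline check.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2017-10-01 1506835783 0 4 0 1 8 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC'
# Same shape, but signed by a different (made-up) key that is also in the keyring.
SAMPLE_OTHER='[GNUPG:] GOODSIG 0000000000000001 Someone Else <someone@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2017-10-01 1506835783 0 4 0 1 8 00 0000000000000000000000000000000000000001'

printf '%s\n' "$SAMPLE_OK"    | check_status "$PINNED_FPR" && echo "pinned key: accept"
printf '%s\n' "$SAMPLE_OTHER" | check_status "$PINNED_FPR" || echo "other key: reject"
```

On a real download, call verify_iso with the .sig file and the ISO and burn the image only if it returns 0.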

Currently the Arch ISO is archlinux-2018.11.01-x86_64.iso.

Burn the archlinux-*.iso to a 1+ GB USB stick. You can use the dd command, unetbootin or Etcher.

Connect the USB stick to the usb port and power on/cycle the machine to boot. If your USB stick fails to boot, ensure that Secure Boot is disabled in your UEFI configuration.

Note: To access the BIOS on the Envy laptop, turn on the laptop and press the ESC or F10 key several times while the screen is black. First I moved the boot order to have USB boot at the top. Then we need to disable the Secure Boot option and press F10 to save. Confirm saving it.

Attention now: There is a confirmation screen to really commit the secure boot option change. Enter the requested code and save.

After booting up:

Set your keymap only if you are not using the default English keyboard.

$ loadkeys pt-latin1

We can now, if required, back up the HP recovery partition, which I suppose is the Windows install media.

Connect to the Internet.

Execute the wifi-menu command and select a Wifi network. On this HP Envy, the wireless card (Intel) was detected with no issues.

Check with the "ip a" command if there is network connection.

Prepare your hard disk

In the next steps we will create necessary partitions and encrypt the main partition.

Find the correct block device

$ lsblk

In my case the correct block device (the NVME SSD of my laptop) is 'nvme0n1'. (Depends on the machine)

Create and size partitions appropriate to your goals using gdisk.

$ gdisk /dev/nvme0n1

Press p to show the partitions.

In my case I have a 260MB EFI partition, a 16MB Microsoft Reserved partition, a 460GB partition, a 980MB partition and another 15GB partition.

From this point on, everything that is to be done, will destroy the disk data.

Delete all partitions on disk

Use the d command to delete all partitions: press d, then enter the partition number. Repeat for all partitions.

Press o to create the GPT.

Create three partitions: One for the EFI, one for boot and the other will be used to have the Arch Linux installation. To create a partition, press n:

  1. Partition 1 = 512 MB EFI partition (Hex code EF00). Initial Sector: ; End: 512M; Type: EF00
  2. Partition 2 = 1GB Boot partition (Hex code 8300)
  3. Partition 3 = Size it to the last sector of your drive. (default) (Hex code 8E00 - Linux LVM Partition)

Review your partitions with the 'p' command. Write your gdisk changes with 'w'.

Check the partition names again with the blkid command:

  1. EFI: /dev/nvme0n1p1
  2. BOOT: /dev/nvme0n1p2
  3. Arch: /dev/nvme0n1p3

Create filesystems

The EFI filesystem must be FAT32:

$ mkfs.vfat -F 32 /dev/nvme0n1p1

The other filesystems are to be encrypted.

(optional) Before creating the partitions we can use the command

cryptsetup benchmark 

to see how fast the different encryption algorithms are.

Encrypted /boot partition

$ cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p2
$ cryptsetup open /dev/nvme0n1p2 cryptboot
$ mkfs.ext4 /dev/mapper/cryptboot

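The first command will ask for the disk passphrase. Do not forget it! ATTENTION: The first cryptsetup command sets up LUKS with the default iter-time parameters, which may or may not make GRUB slow to boot (around 20s). If this is not acceptable, add the following parameter: --iter-time=5000 (this will affect security, so use a long passphrase). The iter-time value is the number of milliseconds spent on passphrase key derivation. GRUB has to unlock this partition itself, and it reads LUKS1 headers; LUKS2 support depends on the GRUB release, so check which header version your cryptsetup creates by default.

The cryptsetup open command creates the /dev/mapper/cryptboot device. We can check that it was created with the command ls /dev/mapper.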

Create encrypted LUKS device for the LVM

cryptsetup -c aes-xts-plain64 -h sha512 -s 512 --use-random luksFormat /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 cryptlvm

Create encrypted LVM partitions

These steps will create the required root partition and an optional partition for swap. Modify this structure only if you need additional, separate partitions. The sizes used below are only suggestions. The VG and LV labels 'ArchVG, root and swap' can be changed to anything memorable to you. Use your labels consistently, below!

$ pvcreate /dev/mapper/cryptlvm
$ vgcreate ArchVG /dev/mapper/cryptlvm
$ lvcreate -L +16G ArchVG -n swap
$ lvcreate -l +100%FREE ArchVG -n root

Again, we can check in /dev/mapper whether the logical volumes were created.

Create filesystems on your encrypted partitions

$ mkswap /dev/mapper/ArchVG-swap
$ mkfs.ext4 /dev/mapper/cryptboot
$ mkfs.ext4 /dev/mapper/ArchVG-root

Mount the new system

mount /dev/mapper/ArchVG-root /mnt
swapon /dev/mapper/ArchVG-swap
mkdir /mnt/boot
mount /dev/mapper/cryptboot /mnt/boot
mkdir /mnt/boot/efi
mount /dev/nvme0n1p1 /mnt/boot/efi

Install the Arch system

This installation command provides a decent set of basic system programs which will also support WiFi when initially booting into your Arch system.

At this point we need a network connection. Since the HP only has a WiFi connection, we need to set up WiFi. Another alternative is to use a USB Ethernet dongle that is recognized by the Arch boot ISO. Also, if you are behind a proxy, you can set the http_proxy and https_proxy variables to access the internet.

(Optional) Use reflector to speedup download (credit goes to u/momasf) https://www.reddit.com/r/archlinux/comments/9g6fmq/arch_linux_installation_with_a_fulldisk/e621ete Change COUNTRY to (surprise) your country name.

pacman -Sy reflector
reflector --country 'COUNTRY' --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

I won't install base-devel here to save time during the installation.

$ pacstrap /mnt base grub-efi-x86_64 efibootmgr dialog wpa_supplicant vim

Create and review FSTAB

The -U option pulls in all the correct UUIDs for your mounted filesystems.

$ genfstab -U /mnt >> /mnt/etc/fstab
$ nano /mnt/etc/fstab  # Check your fstab carefully, and modify it, if required.

Enter the newly installed system

$ arch-chroot /mnt /bin/bash

Set the system clock, you can replace UTC with your actual timezone

$ ln -fs /usr/share/zoneinfo/Europe/Lisbon /etc/localtime
$ hwclock --systohc --utc

Assign your hostname

$ echo mylaptop > /etc/hostname

My requirements for the locale are:

  • Metric system
  • 24h time format
  • dd/mm/yyyy date format
  • Portuguese language
  • A4 paper size
  • But all help, error messages are in English

The pt_PT.UTF-8 plus en_US.UTF-8 locale meets those requirements. To set up this locale:

  • In /etc/locale.gen
en_US.UTF-8 UTF-8
pt_PT.UTF-8 UTF-8
  • In /etc/locale.conf, you should only have this line:
LANG=en_US.UTF-8

We will change other settings on Bash profile.

Now run:

$ locale-gen

Create a new file /etc/vconsole.conf so that the console keymap is correctly set at boot. Create the file and add the following line:

KEYMAP=pt-latin1

Set your root password

$ passwd

Create a User, assign appropriate Group membership, and set a User password.

$ useradd -m -G audio,games,log,lp,optical,power,scanner,storage,video,wheel -s /bin/bash memyselfandi
$ passwd memyselfandi

Configure mkinitcpio with the correct HOOKS required for your initrd image

$ nano /etc/mkinitcpio.conf

Use this HOOKS statement: (I've moved keyboard before keymap, encrypt and so on...)

HOOKS="base udev autodetect modconf block keyboard keymap encrypt lvm2 resume filesystems fsck"

Generate your initrd image

mkinitcpio -p linux

Install and configure Grub-EFI

Since we have the boot partition INSIDE the encrypted disk, we need to add the following option to the Grub options:

Edit the file /etc/default/grub and uncomment the following line:

GRUB_ENABLE_CRYPTODISK=y

And then we can install Grub, which will create an EFI entry named ArchLinux

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=ArchLinux

Edit /etc/default/grub so it includes a statement like this:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:cryptlvm resume=/dev/mapper/ArchVG-swap"

Another way of doing it is to use the UUID:

blkid /dev/nvme0n1p3 -s UUID -o value

And use the UUID output by this command in the command line:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=55994-XXXX-xXXXX-XXXXX:cryptlvm resume=/dev/mapper/ArchVG-swap"

Generate Your Final Grub Configuration:

$ grub-mkconfig -o /boot/grub/grub.cfg

At this point there are some errors regarding failing to connect to lvmetad, which are normal and can be ignored.

Mounting /boot without password request

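GRUB asks for the passphrase so that it can read the encrypted /boot. To avoid a second prompt when the system later mounts /boot, we can unlock it automatically with a key file stored on the encrypted root filesystem and listed in /etc/crypttab: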

dd bs=512 count=8 if=/dev/urandom of=/etc/key
chmod 400 /etc/key
cryptsetup luksAddKey /dev/nvme0n1p2 /etc/key
echo "cryptboot /dev/nvme0n1p2 /etc/key luks" >> /etc/crypttab

Mounting root LVM without password prompt

dd bs=512 count=8 if=/dev/urandom of=/crypto_keyfile.bin
chmod 000 /crypto_keyfile.bin
cryptsetup luksAddKey /dev/nvme0n1p3 /crypto_keyfile.bin
sed -i 's|^FILES=.*|FILES="/crypto_keyfile.bin"|' /etc/mkinitcpio.conf
mkinitcpio -p linux
chmod 600 /boot/initramfs-linux*

The mkinitcpio.conf FILES line will look like:

FILES="/crypto_keyfile.bin"
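
Both key files, and the initramfs that embeds /crypto_keyfile.bin, give direct access to the LUKS volumes, so none of them should be accessible to group or others. This added example (not part of the original gist; the function names are illustrative and stat -c assumes GNU coreutils) audits their permission bits:

```sh
#!/bin/sh
# Files that hold or embed LUKS key material in this guide.
KEY_FILES="/etc/key /crypto_keyfile.bin /boot/initramfs-linux*"

# exposed_bits FILE: print the group/other permission bits of FILE in octal
# (0 means only the owner can access it).
exposed_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    printf '%o\n' $(( 0$mode & 077 ))
}

# audit_key_files FILE...: report every file that group or others can access.
# Returns 0 when all present files are owner-only, 1 otherwise.
audit_key_files() {
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "skip    $f (not present)"
            continue
        fi
        bits=$(exposed_bits "$f") || { status=1; continue; }
        if [ "$bits" != "0" ]; then
            echo "EXPOSED $f (group/other bits: $bits)"
            status=1
        else
            echo "ok      $f"
        fi
    done
    return "$status"
}

# On the installed system, as root (the unquoted variable lets the shell
# expand the initramfs glob):
#   audit_key_files $KEY_FILES
```

Run it again after every mkinitcpio run or kernel update, since a regenerated initramfs may not keep the mode set with chmod 600.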

Enable Intel microcode CPU updates (if you use Intel processor, of course)

pacman -S intel-ucode
grub-mkconfig -o /boot/grub/grub.cfg

Check EFI Boot Manager

Check that the EFI Boot manager has the ArchLinux entry:

$ efibootmgr

For example, if the ArchLinux entry is Boot0003, check that 0003 is at the head of the boot order. If not, change the order with:

$ efibootmgr -o 0003,0002,0001,0000

Exit Your New Arch System

$ exit

Unmount all partitions

$ umount -R /mnt
$ swapoff -a

Reboot and Enjoy Your Encrypted Arch Linux System!

reboot

Setup system

We need again to connect to the internet, so run again the wifi-menu.

Install bash completion for reduced typing effort and other packages if necessary:

$ pacman -S sudo bash-completion base-devel git

To be able to use sudo from your normal user add wheel to sudoers.

$ EDITOR=nano visudo

Uncomment the line

%wheel      ALL=(ALL) ALL

I choose KDE as my graphical user interface. Install the following packages and on your next boot you should be greeted by a login screen.

$ pacman -S xorg-server xorg-xinit
$ pacman -S xf86-video-intel
$ pacman -S plasma sddm sddm-kcm
$ systemctl enable sddm

The settings for the keyboard layout are different for the GUI and the terminal: X11 uses XKB layout names (pt for Portuguese) rather than console keymap names such as pt-latin1. Set the keyboard layout in X11:

$ localectl set-x11-keymap pt

Some basic packages; I chose not to install Konqueror, but Firefox.

$ pacman -S kdebase #This is a group of packages; install "1-6 8 9" for no Konqueror
$ pacman -S firefox breeze-gtk kde-gtk-config

Addons for Firefox: uBlock Origin, Privacy Badger, HTTPS Everywhere

Install Network Manager, with OpenVPN support and plasma GUI. This will enable you to manage your WiFi from the status bar.

$ pacman -S networkmanager networkmanager-openvpn plasma-nm
$ systemctl enable NetworkManager.service
$ systemctl start NetworkManager.service

Install some nice looking fonts. The second line are the fonts needed for Matlab.

$ pacman -S ttf-dejavu
$ pacman -S xorg-fonts-100dpi xorg-fonts-75dpi xorg-fonts-type1
$ pacman -S noto-fonts-cjk noto-fonts-emoji noto-fonts

Configure touchpad with natural scrolling.

pacman -S xf86-input-libinput
pacman -S xorg-xinput
xinput -list

Create file: /etc/X11/xorg.conf.d/30-touchpad.conf with the following content.

Section "InputClass"
        Identifier "touchpad scrolling"
        MatchIsTouchpad "on"
        Driver "libinput"
        Option "NaturalScrolling" "true"
EndSection

Making the webcam work.

The webcam id appears at the lsusb output:

Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 8087:0a2a Intel Corp. 
Bus 001 Device 002: ID 04ca:7090 Lite-On Technology Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

The webcam is the Bus 001:002 device: ID 04ca:7090. Add the following rule at /etc/udev/rules.d

KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", SUBSYSTEMS=="usb", ATTRS{idVendor}=="04ca", ATTRS{idProduct}=="7090", SYMLINK+="video-cam"

Load the module to activate the webcam:

modprobe uvcvideo

The /dev/video0 and 1 devices should appear.

Applications

These are the applications I install on my laptop.

  • SSH
$ pacman -S openssh
$ ssh-keygen -t rsa -b 4096

TODO: Install keychain to manage?

  • Nextcloud client
yaourt -S nextcloud-client
  • Mail, calendar etc. from group kdepim select 1-4 6-18 (no blogilo)
$ pacman -S kdepim

After using it a while kdepim was not really for me. Switching to Thunderbird and uninstall kdepim

$ pacman -Rns kdepim
$ pacman -S thunderbird

Use this theme

  • Python IDE
$ yaourt -S pycharm-professional
$ yaourt anaconda
# Use anaconda
$ source /opt/anaconda/bin/activate root
$ source /opt/anaconda/bin/deactivate root
# or
$ echo 'export PATH="$PATH:/opt/anaconda/bin"' >> ~/.bash_profile
# Configure anaconda, the sudo is important here
$ sudo conda config --set auto_update_conda False
# If you want add conda-forge
$ sudo conda config --append channels conda-forge

It is important to append and NOT prepend the path if you want to use the system's binaries in everyday life. (For me, prepending the path meant pandoc's version was stuck at the Anaconda version.)

  • Python packages
$ conda install pymc3
$ conda install gpy
  • Matlab

    1. Download installer from MathWorks
    2. Start installer (without root, install in your home folder) Now you can start matlab from this folder OR install package from AUR
    3. TODO
  • Personal finance manager with online banking

$ pacman -S kmymoney
  • Utility to format USB sticks, SD cards etc.
pacman -S partitionmanager

TODOs

  • Check which of these to install.
$ pacman -S acpid ntp dbus avahi cups cronie
$ systemctl enable acpid
$ systemctl enable ntpd
$ systemctl enable avahi-daemon
$ systemctl enable org.cups.cupsd.service
$ systemctl enable cronie