Arch Linux on a personal computer
Arch Linux has an excellent installation guide. Unfortunately, all the options available during installation can make the guide overwhelming for someone not very familiar with the Linux ecosystem. This article is a log of the steps I followed for a recent installation, with a focus on simplicity and conciseness.
Main features of the resulting installation:
- Full-disk encryption with passphrase
- Hibernation to encrypted swap
Note that while I will suggest some alternatives to my own choices, this article is largely opinionated. It is not meant to be a guide but rather a showcase, so use it at your own risk.
UEFI
In the UEFI, disable the following features:
- Secure Boot: It is nontrivial to enable on Arch Linux and doesn't seem to provide many benefits.
- Intel AMT: This is an enterprise feature.
- Absolute Persistence: This is an enterprise feature.
If you plan never to use the remote tracking features, you can choose to disable them forever (at least on ThinkPads).
Prepare the storage drive
From this point on, I assume that you have booted on the Arch Linux ISO from some medium (e.g. a USB drive).
Before using the main drive with full-disk encryption, it is apparently recommended to erase it with random bytes (i.e. so that the entire disk is indistinguishable from random bytes):
shred --verbose --iterations 1 /dev/<device_name>
Typically, the primary SSD on a laptop is called /dev/nvme0n1. This will be used in the rest of this document.
Partitioning
Create a GPT table (g in fdisk) with the following partitions:
- 1 GiB: EFI
- Remaining space: Linux
Here's a possible result:
> fdisk -l
Device Start End Sectors Size Type
/dev/nvme0n1p1 2048 2099199 2097152 1G EFI System
/dev/nvme0n1p2 2099200 2000408575 1998309376 952.9G Linux filesystem
Set up full-disk encryption
In this section, we set up LVM on LUKS, which is what I think is the most convenient configuration for an encrypted drive.
See LVM on LUKS on the Arch Wiki.
Create encrypted space
Set up encryption on the second partition with the following commands:
cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 lvm
The first partition is used as the boot partition and is left unencrypted, so the kernel and initramfs stored on it are not protected by LUKS.
Create the LVM partitions
pvcreate /dev/mapper/lvm
vgcreate vol0 /dev/mapper/lvm
lvcreate -L 16G vol0 -n swap
lvcreate -l 100%FREE vol0 -n root
Note that swap space doesn't need to be greater than (or equal to) the memory space of the computer, especially if you have a lot of memory. In my case, I have 32 GiB of memory and use 16 GiB for swap, which works fine even for hibernation.
For more information, see the note about swap size in the Arch Linux wiki.
Format the partitions
mkfs.fat -F 32 /dev/nvme0n1p1
mkswap /dev/vol0/swap
mkfs.ext4 /dev/vol0/root
Mount the partitions
swapon /dev/vol0/swap
mount /dev/vol0/root /mnt
mount --mkdir /dev/nvme0n1p1 /mnt/boot
I used the conventional /mnt directory as root for the new system, but another unused directory would also work.
Install the system
Bootstrap the system
pacstrap -K /mnt base linux linux-firmware lvm2 iwd neovim intel-ucode
genfstab -U /mnt >> /mnt/etc/fstab
- iwd will be used for connecting to a wifi network.
- neovim will be used for editing files. A popular option is nano.
- intel-ucode will update the microcode (use amd-ucode for AMD CPUs).
Configuration
Use the following command to open a shell inside that system:
arch-chroot /mnt
From this point on, commands and paths will be shown as used in the new system, which we mounted at /mnt.
Time
In the following snippet, change Europe/Paris to your preferred timezone.
ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc
Locale
In the lines below, we configure the system to only use US English.
nvim /etc/locale.gen # Select en_US.UTF-8.
locale-gen
nvim /etc/locale.conf # Write `LANG=en_US.UTF-8`.
Host name
nvim /etc/hostname # Write your chosen host name.
Boot
In /etc/mkinitcpio.conf, list the appropriate hooks for this installation. In my case:
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems lvm2 resume fsck)
Then, run the following to generate the Linux images:
mkinitcpio -P
I chose to ignore all the remaining "Possibly missing firmware" warnings. Make sure nothing critical is missing. Otherwise, install the missing firmware and try generating the images again.
You can find more information about the extra modules needed in the Arch wiki:
Set the root password
passwd
Configure the boot loader
Using systemd-boot:
bootctl install
nvim /boot/loader/entries/arch.conf
If you want a different bootloader, you can find some other options in the Arch wiki.
Edit /boot/loader/entries/arch.conf to make a new entry for Linux:
title Arch Linux
linux /vmlinuz-linux
# The microcode image must be listed before the main initramfs.
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<uuid>:lvm resume=/dev/vol0/swap root=/dev/vol0/root rw quiet
You need to replace <uuid> with the UUID of your root partition (my root partition is nvme0n1p2). You can find this UUID with lsblk --fs: look for the row with crypto_LUKS as FSTYPE.
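An easy mistake at this step is to paste the UUID of the ext4 root volume or of the LVM physical volume instead of the UUID of the LUKS container. The check below is an added example, not part of the original article: it parses lsblk --pairs output and the options line of the entry, and confirms that the UUID belongs to a crypto_LUKS device. The function names and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that cryptdevice=UUID=... names the LUKS container.
# Real use: check_entry "$(cat /boot/loader/entries/arch.conf)" \
#                       "$(lsblk --pairs --output NAME,FSTYPE,UUID)"

# lsblk --pairs prints lines like: NAME="x" FSTYPE="y" UUID="z"
# Splitting on '"' puts FSTYPE in field 4 and UUID in field 6.
fstype_of_uuid() {   # $1 = lsblk output, $2 = UUID
    printf '%s\n' "$1" | awk -F'"' -v u="$2" '$6 == u { print $4; exit }'
}

# Extract <uuid> from "options ... cryptdevice=UUID=<uuid>:<name> ...".
entry_uuid() {       # $1 = entry file contents
    printf '%s\n' "$1" | sed -n 's/^options.*cryptdevice=UUID=\([^: ]*\):.*/\1/p'
}

# Succeeds only when the UUID in the entry is a crypto_LUKS device.
check_entry() {      # $1 = entry file contents, $2 = lsblk output
    uuid=$(entry_uuid "$1")
    if [ -z "$uuid" ]; then
        echo "FAIL: no cryptdevice=UUID=<uuid>:<name> in options"; return 1
    fi
    fstype=$(fstype_of_uuid "$2" "$uuid")
    case $fstype in
        crypto_LUKS) echo "OK: $uuid is the LUKS container" ;;
        "") echo "FAIL: $uuid matches no block device"; return 1 ;;
        *)  echo "FAIL: $uuid has FSTYPE $fstype, not crypto_LUKS"; return 1 ;;
    esac
}

# Constructed sample: lsblk output for the layout used in this article.
SAMPLE_LSBLK='NAME="nvme0n1" FSTYPE="" UUID=""
NAME="nvme0n1p1" FSTYPE="vfat" UUID="1A2B-3C4D"
NAME="nvme0n1p2" FSTYPE="crypto_LUKS" UUID="11111111-2222-3333-4444-555555555555"
NAME="lvm" FSTYPE="LVM2_member" UUID="aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg"
NAME="vol0-swap" FSTYPE="swap" UUID="66666666-7777-8888-9999-000000000000"
NAME="vol0-root" FSTYPE="ext4" UUID="99999999-8888-7777-6666-555555555555"'

# Constructed entries: one correct, one using the ext4 root volume's UUID.
GOOD_ENTRY='options cryptdevice=UUID=11111111-2222-3333-4444-555555555555:lvm resume=/dev/vol0/swap root=/dev/vol0/root rw quiet'
BAD_ENTRY='options cryptdevice=UUID=99999999-8888-7777-6666-555555555555:lvm resume=/dev/vol0/swap root=/dev/vol0/root rw quiet'

check_entry "$GOOD_ENTRY" "$SAMPLE_LSBLK"
check_entry "$BAD_ENTRY" "$SAMPLE_LSBLK" || true
```

Run it from the chroot before rebooting; a FAIL line means the initramfs would not find the encrypted partition.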
If all went well, your system should now be bootable. Proceed with:
reboot
If that didn't work, you may need to boot with the installation medium again and mount the partitions to investigate them.
If it did work, enjoy Arch Linux! :)