Arch: Installation (GRUB)
Install Arch Linux with UEFI + LUKS + LVM + BTRFS + GRUB + Encrypted /boot + Crypt Password Only Once + Secure Boot
DISCLAIMER
THE WIKI IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE WIKI OR THE USE OR OTHER DEALINGS IN THE WIKI.
Installation Steps
Connect to Wifi
Source: iwctl
# iwctl
[iwd]# device list
[iwd]# device deviceName set-property Powered on
[iwd]# station deviceName scan
[iwd]# station deviceName get-networks
[iwd]# station deviceName connect SSID
[iwd]# exit
Check internet
$ ping archlinux.org
Check system time
$ timedatectl
Partition disks
Check disk
# fdisk -l
Create partitions on the disk
Enter fdisk
# fdisk /dev/sdX
Create GPT label
Command (m for help): g
Created a new GPT disklabel (GUID: ...).
Create boot partition
Command (m for help): n
Partition number:
First sector:
Last sector, +/-sectors or +/-size{K,M,G,T,P}: +512M
Command (m for help): t
Partition type or alias (type L to list all): uefi
Make remaining partition for LUKS
Command (m for help): n
Partition number:
First sector:
Last sector, +/-sectors or +/-size{K,M,G,T,P}:
Print partition info to verify
Command (m for help): p
Write changes (write changes and quit)
Command (m for help): w
Quit fdisk (quit without writing changes in case of mistakes)
Command (m for help): q
Format the boot partition
# mkfs.fat -F 32 -n EFI /dev/sdXY
Setup LUKS
Create LUKS partition (LUKS1 is used because GRUB has to unlock this partition itself to read the encrypted /boot)
# cryptsetup --use-random --type luks1 luksFormat /dev/sdXZ
Are you sure? YES
Enter passphrase:
Verify passphrase:
Open LUKS partition
You can use any other name instead of cryptroot, but be sure to replace it everywhere in the following commands.
# cryptsetup open /dev/sdXZ cryptroot
Note
Once LVM has been created, you only need to open the disk with cryptsetup. No additional command is needed to access the volume group (vg): all existing LVM volumes are accessible right after unlocking the LUKS partition. This comes in handy if you have to reboot the system after the LVM setup.
Setup LVM
Create LVM group
# pvcreate /dev/mapper/cryptroot
# vgcreate vgroot /dev/mapper/cryptroot
Create LVM Partitions
This assumes you don't need a separate home volume on LVM
Create swap
# lvcreate --size 8G vgroot --name swap
Create root
# lvcreate -l +100%FREE vgroot --name root
Format LVM partitions
Format swap
# mkswap /dev/vgroot/swap -L swap
Format root
# mkfs.btrfs /dev/vgroot/root -L root
Create Btrfs Subvolumes
Mount btrfs partition to /mnt (install target root)
# mount -t btrfs LABEL=root /mnt
Create partitions one by one
# btrfs subvolume create /mnt/@
# btrfs subvolume create /mnt/@home
# btrfs subvolume create /mnt/@tmp
# btrfs subvolume create /mnt/@varlog
# btrfs subvolume create /mnt/@snapshots
Disable Copy-on-Write for tmp and varlog
# chattr +C /mnt/@tmp
# chattr +C /mnt/@varlog
Unmount /mnt (install target root)
# umount -R /mnt
Mount Btrfs Subvolumes
The following options can be set for mounting:
- commit = interval between data writes, in seconds
- x-mount.mkdir = create the mount point directory if it does not exist
- ssd = SSD-specific Btrfs optimisations
- noatime = do not store file access times (makes Btrfs faster)
- nodiratime = do not store directory access times (makes Btrfs faster)
- discard = set to async, i.e. asynchronous queued TRIM of freed file blocks; check below whether the device supports it
Check that discard is supported: the output must be greater than 0:
# cat /sys/block/sdX/queue/discard_max_bytes
Mount btrfs subvolumes one by one:
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@ LABEL=root /mnt
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@home LABEL=root /mnt/home
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@tmp LABEL=root /mnt/tmp
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@varlog LABEL=root /mnt/var/log
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@snapshots LABEL=root /mnt/.snapshots
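As an added example (not part of the original page), the bash functions below build the mount option string used above and include discard=async only when the discard_max_bytes value the text points at is greater than 0. The sysfs path is a parameter so the functions can be pointed at /sys/block/sdX/queue/discard_max_bytes on a real machine or at a plain file for testing; the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the original page: build the Btrfs mount option
# string used in this guide, adding discard=async only when the device
# reports TRIM support. The sysfs path is passed in rather than hard-coded.

# Return 0 if the discard_max_bytes file at $1 exists and holds a value > 0.
discard_supported() {
    [ -r "$1" ] || return 1
    n=$(cat "$1")
    [ "$n" -gt 0 ] 2>/dev/null
}

# Print the mount options for subvolume $1, given the discard sysfs file $2.
btrfs_mount_opts() {
    opts="defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime"
    if discard_supported "$2"; then
        opts="$opts,discard=async"
    fi
    printf '%s,space_cache=v2,commit=120,subvol=%s\n' "$opts" "$1"
}

# Mount the five subvolumes created above under $1 (default /mnt), using
# the discard file $2. Run as root from the live environment.
mount_all_subvolumes() {
    target="${1:-/mnt}"
    sysfs="$2"
    for pair in @:/ @home:/home @tmp:/tmp @varlog:/var/log @snapshots:/.snapshots; do
        sub=${pair%%:*}
        dir=${pair#*:}
        mount -t btrfs -o "$(btrfs_mount_opts "$sub" "$sysfs")" LABEL=root "$target$dir"
    done
}

# Example invocation on the install disk (replace sdX):
#   mount_all_subvolumes /mnt /sys/block/sdX/queue/discard_max_bytes
```

Because x-mount.mkdir is part of the option string, the mount points under /mnt (including /mnt/var/log and /mnt/.snapshots) are created on the fly, exactly as in the manual commands above.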
Mount EFI dir
# mkdir -p /mnt/boot/efi
# mount LABEL=EFI /mnt/boot/efi
Fix Mirrorlist: Reflector
Install reflector:
# pacman -Syy reflector
Configure mirrorlist using reflector:
# reflector --verbose --sort rate --save /etc/pacman.d/mirrorlist
Install Base Packages: Pacstrap
# pacstrap -K /mnt base linux linux-firmware vim nano
Generate Mount Info Fstab
# genfstab -L -p /mnt >> /mnt/etc/fstab
Chroot into Installed Environment
# arch-chroot /mnt
Set Timezone
# ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
# hwclock --systohc
Set Locale
Edit /etc/locale.gen and uncomment the required locales then run:
# locale-gen
Create /etc/locale.conf with content:
LANG=en_US.UTF-8
Configure Hostname
# echo yourhostname >> /etc/hostname
Install additional packages
Install required programs such as a shell, development packages, sudo, Btrfs tools, Secure Boot tools, microcode, Bluetooth, Wi-Fi, a desktop environment, etc.
# pacman -Syu base-devel btrfs-progs gptfdisk zsh sudo ttf-dejavu noto-fonts noto-fonts-cjk intel-ucode polkit wpa_supplicant mesa lvm2 efibootmgr bash-completion git man pipewire wireplumber pipewire-alsa pipewire-pulse terminus-font gnome
If installing GNOME, select pipewire-jack, wireplumber and noto-fonts-emoji in the following interactive prompts.
User Management
Create root password
# passwd
Create user USERNAME:
# useradd -m -G wheel,storage,power -g users -s /bin/bash USERNAME
Create a password for user USERNAME:
# passwd USERNAME
Don't forget to uncomment the wheel line with visudo:
# visudo
Search for the following line and remove the # in front of it:
%wheel ALL=(ALL:ALL) ALL
Switch user to USERNAME
# sudo -u USERNAME -i
Install Aur helper
# pacman -Syy go
$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -is
$ cd ..
$ rm -rf yay
Grub Setup
(Skip to Unified Kernel Image Setup if you want to use systemd-boot instead)
Install grub
# pacman -Syy grub efibootmgr
Setup Disk Encryption for Grub
Append/uncomment the following line in /etc/default/grub:
GRUB_ENABLE_CRYPTODISK=y
Add Command Line Parameters
In /etc/default/grub edit the following argument:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash sysrq_always_enabled=1 fbcon=nodefer cryptdevice=UUID=disk-UUID:cryptroot root=LABEL=root rootflags=subvol=@ rw loglevel=3"
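As an added example (not part of the original page), the bash functions below generate this exact kernel command line from the UUID of the LUKS partition, which you can read with blkid -s UUID -o value /dev/sdXZ, and write it into /etc/default/grub. They assume the names used throughout this guide (mapper name cryptroot, root label "root", subvolume @); the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the original page: build the kernel command
# line for cryptdevice=UUID=...:cryptroot and install it into a grub
# defaults file. Assumes the cryptroot / LABEL=root / subvol=@ names used
# in this guide.

# Print GRUB_CMDLINE_LINUX_DEFAULT for LUKS partition UUID $1.
build_cmdline() {
    case "$1" in
        ????????-????-????-????-????????????) ;;   # 8-4-4-4-12 shape check
        *) echo "build_cmdline: '$1' does not look like a UUID" >&2; return 1 ;;
    esac
    printf 'quiet splash sysrq_always_enabled=1 fbcon=nodefer cryptdevice=UUID=%s:cryptroot root=LABEL=root rootflags=subvol=@ rw loglevel=3' "$1"
}

# Replace (or append) GRUB_CMDLINE_LINUX_DEFAULT in file $1 with value $2.
set_cmdline() {
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1"; then
        # '|' is used as the sed delimiter because the value contains '/' and '='
        sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT=\"$2\"|" "$1"
    else
        printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$2" >> "$1"
    fi
}

# Print the value currently set in file $1, without the surrounding quotes.
get_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# On the real system (as root inside the chroot; sdXZ is the LUKS partition):
#   uuid=$(blkid -s UUID -o value /dev/sdXZ)
#   set_cmdline /etc/default/grub "$(build_cmdline "$uuid")"
```

Use the UUID of the LUKS partition itself (/dev/sdXZ), not the UUID of the LVM root volume inside it: the encrypt hook needs to find the container before LVM exists.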
Configure mkinitcpio Hooks
Edit /etc/mkinitcpio.conf:
HOOKS=(base udev plymouth modconf kms keyboard keymap block encrypt lvm2 btrfs filesystems fsck)
Install missing firmware
After installing yay
$ yay -Syy mkinitcpio-firmware
Plymouth Setup
Install plymouth
# pacman -Syy plymouth
Install plymouth theme
$ yay -Syy plymouth-theme-bgrt-better-luks
Set Plymouth theme
Show installed plymouth themes:
# plymouth-set-default-theme -l
Set plymouth theme:
# plymouth-set-default-theme -R bgrt-better-luks
Run mkinitcpio
# mkinitcpio -P
Create List of modules for Grub
I have excluded the Apple filesystem and RAID modules; check the Ubuntu GRUB Secure Boot script in the references:
GRUB_MODULES="
all_video
boot
btrfs
cat
chain
configfile
echo
efifwsetup
efinet
ext2
fat
font
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
iso9660
jpeg
keystatus
loadenv
loopback
linux
ls
lsefi
lsefimmap
lsefisystab
lssal
memdisk
minicmd
normal
ntfs
part_msdos
part_gpt
password_pbkdf2
png
probe
reboot
regexp
search
search_fs_uuid
search_fs_file
search_label
sleep
smbios
squash4
test
true
video
cpuid
play
tpm
cryptodisk
gcry_rsa
gcry_seed
gcry_sha256
luks
lvm
"
Install grub on ESP
# grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="${GRUB_MODULES}" --disable-shim-lock
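As an added example (not part of the original page), the bash functions below flatten the multi-line GRUB_MODULES string into the single argument grub-install expects and refuse to install if the modules this layout depends on are absent. REQUIRED_MODULES is my own assumed minimum for the setup in this guide (GPT, LUKS-encrypted /boot, LVM, Btrfs root); the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the original page: sanity-check and flatten the
# GRUB_MODULES list before passing it to grub-install. REQUIRED_MODULES is an
# assumed minimum for this guide's layout; grub-install must receive the whole
# list as one quoted --modules= argument, otherwise the shell splits it into
# separate positional arguments.

REQUIRED_MODULES="part_gpt cryptodisk luks lvm btrfs"

# Collapse a multi-line module list into a single space-separated line.
normalize_modules() {
    printf '%s\n' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Print each required module missing from $1; return 1 if any is missing.
missing_modules() {
    list=" $(normalize_modules "$1") "
    rc=0
    for m in $REQUIRED_MODULES; do
        case "$list" in
            *" $m "*) ;;
            *) echo "$m"; rc=1 ;;
        esac
    done
    return $rc
}

# Install GRUB with the checked list; $1 = GRUB_MODULES string. Run as root
# inside the chroot after GRUB_ENABLE_CRYPTODISK=y has been set.
install_grub_checked() {
    if ! missing_modules "$1" >/dev/null; then
        echo "refusing to install: modules missing from GRUB_MODULES" >&2
        return 1
    fi
    grub-install --target=x86_64-efi --efi-directory=/boot/efi \
        --modules="$(normalize_modules "$1")" --disable-shim-lock
}

# Example invocation after defining GRUB_MODULES as above:
#   install_grub_checked "$GRUB_MODULES"
```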
Generate Config
# grub-mkconfig -o /boot/grub/grub.cfg
Avoiding having to enter the passphrase twice
Create keyfile and add it:
# dd bs=512 count=4 if=/dev/random of=/root/cryptlvm.keyfile iflag=fullblock
# chmod 000 /root/cryptlvm.keyfile
# cryptsetup -v luksAddKey /dev/sdXZ /root/cryptlvm.keyfile
Edit /etc/mkinitcpio.conf:
FILES=(/root/cryptlvm.keyfile)
Generate initramfs:
# mkinitcpio -P
Secure embedded keyfile:
# chmod 600 /boot/initramfs-linux*
Edit /etc/default/grub and add cryptkey=rootfs:/root/cryptlvm.keyfile in kernel params:
GRUB_CMDLINE_LINUX_DEFAULT="...cryptkey=rootfs:/root/cryptlvm.keyfile..."
Regenerate grub config:
# grub-mkconfig -o /boot/grub/grub.cfg
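As an added example (not part of the original page), the bash functions below verify that the keyfile steps above took effect: the keyfile and the initramfs images that embed it are not readable by group or others, grub.cfg passes cryptkey= on the kernel line, and GRUB_ENABLE_CRYPTODISK=y is set. The root directory is a parameter so the check can be run against a chroot or a test tree; the function names are my own.

```bash
#!/bin/bash
# Added example, not part of the original page: verify the keyfile hardening
# steps of this guide. $1 of check_keyfile_setup is the root of the installed
# system (empty for the running system); paths below are the ones used above.

# Return 0 if file $1 exists and is not readable by group or others.
not_group_other_readable() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    # find prints the file if any of the g+r / o+r bits are set
    [ -z "$(find "$1" -perm /044)" ]
}

# Return 0 if grub.cfg $1 passes cryptkey=rootfs:$2 to the kernel.
grubcfg_has_cryptkey() {
    grep -q "cryptkey=rootfs:$2" "$1"
}

# Run all checks; prints one FAIL line per problem and returns 1 if any failed.
check_keyfile_setup() {
    root="${1:-}"
    keyfile="$root/root/cryptlvm.keyfile"
    rc=0
    not_group_other_readable "$keyfile" \
        || { echo "FAIL: $keyfile is readable by group/others"; rc=1; }
    for img in "$root"/boot/initramfs-linux*; do
        [ -e "$img" ] || continue
        not_group_other_readable "$img" \
            || { echo "FAIL: $img is readable by group/others"; rc=1; }
    done
    grubcfg_has_cryptkey "$root/boot/grub/grub.cfg" /root/cryptlvm.keyfile \
        || { echo "FAIL: grub.cfg lacks cryptkey=rootfs:/root/cryptlvm.keyfile"; rc=1; }
    grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$root/etc/default/grub" \
        || { echo "FAIL: GRUB_ENABLE_CRYPTODISK=y not set"; rc=1; }
    return $rc
}

# Inside the chroot:  check_keyfile_setup ""   (or check_keyfile_setup /mnt from the live system)
```

The initramfs permission check matters because the keyfile is copied into every initramfs image via FILES=(...); those images live under /boot on the encrypted root, but within the running system they must still not be world-readable.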
Secure boot setup
Install Secure Boot Util:
# pacman -Syyu sbctl
Create Secure boot keys:
# sbctl create-keys
Enroll keys
Remove the immutable attribute from the Secure Boot variables in efivarfs:
# chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*
If PK, KEK or db makes the above command fail, remove it from the list and run the command with the remaining ones.
Now enroll the keys along with Microsoft's keys (-m):
# sbctl enroll-keys -m
Sign Bootloader and Kernel for Secureboot
# sbctl sign -s -o /boot/efi/EFI/arch/grubx64.efi /boot/efi/EFI/arch/grubx64.efi
# sbctl sign -s -o /boot/vmlinuz-linux /boot/vmlinuz-linux
Enable services
Enable Gnome Display Manager
# systemctl enable gdm
Enable Network Manager
# systemctl enable NetworkManager
Enable Bluetooth
# systemctl enable bluetooth
Finish Install
Log out of user USERNAME, exit arch-chroot, unmount and reboot:
$ exit
# exit
# umount -a
# reboot
Turn on Secure Boot in the firmware (BIOS) settings after this. Nothing else is needed for Secure Boot.
Reference
https://wiki.archlinux.org/title/User:ZachHilman/Installation_-Btrfs%2B_LUKS2_%2B_Secure_Boot
https://wiki.archlinux.org/title/Installation_guide
https://gist.github.com/mjnaderi/28264ce68f87f52f2cabb823a503e673
https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134
https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/
https://github.com/Szwendacz99/Arch-install-encrypted-btrfs
https://www.reddit.com/r/archlinux/comments/127fp6g/plymouthencrypt_hook_no_longer_found_after_update/
https://bbs.archlinux.org/viewtopic.php?id=284741
https://www.youtube.com/watch?v=QQoZwP6-Y2k
https://github.com/AravindIM/nixos-dotfiles/blob/main/hosts/thinkpad/hardware-configuration.nix
https://github.com/AravindIM/arch-install/blob/main/install-gnome.sh
https://github.com/0xadeeb/dotFiles
https://github.com/0xadeeb/NixOs-config/blob/master/hosts/hp-pavilion/hardware-configuration.nix
https://bbs.archlinux.org/viewtopic.php?id=243019
https://wiki.archlinux.org/title/Talk:Mkinitcpio#Improvements_for_the_Common_hooks_table_and_section_about_systemd_hook
https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate
https://askubuntu.com/questions/1304519/fstab-automatically-creates-mount-points
https://wiki.archlinux.org/title/User:Bai-Chiang/Installation_notes
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
https://wiki.archlinux.org/title/Unified_kernel_image
https://wiki.archlinux.org/title/AUR_helpers
https://linuxhint.com/btrfs-filesystem-mount-options/
https://linuxconfig.org/how-to-manage-efi-boot-manager-entries-on-linux
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)
https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images?h=debian/2.06-2ubuntu12
https://binary-manu.github.io/binary-is-better/linux/archlinux-secure-boot
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB/)