Arch UEFI Install Notes¶
Configuration 1¶
- LUKS2 encrypted `/` and LUKS1 encrypted `/boot`
- GRUB
- Automatically unlock all the disks once you unlock /boot
- BTRFS (ubuntu style layout for timeshift)
- Swap (No hibernation)
# Turn on NTP time synchronisation in the live environment
timedatectl set-ntp true
# securely erase the disk, see https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#Secure_erasure_of_the_hard_disk_drive
# (data written before encryption stays readable on disk until it is overwritten)
# Partition the disk. --clear discards the existing partition table on
# /dev/sda, so confirm the target device first (e.g. with lsblk).
#   1: 200 MiB, type ef00 (EFI system partition), GPT name ESP
#   2: 512 MiB, type 8300 (Linux filesystem),     GPT name BOOT (LUKS1 /boot below)
#   3: rest of the disk, type 8300,               GPT name ROOT (LUKS2 / below)
sgdisk --clear \
--new=1:0:+200MiB --typecode=1:ef00 --change-name=1:ESP \
--new=2:0:+512MiB --typecode=2:8300 --change-name=2:BOOT \
--new=3:0:0 --typecode=3:8300 --change-name=3:ROOT \
/dev/sda
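# encrypt disk
# Generate a 2048-byte random keyfile (4 x 512 bytes). The subshell sets
# umask 077 so the file is created with mode 0600 from the start instead of
# being world-readable until a later chmod.
(umask 077 && dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock)
# Root: LUKS2 with Argon2id, keyed only by the keyfile.
# NOTE: /dev/sda3 gets no passphrase slot here. The keyfile is later stored
# only inside the encrypted volumes, so if /boot becomes unreadable the root
# volume cannot be opened. Consider adding a backup passphrase with
# "cryptsetup --key-file /crypto_keyfile.bin luksAddKey /dev/sda3" and keeping
# a "cryptsetup luksHeaderBackup" copy offline.
cryptsetup --pbkdf argon2id --key-file /crypto_keyfile.bin luksFormat /dev/sda3
cryptsetup --key-file /crypto_keyfile.bin open /dev/sda3 root
# /boot: LUKS1, protected by a passphrase that is typed at the GRUB prompt.
# NOTE(review): LUKS1 is presumably chosen because GRUB's LUKS2 support was
# limited when these notes were written - confirm against your GRUB version.
cryptsetup --type luks1 luksFormat /dev/sda2
# Add the keyfile as a second key so /boot can be reopened from crypttab
# without typing the passphrase again.
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
cryptsetup open /dev/sda2 boot
# close using "cryptsetup close boot"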
# Create the filesystems: ext4 on the unlocked /boot mapping, btrfs on the
# unlocked root mapping, FAT32 on the ESP (which stays unencrypted).
mkfs.ext4 /dev/mapper/boot
mkfs.btrfs --force /dev/mapper/root
mkfs.fat -F 32 /dev/sda1
# Create the btrfs subvolumes on the top-level volume, then unmount it so the
# subvolumes can be mounted individually.
mount /dev/mapper/root /mnt
for subvol in @home @swap @; do
  btrfs subvolume create "/mnt/${subvol}"
done
umount /mnt
# Mount the target system under /mnt. The btrfs options shared by every
# subvolume are kept in one variable; compression is added for @ and @home
# only, not for the swap subvolume.
btrfs_opts=ssd,noatime
mount -o "subvol=@,${btrfs_opts},compress=lzo" /dev/mapper/root /mnt
# All mount points live on the @ subvolume, so they can be created together.
mkdir /mnt/home /mnt/swap /mnt/efi /mnt/boot
mount -o "subvol=@home,${btrfs_opts},compress=lzo" /dev/mapper/root /mnt/home
mount -o "subvol=@swap,${btrfs_opts}" /dev/mapper/root /mnt/swap
mount /dev/sda1 /mnt/efi
mount /dev/mapper/boot /mnt/boot
# add swap file (it lives on the encrypted root, so swapped pages are encrypted at rest)
# Start from an empty file: the No_COW attribute below only takes effect on empty files
truncate -s 0 /mnt/swap/swapfile
# Disable copy-on-write for the swap file
chattr +C /mnt/swap/swapfile
# Disable btrfs compression for the swap file
btrfs property set /mnt/swap/swapfile compression none
# Allocate the file by writing 2048 x 1 MiB of zeros (2 GiB)
dd if=/dev/zero of=/mnt/swap/swapfile bs=1M count=2048 status=progress
# Swap holds memory contents, so only root may read it
chmod 600 /mnt/swap/swapfile
mkswap /mnt/swap/swapfile
swapon /mnt/swap/swapfile
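# install packages for a command line system
pacstrap /mnt base linux-zen linux-firmware grub micro efibootmgr networkmanager btrfs-progs reflector sudo inetutils util-linux
genfstab -U /mnt >> /mnt/etc/fstab
# Copy the keyfile into the new system. install -m 0600 creates the
# destination with its final mode, so the key is never readable by other
# users between a cp and a later chmod.
install -m 0600 /crypto_keyfile.bin /mnt/crypto_keyfile.bin
# NOTE(review): crypttab and the mkinitcpio FILES entry both reference
# /crypto_keyfile.bin only; the /boot copy looks unused - confirm before
# keeping a second copy of the key.
install -m 0600 /crypto_keyfile.bin /mnt/boot/crypto_keyfile.bin
# The image that actually embeds the keyfile is the one rebuilt by the later
# "mkinitcpio -P" step; check its permissions again after that step.
chmod 600 /mnt/boot/initramfs-linux*
arch-chroot /mnt
micro /etc/fstab # change if needed
# /dev/sda2 is a kernel name that can change between boots; a persistent
# reference (UUID=<uuid of /dev/sda2>, see blkid) is more robust.
micro /etc/crypttab # add "boot /dev/sda2 /crypto_keyfile.bin"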
# Time zone and hardware clock
ln --symbolic --force /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc
# Locale: enable en_US.UTF-8, generate it and make it the system default
printf '%s\n' "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
printf '%s\n' "LANG=en_US.UTF-8" > /etc/locale.conf
# Hostname and the static localhost entries
printf '%s\n' vm > /etc/hostname
printf '%b\n' "127.0.0.1 localhost\n::1 localhost\n" > /etc/hosts
# Networking at boot, and an HTTPS-only mirror list ranked by download rate
systemctl enable NetworkManager
reflector --score 20 --age 24 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
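# set the root password
passwd
# add sudo user
useradd -m pegasis
passwd pegasis
usermod --append --groups wheel pegasis
# Edit sudoers through visudo rather than opening the file directly: visudo
# checks the syntax before installing the file, and a broken /etc/sudoers
# disables sudo for everyone.
EDITOR=micro visudo # remove comment before "%wheel ALL=(ALL) ALL"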
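# install bootloader
micro /etc/mkinitcpio.conf # add "encrypt" after "block" in HOOKS, add "/crypto_keyfile.bin" in FILES
mkinitcpio -P
# The rebuilt images now embed /crypto_keyfile.bin. Restrict them to root so
# a local user cannot read the key out of /boot; depending on the mkinitcpio
# version the images may otherwise be created world-readable.
chmod 600 /boot/initramfs-linux*
# NOTE(review): cryptdevice=/dev/sda3 relies on a kernel device name;
# cryptdevice=UUID=<uuid of /dev/sda3>:root survives device reordering.
micro /etc/default/grub # uncomment "GRUB_ENABLE_CRYPTODISK=y", add "cryptdevice=/dev/sda3:root root=/dev/mapper/root" to GRUB_CMDLINE_LINUX
mkdir /boot/grub
grub-mkconfig -o /boot/grub/grub.cfg
# The ESP (/efi) is not encrypted, so the GRUB image installed there is not
# protected against offline modification by this setup alone.
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Arch Linux" /dev/sda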
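# run archdi to install desktop environment
# No scheme is given, so curl starts the download over plain HTTP, and the
# result is then executed as root: open the downloaded file and read it
# before running it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script; -o writes the file only when the transfer produces data.
curl -fL archdi.sf.net/archdi -o archdi
sh archdi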
Configuration 2¶
- LUKS2 encrypted `/` and LUKS1 encrypted `/boot`
- LVM Cache
- GRUB
- Automatically unlock all the disks once you unlock /boot
- BTRFS (ubuntu style layout for timeshift)
- Swap (No hibernation)
# /dev/sda is the slow disk, /dev/sdb is the fast disk
# Turn on NTP time synchronisation in the live environment
timedatectl set-ntp true
# securely erase the disk, see https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#Secure_erasure_of_the_hard_disk_drive
# (data written before encryption stays readable on disk until it is overwritten)
# Partition both disks. --clear discards the existing partition table, so
# confirm both device names first (e.g. with lsblk).
# Slow disk:
#   1: 200 MiB, type ef00 (EFI system partition), GPT name ESP
#   2: 512 MiB, type 8300 (Linux filesystem),     GPT name BOOT
#   3: rest of the disk, type 8e00 (Linux LVM),   GPT name ROOT
sgdisk --clear \
--new=1:0:+200MiB --typecode=1:ef00 --change-name=1:ESP \
--new=2:0:+512MiB --typecode=2:8300 --change-name=2:BOOT \
--new=3:0:0 --typecode=3:8e00 --change-name=3:ROOT \
/dev/sda
# Fast disk:
#   1: 2 GiB, type 8200 (Linux swap),            GPT name SWAP
#   2: rest of the disk, type 8e00 (Linux LVM),  GPT name CACHE
sgdisk --clear \
--new=1:0:+2GiB --typecode=1:8200 --change-name=1:SWAP \
--new=2:0:0 --typecode=2:8e00 --change-name=2:CACHE \
/dev/sdb
# create a cached LV (see my LVM Notes)
# Register both partitions as LVM physical volumes
pvcreate /dev/sda3
pvcreate /dev/sdb2
# Build the volume group on the slow disk and give all of it to RootLV
vgcreate RootVG /dev/sda3
lvcreate -l +100%FREE RootVG -n RootLV
# Add the fast partition to the group and use all of it as a cache for RootLV
vgextend RootVG /dev/sdb2
# NOTE: in writeback mode writes are acknowledged once they reach the cache
# device, so a failure of /dev/sdb can lose data that never reached /dev/sda.
# LUKS is created on top of RootLV in the next step, so the origin and the
# cache both hold ciphertext only.
lvcreate --type cache --cachemode writeback -l 100%FREE -n RootCache RootVG/RootLV /dev/sdb2
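# encrypt disk
# Generate a 2048-byte random keyfile (4 x 512 bytes). The subshell sets
# umask 077 so the file is created with mode 0600 from the start instead of
# being world-readable until a later chmod.
(umask 077 && dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock)
# Root: LUKS2 with Argon2id on the cached LV, keyed only by the keyfile.
# NOTE: RootLV gets no passphrase slot here. The keyfile is later stored only
# inside the encrypted volumes, so if /boot becomes unreadable the root volume
# cannot be opened. Consider adding a backup passphrase with
# "cryptsetup --key-file /crypto_keyfile.bin luksAddKey /dev/RootVG/RootLV"
# and keeping a "cryptsetup luksHeaderBackup" copy offline.
cryptsetup --pbkdf argon2id --key-file /crypto_keyfile.bin luksFormat /dev/RootVG/RootLV
cryptsetup --key-file /crypto_keyfile.bin open /dev/RootVG/RootLV root
# /boot: LUKS1, protected by a passphrase that is typed at the GRUB prompt.
# NOTE(review): LUKS1 is presumably chosen because GRUB's LUKS2 support was
# limited when these notes were written - confirm against your GRUB version.
cryptsetup --type luks1 luksFormat /dev/sda2
# Add the keyfile as a second key so /boot can be reopened from crypttab
# without typing the passphrase again.
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
cryptsetup open /dev/sda2 boot
# close using "cryptsetup close boot"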
# Create the filesystems: ext4 on the unlocked /boot mapping, btrfs on the
# unlocked root mapping, FAT32 on the ESP (which stays unencrypted).
mkfs.ext4 /dev/mapper/boot
mkfs.btrfs --force /dev/mapper/root
mkfs.fat -F 32 /dev/sda1
# Create the btrfs subvolumes on the top-level volume, then unmount it so the
# subvolumes can be mounted individually.
mount /dev/mapper/root /mnt
for subvol in @home @; do
  btrfs subvolume create "/mnt/${subvol}"
done
umount /mnt
# Mount the target system under /mnt. Both btrfs subvolumes use the same
# option set, kept in one variable.
btrfs_opts=ssd_spread,noatime,compress=lzo
mount -o "subvol=@,${btrfs_opts}" /dev/mapper/root /mnt
# All mount points live on the @ subvolume, so they can be created together.
mkdir /mnt/home /mnt/efi /mnt/boot
mount -o "subvol=@home,${btrfs_opts}" /dev/mapper/root /mnt/home
mount /dev/sda1 /mnt/efi
mount /dev/mapper/boot /mnt/boot
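# install packages for a command line system
pacstrap /mnt base linux-zen linux-firmware grub micro efibootmgr networkmanager btrfs-progs reflector sudo inetutils util-linux lvm2
genfstab -U /mnt >> /mnt/etc/fstab
# Copy the keyfile into the new system. install -m 0600 creates the
# destination with its final mode, so the key is never readable by other
# users between a cp and a later chmod.
install -m 0600 /crypto_keyfile.bin /mnt/crypto_keyfile.bin
# NOTE(review): crypttab and the mkinitcpio FILES entry both reference
# /crypto_keyfile.bin only; the /boot copy looks unused - confirm before
# keeping a second copy of the key.
install -m 0600 /crypto_keyfile.bin /mnt/boot/crypto_keyfile.bin
# The image that actually embeds the keyfile is the one rebuilt by the later
# "mkinitcpio -P" step; check its permissions again after that step.
chmod 600 /mnt/boot/initramfs-linux*
arch-chroot /mnt
# The swap entry uses a fresh random key and re-creates the swap area on every
# boot, which overwrites whatever partition the path resolves to. Kernel names
# such as /dev/sdb1 can change between boots, so the entry below uses the GPT
# partition name set by sgdisk above; a /dev/disk/by-id/ or by-partuuid path
# works as well. For the boot entry, UUID=<uuid of /dev/sda2> (see blkid) is
# likewise more robust than /dev/sda2.
micro /etc/crypttab # add "boot /dev/sda2 /crypto_keyfile.bin" and "swap /dev/disk/by-partlabel/SWAP /dev/urandom swap,cipher=aes-xts-plain64,size=256"
micro /etc/fstab # add "/dev/mapper/swap none swap defaults 0 0"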
# Time zone and hardware clock
ln --symbolic --force /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc
# Locale: enable en_US.UTF-8, generate it and make it the system default
printf '%s\n' "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
printf '%s\n' "LANG=en_US.UTF-8" > /etc/locale.conf
# Hostname and the static localhost entries
printf '%s\n' vm > /etc/hostname
printf '%b\n' "127.0.0.1 localhost\n::1 localhost\n" > /etc/hosts
# Networking at boot, and an HTTPS-only mirror list ranked by download rate
systemctl enable NetworkManager
reflector --score 20 --age 24 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
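# set the root password
passwd
# add sudo user
useradd -m pegasis
passwd pegasis
usermod --append --groups wheel pegasis
# Edit sudoers through visudo rather than opening the file directly: visudo
# checks the syntax before installing the file, and a broken /etc/sudoers
# disables sudo for everyone.
EDITOR=micro visudo # remove comment before "%wheel ALL=(ALL) ALL"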
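# install bootloader
# lvm2 comes before encrypt because the LUKS container sits on top of the LV
micro /etc/mkinitcpio.conf # add "lvm2 encrypt" after "block" in HOOKS, add "/crypto_keyfile.bin" in FILES
mkinitcpio -P
# The rebuilt images now embed /crypto_keyfile.bin. Restrict them to root so
# a local user cannot read the key out of /boot; depending on the mkinitcpio
# version the images may otherwise be created world-readable.
chmod 600 /boot/initramfs-linux*
micro /etc/default/grub # uncomment "GRUB_ENABLE_CRYPTODISK=y", add "cryptdevice=/dev/RootVG/RootLV:root root=/dev/mapper/root" to GRUB_CMDLINE_LINUX
mkdir /boot/grub
grub-mkconfig -o /boot/grub/grub.cfg
# The ESP (/efi) is not encrypted, so the GRUB image installed there is not
# protected against offline modification by this setup alone.
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Arch Linux" /dev/sda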
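# run archdi to install desktop environment
# No scheme is given, so curl starts the download over plain HTTP, and the
# result is then executed as root: open the downloaded file and read it
# before running it.
# -f makes curl fail on an HTTP error instead of saving the error page as the
# script; -o writes the file only when the transfer produces data.
curl -fL archdi.sf.net/archdi -o archdi
sh archdi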
Post Installation Configurations¶
Change EFI Entries¶
# Show every UEFI boot entry together with its device path
efibootmgr --verbose
# Remove a single entry; xxxx is the hexadecimal number from its BootXXXX name
efibootmgr --bootnum xxxx --delete-bootnum
Disable Package Compression for AUR¶
# Open makepkg's configuration and switch the package and source archives to
# uncompressed tar, so locally built packages skip the compression step.
micro /etc/makepkg.conf
# replace PKGEXT='.pkg.tar.zst'
#         SRCEXT='.src.tar.gz'
# with    PKGEXT='.pkg.tar'
#         SRCEXT='.src.tar'
Zram¶
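# Install zram-swap from the AUR. Plain -S is used instead of -Sy: refreshing
# the package databases without a full upgrade leaves the system partially
# upgraded, which Arch does not support (run "yay -Syu" first if needed).
# AUR packages are user-submitted build scripts; read the PKGBUILD that yay
# offers to show before building.
yay -S zram-swap-git
# change zram configuration, use lzo-rle for compression method
# (the bare path would be executed as a command, so open it in the editor)
micro /etc/default/zram-swap
systemctl daemon-reload
systemctl enable --now zram-swap.service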
// todo zswap
Last update:
October 12, 2021
Created: July 13, 2021