
Arch UEFI Install Notes

Configuration 1

  • LUKS2 encrypted / and LUKS1 encrypted /boot
  • GRUB
  • Automatically unlock all the disks once you unlock /boot
  • BTRFS (ubuntu style layout for timeshift)
  • Swap (No hibernation)
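# Interactive install notes, run as root from the Arch live ISO; everything after
# "arch-chroot /mnt" is typed inside the chroot shell. Not meant to run unattended.

# auto adjust time
timedatectl set-ntp true

# securely erase the disk, see https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#Secure_erasure_of_the_hard_disk_drive

# partition disk: 1 = ESP (unencrypted), 2 = /boot (LUKS1), 3 = / (LUKS2)
# --clear discards the existing partition table on /dev/sda; confirm the target with lsblk first.
sgdisk --clear \
         --new=1:0:+200MiB --typecode=1:ef00 --change-name=1:ESP \
         --new=2:0:+512MiB --typecode=2:8300 --change-name=2:BOOT \
         --new=3:0:0       --typecode=3:8300 --change-name=3:ROOT \
         /dev/sda

# encrypt disk
# One random 2048-byte keyfile unlocks both / and /boot, so anyone who can read it
# can decrypt the whole disk. Create it under umask 077 so it is never world-readable.
(umask 077; dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock)
# / gets the keyfile as its ONLY key slot: if every copy of the keyfile is lost
# (they all live on this same disk), / cannot be opened. Consider adding a
# passphrase slot to /dev/sda3 with luksAddKey as a recovery path.
cryptsetup --pbkdf argon2id --key-file /crypto_keyfile.bin luksFormat /dev/sda3
cryptsetup --key-file /crypto_keyfile.bin open /dev/sda3 root
# /boot is LUKS1 because GRUB has to open it itself and cannot open LUKS2 volumes
# that use Argon2. The passphrase chosen here is the one typed at every boot and
# is what ultimately protects the keyfile, so it needs to be strong.
cryptsetup --type luks1 luksFormat /dev/sda2
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
cryptsetup open /dev/sda2 boot
# close using "cryptsetup close boot"

# format disk
mkfs.ext4 /dev/mapper/boot
mkfs.btrfs -f /dev/mapper/root
mkfs.fat -F32 /dev/sda1

# create btrfs subvolumes
mount /dev/mapper/root /mnt
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@swap
btrfs subvolume create /mnt/@
umount /mnt

# mount disks
mount -o subvol=@,ssd,noatime,compress=lzo /dev/mapper/root /mnt
mkdir /mnt/home
mount -o subvol=@home,ssd,noatime,compress=lzo /dev/mapper/root /mnt/home
mkdir /mnt/swap
mount -o subvol=@swap,ssd,noatime /dev/mapper/root /mnt/swap
mkdir /mnt/efi
mount /dev/sda1 /mnt/efi
mkdir /mnt/boot
mount /dev/mapper/boot /mnt/boot

# add swap file (it lives inside the LUKS2 root, so swapped-out pages are encrypted at rest)
truncate -s 0 /mnt/swap/swapfile
chattr +C /mnt/swap/swapfile
btrfs property set /mnt/swap/swapfile compression none
dd if=/dev/zero of=/mnt/swap/swapfile bs=1M count=2048 status=progress
chmod 600 /mnt/swap/swapfile
mkswap /mnt/swap/swapfile
swapon /mnt/swap/swapfile

# install packages for a command line system
pacstrap /mnt base linux-zen linux-firmware grub micro efibootmgr networkmanager btrfs-progs reflector sudo inetutils util-linux

genfstab -U /mnt >> /mnt/etc/fstab
# Copy the keyfile into the new system. The copy in / is the one crypttab and
# mkinitcpio FILES refer to below.
# NOTE(review): nothing in these notes reads /boot/crypto_keyfile.bin; the extra
# copy looks removable - confirm before dropping it.
cp /crypto_keyfile.bin /mnt/
cp /crypto_keyfile.bin /mnt/boot/
chmod 600 /mnt/crypto_keyfile.bin
chmod 600 /mnt/boot/crypto_keyfile.bin
chmod 600 /mnt/boot/initramfs-linux*

arch-chroot /mnt

micro /etc/fstab # change if needed
# /dev/sdX names can change between boots; a UUID= reference (see blkid) is the more stable choice here.
micro /etc/crypttab # add "boot /dev/sda2 /crypto_keyfile.bin"

# configure locale, time and network
ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo vm > /etc/hostname
echo -e "127.0.0.1 localhost\n::1 localhost\n" > /etc/hosts
systemctl enable NetworkManager
reflector --score 20 --age 24 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

# set password
passwd

# add sudo user
useradd -m pegasis
passwd pegasis
usermod --append --groups wheel pegasis
# Edit sudoers through visudo: it syntax-checks the file before installing it, so a
# typo cannot leave the system without working sudo.
EDITOR=micro visudo # remove comment before "%wheel ALL=(ALL) ALL"

# install bootloader
micro /etc/mkinitcpio.conf # add "encrypt" after "block" in HOOKS, add "/crypto_keyfile.bin" in FILES
mkinitcpio -P
# The rebuilt images now embed the keyfile (FILES above); make sure only root can read them.
chmod 600 /boot/initramfs-linux*
micro /etc/default/grub  # uncomment "GRUB_ENABLE_CRYPTODISK=y", add "cryptdevice=/dev/sda3:root root=/dev/mapper/root" to GRUB_CMDLINE_LINUX
mkdir /boot/grub
grub-mkconfig -o /boot/grub/grub.cfg
# The ESP and the GRUB image installed on it stay unencrypted and unauthenticated;
# this layout protects data at rest, not against tampering with the bootloader
# (that needs Secure Boot or a similar measure).
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Arch Linux" /dev/sda

# run archdi to install desktop environment
# The URL has no scheme, so curl sends the first request over plain HTTP, and the
# downloaded script then runs as root in the new system. Read it before running it.
curl -L archdi.sf.net/archdi > archdi
micro archdi # review the script before executing it
sh archdi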

Configuration 2

  • LUKS2 encrypted / and LUKS1 encrypted /boot
  • LVM Cache
  • GRUB
  • Automatically unlock all the disks once you unlock /boot
  • BTRFS (ubuntu style layout for timeshift)
  • Swap (No hibernation)
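# Interactive install notes, run as root from the Arch live ISO; everything after
# "arch-chroot /mnt" is typed inside the chroot shell. Not meant to run unattended.
# /dev/sda is the slow disk, /dev/sdb is the fast disk

# auto adjust time
timedatectl set-ntp true

# securely erase the disk, see https://wiki.archlinux.org/title/Dm-crypt/Drive_preparation#Secure_erasure_of_the_hard_disk_drive

# partition disk
# --clear discards the existing partition tables on /dev/sda and /dev/sdb; confirm both targets with lsblk first.
sgdisk --clear \
         --new=1:0:+200MiB --typecode=1:ef00 --change-name=1:ESP \
         --new=2:0:+512MiB --typecode=2:8300 --change-name=2:BOOT \
         --new=3:0:0       --typecode=3:8e00 --change-name=3:ROOT \
         /dev/sda
sgdisk --clear \
         --new=1:0:+2GiB --typecode=1:8200 --change-name=1:SWAP \
         --new=2:0:0     --typecode=2:8e00 --change-name=2:CACHE \
         /dev/sdb

# create a cached LV (see my LVM Notes)
# LUKS is created on top of RootLV below, so the cache partition on the fast disk
# only ever holds ciphertext. LVM metadata (VG/LV names, sizes) is not encrypted.
pvcreate /dev/sda3
pvcreate /dev/sdb2
vgcreate RootVG /dev/sda3
lvcreate -l +100%FREE RootVG -n RootLV
vgextend RootVG /dev/sdb2
lvcreate --type cache --cachemode writeback -l 100%FREE -n RootCache RootVG/RootLV /dev/sdb2

# encrypt disk
# One random 2048-byte keyfile unlocks both / and /boot, so anyone who can read it
# can decrypt the whole system. Create it under umask 077 so it is never world-readable.
(umask 077; dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock)
# / gets the keyfile as its ONLY key slot: if every copy of the keyfile is lost,
# / cannot be opened. Consider adding a passphrase slot to RootLV with luksAddKey
# as a recovery path.
cryptsetup --pbkdf argon2id --key-file /crypto_keyfile.bin luksFormat /dev/RootVG/RootLV
cryptsetup --key-file /crypto_keyfile.bin open /dev/RootVG/RootLV root
# /boot is LUKS1 because GRUB has to open it itself and cannot open LUKS2 volumes
# that use Argon2. The passphrase chosen here is the one typed at every boot and
# is what ultimately protects the keyfile, so it needs to be strong.
cryptsetup --type luks1 luksFormat /dev/sda2
cryptsetup luksAddKey /dev/sda2 /crypto_keyfile.bin
cryptsetup open /dev/sda2 boot
# close using "cryptsetup close boot"

# format disk
mkfs.ext4 /dev/mapper/boot
mkfs.btrfs -f /dev/mapper/root
mkfs.fat -F32 /dev/sda1

# create btrfs subvolumes
mount /dev/mapper/root /mnt
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@
umount /mnt

# mount disks
mount -o subvol=@,ssd_spread,noatime,compress=lzo /dev/mapper/root /mnt
mkdir /mnt/home
mount -o subvol=@home,ssd_spread,noatime,compress=lzo /dev/mapper/root /mnt/home
mkdir /mnt/efi
mount /dev/sda1 /mnt/efi
mkdir /mnt/boot
mount /dev/mapper/boot /mnt/boot

# install packages for a command line system
pacstrap /mnt base linux-zen linux-firmware grub micro efibootmgr networkmanager btrfs-progs reflector sudo inetutils util-linux lvm2

genfstab -U /mnt >> /mnt/etc/fstab
# Copy the keyfile into the new system. The copy in / is the one crypttab and
# mkinitcpio FILES refer to below.
# NOTE(review): nothing in these notes reads /boot/crypto_keyfile.bin; the extra
# copy looks removable - confirm before dropping it.
cp /crypto_keyfile.bin /mnt/
cp /crypto_keyfile.bin /mnt/boot/
chmod 600 /mnt/crypto_keyfile.bin
chmod 600 /mnt/boot/crypto_keyfile.bin
chmod 600 /mnt/boot/initramfs-linux*

arch-chroot /mnt

# The swap entry re-keys its device from /dev/urandom and re-creates swap on it at
# every boot. If /dev/sdb1 ever names a different partition (disk order is not
# stable), that partition's contents are destroyed. A persistent name such as
# /dev/disk/by-partlabel/SWAP (the label set by sgdisk above) avoids this; the
# same applies, less destructively, to /dev/sda2.
micro /etc/crypttab # add "boot /dev/sda2 /crypto_keyfile.bin" and "swap /dev/sdb1 /dev/urandom swap,cipher=aes-xts-plain64,size=256"
micro /etc/fstab # add "/dev/mapper/swap none swap defaults 0 0"

# configure locale, time and network
ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
echo vm > /etc/hostname
echo -e "127.0.0.1 localhost\n::1 localhost\n" > /etc/hosts
systemctl enable NetworkManager
reflector --score 20 --age 24 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

# set password
passwd

# add sudo user
useradd -m pegasis
passwd pegasis
usermod --append --groups wheel pegasis
# Edit sudoers through visudo: it syntax-checks the file before installing it, so a
# typo cannot leave the system without working sudo.
EDITOR=micro visudo # remove comment before "%wheel ALL=(ALL) ALL"

# install bootloader
micro /etc/mkinitcpio.conf # add "lvm2 encrypt" after "block" in HOOKS, add "/crypto_keyfile.bin" in FILES
mkinitcpio -P
# The rebuilt images now embed the keyfile (FILES above); make sure only root can read them.
chmod 600 /boot/initramfs-linux*
micro /etc/default/grub  # uncomment "GRUB_ENABLE_CRYPTODISK=y", add "cryptdevice=/dev/RootVG/RootLV:root root=/dev/mapper/root" to GRUB_CMDLINE_LINUX
mkdir /boot/grub
grub-mkconfig -o /boot/grub/grub.cfg
# The ESP and the GRUB image installed on it stay unencrypted and unauthenticated;
# this layout protects data at rest, not against tampering with the bootloader
# (that needs Secure Boot or a similar measure).
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id="Arch Linux" /dev/sda

# run archdi to install desktop environment
# The URL has no scheme, so curl sends the first request over plain HTTP, and the
# downloaded script then runs as root in the new system. Read it before running it.
curl -L archdi.sf.net/archdi > archdi
micro archdi # review the script before executing it
sh archdi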

Post Installation Configurations

Change EFI Entries

# Show every UEFI boot entry together with its device path, so a stale or
# unexpected entry can be identified before it is removed.
efibootmgr --verbose

# Remove a single entry; xxxx stands for the four-digit number from BootXXXX in the listing above.
efibootmgr --bootnum xxxx --delete-bootnum

Disable Package Compression for AUR

# Open makepkg's configuration and drop the compression suffix from both
# extension settings, so locally built (AUR) packages are written as plain tar
# archives instead of being compressed.
micro /etc/makepkg.conf
# replace PKGEXT='.pkg.tar.zst'
#         SRCEXT='.src.tar.gz'
# with    PKGEXT='.pkg.tar'
#         SRCEXT='.src.tar'

Zram

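# Install the zram swap service from the AUR. As a -git package it is built from
# the upstream repository's current state rather than a pinned release, so read
# the PKGBUILD that yay offers to show before building.
# Plain -S is used: refreshing the package database without a full upgrade (-Sy)
# can leave the system partially upgraded.
yay -S zram-swap-git

# change zram configuration, use lzo-rle for compression method
# (open the file in the editor; the bare path would try to execute it)
micro /etc/default/zram-swap

systemctl daemon-reload
systemctl enable --now zram-swap.service

# todo zswap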


Last update: October 12, 2021
Created: July 13, 2021