[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6) was very helpful to me and I wanted to write my own version with a dual-boot setup.
-**Full title:** Windows 11 + Arch Linux dual-boot (systemd-boot) installation guide with encrypted partitions (BitLocker and LUKS respectively) and Secure Boot (UEFI)
-**Version:** 2.1.2 (2024-12-05)
-**Version:** 2.1.3
The previous version (let's call it as v1.1.0 or just v1) was written by me a long time ago. I wanted to follow my own guide to check it's integrity and validity, and rewrite it along the way.
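Review bot: the new Version line reads `2.1.3` with no date, while the line it replaces was `2.1.2 (2024-12-05)`. Keep the release date next to the version number so a reader can tell how current the boot and encryption steps are, and change "it's integrity" to "its integrity" in the context paragraph while you are in this header.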
@@ -139,7 +139,7 @@ This setup:
>
> Check your device for any operating system compatibility issues. It could be anything, but usually drivers.
In my case, I'm using a "HUAWEI MateBook D 15 BoM-WFQ9" laptop, and sound from speakers or wired headphones doesn't work under Linux (Windows works fine). It seems that the kernel doesn't support the audio card.
In my case, I'm using a "HUAWEI MateBook D 15 BoM-WFQ9" laptop. At one point, the speakers didn't work under Linux (Windows was fine), and only Bluetooth headphones worked. Everything is fine now.
If possible, it's better to check for these problems beforehand, as this dual-boot setup is not so quick to deploy.
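Review bot: the rewritten hardware note ends with "Everything is fine now." but does not say what changed between the speakers not working and working. State the kernel version or package update after which the audio started working, so someone checking compatibility for the same laptop model knows what to look for.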
shimeoki revised this gist Dec 5, 2024. 1 changed file with 4 additions and 4 deletions.
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6) was very helpful to me and I wanted to write my own version with a dual-boot setup.
-**Full title:** Windows 11 + Arch Linux dual-boot (systemd-boot) installation guide with encrypted partitions (BitLocker and LUKS respectively) and Secure Boot (UEFI)
-**Version:**v2.1.1 (2024-10-26)
-**Version:**2.1.2 (2024-12-05)
The previous version (let's call it as v1.1.0 or just v1) was written by me a long time ago. I wanted to follow my own guide to check it's integrity and validity, and rewrite it along the way.
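Review bot: the new line `**Version:**2.1.2 (2024-12-05)` drops the `v` prefix that the paragraph right below it still uses ("v1.1.0 or just v1"), and it has no space after `**Version:**`. Pick one version format and keep the space, so the header reads the same across revisions.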
@@ -985,7 +985,7 @@ mount "$MAPPED_ROOT" "$ROOT_MOUNT"
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6) was very helpful to me and I wanted to write my own version with a dual-boot setup.
-**Full title:** Windows 11 + Arch Linux dual-boot (systemd-boot) installation guide with encrypted partitions (BitLocker and LUKS respectively) and Secure Boot (UEFI)
-**Version:** v2.1.0 (2024-10-26)
-**Version:** v2.1.1 (2024-10-26)
The previous version (let's call it as v1.1.0 or just v1) was written by me a long time ago. I wanted to follow my own guide to check it's integrity and validity, and rewrite it along the way.
@@ -609,6 +609,8 @@ You can also click "Continue with limited setup" to skip the Microsoft login.
> ```
>
> This will reboot the system, and then you will be able to continue with limited setup.
>
> Credit: https://github.com/kaubu
### Normal installation once again
shimeoki revised this gist Oct 26, 2024. 1 changed file with 13 additions and 1 deletion.
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6) was very helpful to me and I wanted to write my own version with a dual-boot setup.
-**Full title:** Windows 11 + Arch Linux dual-boot (systemd-boot) installation guide with encrypted partitions (BitLocker and LUKS respectively) and Secure Boot (UEFI)
-**Version:** v2.0.0 (2024-09-16)
-**Version:** v2.1.0 (2024-10-26)
The previous version (let's call it as v1.1.0 or just v1) was written by me a long time ago. I wanted to follow my own guide to check it's integrity and validity, and rewrite it along the way.
@@ -598,6 +598,18 @@ I recommend clicking on "I don't have internet" after setting up the layouts. Th
You can also click "Continue with limited setup" to skip the Microsoft login.
> [!tip]
>
> Sometimes this won't show, so you have to do this manually.
>
> Press `Shift + F10` to open a command prompt and run:
>
> ```powershell
> OOBE\BYPASSNRO
> ```
>
> This will reboot the system, and then you will be able to continue with limited setup.
### Normal installation once again
Nothing unusual here. User, password, security questions and privacy checks. You can turn these off if you want.
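Review bot: in the new tip, the fence around `OOBE\BYPASSNRO` is tagged `powershell`, but the text says `Shift + F10` opens a command prompt, so the tag should be `cmd` (or the sentence should say how to get to PowerShell from there). "Sometimes this won't show" is also ambiguous; name the "Continue with limited setup" option it refers to.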
shimeoki revised this gist Sep 16, 2024. 1 changed file with 1396 additions and 333 deletions.
# My Windows 11 + Arch Linux dual-boot installation
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6#installing-secure-boot) was very helpful to me and I wanted to write my own version with a dual-boot setup.
> ### Warning!
> All actions are at your own risk!
> [!caution]
>
> **All actions are at your own risk!** This has been tested by me, but does not guarantee your success.
>
> Read everything at least once before actually following the guide. If something goes wrong, stop immediately. Consider starting from the beginning.
# About the guide
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6) was very helpful to me and I wanted to write my own version with a dual-boot setup.
-**Full title:** Windows 11 + Arch Linux dual-boot (systemd-boot) installation guide with encrypted partitions (BitLocker and LUKS respectively) and Secure Boot (UEFI)
-**Version:** v2.0.0 (2024-09-16)
The previous version (let's call it as v1.1.0 or just v1) was written by me a long time ago. I wanted to follow my own guide to check it's integrity and validity, and rewrite it along the way.
> [!note]
>
> It's not recommended to follow v1, but if you want to, you can check this version - the first 3 revisions of the gist.
This guide is more like a list of actions, and does not go into detail about the installation (although it does explain some things in general). If you want to read more, I leave reference links throughout the guide, and there are [resources](#resources) at the end.
If you have any problems or questions, feel free to write a comment.
# Description
This setup:
- Set on a laptop
- Has **Arch Linux** installed
- With the **LUKS** encrypted container
- With the **zen-kernel**
- Has **Windows 11** installed
- With the **BitLocker** encryption
- Uses **systemd-boot**
- Boot partition is *not* encrypted
- Uses **ext4** as Linux file system
- Has *no* swap file
- Does *not* configure the TPM module
> [!tip]
>
> Skip to the parts you need in the [Table of Contents](#table-of-contents), but keep in mind that everything is done with these goals in mind.
# Table of Contents
-[Table of Contents](#Table-of-Contents)
-[Hardware](#Hardware)
-[Pre-installation](#Pre-installation)
-[Disabling Secure Boot](#Disabling-Secure-Boot)
-[Cleaning NVMe drive](#Cleaning-NVMe-drive)
-[Check drives](#Check-drives)
-[Check the available formatting methods](#Check-the-available-formatting-methods)
-[Perform a block erase](#Perform-a-block-erase)
-[Check completion](#Check-completion)
-[Verify cleaning](#Verify-cleaning)
-[Partition the disk](#Partition-the-disk)
-[Check current partitions](#Check-current-partitions)
> Check your device for any operating system compatibility issues. It could be anything, but usually drivers.
In my case, I'm using a "HUAWEI MateBook D 15 BoM-WFQ9" laptop, and sound from speakers or wired headphones doesn't work under Linux (Windows works fine). It seems that the kernel doesn't support the audio card.
If possible, it's better to check for these problems beforehand, as this dual-boot setup is not so quick to deploy.
> [!important]
>
> My laptop has an AMD APU (CPU with integrated graphics), NVMe and everything else hardware specific. I will warn you in the sections where it is important not to just copy and paste.
## Software
*First,* you need to **get the `.iso` files of Arch Linux and Windows 11.**
- The preferred method of downloading Arch `.iso` is using a BitTorrent client. [Arch Linux downloads](https://archlinux.org/download/).
- The Windows image can be created using the Media Creation Tool or downloaded directly. [Windows 11 downloads](https://www.microsoft.com/en-us/software-download/windows11/).
In my case both images together in size are about 6 GB, so an 8+ GB flash drive is recommended.
*Second,* you need to **create a bootable USB flash drive.**
> [!warning]
>
> **Backup your data on the USB before that!**
I use [Ventoy](https://www.ventoy.net/en/index.html). Just download the program, extract, open `Ventoy2Disk` and proceed to install Ventoy on the drive.
> [!note]
>
> Ventoy can create MBR or GPT disks as you wish. It is hidden in the "Option" menu at the top. Documentation has a [dedicated page](https://www.ventoy.net/en/doc_mbr_vs_gpt.html) on this topic.
>
> Previously, I used MBR, and now GPT - everything is fine in both cases.
>
> I also recommend that you *enable* "Secure Boot Support" (should be enabled by default, just in case).
After installation, just copy the images to the root of the flash drive.
# Pre-installation
#### Required:
- PC or laptop with stable power supply
- Ventoy flash drive with Windows 11 and Arch Linux .iso files
- Internet (Wi-Fi)
- Free time
## Disabling Secure Boot
Simply go into your UEFI and disable Secure Boot. Otherwise you won't be able to boot from the flash drive. We'll enable it after installation.
In my case, I have to press F2 after turning on my laptop to get into [InsydeH2O](https://en.wikipedia.org/wiki/Insyde_Software#InsydeH2O_UEFI_BIOS).
1. To autocomplete the name of a directory, a file or a command, press Tab.
2. To enter previous commands, press down arrow key multiple times.
3. Ctrl + L - clear terminal.
4. Ctrl + C - cancel the current command.
5. Ctrl + U (at least in zsh) - cut everything before the cursor.
Boot from your flash drive, select your Arch Linux .iso file and boot it in normal mode.
### Shell environment variables
> If you see the "Perform MOK Management" window, simply select "Enroll key from disk" and select the appropriate key. You can read more [here](https://www.ventoy.net/en/doc_secure.html).
```sh
export VAR=value
# make an environment variable
### Check drives
echo"$VAR"
# print this variable to the console
# you can use "$VAR" anywhere to shorten commands
# you can omit the double quotes, but it's safer to do so
# example:
export PART_LUKS=/dev/nvme0n1p5
cryptsetup -v luksFormat "$PART_LUKS"
```
nvme list
### nano
In `nano` you can move the cursor with the arrow keys and enter text like in Windows Notepad. No "Insert mode" like in Vi or Vim.
There are other keybinds at the bottom. The most important are:
- Ctrl + S - save
- Ctrl + X - exit
- Ctrl + F - search
### less
Very useful terminal pager.
Binds:
- j / arrow down - down
- k / arrow up - up
- q - quit
To view the output of the command in `less`, do the following:
```sh
<command>| less
```
In my case I have `/dev/nvme0`. I'll use this name in future commands.
In my case I have `[1:1] : 0x1 Block Erase Sanitize Operation Supported`. `Crypto Erase Sanitize` or `Overwrite Erase Sanitize` are not available for me.
### Perform a block erase
> ### Warning!
> This operation will erase all information on the drive.
where `$BAT` is the battery directory. Usually it's `BAT0`, but but in my case it was `BAT1`.
## Secure Boot
**Disable it** before installation.
Some UEFIs have a tendency to turn it back on periodically, so I recommend *checking it every time you reboot*.
In my case ([InsydeH20 UEFI](https://en.wikipedia.org/wiki/Insyde_Software#InsydeH2O_UEFI_BIOS)) I have to press F2 on boot to start the "Setup Utility". "Secure Boot" is in the "Security Settings" category, but this varies from UEFI to UEFI.
## Preparing the disk
At this point you need to **boot from the Arch Linux image** to access the shell.
My `systemd-boot` from the previous installation doesn't allow me to use other bootable devices except configured boot entries, so I just disabled my both entries as bootable.
> [!warning]
>
> While I was booting the flash drive, I ran into [this problem](https://github.com/ventoy/Ventoy/issues/2825). It is a Ventoy bug with the Arch image, so be careful.
>
> I tried to use the old version of Ventoy (1.0.94) with the normal boot mode and the screen appeared. On the new version (1.0.99) the iso works in normal mode, but someone in the comments said that it's still broken.
>
> In any case, make sure you have the latest versions of everything, or boot in grub2 mode (I haven't tested this).
### Erasing
> [!warning]
>
> You will have to erase your data on the device to continue. **Backup anything you might need.**
My laptop has an NVMe drive, so I will use [nvme-cli](https://github.com/linux-nvme/nvme-cli).
> [!note]
>
> Documentation: [Solid state drive/Memory cell clearing - ArchWiki](https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing#NVMe_drive)
#### Check the drive name
```sh
nvme list
```
nvme sanitize /dev/nvme0 -a 0x02
> [!important]
>
> If you are using only one drive, it will most likely be shown as `/dev/nvme0` or `/dev/nvme0xx`. Do *not* use the `/dev/nvme0xx` syntax for the variable, only `/dev/nvme0`.
>
> 1.`/dev/nvme0` - drive (device) name
> 2.`/dev/nvme0xx` - disk name (will be needed later)
In my case it took 5-10 seconds, but [ArchWiki](https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing#Sanitize_command) says that it can take for 2-3 hours. When you'll see `Sanitize Status ... 0x101` you're ready to proceed.
you are good to go. "Sanitize Status" should be equal to `0x101`.
> [!warning]
>
> As [ArchWiki](https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing#Sanitize_command) says, it can take a long time (2-3 hours), but in my case it took about 5-10 seconds. Still, be prepared.
#### Verify the erase
```sh
export DISK="$DRIVE"n1
# it is probably n1, but still check
```
```sh
dd if="$DISK" bs=8192 status=progress | hexdump
# this command prints the contents of the drive bytes into the console
```
I recommend waiting for this command to run for about 30 seconds, and if all you see is
```sh
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
...
```
If you see ***only*** zeros, you can press Ctrl+C and you are done. If not, repeat the steps above.
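Review bot: under "Verify the erase", stopping `dd if="$DISK" bs=8192 status=progress | hexdump` after about 30 seconds only confirms that the part of the disk read so far is zero, not the whole drive. Either say explicitly that this is a spot check, or tell the reader to let it run to the end: `hexdump` collapses repeated lines into a single `*`, so a fully zeroed drive prints one data line, `*`, and the final offset.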
As we have cleaned the drive, there should be nothing left.
### Proceed with `fdisk`
```
fdisk /dev/nvme0n1
```
```sh
# as a remainder:
# DISK=/dev/nvme0n1
fdisk -l "$DISK"
```
> g # Create new GPT.
> n # Create new partition.
# Then skip until `Last sector,...` and enter:
If the disk is present and is empty, we can proceed:
> +1G # Size 1G for our EFI system partition.
```sh
fdisk "$DISK"
```
You can check the current partitioning with `p`.
### Create MSR partition
Repeat steps above for `16M` partition.
You can type
### Create root partitions
I won't add a swap partition and will split my drive 50%/50%.
```sh
m
```
# Math time.
476.94 * 1024 = 488386.56 (total MB on drive)
488386.56 - 1016 = 487370.56 (remaining MB on drive)
487370.56 / 2 = 243685.28 (splitted partitions in MB)
243685.28 / 1024 = 237.97... (splitted partitions in GB)
to view help.
> [!note]
>
> Any changes you make in this program will not take effect until you save them manually with `w`. You are free to experiment as you wish.
#### The plan
My partitioning scheme:
1.**EFI system partition** (ESP): *1G* (less is not recommended, but possible)
2.**MSR partition**: *16M* (required for Windows)
3.**Windows root partition**: ?G
4.**Linux root partition**: ?G
Important points:
1. I won't use the swap partition.
2. I will only use one partition per system. No separate one for "home".
3. You can split the root partitions however you like. My choice is 50/50.
4. When enabling BitLocker, Windows will automatically create the "Windows Recovery Environment" partition. You can also do this manually, but I haven't tested this.
#### Create new table
```sh
g
# create a new empty GPT partition table
```
So I'm going to divide by `238G`.
Repeat the steps in [Proceed with `fdisk`](#Proceed-with-fdisk), but specify the size of the partitions. One will be Windows root and the other will be Arch Linux root. Create the first partition and for the second partition enter the last sector on the drive instead of the size.
### Change partition types
#### Create the partitions
Primary flow:
```sh
n # create new partition
# skip until "Last sector", defaults are ok
# make sure that you can select one of 128 partitions,
# otherwise you forgot to create the GPT.
# don't ask me how I know that
+<size># use your needed sizes for the partitions
```
> t
> 1 # Select the first partition.
> 1 # Change type to ESP (EFI System Partition).
I will use the sizes in cursive from the plan as `<size>`.
All partitions will be of type "Linux". We will configure them later.
> [!tip]
>
> For the last partition, don't use the `+<size>` syntax, but just use the second number in the "Last sector" line.
You can check the current partitions with
```sh
p
```
#### Change the partition types
```sh
# ESP
t
1 # first partition
1 # type to "EFI System"
```
> t
> 2 # Select the second partition.
> 10 # Change type to MSR partition.
```sh
# MSR
t
2 # second partition
10 # type to "Microsoft reserved"
```
```sh
# Windows root
t
3 # third partition
11 # type to "Windows basic data"
```
> t
> 3 # Select the third partition.
> 11 # Change type to Windows Basic Data.
```sh
# Linux root (optional, default value is also fine)
t
4 # fourth partition
23 # type to "Linux root (x86-64)"
```
Last partition for Linux root can be left untouched.
### Write changes and check
> [!tip]
>
> You can list all types with
>
> ```sh
> L
>```
>
> to view with `less`.
#### Save and check
```sh
w # save and quit fdisk
```
> w
```sh
fdisk -l "$DISK"
```
The disklabel type should be GPT and all partitions should be of the required types.
### Formatting
I'm doing it just in case for the ESP, it's not necessary.
```sh
mkfs.fat -F 32 /dev/nvme0n1p1
```
fdisk -l /dev/nvme0n1
The other partitions will be formatted later:
1. Windows partitions will be formatted by the Windows installer.
2. Linux partitions will be formatted after the Windows installation because of the LUKS encryption container.
## Reboot
```sh
reboot
# or
poweroff # and boot manually
```
### Format ESP
# Windows 11
> [!tip]
>
> I recommend to **install Windows first** and Linux second.
## Installation
After rebooting, select your Windows 11 `.iso` file and boot it in normal mode.
### Less bloatware
> [!important]
>
> On the first screen select **"English (World)"** under "Time and currency format".
You will get an `OOBEREGION` error later. It skips the region selection and the Microsoft account creation/authorization.
If you get an "infinite" (it just takes a few minutes) loading wheel after rebooting - you got it.
Hopefully it hasn't been patched yet.
### Normal installation
> [!warning]
>
> I don't encourage piracy, so everything in this guide is for educational purposes only.
Next steps:
1. "I don't have a product key".
2. In my case I select "Windows 11 Pro" and click "Next".
3. Read and accept the terms to continue.
> [!tip]
>
> If your mouse or touchpad doesn't work, you can use:
>
> - Alt + underlined key
> - The spacebar
> - The Tab key
> - Shift + Tab
> - The arrow keys
>
### Select the partition
**Most important part:**
1. Select **"Custom: Install Windows only (advanced)"**
2. Select your Windows root partition and click "Next"
You should now see all your defined partitions. The Linux root partition will have 0.0 MB of "Free space" because Windows doesn't work with this type of partition.
In my case I need the third partition. In fact, I can't select any other partitions because their types are incompatible with the installation.
### Proceed with the normal installation
After a few reboots, you'll be greeted by a white screen with the Windows 11 logo.
And if you did the trick from the [Less bloatware](#less-bloatware) chapter, you will be greeted by the spinning wheel. Wait for a bit, it's "intended" behaviour.
After the `OOBEREGION` error, click 'Skip'.
### Don't connect to the network
I recommend clicking on "I don't have internet" after setting up the layouts. The installation will be faster (as I believe) this way.
You can also click "Continue with limited setup" to skip the Microsoft login.
### Normal installation once again
Nothing unusual here. User, password, security questions and privacy checks. You can turn these off if you want.
## Configuration
After a successful installation, we can configure it on the spot to avoid multiple reboots.
### Drivers
Connect to the internet and use Windows Update to install the latest updates. The sound didn't work in my case without them.
> [!important]
>
> I got the `0x80248007` error a couple of times. It's OK, it'll fix itself later. Just don't install failed updates.
### Activation
I will use [Microsoft Activation Scripts](https://github.com/massgravel/Microsoft-Activation-Scripts).
Run PowerShell as an administrator. The easiest way to do this is to find PowerShell in the Start menu (press the Windows/Super key) and run it as an administrator.
```powershell
irm "https://get.activated.win" | iex
```
mkfs.fat -F 32 /dev/nvme0n1p1
Then follow the on-screen instructions. Just typing `1`, any key after activation and `0` to exit is fine.
### winutil
In the same PowerShell instance we can run [winutil](https://github.com/ChrisTitusTech/winutil).
```powershell
irm "https://christitus.com/win" | iex
```
This is not necessary, but I did it anyway.
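Review bot: both `irm "https://get.activated.win" | iex` and `irm "https://christitus.com/win" | iex` execute whatever the remote host returns at that moment, inside the administrator PowerShell session the Activation section opens, on the machine that is about to be encrypted with BitLocker. The guide already links the GitHub repositories for both tools, so suggest saving the script to a file first, reading it, and running that reviewed copy instead of piping the download straight into `iex`.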
# Windows 11 installation and configuration
## Install Windows 11 from .iso file
Select your Windows 11 .iso file and boot it in normal mode.
> If you want to get less bloatware, select `Time and currency format: English (World)` on the first screen. If you try to do this, you will get an `OOBEREGION` error later. Just skip it.
> [!tip]
>
> In the "Install" section I usually install Firefox and 7-Zip: click corresponding checkboxes and "Install/Upgrade Selected". Wait until "Installation Done" at the top.
Just do a normal install, choose custom partitioning and select the third partition. Don't do anything else on this screen, because we've done everything we need to do in [Partition the disk](#Partition-the-disk).
Go to "Tweaks".
## Install browser
After installing Windows, don't forget to install your preferred browser. In my case, I'm going to install Firefox. Just go to Microsoft Edge, skip everything, install and continue.
I select all the "Essential Tweaks" except "Set Hibernation as default" and "Run Disk Cleanup". Also select these "Advanced Tweaks":
> Don't remove Microsoft Edge without a new browser!
Then "Run Tweaks" at the bottom.
You can select all the preferences you need after the "Tweaks finished".
> [!tip]
>
> In the "Config" I select the following:
>
> - HyperV Virtualization
> - Disable Search Box Web Suggestions in Registry
>
> It's a very good program itself, so I suggest you check out the features and documentation.
At this point, you are finished with this script. Close the PowerShell instance (not the script window).
### Fast startup and hibernation
> [!note]
>
> Documentation: [Dual boot with Windows - ArchWiki](https://wiki.archlinux.org/title/Dual_boot_with_Windows#Windows_settings).
You need to disable this. From the ArchWiki (sourced from superuser website):
> Data loss can occur if Windows hibernates and you dual boot into another OS and make changes to files on a filesystem (such as NTFS) that can be read and written to by Windows and Linux, and that has been mounted by Windows. Similarly, data loss can occur if Linux hibernates, and you dual boot into another OS etc.
> [!tip]
>
> `winutil` already does this, so you can skip it if you have done the necessary tweaks in the [previous chapter](#winutil).
To do this manually:
1. Go to "Control Panel" (Windows search)
2. Change "View by:" to "Large icons"
3. Go to "Power Options"
4. Click "Choose what the power button does"
5. Click "Change settings that are currently unavailable"
6. Untick "Turn on fast startup" and "Hibernate"
7. Click "Save changes"
In my case I didn't even have these ticks, because the hibernation is disabled with `winutil` in the registry. You can check this with
```powershell
powercfg /availablesleepstates
```
in PowerShell.
> [!tip]
>
> In the "Choose what the power button does" screen you can also change the behaviour of "When I press the power button", which is useful.
### Time to UTC
> [!note]
>
> Documentation: [System time - ArchWiki](https://wiki.archlinux.org/title/System_time#UTC_in_Microsoft_Windows)
ArchWiki:
> If multiple operating systems are installed on a machine, they will all derive the current time from the same hardware clock: it is recommended to set it to UTC to avoid conflicts across systems.
> To pair devices on dual boot setups you need to change the pairing keys on your Linux install so that they are consistent with what Windows or macOS is using.
In total, you will need to boot the system two or three times:
1. Pair in Windows, reboot, pair in Arch and change Arch keys to the Windows keys.
2. Pair in Windows, reboot, pair in Arch, reboot and change Windows keys to the Arch keys.
The second method is used if the device only supports one pairing at a time. For example, my GK61XS wireless keyboard: it maps one key (as a pairing slot) to one device.
Anyway, here is the way to manually extract the keys from Windows.
Download [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) and extract it to a folder of your choice.
Copy the path of the folder in the explorer and `cd` into it:
```powershell
cd C:\Users\d\Downloads\PSTools
```
## Clean your system with [winutil](https://github.com/ChrisTitusTech/winutil)
Run Powershell as administrator:
Run PSExec:
```powershell
.\PsExec64.exe -s -i regedit.exe
# read and agree to the terms
```
irm https://christitus.com/win | iex
> [!note]
>
> No, you can't just run `regedit` without PsExec. "The registry key containing the link keys may only be accessed by the [SYSTEM account](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts#system), which cannot be logged into." , and PsExec does this with the `-s` flag.
Powershell will ask you to install Chocolatey. Accept and continue. Select 'Tweaks', select the profile you want and tick 'Remove Microsoft Edge' and click 'Run Tweaks'. You can now close everything.
## Set up BitLocker
In Search, find "Manage BitLocker" and follow the steps to encrypt used disk space.
You'll need a flash drive to store the recovery key file. Wait for the system to encrypt the entire system partition.
> The system will prompt you for your BitLocker recovery key when you restart, so don't lose it!
Select the required Bluetooth adapter. It will probably be the only one.
All paired devices will be placed in the adapter folder.
Pair the required device and export the key:
1. RMB on the adapter key (folder).
2. Export to a folder of your choice.
> [!tip]
>
> I prefer to name it appropriately and move it to the flash drive. I have created a `bluetooth` folder for this purpose.
>
> You can pair the next device (if necessary) and do the same. Just make sure you update the registry: open the "Keys" entry and the adapter folder again.
>
> It's not as convenient (if you sync more than 2 devices), but it's possible to distinguish multiple devices if you save the registry file on each iteration.
>
> Or you can just export the hex of the keys with the MAC addresses one at a time, that works as well.
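Review bot: the registry export under "Pair the required device and export the key" contains the Bluetooth link keys, which is why the note above says only the SYSTEM account may read them. The tip about moving the export to the `bluetooth` folder on the flash drive should add that the file is a secret: delete it from the flash drive once the keys have been copied into the Arch install, and close the `.\PsExec64.exe -s -i regedit.exe` window when finished, since that regedit instance runs as SYSTEM.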
Go to "Control panel" => Change "View by:" to "Large icons" => "Power options" => "Choose what the power button does" => "Change settings that are currently unavailable" => Remove ticks on "Turn on fast startup" and "Hibernate" => "Save changes".
In Search, find "Manage BitLocker" and follow the steps to encrypt used disk space:
You have two ways:
1. Execute `regedit` and find `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal`. Add `DWORD` value with hexadecimal value `1`.
2. Simply type `reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_DWORD /f` in Command Prompt as administrator.
> After restarting, change the time zone and region to yours in Settings.
1. "Turn on BitLocker"
2. Skip until the recovery key back up
3. Save the key to the flash drive (e.g. make the `bitlocker` folder)
4. "Encrypt used disk space only ..."
5. "New encryption mode ..."
6. You can decide to not select "Run BitLocker system check". Otherwise you will have to reboot.
7. Wait until the "BitLocker Encrypting" changes to "BitLocker on"
## Connect Bluetooth devices
If you plan to use a Bluetooth headphones (as in my case), pair it now and check the sound. We'll need it later.
# Arch Linux installation and configuration
## Set up LUKS on a partition
> [!warning]
>
> Store the key in a place where you can read it externally. Flash drive, another computer, etc..
>
> Every time you update `systemd-boot` (whether it's the first time, a manual update, or a `pacman` hook - it doesn't matter), BitLocker will ask you for the encryption key.
>
> For this reason, I decided to only update the boot loader manually from time to time, and keep the BitLocker key on my flash drive. Less safe, but it is what it is.
>
> Thanks to https://github.com/Delta18-Git for heads up.
### Turn off
After that, you are basically done with Windows. Reboot the device or turn it off and take a break.
# Arch Linux
## Boot from the flash drive
> [!important]
>
> By this point, Windows should have re-enabled the drive on the device as bootable, so manually disable it to boot from the flash drive.
## LUKS on a partition
> [!note]
>
> Documentation: [LUKS on a partition - ArchWiki](https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition).
By this time, Windows should have created the Windows Recovery Environment partition. You can check this with:
```
fdisk -l /dev/nvme0n1
```
In my case `/dev/nvme0n1p5` is `Linux Filesystem` because 4th partition is now `Windows Recovery Environment`.
Once the Arch Linux installation media is booted again, we are ready to proceed with the installation of the second operating system. This time we need to setup the encrypted root.
Basically, you are changing the type of the Linux root partition to the crypto container, and then only this container will have the Linux root partition, which you will see as `/`.
To create the container you have to format the partition with `cryptsetup`. After that, the system knows nothing about the internals of the container.
To get access to the container, you need to `open` it. As it should be, each `open` is followed by a `close`, so you'll have to do that too if you don't want access anymore.
After opening and mapping (assigning the root in the container), you can continue with the installation as normal.
### Create the LUKS container
At this point, Windows should have created the Windows Recovery Environment partition. You can check this with:
```sh
export DISK=/dev/nvme0n1
fdisk -l "$DISK"
```
cryptsetup -y -v luksFormat /dev/nvme0n1p5
> YES
Windows should have allocated some space for the "Windows Recovery Environment" by shrinking it's own root partition.
In my case `/dev/nvme0n1p5` is now `Linux root (x86-64)` because the4th partition is now `Windows Recovery Environment`.
```sh
export PART_LUKS="$DISK"p5
```
Then enter your passphrase twice.
### Open LUKS partition
Then you need to create a new LUKS container. The defaults are OK and you can just enable the verbose output.
```sh
cryptsetup -v luksFormat "$PART_LUKS"
```
cryptsetup luksOpen /dev/nvme0n1p5 root
mount /dev/mapper/root /mnt
> [!note]
>
> You can find default options and other options [right here](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Encryption_options_for_LUKS_mode).
Then type
```
You can check encryption with:
YES
```
cryptsetup luksDump /dev/nvme0n1p5
and enter your passphrase twice.
You can change the passphrase (or create multiple passphrases) later, but it's a good idea to choose a strong password from the start.
Also, don't forget or lose the passphrase!
> [!important]
>
> Immediately after formatting, you can save the headers. You'll need this to be able to decrypt the drive in case of corruption or simple loss of the passphrase.
>
> In the guide I did this [near the end](#mount-the-usb), when I remembered how to manually mount a USB drive.
>
> The actions are as follows:
>
> ```sh
> cryptsetup luksDump "$PART_LUKS"
># check header presence
>
> mount --mkdir /dev/sda1 /usb
># check if /dev/sda1 is your usb device. not ventoy partition
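Review bot: the important note's claim that the saved header lets you decrypt the drive after "simple loss of the passphrase" is not accurate. A LUKS header backup protects against a damaged or overwritten header, but opening the container from a restored header still needs a passphrase that was valid when the backup was taken. Suggest rewording to "in case of header corruption" and adding that the backup file contains the key slots, so it should be stored as carefully as the passphrase itself.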
station wlan0 get-networks # find the ssid of your network
station wlan0 connect <ssid>
> ... # Enter passphrase.
> ... # enter the passphrase for the network
exit
```
Check connection:
```
ping archlinux.org # Ctrl+C to cancel.
Check the connection:
```sh
ping archlinux.org # ctrl + c to cancel
```
### Install essential packages
> [!warning]
>
> 1. I am installing an AMD microcode package. If you have an Intel CPU, install the `intel-ucode` package instead!
> 2. Also, I am installing `linux-zen` kernel. If you want to use the default kernel, consider installing `linux`. Next time I will refer to the kernel as `<kernel>`.
> Documentation: [ArchWiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot), [comment on Reddit](https://www.reddit.com/r/archlinux/comments/ug9pu0/comment/i72v541) and [sbctl wiki](https://github.com/Foxboron/sbctl/wiki/Linux-Windows-Dual-Boot-with-Windows-Bitlocker).
> Do it as `root`, otherwise you'll have to use `sudo`.
```
pacman -S sbctl
```
```
```sh
sbctl status
# Installed: sbctl is not installed
# Setup Mode: Enabled
# Secure Boot: Disabled
# Vendor Keys: none
```
```sh
# expected output 1
Installed: sbctl is not installed
Setup Mode: Enabled
Secure Boot: Disabled
Vendor Keys: none
```
> [!caution]
>
> Before continuing, read carefully the ArchWiki page. It's a dangerous operation for some vendors, and can "brick" your device.
Create and enroll the keys:
```sh
sbctl create-keys
sbctl enroll-keys -m
```
```
```sh
sbctl status
# Installed: sbctl is installed
# Owner GUID: ...
# Setup Mode: Disabled
# Secure Boot: Disabled
# Vendor Keys: microsoft
```
```sh
# expected output 2
Installed: sbctl is installed
Owner GUID: ...
Setup Mode: Disabled
Secure Boot: Disabled
Vendor Keys: microsoft
```
```sh
sbctl verify
# A lot of lines, but we only need to sign 6 files.
> You can verify all the files (manually or with a script/command), but we don't need them all. In my scenario, only the 6 files below are needed.
```sh
export SIGN="sbctl sign -s"
export MS_EFI=/boot/EFI/Microsoft/Boot/
"$SIGN" /boot/vmlinuz-"$KERNEL"
# kernel
# example:
# sbctl sign -s /boot/vmlinuz-linux
# other files:
"$SIGN" /boot/EFI/Boot/bootx64.efi
"$SIGN" /boot/EFI/systemd/systemd-bootx64.efi
# systemd-boot
"$SIGN" "$MS_EFI"bootmgfw.efi
"$SIGN" "$MS_EFI"bootmgr.efi
"$SIGN" "$MS_EFI"memtest.efi
# windows
```
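Review bot: in the signing block, `"$SIGN" /boot/vmlinuz-"$KERNEL"` and the five lines like it quote the variable, so the shell looks for one command literally named `sbctl sign -s` (spaces included) and fails with "command not found", leaving every file unsigned before Secure Boot is enabled. Suggest calling `sbctl sign -s <file>` directly, as the commented example already does, or wrapping it in a small shell function instead of a variable. `SIGN` and `MS_EFI` also do not need `export`, since only the current shell reads them.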
Verify:
```
```sh
sbctl list-files
# They should be listed.
# signed files should be here
```
```
pacman -S linux
# Ensure that the string "Signing EFI binaries..." appears.
```
Reboot, and before booting into Windows or Arch Linux, enable Secure Boot in UEFI. Make sure that Windows and Arch Linux boot correctly. In the Arch Linux console you can check `sbctl status`. You should see `Secure Boot: Enabled`.
## Bluetooth dual-boot configuration
### Configure audio
> I recommend doing all commands as `root`.
```
pacman -S pipewire
pacman -S pipewire-pulse
# Replace conflicting packages
```
```sh
pacman -S "$KERNEL"
# force package manager to update the kernel
# "pacman -Syu" doesn't necessarily work
# ensure that the strings
# "Running post hook: [sbctl]"
# and
# "Signing EFI binaries..."
# appear
```
pacman -S bluez
Reboot, and before booting into Windows or Arch Linux, enable Secure Boot in UEFI. It enabled itself automatically in my case.
Make sure that Windows and Arch Linux boot correctly.
In the Arch Linux console you can type`sbctl status` once again. You should see `Secure Boot: Enabled`.
### Bluetooth on Arch
> [!important]
>
> Check the [Windows chapter on this topic](#bluetooth-on-windows) before proceeding.
Install `bluez` and enable the service:
```sh
pacman -S bluez bluez-utils
systemctl enable bluetooth.service
systemctl start bluetooth.service
```
### Sync keys
I only connect one Bluetooth 5.0 device. Actions may be different.
> [!warning]
>
> If you haven't installed the package and enabled the service, you won't have a `/var/lib/bluetooth` folder!
Since we have paired the Bluetooth device with Windows, we should get the pairing key from Windows and replace the current key in Arch Linux with it.
Download [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) and extract it to a folder of your choice. Run Powershell or Command Prompt as an administrator and run `regedit`:
```
.\PsExec64.exe -s -i regedit.exe
```sh
bluetoothctl
scan on
pair <device-mac-address>
# for every needed device
devices Paired
# to check
```
In the `regedit` window, search for `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys` and select the required Bluetooth adapter. RMB on the key and export it as a .reg file in to a location of your choice. Then go to that file, open it with Notepad and take a picture of the hex key.
Boot into Arch Linux and follow the steps below:
1. As `root` run:
#### Mount the USB
I stored the Bluetooth keys on my USB flash drive, so I have mounted the flash drive to access them:
```sh
mount --mkdir /dev/sda1 /usb
# after all operations do
# umount /usb
# rm -rf /usb
```
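Review bot: the cleanup comments `# umount /usb` followed by `# rm -rf /usb` are risky. If the unmount fails (for example because a shell is still inside `/usb`), `rm -rf /usb` deletes the contents of the flash drive, which in this guide holds the BitLocker key and the Bluetooth keys. Suggest `rmdir /usb` instead: it removes only an empty mount point and fails harmlessly if the drive is still mounted.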
#### Sync keys
```sh
cd /var/lib/bluetooth
```
2. Get your `<bt-adapter-mac-address>` with `dir` and run `cd <bt-adapter-mac-address>` (you can enter first symbol and press Tab).
3. Check desired device with `dir` and run `cd <device-mac-address`.
4. Edit `info` file:
```
Then, `cd` into the needed controller. Probably, it's the only one.
For every device you need to do the following:
Go into the device folder and edit `info` file:
```sh
nano info
```
5. Swap `Key=...` with your key from Windows. For example: `hex:69,27,6d,20,67,6f,6e,6e,61,20,6b,6d,73` is `69276D20676F6E6E61206B6D73`.
6. Save, exit and restart Bluetooth and audio services:
Swap
```sh
[LinkKey]
Key=...
```
with your key from Windows.
For example:
```sh
hex:69,27,6d,20,67,6f,6e,6e,61,20,6b,6d,73
# becomes
Key=69276D20676F6E6E61206B6D73
```
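Review bot: the sample value in the conversion example, `hex:69,27,6d,20,67,6f,6e,6e,61,20,6b,6d,73`, is 13 bytes, while a Bluetooth link key is 128 bits, so the `Key=` line a reader ends up with should be 32 hex characters. Suggest using a 16-byte placeholder in the example and saying so, which gives readers a quick length check before they save `info`.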
Save the file and do the same for the rest of the devices.
Thank you for reading this far! I'm fairly new to Linux, so I've probably made a mistake somewhere. I'd be grateful if you could report any errors in this text.
> [!note]
>
> You are probably doing this to connect audio devices. If so, install the audio packages:
>
> ```sh
> # i use pipewire
> pacman -S wireplumber pipewire pipewire-pulse
> ```
>
> And restart these services after restarting the bluetooth service:
# My Windows 11 + Arch Linux dual-boot installation
[This gist](https://gist.github.com/orhun/02102b3af3acfdaf9a5a2164bea7c3d6#installing-secure-boot) was very helpful to me and I wanted to write my own version with a dual-boot setup.
> ### Warning!
> All actions are at your own risk!
# Table of Contents
-[Table of Contents](#Table-of-Contents)
-[Hardware](#Hardware)
-[Pre-installation](#Pre-installation)
-[Disabling Secure Boot](#Disabling-Secure-Boot)
-[Cleaning NVMe drive](#Cleaning-NVMe-drive)
-[Check drives](#Check-drives)
-[Check the available formatting methods](#Check-the-available-formatting-methods)
-[Perform a block erase](#Perform-a-block-erase)
-[Check completion](#Check-completion)
-[Verify cleaning](#Verify-cleaning)
-[Partition the disk](#Partition-the-disk)
-[Check current partitions](#Check-current-partitions)
Boot from your flash drive, select your Arch Linux .iso file and boot it in normal mode.
> If you see the "Perform MOK Management" window, simply select "Enroll key from disk" and select the appropriate key. You can read more [here](https://www.ventoy.net/en/doc_secure.html).
### Check drives
```
nvme list
```
In my case I have `/dev/nvme0`. I'll use this name in future commands.
In my case I have `[1:1] : 0x1 Block Erase Sanitize Operation Supported`. `Crypto Erase Sanitize` or `Overwrite Erase Sanitize` are not available for me.
### Perform a block erase
> ### Warning!
> This operation will erase all information on the drive.
```
nvme sanitize /dev/nvme0 -a 0x02
```
### Check completion
```
nvme sanitize-log /dev/nvme0
```
```
Sanitize Progress (SPROG) : 65535
Sanitize Status (SSTAT) : 0x101
```
In my case it took 5-10 seconds, but [ArchWiki](https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing#Sanitize_command) says that it can take for 2-3 hours. When you'll see `Sanitize Status ... 0x101` you're ready to proceed.
As we have cleaned the drive, there should be nothing left.
### Proceed with `fdisk`
```
fdisk /dev/nvme0n1
```
```
> g # Create new GPT.
> n # Create new partition.
# Then skip until `Last sector,...` and enter:
> +1G # Size 1G for our EFI system partition.
```
You can check the current partitioning with `p`.
### Create MSR partition
Repeat steps above for `16M` partition.
### Create root partitions
I won't add a swap partition and will split my drive 50%/50%.
```
# Math time.
476.94 * 1024 = 488386.56 (total MB on drive)
488386.56 - 1016 = 487370.56 (remaining MB on drive)
487370.56 / 2 = 243685.28 (splitted partitions in MB)
243685.28 / 1024 = 237.97... (splitted partitions in GB)
```
So I'm going to divide by `238G`.
Repeat the steps in [Proceed with `fdisk`](#Proceed-with-fdisk), but specify the size of the partitions. One will be Windows root and the other will be Arch Linux root. Create the first partition and for the second partition enter the last sector on the drive instead of the size.
### Change partition types
```
> t
> 1 # Select the first partition.
> 1 # Change type to ESP (EFI System Partition).
```
```
> t
> 2 # Select the second partition.
> 10 # Change type to MSR partition.
```
```
> t
> 3 # Select the third partition.
> 11 # Change type to Windows Basic Data.
```
Last partition for Linux root can be left untouched.
### Write changes and check
```
> w
```
```
fdisk -l /dev/nvme0n1
```
### Format ESP
```
mkfs.fat -F 32 /dev/nvme0n1p1
```
This is not necessary, but I did it anyway.
# Windows 11 installation and configuration
## Install Windows 11 from .iso file
Select your Windows 11 .iso file and boot it in normal mode.
> If you want to get less bloatware, select `Time and currency format: English (World)` on the first screen. If you try to do this, you will get an `OOBEREGION` error later. Just skip it.
Just do a normal install, choose custom partitioning and select the third partition. Don't do anything else on this screen, because we've done everything we need to do in [Partition the disk](#Partition-the-disk).
## Install browser
After installing Windows, don't forget to install your preferred browser. In my case, I'm going to install Firefox. Just go to Microsoft Edge, skip everything, install and continue.
## Clean your system with [winutil](https://github.com/ChrisTitusTech/winutil)
Run Powershell as administrator:
```
irm https://christitus.com/win | iex
```
Powershell will ask you to install Chocolatey. Accept and continue. Select 'Tweaks', select the profile you want and tick 'Remove Microsoft Edge' and click 'Run Tweaks'. You can now close everything.
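Review bot: `irm https://christitus.com/win | iex` in the winutil step downloads a script and runs it as administrator in a single command, so the reader never sees what is executed. Suggest telling readers to save the script to a file and read it first, then run the saved copy from the elevated prompt.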
## Set up BitLocker
In Search, find "Manage BitLocker" and follow the steps to encrypt used disk space.
You'll need a flash drive to store the recovery key file. Wait for the system to encrypt the entire system partition.
> The system will prompt you for your BitLocker recovery key when you restart, so don't lose it!
Go to "Control panel" => Change "View by:" to "Large icons" => "Power options" => "Choose what the power button does" => "Change settings that are currently unavailable" => Remove ticks on "Turn on fast startup" and "Hibernate" => "Save changes".
1. Execute `regedit` and find `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal`. Add `DWORD` value with hexadecimal value `1`.
2. Simply type `reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation" /v RealTimeIsUniversal /d 1 /t REG_DWORD /f` in Command Prompt as administrator.
> After restarting, change the time zone and region to yours in Settings.
## Connect Bluetooth devices
If you plan to use a Bluetooth headphones (as in my case), pair it now and check the sound. We'll need it later.
# Arch Linux installation and configuration
## Set up LUKS on a partition
> Documentation: [LUKS on a partition - ArchWiki](https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition).
By this time, Windows should have created the Windows Recovery Environment partition. You can check this with:
```
fdisk -l /dev/nvme0n1
```
In my case `/dev/nvme0n1p5` is `Linux Filesystem` because 4th partition is now `Windows Recovery Environment`.
> Documentation: [ArchWiki](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot), [comment on Reddit](https://www.reddit.com/r/archlinux/comments/ug9pu0/comment/i72v541) and [sbctl wiki](https://github.com/Foxboron/sbctl/wiki/Linux-Windows-Dual-Boot-with-Windows-Bitlocker).
> Do it as `root`, otherwise you'll have to use `sudo`.
```
sudo pacman -S sbctl
```
```
sbctl status
# Installed: sbctl is not installed
# Setup Mode: Enabled
# Secure Boot: Disabled
# Vendor Keys: none
```
```
sbctl create-keys
sbctl enroll-keys -m
```
```
sbctl status
# Installed: sbctl is installed
# Owner GUID: ...
# Setup Mode: Disabled
# Secure Boot: Disabled
# Vendor Keys: microsoft
```
```
sbctl verify
# A lot of lines, but we only need to sign 6 files.
# Ensure that the string "Signing EFI binaries..." appears.
```
Reboot, and before booting into Windows or Arch Linux, enable Secure Boot in UEFI. Make sure that Windows and Arch Linux boot correctly. In the Arch Linux console you can check `sbctl status`. You should see `Secure Boot: Enabled`.
## Bluetooth dual-boot configuration
### Configure audio
> I recommend doing all commands as `root`.
```
pacman -S pipewire
pacman -S pipewire-pulse
# Replace conflicting packages
```
```
sudo pacman -S bluez
systemctl enable bluetooth.service
systemctl start bluetooth.service
```
### Sync keys
I only connect one Bluetooth 5.0 device. Actions may be different.
Since we have paired the Bluetooth device with Windows, we should get the pairing key from Windows and replace the current key in Arch Linux with it.
Download [PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec) and extract it to a folder of your choice. Run Powershell or Command Prompt as an administrator and run `regedit`:
```
.\PsExec64.exe -s -i regedit.exe
```
In the `regedit` window, search for `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys` and select the required Bluetooth adapter. RMB on the key and export it as a .reg file in to a location of your choice. Then go to that file, open it with Notepad and take a picture of the hex key.
Boot into Arch Linux and follow the steps below:
1. As `root` run:
```
cd /var/lib/bluetooth
```
2. Get your `<bt-adapter-mac-address>` with `dir` and run `cd <bt-adapter-mac-address>` (you can enter first symbol and press Tab).
3. Check desired device with `dir` and run `cd <device-mac-address`.
4. Edit `info` file:
```
nano info
```
5. Swap `Key=...` with your key from Windows. For example: `hex:69,27,6d,20,67,6f,6e,6e,61,20,6b,6d,73` is `69276D20676F6E6E61206B6D73`.
6. Save, exit and restart Bluetooth and audio services:
Thank you for reading this far! I'm fairly new to Linux, so I've probably made a mistake somewhere. I'd be grateful if you could report any errors in this text.