# Arch Linux Installation Guide
---

Guide to install Arch Linux on an EFI system. Includes these features:

- Full Disk Encryption with LUKS
- BTRFS with `@` and `@home` subvolumes
- Timeshift Backups
- Encrypted Swap Partition
- rEFInd bootloader
- SDDM display manager
- KDE Plasma desktop environment

## Connect to WiFi and Time Sync
---

Enable Time Sync

```bash
timedatectl set-ntp true
```

## Disk Partitioning
---

List your disks

```bash
lsblk
```

Wipe the existing partition tables on the disk you want to install Arch on using `sgdisk`. The `-Z` option destroys the GPT and MBR data structures on that disk, so confirm the device name with `lsblk` first. Disks are typically named `/dev/sda`, `/dev/vda`, or `/dev/nvme0n1`

```bash
sgdisk -Z /dev/sda
```

Once the disk is wiped, use `gdisk` to partition the drive

```bash
gdisk /dev/sda
```

### EFI Partition

1. Type `n` and hit `enter` to create a new partition.
2. Hit `enter` to leave the defaults for the partition start.
3. Type `+512M` and hit `enter` to create a 512MB size partition.
4. Type `ef00` and hit `enter` to choose EFI partition type.

### Encrypted Swap Partition

1. Type `n` and hit `enter` to create a new partition.
2. Hit `enter` to leave the defaults for the partition start.
3. Type `+16G` and hit `enter` to create a 16G size partition. (Swap sizes can be larger or smaller, but it is recommended to match your swap to the amount of RAM in the system.)
4. Type `8200` and hit `enter` to choose Linux Swap partition type.

### Root Partition

1. Type `n` and hit `enter` to create a new partition.
2. Hit `enter` to leave the defaults for the partition start.
3. Hit `enter` to use the remainder of the disk.
4. Hit `enter` to choose the default partition type.

Hit `w` to write the changes

## Disk Formatting and LUKS Encryption
---

List all the partitions. They are laid out as `/dev/sda1`, `/dev/sda2`, `/dev/sda3` or `/dev/nvme0n1p1`, `/dev/nvme0n1p2`, `/dev/nvme0n1p3`.

```bash
lsblk
```

Format EFI Partition as FAT32

```bash
mkfs.fat -F32 /dev/sda1
```

Temporarily enable the swap partition

```bash
mkswap /dev/sda2
swapon /dev/sda2
```

Enable the Encryption Modules

```bash
modprobe dm-crypt
modprobe dm-mod
```

Encrypt the root partition

```bash
cryptsetup luksFormat -v -s 512 -h sha512 /dev/sda3
```

Type out "YES" in all caps and create a secure passphrase for the partition (Recommended to use 25 - 30 characters). Verify the passphrase.

Unlock the newly encrypted drive

```bash
cryptsetup luksOpen /dev/sda3 archlinux
```

Enter the passphrase

Format the root partition

```bash
mkfs.btrfs /dev/mapper/archlinux
```

## Creating and Mounting BTRFS Subvolumes
---

Mount the `archlinux` partition

```bash
mount /dev/mapper/archlinux /mnt
```

Move into the `/mnt` directory

```bash
cd /mnt
```

Create the `@` and `@home` BTRFS Subvolumes

```bash
btrfs subvolume create @
btrfs subvolume create @home
```

Unmount the `archlinux` partition

```bash
# leave /mnt first so the unmount is not blocked by the current directory
cd
umount /mnt
```

Mount the newly created subvolumes and EFI

```bash
mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@ /dev/mapper/archlinux /mnt

# create a mount point for the home directory
mkdir /mnt/home
mount -o noatime,compress=zstd:1,space_cache=v2,discard=async,subvol=@home /dev/mapper/archlinux /mnt/home

# create a mount point for the EFI partition
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```

## Installing Base Packages
---

Use `pacstrap` to install the base packages.

If you have an Intel CPU

```bash
pacstrap /mnt base linux linux-firmware sudo vim intel-ucode btrfs-progs
```

If you have an AMD CPU

```bash
pacstrap /mnt base linux linux-firmware sudo vim amd-ucode btrfs-progs
```

Generate fstab

```bash
genfstab -U /mnt >> /mnt/etc/fstab
```

Enter Arch Linux on the `/mnt` directory

```bash
arch-chroot /mnt
```

Edit the file system table and remove the `subvolid` option from the `@` and `@home` entries, leaving only `subvol` to select the subvolume

```bash
vim /etc/fstab
```

```diff
-rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=261,subvol=/@
+rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@

-rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvolid=261,subvol=/@home
+rw,noatime,compress=zstd:1,ssd,space_cache=v2,subvol=/@home
```

## Configuring Locales
---

Enable Time Sync

```bash
timedatectl set-ntp true
```

Set your timezone. For this example the timezone is the United States East Coast

```bash
timedatectl set-timezone America/New_York
```

Sync the hardware clock

```bash
hwclock --systohc
```

Edit `locale.gen` to enable United States English UTF-8

```bash
vim /etc/locale.gen
```

```diff
-#en_US.UTF-8 UTF-8
+en_US.UTF-8 UTF-8
```

Regenerate the locale file

```bash
locale-gen
```

Set the locale language, time, and keyboard

```bash
localectl set-locale LANG="en_US.UTF-8"
localectl set-locale LC_TIME="en_US.UTF-8"
localectl set-keymap us
```

Set the hostname

```bash
vim /etc/hostname
```

```diff
+arch
```

Set the hosts entries.

Change `arch` to whatever the hostname is

```bash
vim /etc/hosts
```

```diff
+ 127.0.0.1 localhost
+ ::1 localhost
+ 127.0.1.1 arch.localdomain arch
```

## Installing Arch
---

### Install Packages

Edit the pacman configuration to enable parallel downloads and color

```bash
vim /etc/pacman.conf
```

```diff
- #ParallelDownloads = 5
- #Color
+ ParallelDownloads = 5
+ Color
```

Sync to the Arch servers and update packages

```bash
pacman -Syu
```

Install Arch Packages

Intel

```bash
pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man intel-ucode kde-applications firewalld
```

AMD

```bash
pacman -S refind base base-devel linux linux-headers bash-completion efibootmgr sddm plasma iwd man amd-ucode kde-applications firewalld
```

Install Video Drivers

Intel

```bash
pacman -S xf86-video-intel mesa vulkan-intel
```

AMD

```bash
pacman -S xf86-video-amdgpu mesa vulkan-radeon
```

Nvidia

```bash
pacman -S nvidia nvidia-utils
```

### Enable Services

Enable the services on system startup

```bash
systemctl enable NetworkManager
systemctl enable avahi-daemon
systemctl enable sddm
```

### Setting Up mkinitcpio

Edit `mkinitcpio.conf` and enable BTRFS

```bash
vim /etc/mkinitcpio.conf
```

```diff
- MODULES=()
+ MODULES=(btrfs)
```

Add the encryption hook

```diff
- HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
+ HOOKS=(base udev autodetect modconf block encrypt filesystems keyboard fsck)
```

Regenerate the ramdisk init environment

```bash
mkinitcpio -p linux
```

## Installing rEFInd
---

Enter the command to install rEFInd

```bash
refind-install
```

List all block devices on the system and note down the UUID of the encrypted partition

```bash
blkid

# /dev/sda3: UUID="83da0c42-4b61-498d-bebc-68b65dc1704f" TYPE="crypto_LUKS" PARTLABEL="Linux filesystem" PARTUUID="923b9107-492d-447f-9e86-18e496a9a0f7"
# Note the UUID (UUID="83da0c42-4b61-498d-bebc-68b65dc1704f")
```

Edit the rEFInd configuration file

```bash
vim /boot/refind_linux.conf
```

Add the cryptdevice flag to "Boot with standard options"

```diff
- "Boot with standard options" "loglevel=3 quiet"
+ "Boot with standard options" "loglevel=3 quiet cryptdevice=UUID=83da0c42-4b61-498d-bebc-68b65dc1704f:archlinux root=/dev/mapper/archlinux rootflags=subvol=@ rw"
```

Reinstall rEFInd

```bash
refind-install
```

## Creating User
---

Create a user account and password. Replace `user` with the username

```bash
useradd -mG wheel user
passwd user
```

Edit the sudoers file to enable sudo access for the user

```bash
EDITOR=vim visudo
```

```diff
- #%wheel ALL=(ALL) ALL
+ %wheel ALL=(ALL) ALL
```

Sync the system and reboot

```bash
sync
exit
umount -a
reboot -n
```

## [Encrypted Swap](https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption)
---

Create a swap offset: a 1M ext2 filesystem labeled `cryptswap` at the start of the swap partition

```bash
su
swapoff /dev/sda2
mkfs.ext2 -L cryptswap /dev/sda2 1M
# Press y when prompted
```

Open crypttab

```bash
vim /etc/crypttab
```

Uncomment the swap entry

```diff
- #swap /dev/sd_X#_ /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
+ swap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512
```

Edit the swap entry in fstab

```diff
- UUID=ad1cdf6d-010f-43ae-8b64-7b9d54367dda none swap defaults 0 0
+ /dev/mapper/swap none swap defaults 0 0
```

Reboot the system and enjoy your completed system :)

```bash
exit
sudo reboot -n
```
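
The crypttab swap entry from the Encrypted Swap section is re-keyed from `/dev/urandom` and formatted as swap on every boot, so a wrong device field or a missing `offset=` is destructive. The check below is an added example, not part of the original guide: it lints such entries before rebooting. The function name, the sample entries `swap_a` and `swap_b`, and the 2048-sector minimum (the 1M ext2 filesystem above, in 512-byte sectors) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the original guide.
# Assumption: the label filesystem is the 1 MiB ext2 created above, so the
# swap mapping must start at sector 2048 (512-byte sectors) or later.
MIN_OFFSET=2048

# check_crypttab_swap FILE
# Prints one finding per flagged entry; returns 0 if clean, 1 otherwise.
check_crypttab_swap() {
    rc=0
    while read -r name dev key opts rest; do
        case $name in ''|'#'*) continue ;; esac            # blank or comment
        case $key in /dev/urandom|/dev/random) ;; *) continue ;; esac
        case ",$opts," in *,swap,*) ;; *) continue ;; esac
        # value of offset=N in the option list, empty when absent
        offset=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^offset=//p')
        case $dev in
            LABEL=*|UUID=*|/dev/disk/by-label/*|/dev/disk/by-uuid/*)
                # these identifiers live in the partition's first sectors
                if [ -z "$offset" ]; then
                    echo "$name: $dev has no offset=, the label is overwritten on first boot"
                    rc=1
                elif [ "$offset" -lt "$MIN_OFFSET" ]; then
                    echo "$name: offset=$offset is below $MIN_OFFSET sectors"
                    rc=1
                fi ;;
            PARTUUID=*|PARTLABEL=*|/dev/disk/by-id/*|/dev/disk/by-part*) ;;  # kept outside the data area
            *)
                echo "$name: $dev is not a label, UUID or ID based name, a reordered disk would be formatted as swap"
                rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample: two unsafe entries and the entry used in this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#swap   /dev/sd_X#_      /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
swap_a  /dev/sda2        /dev/urandom  swap,cipher=aes-xts-plain64,size=512
swap_b  LABEL=cryptswap  /dev/urandom  swap,cipher=aes-xts-plain64,size=512
swap    LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512
EOF
check_crypttab_swap "$sample" || true
rm -f "$sample"
```

On the installed system, run `check_crypttab_swap /etc/crypttab` as root after editing the file; no output and exit status 0 mean the swap entry matches the layout this guide creates.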