@mgaffney
Last active January 9, 2019 18:04
Install Arch Linux with encrypted file-system and UEFI.

Arch Linux Install

Install Arch Linux with encrypted file-system and UEFI. Instructions are for a Dell Precision 5530 (laptop) using a wired/ethernet connection during the installation and initial configuration of the system. WiFi access is not enabled until the Post Install phase.

This is based on:

Create USB installation drive

The Dell laptop comes with Ubuntu pre-installed. Use it to download the installation ISO from Arch Linux. Verify the signature of the downloaded ISO. Copy it to a USB drive with:

dd if=archlinux.img of=/dev/sdb bs=16M && sync

Prepare disk for install

The disk drive needs to be securely wiped before the install. The main reason is to prevent disclosure of usage patterns on the encrypted drive: once the whole disk holds random data, used and unused encrypted blocks cannot be told apart. This also has the added benefit of deleting and reclaiming the space of the multiple useless partitions created by Dell.

The steps for preparing the disk are:

  1. Boot from USB
  2. Securely wipe the drive
  3. Reboot from USB

Boot from USB

  1. Insert the USB and reboot the machine.
  2. When the Dell logo is shown, press F12 (multiple times) to bring up the boot select screen.
  3. Select UEFI BOOT on the boot select screen.
  4. When the Arch menu appears, select Arch Linux archiso x86_64 UEFI CD (first option) and press e.
  5. Press Ctrl-e to jump to the end of the kernel command line, append video=1600x900, then press Enter.

Securely wipe the drive

This is a simple, effective and fast method for securely wiping the existing drive: the disk is mapped through plain dm-crypt with a random key and then overwritten with zeros, so what actually lands on the disk is indistinguishable from random data. More details on this method can be found on the Arch Linux wiki.

root@archiso ~ # cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1 to_be_wiped
root@archiso ~ # dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=32M
512 GB copied, 396.428 s, 1.3 GB/s
root@archiso ~ # cryptsetup close to_be_wiped

This took about 7 minutes for a 512 GB drive.
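A quick spot check that the wipe actually left random-looking data, as an added example that is not part of the gist: it reads a small sample from a device at a given MiB offset and counts the distinct byte values in it. A region overwritten through the plain dm-crypt mapping above should show close to all 256 values in a 4 KiB sample, while an unwiped or zeroed region shows very few. The 200-value threshold is an assumption chosen for a 4 KiB sample; /dev/urandom and /dev/zero stand in for a wiped and an unwiped device in the usage comment.

```shell
# Added example (not from the gist): crude randomness spot check for a
# wiped block device. Reads SAMPLE_KIB KiB at OFFSET_MIB and counts how
# many distinct byte values (0..255) appear in the sample.

# sample_distinct_bytes DEVICE [OFFSET_MIB] [SAMPLE_KIB]
# Prints the number of distinct byte values found in the sample.
sample_distinct_bytes() {
    dev=$1
    off_mib=${2:-0}
    kib=${3:-4}
    n=$(dd if="$dev" bs=1024 skip=$((off_mib * 1024)) count="$kib" 2>/dev/null \
        | od -An -v -tu1 \
        | tr -s ' ' '\n' \
        | sed '/^$/d' \
        | sort -n | uniq | wc -l)
    # wc may pad with spaces on some systems; arithmetic normalises it
    echo $((n + 0))
}

# wipe_looks_random DEVICE [OFFSET_MIB] [SAMPLE_KIB]
# Succeeds when the sample is spread over almost all byte values.
# 200 is an assumed threshold for a 4 KiB sample (expected value is ~256).
wipe_looks_random() {
    [ "$(sample_distinct_bytes "$@")" -ge 200 ]
}

# Usage on the wiped drive, sampling the start, 100 GiB in and 400 GiB in
# (offsets are in MiB); /dev/urandom and /dev/zero behave like a wiped and
# an unwiped device respectively:
#   for off in 0 102400 409600; do
#       wipe_looks_random /dev/nvme0n1 "$off" || echo "structure at ${off} MiB"
#   done
```

This is only a sanity check, not proof of a complete wipe: it samples a few KiB at a handful of offsets, so pick offsets spread across the whole disk rather than just the beginning.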

Reboot from USB

Run the following then follow the steps from Boot from USB:

root@archiso ~ # reboot now

Update the system clock

root@archiso ~ # timedatectl set-ntp true

To check the service status, use timedatectl status.

Partition the disk

We are going to create 3 partitions using cgdisk.

root@archiso ~ # cgdisk /dev/nvme0n1

Create the partitions using these values:

  1. 550 MiB EFI partition - /dev/nvme0n1p1
    • start: +1M
    • size: +550M
    • hex: ef00
    • label: EFI
  2. 550 MiB Boot partition - /dev/nvme0n1p2
    • start: +1M
    • size: +550M
    • hex: 8300
    • label: Boot
  3. 100% size Encrypted partition - /dev/nvme0n1p3
    • start: +1M
    • size: (select default)
    • hex: 8e00 (LVM)
    • label: Encrypted

Format the non-encrypted partitions

root@archiso ~ # mkfs.vfat -F32 /dev/nvme0n1p1
root@archiso ~ # mkfs.ext4 /dev/nvme0n1p2

Set up the encryption

root@archiso ~ # cryptsetup luksFormat --type luks2 /dev/nvme0n1p3
root@archiso ~ # cryptsetup open /dev/nvme0n1p3 cryptlvm

Create the logical volumes on the encrypted partition

This creates a root volume and a swap volume in the encrypted partition.

root@archiso ~ # pvcreate /dev/mapper/cryptlvm
root@archiso ~ # vgcreate vg0 /dev/mapper/cryptlvm
root@archiso ~ # lvcreate -L 20G vg0 -n swap
root@archiso ~ # lvcreate -l 100%FREE vg0 -n root

Ubuntu recommends that, when hibernation is used, the swap size be equal to the size of RAM plus the square root of the RAM size. The 20G above follows that recommendation, since the laptop will need to hibernate.
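The swap formula above, worked through in shell as an added example (not part of the gist): swap = RAM + sqrt(RAM), rounded up to whole GiB. For 16 GiB of RAM it gives 16 + 4 = 20, which is the 20G used in the lvcreate line; the 16 GiB figure is only an illustration, ram_gib_from_meminfo reads the real value from /proc/meminfo on the machine being installed. The function and file-name argument are my own, not part of the gist.

```shell
# Added example (not from the gist): hibernation-capable swap size,
# swap_gib = ceil(ram_gib + sqrt(ram_gib)).

# ram_gib_from_meminfo [MEMINFO_FILE]
# MemTotal in /proc/meminfo is in KiB; round up to whole GiB.
ram_gib_from_meminfo() {
    kib=$(awk '/^MemTotal:/ { print $2 }' "${1:-/proc/meminfo}")
    echo $(( (kib + 1048575) / 1048576 ))
}

# swap_size_gib RAM_GIB
# Prints ceil(RAM + sqrt(RAM)); awk is used because sh has no sqrt.
swap_size_gib() {
    awk -v r="$1" 'BEGIN {
        s = r + sqrt(r)
        printf "%d\n", (s == int(s)) ? s : int(s) + 1
    }'
}

# lvcreate_swap_cmd RAM_GIB
# The lvcreate line from the gist, with the size derived from RAM.
lvcreate_swap_cmd() {
    echo "lvcreate -L $(swap_size_gib "$1")G vg0 -n swap"
}

# Usage on the live system:
#   lvcreate_swap_cmd "$(ram_gib_from_meminfo)"
```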

Format the LVM partitions

root@archiso ~ # mkfs.ext4 /dev/vg0/root
root@archiso ~ # mkswap /dev/vg0/swap

Mount the new filesystems

root@archiso ~ # mount /dev/vg0/root /mnt
root@archiso ~ # swapon /dev/vg0/swap
root@archiso ~ # mkdir /mnt/boot
root@archiso ~ # mount /dev/nvme0n1p2 /mnt/boot
root@archiso ~ # mkdir /mnt/boot/efi
root@archiso ~ # mount /dev/nvme0n1p1 /mnt/boot/efi

Installation

Install the base packages

root@archiso ~ # pacstrap /mnt base base-devel grub-efi-x86_64 efibootmgr zsh vim

Workaround for grub-mkconfig hanging (part 1)

This is the first part of a workaround. See here and here for more details.

root@archiso ~ # mkdir /mnt/hostrun
root@archiso ~ # mount --bind /run /mnt/hostrun

Configure the system

  1. Fstab

    root@archiso ~ # genfstab -U /mnt >> /mnt/etc/fstab

    (Optional) To make /tmp a ramdisk, add the following line to /mnt/etc/fstab:

    tmpfs	/tmp	tmpfs	defaults,noatime,mode=1777	0	0
    
  2. Enter the new system

    root@archiso ~ # arch-chroot /mnt /bin/bash
  3. Workaround for grub-mkconfig hanging (part 2)

    [root@archiso /]# mkdir /run/lvm
    [root@archiso /]# mount --bind /hostrun/lvm /run/lvm
  4. Set the time zone and adjust the clock

    [root@archiso /]# ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
    [root@archiso /]# hwclock --systohc --utc
  5. Configure Localization

    Uncomment en_US.UTF-8 UTF-8 and other needed locales in /etc/locale.gen, then do the following:

    [root@archiso /]# vim /etc/locale.gen (uncomment en_US.UTF-8 UTF-8)
    [root@archiso /]# locale-gen
    [root@archiso /]# echo LANG=en_US.UTF-8 > /etc/locale.conf
    [root@archiso /]# export LANG=en_US.UTF-8
  6. Configure network

    Create the /etc/hostname file:

    [root@archiso /]# echo myhostname > /etc/hostname

    Add matching entries to /etc/hosts:

    127.0.0.1	localhost
    ::1		localhost
    127.0.1.1	myhostname.localdomain	myhostname
    
  7. Set root password

    [root@archiso /]# passwd
  8. Create User

    [root@archiso /]# useradd -m -g users -G wheel -s /bin/zsh mgaffney
    [root@archiso /]# passwd mgaffney
    [root@archiso /]# visudo  #uncomment %wheel ALL=(ALL) ALL
  9. Configure mkinitcpio

    [root@archiso /]# vim /etc/mkinitcpio.conf

    Add 'ext4' to MODULES. Add keyboard, encrypt and lvm2 to HOOKS before filesystems.

    MODULES=(ext4)
    HOOKS=(base udev autodetect keyboard keymap modconf block encrypt lvm2 filesystems fsck)
    

    Regenerate initrd image:

    [root@archiso /]# mkinitcpio -p linux
  10. Set up GRUB

    [root@archiso /]# grub-install
    [root@archiso /]# vim /etc/default/grub

    Edit the following lines to:

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/nvme0n1p3:cryptlvm:allow-discards"
    ...
    GRUB_GFXMODE="1600x900x32"
    

    then run:

    [root@archiso /]# grub-mkconfig -o /boot/grub/grub.cfg
    [root@archiso /]# umount /run/lvm
  11. Exit new system and unmount all partitions

    [root@archiso /]# exit
    root@archiso ~ # umount -R /mnt
    root@archiso ~ # swapoff -a
  12. Reboot into the new system; don't forget to remove the CD/USB drive

    root@archiso ~ # shutdown now
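Steps 9 and 10 edit /etc/mkinitcpio.conf and /etc/default/grub by hand in vim. As an added example (my own functions, not part of the gist), the following makes the same edits scriptably and then checks that the hooks ended up in the order an encrypted LVM root needs (encrypt before lvm2 before filesystems), so a typo in HOOKS is caught before mkinitcpio and grub-mkconfig run. File paths are parameters so it can be tried on copies; the only values baked in are the ones from the steps above. The default HOOKS line used in the usage note is a constructed sample.

```shell
# Added example (not from the gist): scripted versions of the manual edits
# in steps 9 and 10, plus an order check on the resulting HOOKS line.

# add_module CONF MODULE: append MODULE to MODULES=( ... ) unless present.
add_module() {
    awk -v m="$2" '
        /^MODULES=\(/ {
            inner = $0; sub(/^MODULES=\(/, "", inner); sub(/\).*$/, "", inner)
            n = split(inner, a, " "); found = 0
            for (i = 1; i <= n; i++) if (a[i] == m) found = 1
            if (!found) inner = (n > 0) ? (inner " " m) : m
            $0 = "MODULES=(" inner ")"
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_hook_before_filesystems CONF HOOK: remove HOOK from wherever it is in
# HOOKS=( ... ) and re-insert it immediately before "filesystems".
# Fails (and leaves CONF untouched) if there is no filesystems hook.
set_hook_before_filesystems() {
    conf=$1 hook=$2
    awk -v h="$hook" '
        /^HOOKS=\(/ {
            inner = $0; sub(/^HOOKS=\(/, "", inner); sub(/\).*$/, "", inner)
            n = split(inner, a, " "); out = ""; placed = 0
            for (i = 1; i <= n; i++) {
                if (a[i] == h) continue
                if (a[i] == "filesystems") { out = out h " "; placed = 1 }
                out = out a[i] " "
            }
            if (!placed) { print "HOOKS has no filesystems hook" > "/dev/stderr"; exit 1 }
            sub(/ $/, "", out)
            $0 = "HOOKS=(" out ")"
        }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf" || { rm -f "$conf.tmp"; return 1; }
}

# hooks_list CONF: the space-separated contents of HOOKS=( ... ).
hooks_list() { sed -n -E 's/^HOOKS=\((.*)\)/\1/p' "$1"; }

# hook_index CONF HOOK: 1-based position of HOOK, empty if absent.
hook_index() { hooks_list "$1" | tr ' ' '\n' | grep -n -x -- "$2" | cut -d: -f1 | head -n 1; }

# hook_precedes CONF A B: succeeds when both hooks exist and A comes before B.
hook_precedes() {
    a=$(hook_index "$1" "$2"); b=$(hook_index "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# set_grub_var CONF KEY VALUE: set KEY="VALUE", replacing an uncommented
# KEY= line if there is one, appending otherwise.
set_grub_var() {
    conf=$1 key=$2 val=$3
    if grep -q "^$key=" "$conf"; then
        sed "s|^$key=.*|$key=\"$val\"|" "$conf" > "$conf.tmp"
    else
        { cat "$conf"; printf '%s="%s"\n' "$key" "$val"; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# get_grub_var CONF KEY: the value of KEY, quotes stripped.
get_grub_var() { sed -n -E "s/^$2=\"?([^\"]*)\"?\$/\1/p" "$1"; }

# configure_chroot_files MKINITCPIO_CONF GRUB_DEFAULT
# Applies the edits from steps 9 and 10 and verifies the hook order.
configure_chroot_files() {
    mk=$1 grub=$2
    add_module "$mk" ext4
    for h in keyboard encrypt lvm2; do
        set_hook_before_filesystems "$mk" "$h" || return 1
    done
    set_grub_var "$grub" GRUB_CMDLINE_LINUX "cryptdevice=/dev/nvme0n1p3:cryptlvm:allow-discards"
    set_grub_var "$grub" GRUB_GFXMODE "1600x900x32"
    # the order that matters for an encrypted LVM root
    hook_precedes "$mk" encrypt lvm2 && hook_precedes "$mk" lvm2 filesystems
}

# Usage inside the chroot, in place of the vim steps:
#   configure_chroot_files /etc/mkinitcpio.conf /etc/default/grub && mkinitcpio -p linux
```

Each hook is inserted immediately before filesystems, so the three end up as "keyboard encrypt lvm2 filesystems"; keyboard is also moved from its default place after filesystems, which the hand-edited line in step 9 does as well.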

Post Install

All of the following steps assume you are logged in as root.

Configure Network

The following steps will configure the laptop to:

  • start/stop using an ethernet connection when a cable is plugged in/unplugged.
  • start/stop using a WiFi access point when the laptop enters/leaves the range of the access point.

Verify the laptop is still connected to the ethernet cable.

  1. Connect to the network to download and install additional packages

    [root@hostname ~]# pacman -S dhcpcd
    [root@hostname ~]# systemctl enable dhcpcd.service
    [root@hostname ~]# systemctl start dhcpcd.service
    [root@hostname ~]# pacman -S ifplugd wpa_actiond
    [root@hostname ~]# systemctl stop dhcpcd.service
    [root@hostname ~]# systemctl disable dhcpcd.service
  2. Configure ethernet connection

    See here and here for more details.

    [root@hostname ~]# cd /etc/netctl
    [root@hostname netctl]# cp examples/ethernet-dhcp .
    [root@hostname netctl]# vim ethernet-dhcp

    Edit the following lines:

    Interface=enp58s0u1
    Priority=2
    
    [root@hostname netctl]# systemctl enable netctl-ifplugd@enp58s0u1.service
    [root@hostname netctl]# systemctl start netctl-ifplugd@enp58s0u1.service
  3. Configure WiFi connection(s)

    See here, here and here for more details.

    [root@hostname ~]# cd /etc/netctl
    [root@hostname netctl]# cp examples/wireless-wpa home-wifi
    [root@hostname netctl]# vim home-wifi

    Edit the following lines:

    Interface=wlp59s0
    ESSID='my-home-essid'
    Key='super-secret-password'
    
    [root@hostname netctl]# systemctl enable netctl-auto@wlp59s0.service
    [root@hostname netctl]# systemctl start netctl-auto@wlp59s0.service
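The WiFi profile in step 3 stores the WPA passphrase in plain text under /etc/netctl, and netctl reads the profile as shell syntax. As an added example (my own functions, not part of the gist), the following writes such a profile with root-only permissions, refuses a value that would break the single quoting, and checks the result. The directory argument exists only so it can be tried in a temporary directory; the ESSID and Key values are the placeholders from the step above.

```shell
# Added example (not from the gist): write and check a netctl wireless-wpa
# profile. The profile holds the WPA passphrase in the clear, so it is
# created with umask 077 (mode 0600).

# write_wifi_profile DIR NAME INTERFACE ESSID KEY
write_wifi_profile() {
    dir=$1 name=$2 iface=$3 essid=$4 key=$5
    # netctl sources the profile as shell; a single quote inside the
    # single-quoted values below would corrupt it, so refuse it outright
    case $essid$key in
        *\'*) echo "refusing: single quote in ESSID or Key" >&2; return 1 ;;
    esac
    (
        umask 077   # subshell so the umask does not leak to the caller
        cat > "$dir/$name" <<EOF
Description='wireless profile written by write_wifi_profile (constructed)'
Interface=$iface
Connection=wireless
Security=wpa
ESSID='$essid'
Key='$key'
IP=dhcp
EOF
    )
}

# profile_is_private FILE: mode must be exactly rw------- (0600)
profile_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# profile_get FILE KEY: value of KEY with surrounding single quotes removed
profile_get() {
    sed -n "s/^$2=//p" "$1" | sed "s/^'//; s/'\$//"
}

# Usage (as root), mirroring step 3:
#   write_wifi_profile /etc/netctl home-wifi wlp59s0 'my-home-essid' 'super-secret-password' \
#       && profile_is_private /etc/netctl/home-wifi \
#       && systemctl enable netctl-auto@wlp59s0.service
```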

Update the system

[root@hostname ~]# pacman -Syu

Enable system clock synchronization

[root@hostname ~]# systemctl enable systemd-timesyncd.service
[root@hostname ~]# systemctl start systemd-timesyncd.service
[root@hostname ~]# timedatectl status # to verify

Missing

  • VPN
@tmessi

tmessi commented Jan 7, 2019

For your partitioning step, instead of using cgdisk, you can use sgdisk to automate/script that step as well. You can see an example of that here:

https://github.com/shadowfax-chc/gentoo-bootstrap/blob/176fe61968ec85e7225aee5d021e59c37610d2dc/gentoo-bootstrap.sh#L74-L78
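Following the suggestion above, here is the partition table from the "Partition the disk" section as a single sgdisk invocation. This is an added example of my own; it is neither part of the gist nor taken from the linked gentoo-bootstrap script. It assumes sgdisk is on the live ISO (it ships in the same gptfdisk package as the cgdisk the gist uses), refuses to run against a disk that has mounted partitions, and prints the command instead of running it when DRY_RUN=1 is set. The sizes, type codes and labels are the ones in the gist.

```shell
# Added example (not from the gist): scripted partitioning with sgdisk.

# partition_disk DISK
# Creates the EFI, Boot and Encrypted partitions in one sgdisk call.
# Set DRY_RUN=1 to print the command instead of running it.
partition_disk() {
    disk=$1
    [ -n "$disk" ] || { echo "usage: partition_disk /dev/DISK" >&2; return 2; }
    # /dev/nvme0n1 is a prefix of /dev/nvme0n1p1 etc., so this catches
    # any mounted partition of the disk
    if grep -q "^$disk" /proc/mounts 2>/dev/null; then
        echo "refusing: $disk has mounted partitions" >&2
        return 1
    fi
    # -o clears the partition table (the disk was wiped anyway);
    # start 0 = default aligned start, end 0 on the last partition = rest of disk
    set -- -o \
        -n 1:0:+550M -t 1:ef00 -c 1:EFI \
        -n 2:0:+550M -t 2:8300 -c 2:Boot \
        -n 3:0:0     -t 3:8e00 -c 3:Encrypted \
        "$disk"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sgdisk $*"
    else
        sgdisk "$@"
    fi
}

# Usage on the live ISO, after the secure wipe:
#   DRY_RUN=1 partition_disk /dev/nvme0n1   # review the command first
#   partition_disk /dev/nvme0n1             # then run it
```

Partition 3 is given type 8e00 to match the cgdisk values in the gist; the LUKS container is created on it afterwards exactly as in "Set up the encryption".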

@mgaffney

mgaffney commented Jan 9, 2019

@shadowfax-chc, I will try that out. Thanks!
