Installation Steps #
1. Connect to Wifi #
Source: iwctl
# iwctl
[iwd]# device list
[iwd]# device deviceName set-property Powered on
[iwd]# station deviceName scan
[iwd]# station deviceName get-networks
[iwd]# station deviceName connect SSID
# exit
(i) Check internet #
$ ping archlinux.org
2. Check system time #
$ timedatectl
3. Partition disks #
(i) Check disk #
# fdisk -l
(ii) Create partitions disk #
- Enter fdisk
# fdisk /dev/sdX
- Create GPT label
Command (m for help): g
Created a new GPT disklabel (GUID: ...).- Create boot partition
Command (m for help): n
Partition number:
First sector:
Last sector, +/-sectors or +/-size{K,M,G,T,P}: +512M
Command (m for help): t
Partition type or alias (type L to list all): uefi- Make remaining partition for LUKS
Command (m for help): n
Partition number:
First sector:
Last sector, +/-sectors or +/-size{K,M,G,T,P}:- Print partition info to verify
Command (m for help): p- Write changes (write changes and quit)
Command (m for help): w- Quit fdisk (quit without writing changes in case of mistakes)
Command (m for help): q(iii) Format Boot disk #
# mkfs.fat -F 32 -n EFI /dev/sdXY
3. Setup LUKS #
(i) Create LUKS partition #
# cryptsetup --use-random luksFormat /dev/sdXZ
Are you sure? YES
Enter passphrase:
Verify passphrase:
(ii) Open LUKS partition #
You can use any other name instead of cryptroot but be sure to replace it everywhere in the following commands
# cryptsetup open /dev/sdXZ cryptroot
Note #
Once you created LVM, you only need to open the disk with cryptsetup No additional command needed to access volume group (vg) all the existing LVM partitions are accessible right after unlocking the luks partition. This might come in handy if you wish to had to reboot the system after LVM setup
4. Setup LVM #
(i) Create LVM group #
# pvcreate /dev/mapper/cryptroot
# vgcreate vgroot /dev/mapper/cryptroot
(ii) Create LVM Partitions #
This assumes you don’t need separate home partition on LVM
Create swap
# lvcreate --size 8G vgroot --name swap
Create root
# lvcreate -l +100%FREE vgroot --name root
(iii) Format LVM partitions #
Format swap
# mkswap /dev/vgroot/swap -L swap
Format root
# mkfs.btrfs /dev/vgroot/root -L root
5. Create Btrfs Subvolumes #
Mount btrfs partition to /mnt (install target root)
# mount -t btrfs LABEL=root /mnt
Create partitions one by one
# btrfs subvolume create /mnt/@
# btrfs subvolume create /mnt/@home
# btrfs subvolume create /mnt/@tmp
# btrfs subvolume create /mnt/@varlog
# btrfs subvolume create /mnt/@snapshots
Disable Copy-on-Write for tmp and varlog
# chattr +C /mnt/@tmp
# chattr +C /mnt/@varlog
Unmount /mnt (install target root)
# umount -R /mnt
6. Mount Partitions #
(i) Btrfs Subvolumes #
The followings options can be set for mounting
- commit = time interval between data-writes in seconds
- x-mount.mkdir = make directory if not existing when mounting
- ssd = ssd based btrfs optimisations
- noatime = do not store access time for files (makes btrfs faster)
- nodiratime = do not store directory access time for files (makes btrfs faster)
- discard = set as async, asynchronous queued TRIM for discard freed file blocks, check below
check if discard is supported by checking if the output is greater than 0:
# cat /sys/block/sdX/queue/discard_max_bytes
Mount btrfs subvolumes one by one:
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@ LABEL=root /mnt
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@home LABEL=root /mnt/home
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@tmp LABEL=root /mnt/tmp
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@varlog LABEL=root /mnt/var/log
# mount -t btrfs -o defaults,x-mount.mkdir,compress=zstd,ssd,noatime,nodiratime,discard=async,space_cache=v2,commit=120,subvol=@snapshots LABEL=root /mnt/.snapshots
(ii) Mount EFI dir #
# mkdir -p /mnt/boot/efi
# mount LABEL=EFI /mnt/boot/efi
7. Setup Mirrorlist using Reflector #
Install reflector:
# pacman -Syy reflector
Configure mirrorlist using reflector:
# reflector --verbose --sort rate --save /etc/pacman.d/mirrorlist
8. Pacstrap Base Packages #
# pacstrap -K /mnt base linux linux-firmware vim nano
9. Generate Mount Info Fstab #
# genfstab -L -p /mnt >> /mnt/etc/fstab
10. Chroot into Installed Environment #
# arch-chroot /mnt
11. Set Timezone #
# ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
# hwclock --systohc
12. Set Locale #
Edit /etc/locale.gen and uncomment the required locales then run:
# locale-gen
Create /etc/locale.conf with content:
LANG=en_US.UTF-813. Configure Hostname #
# echo yourhostname >> /etc/hostname
14. Install additional packages #
Install required programs like shell, development packages, sudo, btfs, secure boot, ucode, bluetooth, wifi, desktop environment, etc:
# pacman -Syu base-devel btrfs-progs gptfdisk zsh sudo ttf-dejavu noto-fonts noto-fonts-cjk intel-ucode polkit wpa_supplicant mesa lvm2 efibootmgr bash-completion git man pipewire wireplumber pipewire-alsa pipewire-pulse gnome
If installing gnome select pipewire-jack, wireplumber, noto-fonts-emoji in the proceeding interactive questions
15. Unified Kernel Image Setup #
This step is useful for encrypted boot device. You can skip this step if you’re using grub as grub comes with decrypting disk before the boot menu is shown. Most other bootloaders do not work with this setup.
(i) Configure mkinitcpio Hooks #
Edit /etc/mkinitcpio.conf and add systemd after base; sd-encrypt and lvm2 before filesystems:
HOOKS=(base systemd plymouth modconf keyboard keymap block lvm2 btrfs filesystems sd-encrypt fsck)(ii) Kernel Parameters #
Create /etc/kernel/cmdline with contents:
fbcon=nodefer rw rd.luks.allow-discards quiet root=LABEL=root rootflags=subvol=@ rw splash vt.global_cursor_default=0(iii) Crypttab setup #
Create file /etc/crypttab.initramfs with contents:
root /dev/mapper/cryptroot none timeout=180,tpm2-device=auto16. Secure boot setup #
(i) Install Secure Boot #
# pacman -Syyu sbctl
(ii) Create Secure boot keys #
# sbctl create-keys
(iii) Enroll keys #
Change attributes of keys in btrfs:
# chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*
In the above command, if either of PK,KEK or db causes command to fail remove that from the list and run with the rest.
Now, Enroll keys along with Microsoft keys (-m):
# sbctl enroll-keys -m
Generate signed unified image:
# sbctl bundle -s /boot/efi/EFI/Linux/arch-linux.efi
(iv) Sign Bootloader for Secureboot #
# sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
17. Bootloader: SystemD Boot #
Install Bootloader
# bootctl install
18. User Management #
Create root password
# passwd
create user USERNAME:
# useradd -m -G wheel,storage,power -g users -s /bin/bash USERNAME
create password for user USERNAME:
# passwd USERNAME
Don’t forget to uncomment wheel line with visudo:
# visudo
Search for the following line and remove the # infront of it:
%wheel ALL=(ALL:ALL) ALLSwitch user to USERNAME
# sudo -u USERNAME -i
19. Enable services #
Enable Gnome Display Manager:
# systemctl enable gdm
Enable Network Manager:
# systemctl enable NetworkManager
Enable Bluetooth:
# systemctl enable bluetooth
20. Install Aur helper #
# pacman -Syy go
$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -is
$ cd ..
$ rm -rf yay
21. Plymouth Setup #
(i) Install plymouth #
$ yay -Syy plymouth-git
(ii) Install plymouth theme #
$ yay -Syy plymouth-theme-bgrt-better-luks
(iii) Set Plymouth theme #
Show installed plymouth themes:
# plymouth-set-default-theme -l
Set plymouth theme:
# plymouth-set-default-theme -R bgrt-better-luks
(iv) Rerun mkinitcpio #
# mkinitcpio -p linux
(v) Regenerate Unified Kernel Image #
# sbctl generate-bundles -s
22. Finish Install #
logout of user USERNAME, exit arch-chroot, unmount and reboot:
$ exit
# exit
# umount -a
# reboot
Turn on secure boot in BIOS after this. Nothing else needed for Secure Boot.
23. References #
- https://wiki.archlinux.org/title/User:ZachHilman/Installation_-_Btrfs_%2B_LUKS2_%2B_Secure_Boot
- https://wiki.archlinux.org/title/Installation_guide
- https://gist.github.com/mjnaderi/28264ce68f87f52f2cabb823a503e673
- https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134
- https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/
- https://github.com/Szwendacz99/Arch-install-encrypted-btrfs
- https://www.reddit.com/r/archlinux/comments/127fp6g/plymouthencrypt_hook_no_longer_found_after_update/
- https://bbs.archlinux.org/viewtopic.php?id=284741
- https://www.youtube.com/watch?v=QQoZwP6-Y2k
- https://github.com/AravindIM/nixos-dotfiles/blob/main/hosts/thinkpad/hardware-configuration.nix
- https://github.com/AravindIM/arch-install/blob/main/install-gnome.sh
- https://github.com/0xadeeb/dotFiles
- https://github.com/0xadeeb/NixOs-config/blob/master/hosts/hp-pavilion/hardware-configuration.nix
- https://bbs.archlinux.org/viewtopic.php?id=243019
- https://wiki.archlinux.org/title/Talk:Mkinitcpio#Improvements_for_the_Common_hooks_table_and_section_about_systemd_hook
- https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate
- https://askubuntu.com/questions/1304519/fstab-automatically-creates-mount-points
- https://wiki.archlinux.org/title/User:Bai-Chiang/Installation_notes
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://wiki.archlinux.org/title/Unified_kernel_image
- https://wiki.archlinux.org/title/AUR_helpers
- https://linuxhint.com/btrfs-filesystem-mount-options/
- https://linuxconfig.org/how-to-manage-efi-boot-manager-entries-on-linux
- https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_(GRUB)
- https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/debian/build-efi-images?h=debian/2.06-2ubuntu12