Archlinux encrypted (LUKS) install guide
The official installation guide (https://wiki.archlinux.org/index.php/Installation_Guide) contains a more verbose description.
Download the archiso image from https://www.archlinux.org/
dd if=archlinux.img of=/dev/sdX bs=16M && sync # on linux
Or, to write the image with a GUI, you can use Etcher from https://www.balena.io/etcher/
1. iwctl
2. station list
3. station <device, generally wlan0> connect <Wi-Fi network name (SSID)>, for example: station wlan0 connect 0xdev
Enter your password, then leave iwctl (type exit and press Enter)
cfdisk /dev/nvme0n1
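- 1Gb EFI partition --> /dev/nvme0n1p1
- The rest of the space will be encrypted --> /dev/nvme0n1p2
(action later) - In case of BTRFS you'll need 3 partitions: boot (EFI), swap and root (with home). In the BTRFS commands below only the root partition (/dev/nvme0n1p3) is put inside LUKS; the swap partition (/dev/nvme0n1p2) is created as plain swap, so swapped-out memory and hibernation images on it are not encrypted.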
mkfs.fat -F32 /dev/nvme0n1p1
mkswap /dev/nvme0n1p2
swaplabel -L swappo /dev/nvme0n1p2
swapon /dev/nvme0n1p2
btrfs filesystem label /dev/nvme0n1p3 root
cryptsetup -c aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 -y --use-random luksFormat /dev/nvme0n1p3
cryptsetup open /dev/nvme0n1p3 luks
6. This creates one partition for root; modify it if /home or other directories should be on separate partitions
pvcreate /dev/mapper/luks
vgcreate vg0 /dev/mapper/luks
lvcreate --size 16G vg0 --name swap # If you are planning to use deep sleep or hibernate, set the size to RAM * 1.5
lvcreate -l +100%FREE vg0 --name root
mkfs.btrfs /dev/mapper/luks
mount /dev/mapper/luks /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt
mount -o subvol=@,ssd,compress=lzo,discard=async,noatime,nodiratime /dev/mapper/luks /mnt
mkdir /mnt/{boot,home}
mount -o subvol=@home,ssd,compress=lzo,discard=async,noatime,nodiratime /dev/mapper/luks /mnt/home
mount /dev/nvme0n1p1 /mnt/boot
mkfs.ext4 /dev/mapper/vg0-root # or mkfs.xfs /dev/mapper/vg0-root (xfs also requires installing xfsprogs), or mkfs.btrfs (requires btrfs-progs)
mkswap /dev/mapper/vg0-swap
cp root/.backups etc/iwd/main.conf etc/environment etc/makepkg.conf etc/pacman.conf etc/locale.gen etc/locale.conf etc/mkinitcpio.conf etc/crypttab etc/vconsole.conf etc/udev/rules.d/81-wifi-powersave.rules boot/loader/entries/arch.conf /mnt/root
mount /dev/mapper/vg0-root /mnt # /mnt is the installed system
swapon /dev/mapper/vg0-swap # Not needed but a good thing to test
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
9. Install the system. The package list also includes what is needed to start Wi-Fi when first booting into the newly installed system
pacstrap /mnt base base-devel fish vim neovim git sudo efibootmgr systemd-resolvconf mdadm iw iwd ccache linux linux-headers linux-firmware intel-ucode btrfs-progs
genfstab -pU /mnt >> /mnt/etc/fstab
Sample for the BTRFS
tmpfs /tmp tmpfs defaults,size=40G,noatime,mode=1777 0 0
tmpfs /tmp tmpfs defaults,noatime,mode=1777 0 0
You can also specify a size for /tmp: put size=xG after defaults, where x is the needed size.
arch-chroot /mnt
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc --utc
- /etc/vconsole.conf
FONT=ter-i32n
FONT_MAP=8859-2
echo rustatian > /etc/hostname
nvim /etc/locale.gen
locale-gen
localectl set-locale LANG=en_US.UTF-8
echo LANG=en_US.UTF-8 >> /etc/locale.conf
echo LC_TIME=pl_PL.UTF-8 >> /etc/locale.conf
passwd
useradd -mg users -G wheel,storage,power -s /bin/fish valery
passwd valery
visudo -> uncomment the following line --> %wheel ALL=(ALL) ALL
- Additional options:
Defaults timestamp_type=global
Defaults timestamp_timeout=15
vim /etc/mkinitcpio.conf
Add ext4 to MODULES (or xfs, btrfs). Also, if you want to see the password screen when the laptop lid is closed, add i915 (Intel) to the modules
Add encrypt and lvm2 to HOOKS BEFORE filesystems (only for the LVM)
Add resume AFTER lvm2 (also has to be after udev)
Here are my hooks: HOOKS=(base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck)
And modules: MODULES=() -> in case of nvidia you may add nvidia, nvidia_modeset, nvidia_uvm and nvidia_drm
And modules: MODULES=() -> in case of AMD you may add amdgpu radeon
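A way to check the HOOKS ordering rules above before running mkinitcpio -P. This is an added example, not part of the original guide; the function names hook_index and check_hooks are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: check the HOOKS ordering rules described above.

# Print the 1-based position of hook $1 among the remaining arguments (0 = absent).
hook_index() {
    want=$1; shift; pos=0; n=0
    for h in "$@"; do
        n=$((n + 1))
        if [ "$h" = "$want" ]; then pos=$n; fi
    done
    echo "$pos"
}

# check_hooks FILE [lvm|plain]: print each violated rule; return 0 only if none.
check_hooks() {
    conf=$1; layout=${2:-lvm}; bad=0
    # Last active (uncommented) HOOKS=(...) line wins, as when the file is sourced.
    line=$(grep -E '^[[:space:]]*HOOKS=\(' "$conf" | tail -n 1)
    if [ -z "$line" ]; then echo "no active HOOKS=(...) line"; return 2; fi
    hooks=$(printf '%s\n' "$line" | sed -e 's/^[^(]*(//' -e 's/).*//')
    # Unquoted $hooks below: word splitting into one argument per hook is intended.
    udev=$(hook_index udev $hooks); enc=$(hook_index encrypt $hooks)
    lvm=$(hook_index lvm2 $hooks);  res=$(hook_index resume $hooks)
    fs=$(hook_index filesystems $hooks)
    if [ "$enc" -eq 0 ] || [ "$fs" -eq 0 ] || [ "$enc" -gt "$fs" ]; then
        echo "encrypt must be listed before filesystems"; bad=1
    fi
    if [ "$layout" = lvm ]; then
        if [ "$lvm" -eq 0 ] || [ "$lvm" -gt "$fs" ]; then
            echo "lvm2 must be listed before filesystems"; bad=1
        fi
        if [ "$res" -ne 0 ] && [ "$res" -lt "$lvm" ]; then
            echo "resume must come after lvm2"; bad=1
        fi
    fi
    if [ "$res" -ne 0 ] && { [ "$udev" -eq 0 ] || [ "$res" -lt "$udev" ]; }; then
        echo "resume must come after udev"; bad=1
    fi
    return "$bad"
}

# Constructed sample: a commented default plus the HOOKS line quoted in this guide.
sample=$(mktemp)
printf '%s\n' '#HOOKS=(base udev filesystems)' \
    'HOOKS=(base udev autodetect modconf block encrypt lvm2 resume filesystems keyboard fsck)' > "$sample"
check_hooks "$sample" lvm && echo "HOOKS order OK"
rm -f "$sample"
```

Inside the chroot, run it as check_hooks /etc/mkinitcpio.conf lvm (or plain for the BTRFS layout without LVM).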
mkinitcpio -P
bootctl --path=/boot install
echo 'default arch' >> /boot/loader/loader.conf
echo 'timeout 5' >> /boot/loader/loader.conf
nvim /boot/loader/entries/arch.conf
UUID is the one of the raw encrypted device (/dev/nvme0n1p2). It can be found with the blkid command.
TIP: Use echo to put UUID into /boot/loader/entries/arch.conf.
title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw nvidia-drm.modeset=1
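One way to follow the tip above and fill the UUID in automatically, while refusing a device that is not the raw LUKS container (for example the opened /dev/mapper device). This is an added example, not part of the original guide; render_entry and entry_for_device are hypothetical names, and it covers only the LVM-on-LUKS entry shown above.

```shell
#!/bin/sh
# Added example: fill the UUID into the LVM-on-LUKS loader entry from this guide.

# render_entry UUID: print the entry with the UUID substituted.
render_entry() {
    printf '%s\n' 'title Arch Linux' 'linux /vmlinuz-linux' 'initrd /initramfs-linux.img'
    printf 'options cryptdevice=UUID=%s:vg0 root=/dev/mapper/vg0-root resume=/dev/mapper/vg0-swap rw nvidia-drm.modeset=1\n' "$1"
}

# entry_for_device DEV OUT: write the entry to OUT, refusing anything that is
# not the raw LUKS container (e.g. /dev/mapper/luks or a logical volume).
entry_for_device() {
    dev=$1; out=$2
    fstype=$(blkid -s TYPE -o value "$dev") || { echo "blkid failed for $dev" >&2; return 1; }
    if [ "$fstype" != crypto_LUKS ]; then
        echo "$dev has type '$fstype', expected crypto_LUKS" >&2
        return 1
    fi
    uuid=$(blkid -s UUID -o value "$dev")
    case $uuid in
        ''|*[!0-9a-fA-F-]*) echo "unexpected UUID '$uuid' for $dev" >&2; return 1 ;;
    esac
    render_entry "$uuid" > "$out"
}

# Usage inside the chroot (device name as used in this guide's LVM layout):
#   entry_for_device /dev/nvme0n1p2 /boot/loader/entries/arch.conf
```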
BTRFS:
title ArchLinux [rustatian]
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=LABEL=root resume=LABEL=swappo raid0.default_layout=2 mem_sleep_default=deep rootflags=subvol=@ pcie_port_pm=off pcie_aspm.policy=performance rw nvidia-drm.modeset=1
OR for the AMD:
options cryptdevice=UUID=c5936c6f-1db2-43dd-9797-35b75d416ded:luks:allow-discards root=/dev/mapper/luks raid0.default_layout=2 rootflags=subvol=@ rw radeon.si_support=0 radeon.cik_support=0 amdgpu.cik_support=1 amdgpu.si_support=1 amdgpu.dpm=1 amdgpu.ppfeaturemask=<output of: printf "0x%08x\n" $(cat /sys/module/amdgpu/parameters/ppfeaturemask)>
pacman -S gnome gnome-extra bluez bluez-utils pipewire pipewire-pulse networkmanager network-manager-applet gvfs gnome-keyring seahorse docker docker-compose llvm lldb gdb lld cmake perf strace tcpdump lsof iotop xdg-user-dirs xdg-utils ttf-font-awesome qemu libvirt
systemctl enable gdm bluetooth NetworkManager systemd-timesyncd libvirtd docker systemd-boot-update.service
systemctl enable --user pipewire-pulse wireplumber
usermod -aG docker valery
cat >> /etc/modprobe.d/nvidia.conf <<EOF
options nvidia NVreg_PreserveVideoMemoryAllocations=1
options nvidia-drm modeset=1
EOF
mkinitcpio -P
systemctl enable nvidia-{hibernate,suspend,resume}
pcie_port_pm=off pcie_aspm.policy=performance
exit
umount -R /mnt
swapoff -a
reboot