= Installing btrfs, systemd-boot, and LUKS with suspend to disk on encrypted swap partition.
I've been using Arch Linux for several years now.
Of course, my first installs were... blunderous, as I wanted to do full disk encryption from the get-go, and I didn't know what I was doing.
After those first one or two installs, I generally settled on LVM on LUKS with a GRUB bootloader and my swap on an LVM volume,
mostly because it makes it much easier to set up hibernation/suspend to disk vs, say, a swap file.
(With a swap file, you have to deal with file offsets, and I have never gotten a satisfactory answer as to whether it's possible for the filesystem to just *move* a file to a different disk sector in the process of, say, defragging with a very full hard drive.)
Anyway, with my newest laptop,
(I tend to go through them more than normal, as I buy them used off Windows users once they become slow, but they are plenty fast for X11-less use or even light X11 use)
I decided to try out btrfs, in large part due to its snapshot system and ability to transfer those snapshots over a network.
(I'm hoping to make a lightweight filesystem backup using this, on top of the data-level backups I currently use.)
However, suspend-to-disk is also quite important to me, and the ArchWiki is really only clear on how to do that with unencrypted partitions, LVM on LUKS, and swap files.
The ArchWiki has some info on how to do it for the encrypt hook with a custom mkinitcpio hook, or with the sd-encrypt hook by just specifying multiple devices, but I didn't want to be writing a ton of custom config for the encrypt hook, and the section on sd-encrypt left some important questions unanswered.
////
I answered some of these questions:
//TODO: prettify this list.
- Does it matter if you use the kernel command line arguments or /etc/crypttab.initramfs for suspend-to-disk support? No, but only use one or the other, not both.
- Does using /etc/crypttab.initramfs work when resuming from hibernate? Yes.
- sd-encrypt caches your password so that multiple volumes can be unlocked with the same password; does that work with crypttab? Yes.
- Is it safe to use the filesystem label when using /etc/crypttab.initramfs? Yes. The filesystem label is persistent between boots and is stored in the FS header, along with the FS UUID you normally use. It is exactly as persistent as the FS UUID.
////
== A note on security and risk profiles
TODO
== Things you should do first
Because some things are quite dependent on your system and network, as well as the type of system you end up with,
I will not be detailing some of the early setup steps, such as creating and booting from the arch ISO, or the final steps,
such as setting up a graphical environment.
Also, some of the middle steps require some modification depending on what sort of final setup you want, and your hardware.
I will call out those modifications in the relevant steps.
All this said, I would discourage you from blindly following this guide if it's your first time installing Arch (or a similarly DIY distro like Gentoo).
You should clearly understand what most of these commands do before typing them in.
On a normal, already installed machine, *NEVER* use just a password for SSH. *ESPECIALLY* if it is internet-facing or connected to a public network.
We are only doing this because we are (hopefully) on a personal network, and the password-based SSH session only exists on the Arch ISO, so as soon as you boot into your fresh system, the SSH session will be gone.
====
On the installee, make a password for the root account