---
title: "ArchInstall"
date: 2023-06-22T00:19:51-05:00
draft: false
---
== Installing btrfs, systemd-boot, and LUKS with suspend to disk on encrypted swap partition.
I've been using Arch Linux for several years now.
Of course, my first installs were... blunderous, as I wanted to do full disk encryption from the get-go, and I didn't know what I was doing.
After those first one or two installs, I generally settled on LVM on LUKS with a GRUB bootloader and my swap on an LVM volume,
mostly because it makes it much easier to set up hibernation/suspend to disk vs, say, a swap file.
(with a swap file, you have to deal with file offsets, and I have never gotten a satisfactory answer as to whether it's possible for the filesystem to just *move* a file to a different disk sector in the process of, say, defragging with a very full hard drive.)

With my newest laptop, I decided to try out btrfs, in large part due to its snapshot system and ability to transfer those snapshots over a network.
(I'm hoping to make a lightweight filesystem backup using this, on top of the data-level backups I currently use.)
However, suspend-to-disk is also quite important to me, and the archwiki is really only clear on how to do that with unencrypted partitions, LVM on LUKS, and on swapfiles.
The archwiki has some info on how to do it for the encrypt hook with a custom mkinitcpio hook, or with sd-encrypt hooks by just specifying multiple devices, but I didn't want to be writing a ton of custom config for the encrypt hook, and the section on sd-encrypt was not very clear at all, so I decided to do some experimentation and write up what worked for me.

=== A note on security and risk profiles

The encryption scheme I am setting up in this guide is only meant to protect your data from theft of your physical device when it is turned off or suspended to disk.
Full disk encryption will not protect you from anything while your laptop is powered on. After boot, the encryption is completely transparent to userspace.

Also, I am not encrypting the boot partition, and I'm not setting up any sort of secure boot.
This means that an attacker could hypothetically replace your boot partition or firmware and keylog your password, so if you suspect your computer has been tampered with, *DON'T* boot it up.

To reiterate, this setup by itself only protects your data if your powered down machine is stolen. It does not protect your data from being stolen in any scenario where your laptop is powered on.

=== Things you should do first
Because some things are quite dependent on your system and network, as well as the type of system you end up with,
I will not be detailing some of the early setup steps, such as creating and booting from the Arch ISO, or the final steps,
such as setting up a graphical environment.
Also, some of the middle steps require some modification depending on what sort of final setup you want, and your hardware.
I will call out those modifications in the relevant steps.

All this said, I would discourage you from blindly following this guide if it's your first time installing Arch (or a similarly DIY distro like Gentoo).
You should clearly understand what most of these commands do before typing them in.
Anyway, start by booting up the Arch ISO...

=== Installing via ssh
Sometimes, you don't want to be switching between the computer you are installing Linux on and the computer with the documentation and a search engine on it,
and I've found the best way to avoid that is to set up a simple ssh session into the Arch ISO from the computer with the documentation on it.

[IMPORTANT]
====
On a normal, already installed machine, *NEVER* use just a password for SSH. *ESPECIALLY* if it is internet-facing or connected to a public network.
We are only doing this because we are (hopefully) on a personal network, and the password-based SSH session only exists on the Arch ISO, so as soon as you boot into your fresh system, the SSH session will be gone.
====
On the installee, set a password for the root account
{{<highlight console "linenos=false">}}
$ passwd
{{</highlight>}}
Enable SSH using
{{<highlight console "linenos=false">}}
$ systemctl start sshd.service
{{</highlight>}}
Find the IP address with
{{<highlight console "linenos=false">}}
$ ip addr show
{{</highlight>}}
You are looking for a line like
{{<highlight console "linenos=false">}}
inet 192.168.1.162/24 brd 192.168.1.255 scope global dynamic enp0s25
{{</highlight>}}
In this case, my LAN IP is 192.168.1.162.
Now, on the PC you are going to be SSHing from,
{{<highlight console "linenos=false">}}
$ ssh root@[ip we just found on installee]
{{</highlight>}}
and type in the password you set on the installee.
Now let's continue with the installation.

=== initial setup
verify you are connected to the internet
{{<highlight console "linenos=false">}}
$ ping 1.1.1.1
{{</highlight>}}
turn on NTP
{{<highlight console "linenos=false">}}
$ timedatectl set-ntp true
{{</highlight>}}

=== Partitioning
create partitions using the tools of your choice. I will be using the following partition map
(in the commands below these are /dev/sda1, /dev/sda2 and /dev/sda3; substitute your own device names):

an EFI partition of 512M,
a swap partition with a size equal to your RAM,
a btrfs partition containing the rest of the space.

=== Encryption
Encrypt the btrfs partition with
{{<highlight console "linenos=false">}}
$ cryptsetup luksFormat /dev/sda3

$ cryptsetup config --label="btrfs" /dev/sda3
{{</highlight>}}

and enter the encryption passphrase. I recommend making it a full sentence for security.
Encrypt the swap partition. Use the same passphrase as last time.
{{<highlight console "linenos=false">}}
$ cryptsetup luksFormat /dev/sda2

$ cryptsetup config --label="swap" /dev/sda2
{{</highlight>}}
Now open the newly encrypted partitions
{{<highlight console "linenos=false">}}
$ cryptsetup open /dev/sda2 swap

$ cryptsetup open /dev/sda3 btrfs
{{</highlight>}}

=== Filesystem creation
format the EFI partition with FAT32 and give it the label EFI (the label can be something else.)
{{<highlight console "linenos=false">}}
$ mkfs.vfat -F32 -n EFI /dev/sda1
{{</highlight>}}

format the (now opened) swap partition as swap
{{<highlight console "linenos=false">}}
$ mkswap /dev/mapper/swap
{{</highlight>}}
format the root partition with btrfs and give it a label (the command below uses btrfs; it can be something else.)
{{<highlight console "linenos=false">}}
$ mkfs.btrfs -L btrfs /dev/mapper/btrfs
{{</highlight>}}

=== Creating and mounting subvolumes
{{<highlight console "linenos=false">}}
$ mount /dev/mapper/btrfs /mnt

$ btrfs subvolume create /mnt/root

$ btrfs subvolume create /mnt/home

$ umount /mnt
{{</highlight>}}
mount subvols and EFI partition
{{<highlight console "linenos=false">}}
$ mount -o noatime,nodiratime,compress=zstd,ssd,discard,subvol=root /dev/mapper/btrfs /mnt

$ mkdir /mnt/home

$ mount -o noatime,nodiratime,compress=zstd,ssd,discard,subvol=home /dev/mapper/btrfs /mnt/home

$ mkdir /mnt/boot

$ mount /dev/sda1 /mnt/boot

$ swapon /dev/mapper/swap
{{</highlight>}}

=== installing base system, generating *stab
install the base packages. Adjust the package list to suit your needs. Change intel-ucode to amd-ucode if using an AMD processor.
{{<highlight console "linenos=false">}}
$ pacstrap /mnt linux linux-firmware base base-devel btrfs-progs zsh neovim git stow tmux connman wpa_supplicant openvpn fzf htop rsync tig tree xdg-user-dirs units python openssh w3m curl intel-ucode
{{</highlight>}}
generate an fstab
{{<highlight console "linenos=false">}}
$ genfstab -U /mnt > /mnt/etc/fstab
{{</highlight>}}
make /mnt/etc/crypttab.initramfs containing:
{{<highlight console "linenos=false">}}
# our swap device
swap LABEL=swap

# our main device
btrfs LABEL=btrfs
{{</highlight>}}
This file is what lets the sd-encrypt hook unlock both devices in the initramfs: the first column is the mapper name (so the devices show up as /dev/mapper/swap and /dev/mapper/btrfs, matching the names used above), and LABEL= refers to the LUKS header labels set with cryptsetup config.
Note that the discard mount option used earlier only reaches the disk if discards are also allowed through dm-crypt (the discard option in crypttab); that is left off here, since allowing discards reveals which blocks of the encrypted device are unused.

=== system config
chroot into the new system
{{<highlight console "linenos=false">}}
$ arch-chroot /mnt/
{{</highlight>}}
set the time zone.
{{<highlight console "linenos=false">}}
$ ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
{{</highlight>}}
run hwclock
{{<highlight console "linenos=false">}}
$ hwclock --systohc
{{</highlight>}}
uncomment needed locales in /etc/locale.gen (you always need to at least uncomment en_US.UTF-8 UTF-8.)
generate locales
{{<highlight console "linenos=false">}}
$ locale-gen
{{</highlight>}}
set LANG variable
{{<highlight console "linenos=false">}}
$ echo 'LANG=en_US.UTF-8' > /etc/locale.conf
{{</highlight>}}
create the hostname file
{{<highlight console "linenos=false">}}
$ echo '[myhostname]' > /etc/hostname
{{</highlight>}}

and add matching entries to /etc/hosts, like so (if the machine has a static IP, use that on the third line; if dynamic, use 127.0.1.1)
{{<highlight console "linenos=false">}}
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
{{</highlight>}}

=== installing the boot loader
edit /etc/mkinitcpio.conf so the HOOKS line looks like this:
{{<highlight console "linenos=false">}}
HOOKS=(base systemd udev autodetect modconf block sd-encrypt btrfs resume filesystems keyboard fsck)
{{</highlight>}}
The order matters: sd-encrypt must come before btrfs, resume and filesystems, so both LUKS devices are unlocked (using crypttab.initramfs) before the root filesystem is mounted or a hibernation image is looked for on swap.
Then regenerate the initramfs
{{<highlight console "linenos=false">}}
$ mkinitcpio -p linux
{{</highlight>}}
install systemd-boot
{{<highlight console "linenos=false">}}
$ bootctl install
{{</highlight>}}
create /boot/loader/entries/arch.conf containing (change intel-ucode.img to amd-ucode.img on AMD):
{{<highlight console "linenos=false">}}
title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=/dev/mapper/btrfs rootflags=subvol=/root resume=/dev/mapper/swap
{{</highlight>}}
Both root= and resume= point at the unlocked mapper devices, not the raw partitions.
edit /boot/loader/loader.conf and add:
{{<highlight console "linenos=false">}}
default arch.conf
timeout 2
console-mode max
editor no
{{</highlight>}}
editor no disables editing the kernel command line from the boot menu, so the options above cannot be changed by someone at the keyboard without modifying the (unencrypted) boot partition.
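Before leaving the chroot it is worth checking the three files this guide edits against each other. The script below is an added example, not part of the original post; the function names and the sample inputs are my own, and the real files can be checked with `check_hibernation_config "$(cat /etc/mkinitcpio.conf)" "$(cat /etc/crypttab.initramfs)" "$(cat /boot/loader/entries/arch.conf)"`.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot sanity check for the
# three files this guide edits. See the lead-in for how to feed it the real files.

# 1-based position of hook $2 inside the HOOKS=(...) line of $1; empty if absent.
hook_index() {
    printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))/\1/p' | tr ' ' '\n' \
        | grep -nx -- "$2" | cut -d: -f1 | head -n1
}

# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_hibernation_config() {
    mkinit=$1 crypttab=$2 entry=$3
    sysd=$(hook_index "$mkinit" systemd); sysd=${sysd:-0}
    enc=$(hook_index "$mkinit" sd-encrypt); enc=${enc:-0}
    res=$(hook_index "$mkinit" resume); res=${res:-0}
    fs=$(hook_index "$mkinit" filesystems); fs=${fs:-0}
    # sd-encrypt only works inside a systemd-based initramfs
    [ "$sysd" -gt 0 ] || { echo "systemd hook missing"; return 1; }
    [ "$enc" -gt "$sysd" ] || { echo "sd-encrypt must come after systemd"; return 1; }
    # both LUKS devices must be unlocked before root is mounted or resume is attempted
    [ "$fs" -gt "$enc" ] || { echo "filesystems must come after sd-encrypt"; return 1; }
    if [ "$res" -gt 0 ] && [ "$res" -lt "$enc" ]; then
        echo "resume must come after sd-encrypt"; return 1
    fi
    # crypttab.initramfs needs a line for each mapping; comment lines are skipped
    for name in swap btrfs; do
        printf '%s\n' "$crypttab" | grep -v '^[[:space:]]*#' | grep -q "^$name[[:space:]]" \
            || { echo "crypttab.initramfs has no entry for $name"; return 1; }
    done
    # resume= must name the unlocked mapper device, never the raw LUKS partition
    resume_dev=$(printf '%s\n' "$entry" | sed -n 's/.*resume=\([^ ]*\).*/\1/p')
    [ "$resume_dev" = /dev/mapper/swap ] \
        || { echo "resume= is '${resume_dev:-unset}', expected /dev/mapper/swap"; return 1; }
    echo ok
}

# Constructed sample inputs mirroring the guide's configuration.
SAMPLE_MKINITCPIO='MODULES=()
HOOKS=(base systemd udev autodetect modconf block sd-encrypt btrfs resume filesystems keyboard fsck)'
SAMPLE_CRYPTTAB='# our swap device
swap LABEL=swap
# our main device
btrfs LABEL=btrfs'
SAMPLE_ENTRY='title Arch Linux
options root=/dev/mapper/btrfs rootflags=subvol=/root resume=/dev/mapper/swap'
```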
=== system config
set root password
{{<highlight console "linenos=false">}}
$ passwd
{{</highlight>}}
exit the chroot and shut down the system
{{<highlight console "linenos=false">}}
$ exit

$ shutdown now
{{</highlight>}}
remove the install media, and boot back up. Make sure everything boots (the initramfs should prompt you for the passphrase). From now on, configure the system as normal.

=== configuring userspace
add a non-root user
{{<highlight console "linenos=false">}}
$ useradd -m -G wheel -s /bin/sh your_username
$ passwd your_username
{{</highlight>}}

symlink neovim to vi (assuming you installed neovim but not vi. Modify as your installed packages call for.)
{{<highlight console "linenos=false">}}
$ ln -s /usr/bin/nvim /usr/bin/vi
{{</highlight>}}
configure sudo
{{<highlight console "linenos=false">}}
$ visudo
{{</highlight>}}
uncomment the line that reads
{{<highlight console "linenos=false">}}
%wheel ALL=(ALL) ALL
{{</highlight>}}
enable multilib: uncomment the following lines in /etc/pacman.conf
{{<highlight console "linenos=false">}}
[multilib]
Include = /etc/pacman.d/mirrorlist
{{</highlight>}}
Congrats! You now have a barebones, but functional, encrypted Arch install!