I wanted to install Arch because all the cool kids do it. Really, what I wanted was more control over the system and the decisions I had to make to get it to work. In the past, I have favored speed of installation and stability of the installation because I didn’t want to spend time configuring stuff that didn’t relate to what I wanted to accomplish. That basically means LTS Ubuntu.
So what changed? I think I am more comfortable with the idea of fighting through configuration changes to get my PC the way I want it. After running Ubuntu as a daily driver for 3 years, I’m frustrated with some of the decisions and finding myself wanting to make my own choice. With Ubuntu, there would be a lot of stuff to remove if I wanted to make these kind of decisions.
Also, I have almost nothing important stored locally, so removing the operating system isn’t really a burden anymore. All my configs are in a git repo, and all my pictures are with Big Brother. I got my work laptop up and running in an hour with all my creds. I think that is the main reason I feel brave about doing the installation.
Installation Guide
This is the main article that I will be working from.
AFTER finishing the whole thing by myself, I found this amazing article that basically summarizes the process.
Peter does a great job of highlighting the steps to get where I did.
One difference is that he appears to be using LVM on LUKS where I opted for LUKS on LVM.
Motivation Guide
When you install Arch, you’re installing just GNU/Linux. Your goal is this:
That’s it. A login prompt. From here, you make the decisions. This guide is going to cover what I did to get to this point.
Hardware
Lenovo ThinkPad T450s ~2015
Symbol | Meaning |
---|---|
⚪ | Incomplete |
⚫ | Unnecessary |
🔴 | Error |
🔵 | Success |
Note: I’m leaving this key. I mostly used it to track my progress during the installation.
Task List
- Installation Guide
- Motivation Guide
- Hardware
- Task List
- Make a Bootable Drive
- Internet Connection
- Disk Encryption
- Installation
- Emergency
- Conclusion
Make a Bootable Drive
Download Image
You need to get the image you want to put on the USB Drive. I used the torrent link on this page.
Write Drive OSX
First, you need to identify the USB device. Open a terminal and list all storage devices with the command:
```
diskutil list
```
Your USB device will appear as something like `/dev/disk2 (external, physical)`. Verify that this is the device you want to erase by checking its name and size and then use its identifier for the commands below instead of `/dev/diskX`.
A USB device is normally auto-mounted in macOS, and you have to unmount (not eject) it before block-writing to it with `dd`. In Terminal, do:
```
diskutil unmountDisk /dev/disk2
```
Now copy the ISO image file to the device. The `dd` command is similar to its Linux counterpart, but notice the ‘r’ before ‘disk’ for raw mode, which makes the transfer much faster:
```
dd if=/Users/admin/Downloads/archlinux-2018.04.01-x86_64.iso of=/dev/rdisk2 bs=1m
```
Note `diskX` here should not include the `s1` suffix, or else the USB device will only be bootable in UEFI mode and not legacy. After completion, macOS may complain that “The disk you inserted was not readable by this computer”. Select ‘Ignore’. The USB device will be bootable.
Booting
To boot to this drive I had to turn off Secure Boot in my ThinkPad BIOS. [unconfirmed]
Internet Connection
In the pre-installation section, they recommend being able to connect to the Internet from the installation media.
You’re going to need to be able to get an Internet connection from the command line.
Working set of commands (`wlp3s0` is my wireless interface and `drone50` my SSID; substitute yours):
```
systemctl stop dhcpcd@[TAB]
ip link set wlp3s0 up
wpa_supplicant -B -i wlp3s0 -c <(wpa_passphrase drone50 [passphrase])
iw dev wlp3s0 link
dhcpcd wlp3s0
```
Disk Encryption
We are basically swapping out the “Partition the disks” section of the Installation Guide in favor of the encrypted instructions.
I think I want to use LUKS on LVM. This would allow me to have only my `/home` partition encrypted. The drawback here is that each of the partitions could require a different password.
Drive Wipe
This is IRREVERSIBLE
The source article for wiping the drive securely is here: dm-crypt wipe on an empty disk or partition. You want to do this because it will write the drive with random data that looks like the encrypted data.
```
cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
lsblk [verify size]
dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
cryptsetup close to_be_wiped
```
Create Partition Table
`lsblk` gives a nice tree-style output of the currently available disks. `fdisk -l` can be used as well.
I’m going to try to use parted to create `/dev/sda1` and `/dev/sda2`. This will be the boot drive (unencrypted) and the rest of the drive (LVM).
Device | Partition | Size |
---|---|---|
/dev/sda1 | /boot | 200MiB |
/dev/sda2 | LVM | 100% of Free |
The wipe above leaves the disk without a partition table, so open the device in parted and create a GPT label before adding the two partitions:
```
# parted /dev/sda
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MiB 551MiB
(parted) set 1 esp on
(parted) set 1 boot on
(parted) mkpart primary ext4 551MiB 100%
(parted) quit
# lsblk
```
Preparing the logical volumes
On top of the physical partition `/dev/sda2`, we will create four logical partitions for `/`, swap, `/tmp`, and `/home`.
The motivation here is that LVM is good at managing these logical partitions and they could be theoretically resized in the future.
This created the logical volumes.
```
pvcreate /dev/sda2
vgcreate MyVol /dev/sda2
lvcreate -L 32G -n cryptroot MyVol
lvcreate -L 500M -n cryptswap MyVol
lvcreate -L 500M -n crypttmp MyVol
lvcreate -l 100%FREE -n crypthome MyVol
```
This created my root partition and set its password.
```
cryptsetup luksFormat --type luks2 /dev/mapper/MyVol-cryptroot
cryptsetup open /dev/mapper/MyVol-cryptroot root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
```
Preparing the boot partition
Note that the instructions in the linked article mention using `mkfs.ext4`; this won’t work with UEFI, which needs a FAT filesystem on the boot partition. I had to use `fat`.
```
mkfs.fat /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```
Installation
Now that you have the drives configured properly, you’ll want to do the installation as normal. You have the drive mounted, and now you basically have to copy stuff from the Internet on to them.
Normal Procedure
Edit `/etc/pacman.d/mirrorlist` and put the US mirrors at the top of the list. Then run
```
pacstrap /mnt base
```
to install a bunch of stuff.
Follow the rest of the instructions, they worked just fine. At the end, you come to the Bootloader installation, and that’s where things are different.
Bootloader
I picked grub.
You have to install it after you `arch-chroot` to the new system.
```
pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=arch_grub
[edit /etc/default/grub]
grub-mkconfig -o /boot/grub/grub.cfg
```
In `/etc/default/grub`, set the kernel command line so that grub (and the initramfs it boots) knows which device holds your root partition:
```
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/mapper/MyVol-cryptroot:root root=/dev/mapper/root"
```
Then regenerate your `grub.cfg`:
```
grub-mkconfig -o /boot/grub/grub.cfg
```
Encrypted Drive Config Files
`/etc/fstab` (the `/boot` entry is `vfat` to match the `mkfs.fat` above, and `/tmp` is the dm-crypt volume that crypttab formats on every boot, so its type is `ext4` rather than `tmpfs`):
```
/dev/mapper/root / ext4 defaults 0 1
/dev/sda1 /boot vfat defaults 0 2
/dev/mapper/tmp /tmp ext4 defaults 0 0
/dev/mapper/swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
```
`/etc/crypttab`
```
swap /dev/mapper/MyVol-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp /dev/mapper/MyVol-crypttmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256
home /dev/mapper/MyVol-crypthome /etc/luks-keys/home
```
Encrypting Home Directory
Make a LUKS keyfile.
```
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress
```
Encrypt the drive:
```
cryptsetup luksFormat --type luks2 -v /dev/mapper/MyVol-crypthome /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open /dev/mapper/MyVol-crypthome home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
```
Emergency
During installation, your new system might not boot. You usually have to change some stuff in the config files to get it to work.
You can boot from the Arch USB drive, and then `chroot` over to your stuff.
```
cryptsetup open /dev/mapper/MyVol-cryptroot root
mount /dev/mapper/root /mnt
mount /dev/sda1 /mnt/boot
arch-chroot /mnt
```
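Before rebooting (or from the chroot), it is worth checking the config files for the three mistakes that most often keep this exact layout from booting. The script below is an added example, not code from the original post or the Arch wiki; it runs against constructed sample copies of the files, and the HOOKS ordering it enforces (`lvm2` before `encrypt`, since the logical volume must exist before the initramfs can unlock it) is the one the Arch wiki gives for LUKS on LVM, which the post does not show.

```shell
# Added example (not from the original post): sanity-check the LUKS-on-LVM
# config files before rebooting. Paths are parameters, so it runs on /mnt/etc too.

# HOOKS in mkinitcpio.conf must list lvm2 before encrypt: the logical volume
# has to be activated before the initramfs can unlock it (LUKS on LVM).
hooks_order_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1")
    lvm=$(printf '%s\n' $hooks | grep -n '^lvm2$' | cut -d: -f1)
    enc=$(printf '%s\n' $hooks | grep -n '^encrypt$' | cut -d: -f1)
    [ -n "$lvm" ] && [ -n "$enc" ] && [ "$lvm" -lt "$enc" ]
}

# Every /dev/mapper/<name> in fstab must be the root mapping (opened by the
# encrypt hook from cryptdevice=...:<rootname>) or be declared in crypttab.
mapper_names_declared() {
    fstab=$1 crypttab=$2 rootname=$3 rc=0
    for name in $(awk '$1 ~ "^/dev/mapper/" {sub("/dev/mapper/", "", $1); print $1}' "$fstab"); do
        [ "$name" = "$rootname" ] && continue
        awk -v n="$name" '$1 == n {f=1} END {exit !f}' "$crypttab" ||
            { echo "fstab uses /dev/mapper/$name but crypttab has no entry for it" >&2; rc=1; }
    done
    return $rc
}

# The ESP was formatted with mkfs.fat, so the /boot entry must say vfat.
boot_fs_ok() {
    awk '$2 == "/boot" {f=1; t=$3} END {exit !(f && t == "vfat")}' "$1"
}

# Constructed sample files mirroring the post's layout, plus a broken fstab
# that repeats the ext4-on-/boot mistake (for demonstration only).
write_sample_etc() {
    mkdir -p "$1"
    printf 'HOOKS=(base udev autodetect modconf block lvm2 encrypt filesystems fsck)\n' > "$1/mkinitcpio.conf"
    printf 'swap /dev/mapper/MyVol-cryptswap /dev/urandom swap\ntmp /dev/mapper/MyVol-crypttmp /dev/urandom tmp\nhome /dev/mapper/MyVol-crypthome /etc/luks-keys/home\n' > "$1/crypttab"
    printf '/dev/mapper/root / ext4 defaults 0 1\n/dev/sda1 /boot vfat defaults 0 2\n/dev/mapper/tmp /tmp ext4 defaults 0 0\n/dev/mapper/swap none swap sw 0 0\n/dev/mapper/home /home ext4 defaults 0 2\n' > "$1/fstab"
    sed 's# /boot vfat # /boot ext4 #' "$1/fstab" > "$1/fstab.bad"
}

# check_layout ETCDIR ROOTNAME: succeeds only if all three checks pass.
check_layout() {
    hooks_order_ok "$1/mkinitcpio.conf" &&
    mapper_names_declared "$1/fstab" "$1/crypttab" "$2" &&
    boot_fs_ok "$1/fstab"
}

demo=$(mktemp -d) && write_sample_etc "$demo"
if check_layout "$demo" root; then echo "layout checks passed"; else echo "layout checks FAILED"; fi
rm -rf "$demo"
```

To use it on the real system, point the functions at the files under `/mnt/etc` (or `/etc` inside the chroot) with the mapping name from your `cryptdevice=` parameter, here `root`.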
Conclusion
I think that was about it. It is hard to recall all the steps on a different computer. I think that between this and Peter’s article, I should be able to replicate the process. For now, it is working and I’m going to get to installing all the fun stuff.