I wanted to install Arch because all the cool kids do it. Really, what I wanted was more control over the system and the decisions I had to make to get it to work. In the past, I have favored speed of installation and stability of the installation because I didn't want to spend time configuring stuff that didn't relate to what I wanted to accomplish. That basically means LTS Ubuntu.
So what changed? I think I am more comfortable with the idea of fighting through configuration changes to get my PC the way I want it. After running Ubuntu as a daily driver for 3 years, I'm frustrated with some of the decisions and find myself wanting to make my own choices. With Ubuntu, there would be a lot of stuff to remove if I wanted to make these kinds of decisions.
Also, I have almost nothing important stored locally, so removing the operating system isn't really a burden anymore. All my configs are in a git repo, and all my pictures are with Big Brother. I got my work laptop up and running in an hour with all my creds. I think that is the main reason I feel brave about doing the installation.
This is the main article that I will be working from.
AFTER finishing the whole thing by myself, I found this amazing article that basically summarizes the process. Peter does a great job of highlighting the steps to get where I did. One difference is that he appears to be using LVM on LUKS where I opted for LUKS on LVM.
When you install Arch, you're installing just GNU/Linux. Your goal is this:
That's it. A login prompt. From here, you make the decisions. This guide is going to cover what I did to get to this point.
Lenovo ThinkPad T450s ~2015
Note: I'm leaving this key. I mostly used it to track my progress during the installation.
- Installation Guide
- Motivation Guide
- Task List
- Make a Bootable Drive
- Internet Connection
- Disk Encryption
Make a Bootable Drive
You need to get the image you want to put on the USB Drive. I used the torrent link on this page.
Write Drive OSX
First, you need to identify the USB device. Open a terminal and list all storage devices with the command:
Your USB device will appear as something like /dev/disk2 (external, physical). Verify that this is the device you want to erase by checking its name and size and then use its identifier for the commands below instead of /dev/diskX.
A USB device is normally auto-mounted in macOS, and you have to unmount (not eject) it before block-writing to it with dd. In Terminal, do:
diskutil unmountDisk /dev/disk2
Now copy the ISO image file to the device. The dd command is similar to its Linux counterpart, but notice the ‘r’ before ‘disk’ for raw mode which makes the transfer much faster:
dd if=/Users/admin/Downloads/archlinux-2018.04.01-x86_64.iso of=/dev/rdisk2 bs=1m
Note diskX here should not include the s1 suffix, or else the USB device will only be bootable in UEFI mode and not legacy. After completion, macOS may complain that “The disk you inserted was not readable by this computer”. Select ‘Ignore’. The USB device will be bootable.
To boot to this drive I had to turn off Secure Boot in my ThinkPad BIOS. [unconfirmed]
In the pre-installation section, they recommend being able to connect to the Internet from the installation media.
You're going to need to be able to get an Internet connection from the command line.
Working set of commands:
systemctl stop [email protected][TAB]
ip link set wlp3s0 up
wpa_supplicant -B -i wlp3s0 -c <(wpa_passphrase drone50 [passphrase])
iw dev wlp3s0 link
dhcpcd wlp3s0
We are basically swapping out the “Partition the disks” section of the Installation Guide in favor of the encrypted instructions.
I think I want to use LUKS on LVM. This would allow me to have only my /home partition encrypted. The drawback here is that each of the partitions could require a different password.
This is IRREVERSIBLE
The source article for wiping the drive securely is here: dm-crypt wipe on an empty disk or partition. You want to do this because it fills the drive with random data that looks like encrypted data.
cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
lsblk    # verify size
dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
cryptsetup close to_be_wiped
Create Partition Table
lsblk gives a nice tree-style output of the currently available disks.
fdisk -l can be used as well.
I'm going to try to use parted to create /dev/sda2. This will be the boot drive (unencrypted) and the rest of the drive (LVM).
|/dev/sda2||LVM||100% of Free|
# parted
(parted) mkpart ESP fat32 1MiB 551MiB
(parted) set 1 esp on
(parted) set 1 boot on
(parted) mkpart primary ext4 551MiB 100%
(parted) quit
# lsblk
Preparing the logical volumes
On top of the physical partition /dev/sda2, we will create four logical partitions for /home. The motivation here is that LVM is good at managing these logical partitions and they could be theoretically resized in the future.
This created the logical volumes.
pvcreate /dev/sda2
vgcreate MyVol /dev/sda2
lvcreate -L 32G -n cryptroot MyVol
lvcreate -L 500M -n cryptswap MyVol
lvcreate -L 500M -n crypttmp MyVol
lvcreate -l 100%FREE -n crypthome MyVol
This created my root partition and set its password.
cryptsetup luksFormat --type luks2 /dev/mapper/MyVol-cryptroot
cryptsetup open /dev/mapper/MyVol-cryptroot root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt
Preparing the boot partition
Note that the instructions in the linked article mention using mkfs.ext4; this won't work with UEFI. I had to use:
mkfs.fat /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Now that you have the drives configured properly, you'll want to do the installation as normal. You have the drive mounted, and now you basically have to copy stuff from the Internet on to them.
Edit /etc/pacman.d/mirrorlist and put the US mirrors at the top of the list.
Run pacstrap /mnt base to install a bunch of stuff.
Follow the rest of the instructions; they worked just fine. At the end, you come to the Bootloader installation, and that's where things are different.
I picked grub.
You have to install it after you arch-chroot to the new system.
pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=arch_grub
# edit /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
To make sure that grub knows that this is your root partition. Then regenerate your
grub-mkconfig -o /boot/grub/grub.cfg
Encrypted Drive Config Files
# /etc/fstab
# /boot was formatted with mkfs.fat above, so its type is vfat, not ext4
/dev/mapper/root / ext4 defaults 0 1
/dev/sda1 /boot vfat defaults 0 2
/dev/mapper/tmp /tmp tmpfs defaults 0 0
/dev/mapper/swap none swap sw 0 0
/dev/mapper/home /home ext4 defaults 0 2
# /etc/crypttab
swap /dev/mapper/MyVol-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp /dev/mapper/MyVol-crypttmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256
home /dev/mapper/MyVol-crypthome /etc/luks-keys/home
Encrypting Home Directory
Make a luks keyfile.
mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress
Encrypt the drive:
cryptsetup luksFormat --type luks2 -v /dev/mapper/MyVol-crypthome /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open /dev/mapper/MyVol-crypthome home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home
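An added example, not part of the original post: a shell function that audits the crypttab and the keyfile set up above, flagging swap/tmp entries that do not use a random key and keyfiles or key directories that carry group/other permission bits. The function names, the optional root prefix and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# audit_crypttab CRYPTTAB [ROOT]: print one line per finding and return the
# number of findings. ROOT is an optional prefix such as /mnt on the live USB.
# Uses GNU stat (stat -c), as shipped on Arch.
audit_crypttab() {
    tab=$1 root=${2:-} n=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case ",$opts," in
        *,swap,*|*,tmp,*)   # re-created at every boot, so the key must be random
            case $key in
            /dev/urandom|/dev/random) ;;
            *) echo "$name: swap/tmp volume uses fixed key $key"; n=$((n + 1)) ;;
            esac
            continue ;;
        esac
        case $key in ''|none|-) continue ;; esac   # passphrase prompt, no file
        if [ ! -f "$root$key" ]; then
            echo "$name: keyfile $key not found"; n=$((n + 1)); continue
        fi
        # Any group/other permission bit on the keyfile or its directory is a finding.
        for p in "$root$key" "$(dirname "$root$key")"; do
            case $(stat -c %a "$p") in
            ?00) ;;
            *) echo "$name: $p is accessible to group/other"; n=$((n + 1)) ;;
            esac
        done
    done < "$tab"
    return "$n"
}

# Constructed sample tree: the crypttab from this page plus a keyfile with the
# mode dd leaves under umask 022 (644, inside a 700 directory).
make_sample() {
    d=$(mktemp -d)
    mkdir -p -m 700 "$d/etc/luks-keys"
    head -c 256 /dev/urandom > "$d/etc/luks-keys/home"
    chmod 644 "$d/etc/luks-keys/home"
    cat > "$d/etc/crypttab" <<'EOF'
swap /dev/mapper/MyVol-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp /dev/mapper/MyVol-crypttmp /dev/urandom tmp,cipher=aes-xts-plain64,size=256
home /dev/mapper/MyVol-crypthome /etc/luks-keys/home
EOF
    echo "$d"
}

s=$(make_sample)
rc=0; audit_crypttab "$s/etc/crypttab" "$s" || rc=$?
echo "findings: $rc"
rm -rf "$s"
```

On the sample tree the only finding is the 644 keyfile; `chmod 600` on the keyfile clears it.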
During installation, your new system might not boot. You usually have to change some stuff in the config files to get it to work. You can boot from the Arch USB drive, and then chroot over to your stuff.
cryptsetup open /dev/mapper/MyVol-cryptroot root
mount /dev/mapper/root /mnt
mount /dev/sda1 /mnt/boot
arch-chroot /mnt
I think that was about it. It is hard to recall all the steps on a different computer. I think that between this and Peter's article, I should be able to replicate the process. For now, it is working and I'm going to get to installing all the fun stuff.