Installing Arch

I wanted to install Arch because all the cool kids do it. Really, what I wanted was more control over the system and the decisions I had to make to get it to work. In the past, I have favored speed of installation and stability of the installation because I didn’t want to spend time configuring stuff that didn’t relate to what I wanted to accomplish. That basically means LTS Ubuntu.

So what changed? I think I am more comfortable with the idea of fighting through configuration changes to get my PC the way I want it. After running Ubuntu as a daily driver for 3 years, I’m frustrated with some of the decisions and find myself wanting to make my own choice. With Ubuntu, there would be a lot of stuff to remove if I wanted to make these kinds of decisions.

Also, I have almost nothing important stored locally, so removing the operating system isn’t really a burden anymore. All my configs are in a git repo, and all my pictures are with Big Brother. I got my work laptop up and running in an hour with all my creds. I think that is the main reason I feel brave about doing the installation.

Installation Guide

This is the main article that I will be working from.

AFTER finishing the whole thing by myself, I found this amazing article that basically summarizes the process. Peter does a great job of highlighting the steps to get where I did. One difference is that he appears to be using LVM on LUKS where I opted for LUKS on LVM.

Motivation Guide

When you install Arch, you’re installing just GNU/Linux. Your goal is this:

That’s it. A login prompt. From here, you make the decisions. This guide is going to cover what I did to get to this point.

Hardware

Lenovo ThinkPad T450s ~2015

Incomplete
Unnecessary
🔴 Error
🔵 Success

Note: I’m leaving this key. I mostly used it to track my progress during the installation.

Task List

Make a Bootable Drive

Download Image

You need to get the image you want to put on the USB Drive. I used the torrent link on this page.

Write Drive OSX

Source Article.

First, you need to identify the USB device. Open a terminal and list all storage devices with the command:

diskutil list

Your USB device will appear as something like /dev/disk2 (external, physical). Verify that this is the device you want to erase by checking its name and size and then use its identifier for the commands below instead of /dev/diskX.

A USB device is normally auto-mounted in macOS, and you have to unmount (not eject) it before block-writing to it with dd. In Terminal, do:

diskutil unmountDisk /dev/disk2

Now copy the ISO image file to the device. The dd command is similar to its Linux counterpart, but notice the ‘r’ before ‘disk’ for raw mode which makes the transfer much faster:

dd if=/Users/admin/Downloads/archlinux-2018.04.01-x86_64.iso of=/dev/rdisk2 bs=1m

Note diskX here should not include the s1 suffix, or else the USB device will only be bootable in UEFI mode and not legacy. After completion, macOS may complain that “The disk you inserted was not readable by this computer”. Select ‘Ignore’. The USB device will be bootable.

Booting

To boot to this drive I had to turn off Secure Boot in my ThinkPad BIOS. [unconfirmed]

Internet Connection

In the pre-installation section, they recommend being able to connect to the Internet from the installation media.

You’re going to need to be able to get an Internet connection from the command line.

Working set of commands:

systemctl stop dhcpcd@[TAB]
ip link set wlp3s0 up
wpa_supplicant -B -i wlp3s0 -c <(wpa_passphrase drone50 [passphrase])
iw dev wlp3s0 link
dhcpcd wlp3s0

Disk Encryption

Source Article.

We are basically swapping out the “Partition the disks” section of the Installation Guide in favor of the encrypted instructions.

I think I want to use LUKS on LVM. This would allow me to have only my /home partition encrypted. The drawback here is that each of the partitions could require a different password.

Drive Wipe

This is IRREVERSIBLE

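The source article for wiping the drive securely is here: dm-crypt wipe on an empty disk or partition. You want to do this because it fills the drive with random data that looks like the encrypted data you will write later. The commands below open the whole disk as a plain dm-crypt mapping with a random key from /dev/urandom and write zeros through it, so what lands on the disk is ciphertext.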

cryptsetup open --type plain -d /dev/urandom /dev/sda to_be_wiped
lsblk    # verify size
dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress bs=1M
cryptsetup close to_be_wiped

Create Partition Table

lsblk gives a nice tree-style output of the currently available disks. fdisk -l can be used as well.

I’m going to try to use parted to create /dev/sda1 and /dev/sda2. This will be the boot drive (unencrypted) and the rest of the drive (LVM).

Device      Partition   Size
/dev/sda1   /boot       200MiB
/dev/sda2   LVM         100% of Free

# parted /dev/sda
(parted) mklabel gpt
(parted) mkpart ESP fat32 1MiB 551MiB
(parted) set 1 esp on
(parted) set 1 boot on
(parted) mkpart primary ext4 551MiB 100%
(parted) quit
# lsblk

Preparing the logical volumes

Article

On top of the physical partition /dev/sda2, we will create four logical partitions for /, swap, /tmp, and /home. The motivation here is that LVM is good at managing these logical partitions and they could be theoretically resized in the future.

This created the logical volumes.

pvcreate /dev/sda2
vgcreate MyVol /dev/sda2
lvcreate -L 32G -n cryptroot MyVol
lvcreate -L 500M -n cryptswap MyVol
lvcreate -L 500M -n crypttmp MyVol
lvcreate -l 100%FREE -n crypthome MyVol

This created my root partition and set its password.

cryptsetup luksFormat --type luks2 /dev/mapper/MyVol-cryptroot
cryptsetup open /dev/mapper/MyVol-cryptroot root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt

Preparing the boot partition

Note that the instructions in the linked article mention using mkfs.ext4. This won’t work with UEFI; I had to use fat.

mkfs.fat /dev/sda1
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot

Installation

Now that you have the drives configured properly, you’ll want to do the installation as normal. You have the drive mounted, and now you basically have to copy stuff from the Internet on to them.

Normal Procedure

Edit /etc/pacman.d/mirrorlist and put the US mirrors at the top of the list.

pacstrap /mnt base to install a bunch of stuff.

Follow the rest of the instructions, they worked just fine. At the end, you come to the Bootloader installation, and that’s where things are different.

Bootloader

I picked grub.

You have to install it after you arch-chroot to the new system.

pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=arch_grub
# edit /etc/default/grub as shown below
grub-mkconfig -o /boot/grub/grub.cfg

In /etc/default/grub:

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/mapper/MyVol-cryptroot:root root=/dev/mapper/root"

This makes sure that grub knows that this is your root partition. Then regenerate your grub.cfg:

grub-mkconfig -o /boot/grub/grub.cfg

Encrypted Drive Config Files

/etc/fstab

/dev/mapper/root        /       ext4            defaults        0       1
/dev/sda1               /boot   vfat            defaults        0       2
/dev/mapper/tmp         /tmp    tmpfs           defaults        0       0
/dev/mapper/swap        none    swap            sw              0       0
/dev/mapper/home        /home   ext4            defaults        0       2

/etc/crypttab

swap   /dev/mapper/MyVol-cryptswap   /dev/urandom    swap,cipher=aes-xts-plain64,size=256
tmp    /dev/mapper/MyVol-crypttmp    /dev/urandom    tmp,cipher=aes-xts-plain64,size=256
home   /dev/mapper/MyVol-crypthome   /etc/luks-keys/home
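
A consistency check for the kernel command line, /etc/crypttab and /etc/fstab shown above, as an added example that is not part of the original post: every /dev/mapper name that fstab mounts has to be opened by either cryptdevice= or a crypttab line, and a crypttab entry keyed from /dev/urandom only makes sense with the swap or tmp option. The function names and the BAD_CRYPTTAB sample are hypothetical, and the sample text is constructed from the snippets on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Sample text is constructed from
# the GRUB, crypttab and fstab snippets on this page.
CMDLINE='cryptdevice=/dev/mapper/MyVol-cryptroot:root root=/dev/mapper/root'
CRYPTTAB='swap /dev/mapper/MyVol-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
tmp  /dev/mapper/MyVol-crypttmp  /dev/urandom tmp,cipher=aes-xts-plain64,size=256
home /dev/mapper/MyVol-crypthome /etc/luks-keys/home'
FSTAB='/dev/mapper/root /     ext4  defaults 0 1
/dev/sda1        /boot vfat  defaults 0 2
/dev/mapper/tmp  /tmp  tmpfs defaults 0 0
/dev/mapper/swap none  swap  sw       0 0
/dev/mapper/home /home ext4  defaults 0 2'
# Constructed mistake: tmp line dropped, home keyed like swap but without options.
BAD_CRYPTTAB='swap /dev/mapper/MyVol-cryptswap /dev/urandom swap,cipher=aes-xts-plain64,size=256
home /dev/mapper/MyVol-crypthome /dev/urandom'

# Mapping names that will exist at boot: the dmname field of
# cryptdevice=device:dmname[:options] plus the first column of crypttab.
mapped_names() {   # $1 = kernel cmdline, $2 = crypttab text
    for arg in $1; do
        case $arg in
            cryptdevice=*) printf '%s\n' "${arg#cryptdevice=}" | cut -d: -f2 ;;
        esac
    done
    printf '%s\n' "$2" | awk '$1 !~ /^#/ && NF >= 2 { print $1 }'
}

# Print one finding per line; no output means the three files agree.
crypt_findings() { # $1 = kernel cmdline, $2 = crypttab text, $3 = fstab text
    names=$(mapped_names "$1" "$2" | tr '\n' ' ')
    # fstab mounts a /dev/mapper name that nothing opens: the mount fails at boot.
    printf '%s\n' "$3" | awk -v names="$names" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^\/dev\/mapper\// { m = substr($1, 13); if (!(m in ok)) print "unmapped:" m }'
    # A fresh random key each boot cannot reopen old data; it needs swap or tmp,
    # which re-create the filesystem on every boot.
    printf '%s\n' "$2" | awk '
        $1 !~ /^#/ && $3 ~ /^\/dev\/u?random$/ && $4 !~ /(^|,)(swap|tmp)(,|$)/ {
            print "random-key-without-reformat:" $1 }'
}

echo "page config:";   crypt_findings "$CMDLINE" "$CRYPTTAB" "$FSTAB"
echo "broken config:"; crypt_findings "$CMDLINE" "$BAD_CRYPTTAB" "$FSTAB"
```

To check a live system from the chroot, pass the real contents instead of the samples, for example "$(cat /etc/crypttab)" and "$(cat /etc/fstab)".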

Encrypting Home Directory

Make a luks keyfile.

mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=256 status=progress

Encrypt the drive:

cryptsetup luksFormat --type luks2 -v /dev/mapper/MyVol-crypthome /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open /dev/mapper/MyVol-crypthome home
mkfs.ext4 /dev/mapper/home
mount /dev/mapper/home /home

Emergency

During installation, your new system might not boot. You usually have to change some stuff in the config files to get it to work. You can boot from the Arch USB drive, and then chroot over to your stuff.

cryptsetup open /dev/mapper/MyVol-cryptroot root
mount /dev/mapper/root /mnt
mount /dev/sda1 /mnt/boot
arch-chroot /mnt

Conclusion

I think that was about it. It is hard to recall all the steps on a different computer. I think that between this and Peter’s article, I should be able to replicate the process. For now, it is working and I’m going to get to installing all the fun stuff.