Installing Arch Linux with Btrfs and Encryption

Tim Assavarat — Wed, 20 Jul 2022 01:01:04 +0000

For those looking to install Arch Linux, it is my hope that this guide will prove useful. Most of the information here is from https://wiki.archlinux.org/. The advantage of this guide is all the information being available on one opinionated page. This guide assumes that we know how to download an Arch Linux image and boot into it, along with the system booting into UEFI mode. We will be messing with our systems so I strongly recommend to read this guide carefully. With that out of the way let's begin.

Change console keymap

Those using a different keyboard layout may want to change the console keymap. To change to dvorak, run:

loadkeys dvorak

Connectivity

Next we will want to connect to the internet. If your device is plugged in via Ethernet cable then you should be good to go. Otherwise, we can connect to a Wi-Fi network using iwctl:

iwctl

Find out the name of your wireless device:

device list

Scan for networks:

station <device name> scan

List network SSID:

station <device name> get-networks

Connect to network:

station <device-name> connect <SSID>

Leave iwctl by sending a SIGINT signal with Ctrl+c.
Test connection:

ping archlinux.org

If we get a response then we can stop pinging using Ctrl+c.

Update system clock

With connectivity taken care of let's enable and start network time synchronisation:

timedatectl set-ntp true

Partitioning

Now we start the process for partitioning the disks. First we will identify disks in /proc/partitions:

fdisk -l

We are looking for a drive we want to install Arch on. The section labeled Disk model should help us identify what drive we want. In the image above, if we wanted to install on the SanDisk, the location of the block device would be /dev/sda.

Since we are going to encrypt our root directory, let's securely erase the drive. First, create a container called to_be_wiped:

cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped

Next we will zero out the container:

dd bs=1M if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

Then we close the container:

cryptsetup close to_be_wiped

With the drive erased, we will now use fdisk to partition the disk. fdisk is interactive and we will walk through the process together. First lets manipulate the drive we want to partition:

fdisk /dev/<block-device>

We can enter m to see the available commands. The first thing we want to do is create a new partition table. We can do that by entering g.
We need two partitions: An EFI system partition to boot and a root directory / partition to hold our data. Let's create them now with n.
We will be prompted to assign a partition number, leave it at the default by hitting enter. Similarly, leave the first sector at the default and hit enter. Our first partition will be 512M so for the last sector enter +512M.
Change the partition type with t then 1 for EFI.
Next we create another partition with n and leave everything at their default values.
If we enter p fdisk will print out our partition table and we should see something like this:

Finally, we write the partition table to disk with w.

Format partitions

We can now format the partitions. First we will format the boot partition, we are looking for the device with the type EFI System. Partition it to FAT32 and label it ESP with:

mkfs.fat -F32 -n ESP /dev/<boot-partition>

In order to encrypt our data, we will need to create a Linux Unified Key Setup (LUKS) partition. Look for the device with the type Linux filesystem. Format and label it ARCH_LUKS with:

cryptsetup luksFormat --label ARCH_LUKS /dev/<linux-partition>

After setting a password, let's open the LUKS partition and map it to the device name of cryptroot. If using a SSD, we can disable internal read and write workqueue for increased performance with encryption using cryptsetup --perf-no_read_workqueue --perf-no_write_workqueue --persistent open /dev/<luks-partition> cryptroot. Otherwise:

cryptsetup open /dev/<luks-partition> cryptroot

Our LUKS partition is now mapped to /dev/mapper/cryptroot. Next we'll finally format cryptroot to Btrfs and label it ARCH:

mkfs.btrfs -L ARCH /dev/mapper/cryptroot

List block devices and view filesystem info with lsblk:

lsblk -f

Mounting

We will first mount our Btrfs filesystem cryptroot. To improve performance we will disable access time metadata updates. We will also use ZSTD compression with a level of 1 to prioritise performance:

mount -o noatime,compress=zstd:1 /dev/mapper/cryptroot /mnt

Now that we have mounted cryptroot we will create subvolumes. Create root and home with:

btrfs subvolume create /mnt/root
btrfs subvolume create /mnt/home

Unmount cryptroot:

umount /mnt

We will now mount the subvolumes root and home at the appropriate locations instead of the toplevel subvolume. This is done to simplify the creation of snapshots:

mount -o noatime,compress=zstd:1,subvol=root /dev/mapper/cryptroot /mnt
mount --mkdir -o noatime,compress=zstd:1,subvol=home /dev/mapper/cryptroot /mnt/home

Finally mount the boot partition we previously created:

mount --mkdir /dev/<boot-partition> /mnt/boot

Install essential packages

Use pacstrap to install some packages so we can start using our system:

pacstrap /mnt base linux linux-firmware btrfs-progs networkmanager vim man-db man-pages

Fstab

Use genfstab to create a fstab file:

genfstab -L /mnt >> /mnt/etc/fstab

Chroot

chroot into our new system:

arch-chroot /mnt

Congratulations! We are now in our now system.

Time zone

Set the time zone, we can use tab completion to view possible options:

ln -sf /usr/share/zoneinfo/<region>/<city> /etc/localtime

Set the Hardware Clock:

hwclock --systohc

Localisation

We will use vim as our text editor to uncomment locales in /etc/locale.gen, we should at least uncomment en_US.UTF-8 UTF-8. Afterwards generate locales with:

locale-gen

create locale.conf and set the LANG variable:
vim /etc/locale.conf

LANG=en_US.UTF-8

If we previously changed the console keymap then make it persist with:
vim /etc/vconsole.conf

KEYMAP=dvorak

Network configuration

Create the hostname file and set the hostname as you wish, for example arch:
vim /etc/hostname

arch

Enable networkmanager so we will have connectivity once we leave the live environment:

systemctl enable NetworkManager

Initramfs

Since we are using encryption, we will need to edit mkinitcpio, the script used to create the initial ramdisk. Edit the file /etc/mkinitcpio.conf. Go to the HOOKS line that isn't commented out and replace udev with systemd, and add sd-vconsole (if we changed the keymap) and sd-encrypt hooks after keyboard. Then recreate initramfs:

mkinitcpio -P

Root password

Set the root password:

passwd

Boot loader

Next install GRUB bootloader and microcode updates. If using Intel processor, replace amd-ucode with intel-ucode:

pacman -S grub efibootmgr amd-ucode

We will now install the GRUB EFI application and its modules and name the bootloader GRUB using:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB

Let's edit our kernel parameters file. We previously labeled everything but unfortunately need the UUID of our ARCH_LUKS partition. Find the UUID with lsblk -f then edit /etc/default/grub:
All the following parameters need to be appended to GRUB_CMDLINE_LINUX_DEFAULT.
Unlock our device in initramfs by appending rd.luks.name=<UUID>=cryptroot.
Enable TRIM support, append rd.luks.options=discard.
Disable and blacklist watchdog module, append nowatchdog module_blacklist=iTCO_wdt.

Regenerate grub.cfg

grub-mkconfig -o /boot/grub/grub.cfg

Our work in chroot is done, exit out with exit or Ctrl+d and reboot.

Post-installation

After rebooting and decrypting our drive, we should be greeted with a login screen. The only user we have right now is root so enter that as our login username and supply the appropriate password.

Connectivity

If we need to connect to Wi-Fi, use nmcli:

nmcli device wifi list
nmcli device wifi connect <SSID> password <PASSWORD>

Package management

Arch usespacman as its package manager. Enable color output and parallel downloads by editing /etc/pacman.conf and uncommenting Color along with ParallelDownloads and changing the value from 5 to 10. We can also an arguably nicer progress bar by adding ILoveCandy right after ParallelDownloads.

Remaining packages

The choice of desktop environment if any at all is entirely up to the user. For the purposes of this guide we will be using GNOME.
The packages required for display drivers varies based on hardware. I will link the appropriate wiki pages where we can find the correct packages to install:
AMD
Intel
NVIDIA
An example for AMD would be:

pacman -S sudo pacman-contrib archlinux-contrib reflector mesa vulkan-radeon libva-mesa-driver gnome gnome-tweaks pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber firewalld $(pacman -Ssq noto-fonts)

The display driver packages are mesa vulkan-radeon libva-mesa-driver. mesa provides 3D acceleration, vulkan-radeon provides vulkan support, and accelerated video decoding is provided by libva-mesa-driver.

Users and groups

Let's create an unprivileged user and add it to the wheel group:

useradd -m -G wheel <user>
passwd <user>

Privilege elevation

We will use sudo to allow the user to run privileged commands. Since we have already added our user to the wheel group, we just need to uncomment %wheel ALL=(ALL) ALL:

EDITOR=vim visudo

We will use reflector to keep our mirrors up to date. To choose mirrors based in our country, and sort them by download rate. Edit /etc/xdg/reflector/reflector.conf, uncomment and update country and sort age to sort rate.

Let's enable some timers and services:

systemctl enable fstrim.timer paccache.timer reflector.timer gdm firewalld bluetooth

Finally reboot and login using our newly created user.

Finishing touches

After decrypting our drive and logging in we should now be inside the GNOME desktop environment. If we changed our keymap, then the GNOME login will unfortunately be in qwerty, we will fix that now.

Go to Settings->Keyboard and add in the desired keyboard layout. Next open terminal and enter (replacing us and dvorak with the appropriate text:

localectl set-x11-keymap us dvorak
localectl set-keymap dvorak

If you are the only user and don't wish to enter a password to login after decrypting our drive, we can go to Settings->Users click unlock and check Automatic Login. Since we are no longer root we need to use sudo to install packages. For tracking unowned files, zsh, firefox, and gvim we will install the following packages:

sudo pacman -S pacutils zsh grml-zsh-config firefox gvim

gvim will conflict with vim-minimal that we installed earlier. Enter y to remove vim-minimal.

Start and configure zsh:

zsh

Change zsh to our default shell:

chsh -s $(which zsh)

Make vim our default editor and enable wayland for Firefox by setting some environmental variables:

mkdir .config/environment.d

Create .config/environment.d/envvars.conf and have the following as the contents:

EDITOR=vim
MOZ_ENABLE_WAYLAND=1

Source the environmental variables by restarting gdm:

systemctl restart gdm

With that we are finally done! I hope this guide was helpful and we learned some things along the way.

DEV Community: Tim Assavarat

Installing Arch Linux with Btrfs and Encryption

Change console keymap

Connectivity

Update system clock

Partitioning

Format partitions

Mounting

Install essential packages

Fstab

Chroot

Time zone

Localisation

Network configuration

Initramfs

Root password

Boot loader

Post-installation

Connectivity

Package management

Remaining packages

Users and groups

Privilege elevation

Finishing touches