@0snap
Last active October 24, 2019 13:06
Setup Arch Linux with Simple DM-Crypt + LUKS on EFI Board with SSD


Read the Official Arch Installation Guide.

Done and tested with a new ThinkPad T490s.

Fetch and Burn Arch.iso

Download the image and the matching .sig file from here: https://www.archlinux.org/download/

$ gpg --keyserver-options auto-key-retrieve --verify archlinux-<VERSION>-x86_64.iso.sig
$ dd if=archlinux-<VERSION>-x86_64.iso of=/dev/sdX bs=16M status=progress && sync

auto-key-retrieve fetches whichever key matches the key ID embedded in the signature, so "Good signature" on its own only proves that the file matches some key. Compare the fingerprint gpg prints with the one Arch Linux publishes for the release signer before you trust the image. /dev/sdX is the whole stick, not a partition on it; check with lsblk first, dd does not ask.
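The fingerprint comparison above is the part people skip. The script below is an added example, not part of the gist: it runs the same gpg verification with machine-readable status output, accepts the ISO only if the VALIDSIG line carries a pinned fingerprint, and then checks sha256sums.txt from the release directory if that file is present. ARCH_ISO_KEY_FPR is a placeholder you must replace with the fingerprint published by Arch Linux; the status-line layout parsed here is gpg's documented --status-fd format.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: verify the ISO signature and pin the
# signing key's fingerprint, so a key that auto-key-retrieve happened to fetch
# is not trusted on the strength of "Good signature" alone.
# Assumptions: ARCH_ISO_KEY_FPR is a placeholder to be replaced with the
# fingerprint Arch Linux publishes for the release signer; the sha256sums.txt
# step only runs if that file was downloaded from the release directory.

ARCH_ISO_KEY_FPR="${ARCH_ISO_KEY_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# check_validsig EXPECTED_FPR  (gpg --status-fd output on stdin)
# Succeeds only on a VALIDSIG line whose signing-key or primary-key fingerprint
# equals EXPECTED_FPR; spaces and letter case in the expected value are ignored.
check_validsig() {
    local expected line fpr primary
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd>
                #         <pkalgo> <hashalgo> <class> [<primary-key-fpr>]
                # shellcheck disable=SC2086  (word splitting is intended here)
                set -- $line
                fpr=$3
                primary=${12:-$3}
                if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# verify_iso ISO [EXPECTED_FPR]: signature check against the pinned key,
# then the checksum list if it is sitting next to the ISO.
verify_iso() {
    local iso=$1 fpr=${2:-$ARCH_ISO_KEY_FPR}
    if ! gpg --keyserver-options auto-key-retrieve --status-fd 1 --verify "$iso.sig" "$iso" \
        | check_validsig "$fpr"; then
        echo "REJECT: $iso is not signed by key $fpr" >&2
        return 1
    fi
    if [ -f sha256sums.txt ]; then
        sha256sum --ignore-missing -c sha256sums.txt || return 1
    fi
    echo "OK: $iso signed by $fpr" >&2
}

# Usage: ./verify-iso.sh archlinux-<VERSION>-x86_64.iso
if [ "$#" -gt 0 ]; then verify_iso "$@"; fi
```

gpg writes the status lines to stdout when --status-fd 1 is given and keeps its human-readable messages on stderr, which is why the pipe only sees the machine output. The primary-key fingerprint is compared as well as the signing-key one because release signatures may be made with a subkey.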

Boot from Stick

Disable Secure Boot in the firmware setup (machines that shipped with Windows have it enabled). The Arch ISO is not signed for Secure Boot, and the systemd-boot setup below does not sign anything either, so it stays off unless you enroll your own keys afterwards.

Get Internet

$ wifi-menu

Wipe Disk

Be sure the disk is the right disk to wipe (check with lsblk). Open a plain dm-crypt container with a throwaway random key on the disk, zero it through the mapper, and close the container. The disk ends up filled with random-looking data, so encrypted content written later is indistinguishable from free space. On an SSD this is one full write of the drive and it does not reach blocks the controller has already remapped; use the drive's own secure-erase if that matters to you. See the drive-preparation wiki for more details.

$ cryptsetup open --type plain -d /dev/urandom /dev/nvme0n1 wipeme
$ dd if=/dev/zero of=/dev/mapper/wipeme status=progress bs=4M
$ cryptsetup close wipeme

Partition Disk

$ fdisk /dev/nvme0n1
# g .... create a new GPT label first (the disk was just wiped; an EFI System partition needs GPT)
# create EFI boot partition: n .... +512M .... t .... 1 (= EFI System)
# use the rest for the system partition: n .... defaults. The default type, Linux filesystem, is what you want; 83 is the MBR code and not a GPT type
# w .... write the table and exit

It should look somewhat like this:

$ lsblk
# NAME          MAJ:MIN RM    SIZE  RO TYPE  MOUNTPOINT
# nvme0n1       259:0    0    477G   0 disk  
# ├─nvme0n1p1   259:1    0    512M   0 part  
# └─nvme0n1p2   259:2    0  476.4G   0 part  

Format Boot Partition

$ mkfs.fat -F32 /dev/nvme0n1p1

Full-Disk Encryption

This follows plain LUKS_on_a_partition instructions.

Check cryptsetup --help and cryptsetup benchmark as your SSD might operate better with non-defaults.

The following command will prompt you for the disk passphrase. That passphrase is the only thing between the data and whoever picks up the laptop, so choose it accordingly. We will call the opened device cryptroot.

$ cryptsetup --use-random luksFormat /dev/nvme0n1p2
$ cryptsetup luksOpen /dev/nvme0n1p2 cryptroot

After this, your encrypted volume is available as /dev/mapper/cryptroot. Check what you got with cryptsetup luksDump /dev/nvme0n1p2 (current cryptsetup defaults to LUKS2 with aes-xts-plain64), and back up the LUKS header with cryptsetup luksHeaderBackup to a separate medium before you put data on the disk: a damaged header makes the volume unrecoverable no matter how well you remember the passphrase.

Virtual Partitions

You might want to read about LVM.

Note: When you have LVM partition/s, make sure to format and mount them instead of cryptroot in the following.

Format Partition/s

$ mkfs.ext4 -L root /dev/mapper/cryptroot

Mount

$ mount /dev/mapper/cryptroot /mnt      # arch will install here, on encrypted drive
$ mkdir /mnt/boot
$ mount /dev/nvme0n1p1 /mnt/boot        # unencrypted boot partition

Install Arch

You can alter the package bundles. linux will give you the standard kernel. wifi-menu belongs to netctl, which the base package does not pull in, so add netctl if you want the same tool after the reboot.

$ pacstrap /mnt base base-devel linux linux-firmware efibootmgr intel-ucode dialog wpa_supplicant zsh vim git sudo

Genfstab

$ genfstab -U /mnt >> /mnt/etc/fstab

If you have an SSD, consider changing relatime to noatime in the fstab for non-boot partitions. See FSTab atime_options.

Enter the New System

$ arch-chroot /mnt

Clock

$ ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
$ hwclock --systohc

Hostname & Hosts

$ echo MY_HOSTNAME > /etc/hostname

See the official installguide#network_configuration for /etc/hosts file details.

Localization

Uncomment your locale/s in /etc/locale.gen

$ vim /etc/locale.gen                           # e.g., en_US.UTF-8
$ locale-gen
$ echo LANG=en_US.UTF-8 > /etc/locale.conf

localectl set-locale would do the same on a running system, but it talks to systemd over D-Bus and fails inside arch-chroot; writing /etc/locale.conf directly is what the install guide does.

User Setup

$ passwd                                                            # root password
$ useradd -m -g users -G wheel,power -s /bin/zsh <YOUR_USER_NAME>
$ passwd <YOUR_USER_NAME>                                           # password for your user

wheel is the group the sudo rule below relies on. useradd refuses groups that do not exist, so drop power (or any other group) if your system has no such group.

Sudo Setup

Edit the sudoers file with visudo (it syntax-checks before saving; a broken sudoers locks you out of sudo) and give your user appropriate rights. Since the user is in wheel, uncommenting the existing %wheel rule is the usual choice; a per-user line works too.

$ visudo
# e.g., <YOUR_USER_NAME> ALL=(ALL) ALL

Configure mkinitcpio

$ vim /etc/mkinitcpio.conf

Important:

  • Add the encrypt hook to the HOOKS array, after block and before filesystems. Without it the initramfs has no dm-crypt support, the cryptdevice= option in the boot entry is silently ignored, and the kernel will not find its root.
  • Keep keyboard (and keymap, if you set one) before encrypt, otherwise the passphrase prompt may not accept input on some keyboards.
  • If you have virtual partitions in your crypto volume, i.e., you are using LVM, you must add the lvm2 hook, after encrypt.
  • If you have a swap partition, read about hibernation and the resume hook.
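The hook order is easy to get wrong and mkinitcpio does not complain about it. The checker below is an added example, not part of the gist: it reads the HOOKS array from a mkinitcpio.conf and applies the ordering rules listed above (encrypt present, block and keyboard before it, filesystems and, for LVM, lvm2 after it). Run it as check_hooks /etc/mkinitcpio.conf (add yes as second argument if root is on LVM) before mkinitcpio -P.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: check the HOOKS array of a mkinitcpio.conf
# for an encrypted root before building the initramfs. The ordering rules are
# the ones from the Arch dm-crypt/mkinitcpio wiki.

# hooks_from_conf FILE -> entries of the last uncommented HOOKS=(...) line, one per line
hooks_from_conf() {
    local line
    line=$(sed -n 's/^[[:space:]]*HOOKS=(\(.*\))[[:space:]]*$/\1/p' "$1" | tail -n 1)
    # shellcheck disable=SC2086  (word splitting is the point)
    set -- $line
    [ "$#" -gt 0 ] && printf '%s\n' "$@"
}

# hook_index NAME HOOK... -> 0-based position of NAME in the list, or -1
hook_index() {
    local name=$1 i=0
    shift
    for h in "$@"; do
        [ "$h" = "$name" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    echo -1
}

# check_hooks FILE [yes|no: root is on LVM] -> 0 if the order is usable,
# 1 with the findings on stdout
check_hooks() {
    local file=$1 lvm=${2:-no} rc=0
    local enc blk kbd fs lvm2
    # shellcheck disable=SC2046  (word splitting is the point)
    set -- $(hooks_from_conf "$file")
    [ "$#" -gt 0 ] || { echo "FAIL: no HOOKS=(...) line in $file"; return 1; }
    enc=$(hook_index encrypt "$@"); blk=$(hook_index block "$@")
    kbd=$(hook_index keyboard "$@"); fs=$(hook_index filesystems "$@")
    lvm2=$(hook_index lvm2 "$@")
    if [ "$enc" -lt 0 ]; then
        echo "FAIL: encrypt hook missing; cryptdevice= on the kernel line will be ignored"; rc=1
    else
        [ "$blk" -ge 0 ] && [ "$blk" -lt "$enc" ] || { echo "FAIL: block must come before encrypt"; rc=1; }
        [ "$kbd" -ge 0 ] && [ "$kbd" -lt "$enc" ] || { echo "FAIL: keyboard must come before encrypt (passphrase prompt)"; rc=1; }
        [ "$fs" -gt "$enc" ] || { echo "FAIL: filesystems must come after encrypt"; rc=1; }
        if [ "$lvm" = yes ]; then
            [ "$lvm2" -gt "$enc" ] || { echo "FAIL: root on LVM needs lvm2 after encrypt"; rc=1; }
        fi
    fi
    [ "$rc" -eq 0 ] && echo "OK: HOOKS=($*)"
    return "$rc"
}

# Usage: check_hooks /etc/mkinitcpio.conf [yes]   (then mkinitcpio -P)
if [ "$#" -gt 0 ]; then check_hooks "$@"; fi
```

The stock Arch HOOKS line of the time, base udev autodetect modconf block filesystems keyboard fsck, fails this check twice: no encrypt hook, and keyboard after the place where encrypt would go.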

Build initrd

Build kernel with your wanted presets

$ mkinitcpio -p linux   # for linux preset
$ mkinitcpio -P         # for all presets (per default there should only be `linux`)

Install Missing Firmware

You may encounter warnings like WARNING: Possibly missing firmware for module XXX.

For the ThinkPad T490s I got:

  • wd719x
  • aic94xx

Both are drivers for SCSI/SAS host adapters that a T490s does not have, so this particular warning is harmless. If the missing firmware is for hardware you actually use, install it via AUR if possible or directly from git. Note: do this as non-root user. I prefer to use yay for installing AUR packages.

Install yay

Yay is an AUR helper (like yaourt). It's written in Go, new, fast, actively maintained...

$ su - <YOUR_USER_NAME>                             # take identity of your user
$ git clone https://aur.archlinux.org/yay.git
$ cd yay
$ makepkg -si
$ exit                                              # exit your user, switches back to root

Note: In case you installed missing firmware, don't forget to call mkinitcpio -P again, to create the initrd properly.

Systemd-boot (gummiboot)

See the configuration wiki.

$ bootctl --path=/boot install
$ echo default arch >> /boot/loader/loader.conf             # name `arch`. You can change that
$ echo timeout 3 >> /boot/loader/loader.conf
$ echo console-mode max >> /boot/loader/loader.conf
$ echo editor no >> /boot/loader/loader.conf                # keep this: with the editor on, anyone at the console can change kernel options at boot

Create Bootloader Entry with Name arch

$ touch /boot/loader/entries/arch.conf                      # config must have name as your `default` in `/boot/loader/loader.conf`

Find out the UUID of /dev/nvme0n1p2 (the LUKS partition itself, not the opened mapper device). You can type it from a photo, but blkid with -s UUID -o value prints only that one value for a device, so redirecting it into the entry file and editing around it is less error-prone.

$ blkid

Replace <YOUR_UUID> with the UUID of /dev/nvme0n1p2.

See the adding_loaders wiki. See also the wiki for SSD kernel parameters.

$ vim /boot/loader/entries/arch.conf

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<YOUR_UUID>:cryptroot root=/dev/mapper/cryptroot rw
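Instead of retyping the UUID, the script below writes the entry from blkid output and then checks the one thing that silently breaks boot when typed by hand: the mapper name after the colon in cryptdevice= must be the same name as in root=/dev/mapper/. This is an added example and not part of the gist; the entry layout, the file names and the name cryptroot are taken from the entry above, and the UUID used for the demonstration is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the gist: generate the systemd-boot entry from the
# LUKS partition's UUID and check that cryptdevice= and root= agree.
# Assumes the gist's layout: kernel, intel-ucode and initramfs in /boot,
# the opened LUKS device called cryptroot.

# render_entry UUID [MAPPER] [TITLE] -> entry text on stdout
render_entry() {
    local uuid=$1 mapper=${2:-cryptroot} title=${3:-Arch Linux}
    printf 'title %s\n' "$title"
    printf 'linux /vmlinuz-linux\n'
    printf 'initrd /intel-ucode.img\n'
    printf 'initrd /initramfs-linux.img\n'
    printf 'options cryptdevice=UUID=%s:%s root=/dev/mapper/%s rw\n' "$uuid" "$mapper" "$mapper"
}

# entry_consistent FILE -> 0 if the options line carries a plausible UUID and
# the same mapper name on both sides; prints the problem otherwise
entry_consistent() {
    local opts uuid mapper root
    opts=$(sed -n 's/^options[[:space:]]*//p' "$1")
    uuid=$(printf '%s\n' "$opts" | sed -n 's/.*cryptdevice=UUID=\([^:]*\):.*/\1/p')
    mapper=$(printf '%s\n' "$opts" | sed -n 's/.*cryptdevice=UUID=[^:]*:\([^ ]*\).*/\1/p')
    root=$(printf '%s\n' "$opts" | sed -n 's|.*root=/dev/mapper/\([^ ]*\).*|\1|p')
    case "$uuid" in
        ????????-????-????-????-????????????) ;;
        *) echo "FAIL: cryptdevice UUID missing or malformed: '$uuid'"; return 1 ;;
    esac
    if [ -n "$(printf '%s' "$uuid" | tr -d '0-9a-fA-F-')" ]; then
        echo "FAIL: UUID contains non-hex characters: '$uuid'"; return 1
    fi
    if [ -z "$mapper" ] || [ "$mapper" != "$root" ]; then
        echo "FAIL: cryptdevice opens '$mapper' but root= points at '/dev/mapper/$root'"; return 1
    fi
    echo "OK: $uuid -> /dev/mapper/$mapper"
}

# install_entry DEVICE [NAME]: read the UUID with blkid and write
# /boot/loader/entries/NAME.conf, then check it
install_entry() {
    local dev=$1 name=${2:-arch} uuid out
    uuid=$(blkid -s UUID -o value "$dev") || return 1
    out=/boot/loader/entries/$name.conf
    render_entry "$uuid" > "$out"
    entry_consistent "$out"
}

# Usage (as root, inside the chroot): install_entry /dev/nvme0n1p2 arch
if [ "$#" -gt 0 ]; then install_entry "$@"; fi
```

NAME must match the default line in /boot/loader/loader.conf, which is arch in this setup; blkid is queried for the raw partition because the UUID of /dev/mapper/cryptroot belongs to the ext4 filesystem inside and is useless to the encrypt hook.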

Exit, Unmount All, and Reboot

$ exit
$ umount -R /mnt
$ reboot            # remove thumbdrive before reboot

Troubleshooting

You can always come back with the live-iso, in case you messed something up.

Boot again from the stick, then luksOpen the device. Mount the mapped device to /mnt as before. Don't forget to mount /mnt/boot. Afterwards you can continue wherever you mixed up your installation/config.

$ cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
$ mount /dev/mapper/cryptroot /mnt
$ mount /dev/nvme0n1p1 /mnt/boot
$ arch-chroot /mnt