Install Arch Linux with full encrypted btrfs subvolume inside luks
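# Install Arch Linux with full encrypted btrfs subvolume inside luks
# Hardware: BIOS system, Intel GPU, Nvidia Optimus, Toshiba SSD, Wifi
# Please adjust for your needs.
# filename: install-arch-linux-on-btrfs-subvolume-inside-luks.txt
# The official guide: https://wiki.archlinux.org/index.php/Installation_Guide
#
# NOTE: this is a transcript of an interactive installation, not a script to
# run unattended. Some lines are typed into iwctl or inside arch-chroot, some
# are the contents of config files (/etc/mkinitcpio.conf, /etc/default/grub),
# and several steps end in a reboot. Those non-shell parts are kept as comments.

# Download the archiso image from https://www.archlinux.org/download/
# Copy to a usb-drive (replace /dev/sdx with the usb device; dd overwrites it)
dd bs=4M if=archlinux.iso of=/dev/sdx status=progress oflag=sync # on linux

# Boot from the usb.
# Set your keymap
loadkeys es

# Connect to Internet:
# Ethernet - plug in the cable
# WLAN - use iwctl utility
# WWAN - use mmcli utility
# Connect to WLAN using wlan0 (interactive; it prompts for the passphrase):
iwctl
#   [iwd]# station wlan0 connect SSID
# or directly connect from zsh. With this form the passphrase lands in the
# shell history and is visible in the process list while iwctl runs, so the
# interactive form above is preferable.
iwctl --passphrase passphrase station wlan0 connect SSID

# Check connection (the original had a typo, "archilinux.org")
ping archlinux.org

# Create a primary partition - entire disk
parted -s /dev/sda mklabel msdos
parted -s /dev/sda mkpart primary 2048s 100%

# Create luks container (luks1 for compatibility with grub).
# luks1 only offers PBKDF2 for the passphrase (no argon2), so passphrase
# strength matters; --iter-time can raise the unlock cost if desired.
cryptsetup --type luks1 --cipher aes-xts-plain64 --hash sha512 \
  --use-random --verify-passphrase luksFormat /dev/sda1
# Worth keeping a header backup off the disk once everything works:
#   cryptsetup luksHeaderBackup /dev/sda1 --header-backup-file <backup-file>

# Create btrfs filesystem
cryptsetup open /dev/sda1 archlinux
mkfs.btrfs --force --label archlinux -n 32k /dev/mapper/archlinux

# ... and subvolumes
mount -t btrfs -o compress=lzo /dev/mapper/archlinux /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@snapshots

# Unmount and remount with the correct subvolumes
umount /mnt

# Mount options
o=defaults,x-mount.mkdir
o_btrfs=$o,compress=zstd,ssd,noatime,nodiratime,space_cache

# Remount the partitions. $o_btrfs already selects compress=zstd; the original
# additionally passed compress=lzo on each line, which conflicts with it, so
# only one compression option is given here.
mount -o subvol=@,$o_btrfs /dev/mapper/archlinux /mnt
mount -o subvol=@home,$o_btrfs /dev/mapper/archlinux /mnt/home
mount -o subvol=@snapshots,$o_btrfs /dev/mapper/archlinux /mnt/.snapshots

# Install the system, wifi and some tools.
# 'base' no longer pulls in a kernel, so linux and linux-firmware are listed
# explicitly; without them 'mkinitcpio -p linux' and grub-mkconfig below have
# nothing to work with.
pacstrap /mnt base base-devel linux linux-firmware btrfs-progs snapper zsh mlocate htop \
  net-tools wireless_tools wpa_supplicant dialog vim \
  intel-ucode grub aria2 hping elinks bash-completion

# Generate fstab
genfstab -L -p /mnt >> /mnt/etc/fstab

# Enter the new system (everything from here to 'exit' runs inside the chroot)
arch-chroot /mnt /bin/bash

# Setup system clock (-f replaces /etc/localtime if pacstrap already created it)
ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime
hwclock --systohc --utc

# Set the hostname
echo arch > /etc/hostname

# Generate and set default locale
vim /etc/locale.gen
# Uncomment en_US.UTF-8
locale-gen
echo LANG=en_US.utf8 >> /etc/locale.conf
echo LANGUAGE=en_US >> /etc/locale.conf
# NOTE: LC_ALL overrides LANG and every LC_* variable, so LC_ALL=C effectively
# disables the UTF-8 locale configured just above. Drop it unless the C locale
# is really what you want system-wide.
echo LC_ALL=C >> /etc/locale.conf

# Set virtual console lang and font
echo KEYMAP=es > /etc/vconsole.conf
echo FONT=Lat2-Terminus16 >> /etc/vconsole.conf

# Set password for root
passwd

# Create user
useradd -m -G wheel angel
passwd angel

# Configure mkinitcpio
vim /etc/mkinitcpio.conf
# --- contents of /etc/mkinitcpio.conf ---
# Early modules load
MODULES=(atkbd intel_agp i915)
# Embed btrfs to initramfs
BINARIES=(/usr/sbin/btrfs)
# Add 'encrypt' to HOOKS before filesystems. 'keyboard' and 'keymap' are
# placed before 'encrypt' so the passphrase prompt works with USB keyboards
# and uses the KEYMAP from vconsole.conf; the original had keyboard after
# encrypt and no keymap hook, so the prompt would have used the US layout.
HOOKS="base udev autodetect modconf block keyboard keymap encrypt filesystems fsck"
# --- end of /etc/mkinitcpio.conf ---
# Regenerate initrd image
mkinitcpio -p linux

# Setup grub
# Edit /etc/default/grub, add GRUB_ENABLE_CRYPTODISK=y and GRUB_DISABLE_SUBMENU=y
# allow-discards passes TRIM through LUKS; it lets an observer of the raw disk
# tell which blocks are unused (see the dm-crypt wiki on discard/TRIM).
GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda1:archlinux:allow-discards"

# Extra kernel options to add to GRUB_CMDLINE_LINUX (for old laptop 2011-2012)
# https://forum.manjaro.org/t/howto-power-savings-setup-20180906/1445
# (kept as comments: these are kernel parameters, not shell commands)
# ACPI
#   acpi_osi=Linux acpi_osi='!Windows 2012' acpi=force acpi_enforce_resources=lax
# i915
#   i915.modeset=1 i915.fastboot=1 i915.enable_rc6=1 i915.enable_fbc=1 i915.lvds_downclock=1 i915.semaphores=1
# Various power saving and performance settings.
# SECURITY: spectre_v2=off and nopti turn off the Spectre v2 and Meltdown (KPTI)
# mitigations, and vsyscall=emulate keeps the legacy vsyscall page mapped.
# They buy speed on old hardware at the cost of CPU-vulnerability hardening;
# leave them out on a machine that runs untrusted code (browsers, VMs).
#   net.ifnames=0 spectre_v2=off nopti nowatchdog vsyscall=emulate ath9k.ps_enable=1 pcie_aspm=force ipv6.disable=1
# Audit
#   audit=1 audit_backlog_limit=8192
# Quiet boot
#   quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_priority=3
# My actual CMDLINE for ThinkPad T480s (same spectre_v2=off/nopti caveat;
# ec_sys.write_support=1 additionally lets root write embedded-controller
# registers from userspace)
#   BOOT_IMAGE=/vmlinuz-linux-zen root=/dev/mapper/archlinux rw rootflags=subvol=root \
#   cryptdevice=/dev/nvme0n1p4:archlinux:allow-discards rd.luks.options=discards rw \
#   acpi_osi=! "acpi_osi=Windows 2018" acpi=force acpi_enforce_resources=lax drm.vblankoffdelay=1 acpi_backlight=native \
#   i915.modeset=1 i915.fastboot=1 i915.enable_psr=1 i915.enable_guc=3 i915.enable_fbc=1 \
#   net.ifnames=0 spectre_v2=off nopti nowatchdog vsyscall=emulate audit=1 audit_backlog_limit=8192 \
#   fan_control=1 psmouse.elantech_smbus=0 ec_sys.write_support=1 \
#   quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_priority=3

# Install grub and create configuration
grub-install --target=i386-pc /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg

# Exit new system and go into the cd shell
exit

# Unmount all partitions
umount -R /mnt

# Reboot into the new system, don't forget to remove the usb
reboot

# Create keyfile for passwordless unlock (as root in the new system).
# umask 077 makes the file root-only from the moment it exists; the original
# created it world-readable and only tightened the mode after another reboot.
( umask 077; dd bs=512 count=4 if=/dev/urandom of=/crypto_keyfile.bin )
cryptsetup luksAddKey /dev/sda1 /crypto_keyfile.bin
# and add to /etc/mkinitcpio.conf. The key is then embedded in the initramfs
# in cleartext; that is only acceptable because /boot lives inside the LUKS
# container here (single encrypted partition, GRUB_ENABLE_CRYPTODISK=y).
FILES=(/crypto_keyfile.bin)
# run:
mkinitcpio -p linux

# Reboot again, you'll only need to enter your password once.
reboot

# Secure keyfile and /boot
chmod 000 /crypto_keyfile.bin # actually, even root doesn't need to access this
chmod -R g-rwx,o-rwx /boot # just to be safe

# Optional: Install Aur helper, X, WM, Software and Configure the System
# Install AUR helper - yaourt
# NOTE: yaourt is discontinued; substitute a maintained AUR helper here and in
# the 'yaourt -S' line at the end. Whatever helper is used, build and inspect
# PKGBUILDs as the regular user, never as root.
wget https://aur.archlinux.org/cgit/aur.git/snapshot/package-query.tar.gz
wget https://aur.archlinux.org/cgit/aur.git/snapshot/yaourt.tar.gz
# Install as regular user (extract, run makepkg, pacman -U)
# TODO: Update the installed packages. Finish configuration.

# Install Zen Kernel, X, DE, some basic tools.
# These are two separate commands; the original joined them with a trailing
# backslash, which made the second 'pacman -S' part of the first argument list.
pacman -S linux-zen linux-zen-headers irqbalance cpupower x86_energy_perf_policy
pacman -S xorg-server xf86-video-intel xf86-video-nouveau xf86-input-synaptics \
  xorg-xbacklight xorg-xinit xterm rxvt-unicode compton openbox tint2 \
  conky dmenu volumeicon slock feh nitrogen scrot xarchiver p7zip \
  unzip unrar rfkill ttf-liberation ttf-droid ttf-hack terminus-font \
  powertop wget whois ethtool archey3 gvim

# Look and feel
pacman -S gtk-engine-murrine numix-themes faenza-icon-theme

# Office programs
# Some graphics applications
pacman -S gimp inkscape dia mtpaint gpicview graphicsmagick cups-pdf simple-scan

# Utilities
pacman -S stardict-lite aspell-en aspell-es hunspell-en hunspell-es \
  mythes-en mythes-es hyphen-en hyphen-es perl-file-mimeinfo \
  keepassx cherrytree zim gprename galculator gsimplecal

# System tools.
# The original had 'dnsutils\' with no space before the backslash (gluing it to
# the next line's first word) and repeated ifplugd, gvfs, dnsutils and grsync.
pacman -S bleachbit nethogs gparted dosfstools ntfs-3g grsync gsmartcontrol \
  lxterminal lxappearance lxtask obconf geany scite sshfs gpart \
  nmap macchanger ghex yajl pssh wpa_actiond ifplugd gvfs dnsutils \
  xdotool alsa-plugins alsa-utils lsof

# Multimedia
pacman -S avidemux-gtk audacity guvcview gtk-recordmydesktop pragha winff \
  handbrake mpv easytag smplayer deadbeef gst-plugins-bad \
  gst-plugins-ugly gst-libav openshot libquicktime \
  frei0r-plugins flashplayer youtube-dl rtmpdump atomicparsley

# Network
pacman -S pidgin pidgin-otr purple-skypeweb linphone xchat transmission-gtk \
  uget filezilla claws-mail opera wireshark-gtk openvpn pptpclient \
  xl2tpd torsocks

# Virtualisation
pacman -S virtualbox virtualbox-host-dkms wine winetricks

# Nvidia Optimus
pacman -S --needed bumblebee primus bbswitch-dkms libva-intel-driver \
  libva-mesa-driver libva-vdpau-driver mesa-vdpau nvidia-dkms \
  nvidia-utils nvidia-settings mesa-demos

# Development
pacman -S nginx-mainline php php-apcu php-fpm php-gd php-mcrypt php-snmp \
  php-tidy composer apache nghttp2 lighttpd openvpn \
  mariadb xdebug nodejs ruby npm colordiff git jdk8-openjdk

# Security
pacman -S rkhunter clamav gufw

# AUR packages (see the yaourt note above)
yaourt -S ananicy-git cdw csslint dbeaver freeplane freshplayerplugin gtk-theme-numix-sx icecat-bin \
  lostfiles nodejs-jshint pepper-flash playerctl profile-cleaner purple-facebook purple-hangouts-hg \
  virtualbox-ext-oracle clipit spacefm-git scite sublime-text-dev megasync thermald genymotion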
You are right - it's not necessary... or better say, we are both right - one needs to add
cryptkey
in case the key is not named crypto_keyfile.bin. From the Arch Wiki dm-crypt Device Encryption page: In my case, I've named it differently (just following some steps from some other guide I found), so I needed the
cryptkey
argument included. Sorry for bothering you, I've just started diving deeper into Arch Linux and there is so much information that I just overlooked this one. Anyway, thanks for sharing your script, it gave me a few good pointers!