Skip to content

Instantly share code, notes, and snippets.

@dargmuesli

dargmuesli/arch-setup.md

Last active February 8, 2025 21:48
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dargmuesli/961202927629cad227a5b9e50ea8b1a8 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dargmuesli/961202927629cad227a5b9e50ea8b1a8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
arch-setup.md

Arch setup

Erase

Source: https://wiki.archlinux.org/title/Solid_state_drive/Memory_cell_clearing

SATA

Make sure SSD is not frozen.

  • sudo hdparm -I /dev/sdX | grep frozen

Enable security by setting a user password.

  • sudo hdparm --user-master u --security-set-pass PasSWorD /dev/sdX

Check if it says "enabled".

  • sudo hdparm -I /dev/sdX

SATA secure erase.

  • sudo hdparm --user-master u --security-erase PasSWorD /dev/sdX

Check if it says "not enabled".

  • sudo hdparm -I /dev/sdX

NVMe

Verify support:

  • nvme id-ctrl /dev/nvme0 -H | grep -E 'Format |Crypto Erase|Sanitize'

Crypto erase:

  • nvme sanitize /dev/nvme0 -a start-crypto-erase

Block erase (optional):

  • nvme sanitize /dev/nvme0 -a start-block-erase

Fill (optional)

Open.

  • sudo cryptsetup open --type plain -d /dev/urandom /dev/sdX to_be_wiped

Verify existence.

  • lsblk

Write all.

  • sudo dd if=/dev/zero of=/dev/mapper/to_be_wiped status=progress

Close.

  • sudo cryptsetup close to_be_wiped

EFI Partition

Create.

  • sudo gdisk /dev/nvme0n1
  • n
  • <default> (1)
  • <default> (e.g. 2048)
  • +500M
  • ef00
  • w
  • Y

Format.

  • sudo mkfs.fat -F32 /dev/nvme0n1p1

LUKS Partition

Create.

  • sudo gdisk /dev/nvme0n1
  • n
  • <default> (2)
  • <default> (e.g. 1026048)
  • +867G
  • 8309
  • w
  • Y

Install Windows

To the end of the drive. Run powercfg -h off in an administrator command prompt.

LUKS Setup

  • cryptsetup luksFormat --pbkdf pbkdf2 /dev/nvme0n1pX (remove pbkdf downgrade once https://savannah.gnu.org/bugs/?59409 is resolved)
  • cryptsetup open /dev/nvme0n1pX cryptlvm
  • pvcreate /dev/mapper/cryptlvm
  • vgcreate VolGrp /dev/mapper/cryptlvm
  • lvcreate -L 250G VolGrp -n root
  • lvcreate -L 250G VolGrp -n home
  • lvcreate -l 100%FREE VolGrp -n data
  • mkfs.ext4 /dev/VolGrp/root
  • mkfs.ext4 /dev/VolGrp/home
  • mkfs.ext4 /dev/VolGrp/data
  • mkswap /dev/VolGrp/swap
  • mount /dev/VolGrp/root /mnt
  • mkdir /mnt/home
  • mount /dev/VolGrp/home /mnt/home
  • swapon /dev/VolGrp/swap
  • mkdir /mnt/efi
  • mount /dev/nvme0n1p1 /mnt/efi

Install Arch Linux

  • loadkeys de-latin1
  • cat /sys/firmware/efi/fw_platform_size should return 64
  • connect to the internet
    • iwctl
    • station list
    • station wlan0 get-networks
    • station wlan0 connect <SSID_NAME>
    • input password and exit (ctrl+c)
  • ping archlinux.org
  • timedatectl should return correct time
  • echo "Server = https://archive.archlinux.org/repos/2024/06/28/$repo/os/$arch" > /etc/pacman.d/mirrorlist
  • pacstrap /mnt base base-devel efibootmgr git gnome grub intel-ucode linux linux-firmware lvm2 networkmanager ntfs-3g os-prober rsync vim zsh
  • mv /mnt/etc/fstab /mnt/etc/fstab.orig
  • genfstab -U /mnt >> /mnt/etc/fstab
  • arch-chroot /mnt
  • systemctl enable gdm
  • systemctl enable NetworkManager
  • systemctl enable bluetooth
  • ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
  • hwclock --systohc
  • vim /etc/locale.gen, uncomment en_US.UTF-8
  • locale-gen
  • vim /etc/locale.conf, set LANG=en_US.UTF-8
  • vim /etc/vconsole.conf, set KEYMAP=de-latin1
  • vim /etc/hostname, set hostname

  • vim /etc/mkinitcpio.conf, set HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

  • passwd, set root password

  • useradd -U -G users,wheel -m -s /bin/zsh jonas (keep /bin/bash if you don't have a .zshrc at hand)

  • visudo, uncomment the first %wheel line

  • mkdir -m 700 /etc/cryptsetup-keys.d

  • dd bs=512 count=4 if=/dev/random of=/etc/cryptsetup-keys.d/cryptlvm.key iflag=fullblock

  • chmod 600 /etc/cryptsetup-keys.d/cryptlvm.key

  • cryptsetup -v luksAddKey /dev/sda3 /etc/cryptsetup-keys.d/cryptlvm.key

  • add /etc/cryptsetup-keys.d/cryptlvm.key to /etc/mkinitcpio.conf

  • mkinitcpio -P

  • vim /etc/default/grub

    • to GRUB_CMDLINE_LINUX add cryptdevice=UUID=<device-UUID>:cryptlvm cryptkey=rootfs:/etc/cryptsetup-keys.d/cryptlvm.key,
    • to GRUB_CMDLINE_LINUX_DEFAULT add resume=/dev/VolGrp/swap,
    • to GRUB_PRELOAD_MODULES addlvm,
    • set GRUB_DISABLE_OS_PROBER=false and
    • set GRUB_ENABLE_CRYPTODISK=y

  • grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --recheck

  • grub-mkconfig -o /boot/grub/grub.cfg

  • git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si

  • yay -S oh-my-zsh-git

Reenable Windows Fastboot

  • powercfg -h on, as described above.

Restore Data

  • copy: sudo rsync --acls --archive --checksum --hard-links --numeric-ids --sparse --xattrs --info=progress2 /mnt/data_old/X /mnt/data/
  • check: sudo rsync --acls --archive --checksum --delete --dry-run --hard-links --numeric-ids --sparse --verbose --xattrs /mnt/data_old/X /mnt/data/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment