Szwendacz/Arch-install-encrypted-btrfs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update locales conf, update markdown formatting

Browse source
This commit is contained in:
Maciej Lebiest 2021-07-25 16:20:59 +02:00 committed by GitHub
parent 2eb3d0c374
commit 8e8d57a1f2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 217 additions and 155 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

372
README.md
View file

@ -1,260 +1,322 @@
# Install Arch Linux with encrypted filesystem(optional) and on btrfs partition (UEFI) # Install Arch Linux with encrypted filesystem(optional) and on btrfs partition (UEFI)
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation_Guide](https://wiki.archlinux.org/index.php/Installation_Guide) Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
it is always good to consult with official guide, cause arch config might change in time it is always good to consult with official guide, cause arch config might change in time
For setting up different locale than pl check official guide For setting up different locale, check official guide
# 1. Boot ISO # 1. Boot ISO
### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/) ### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
### Put on pedrive ### Put on pedrive
>dd if=archlinux.img of=/dev/sdX bs=16M && sync ```bash
dd if=archlinux.img of=/dev/sdX bs=16M && sync
```
### Boot from the usb. ### Boot from the usb.
### Set keymap ### Set keymap
>loadkeys pl ```bash
loadkeys pl
```
### Update clock ### Update clock
>timedatectl set-ntp true ```bash
timedatectl set-ntp true
### Optionally (recommended) update mirrorlist ```
>reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist ### Optionally (recommended) update mirrorlist
```bash
reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
```
# 2. Prepare Disk # 2. Prepare Disk
### Update btrfs-progs ### Update btrfs-progs
>pacman -Syy btrfs-progs ```bash
pacman -Syy btrfs-progs
### Display disks setup ```
>fdisk -l ### Display disks setup
```bash
fdisk -l
```
### Create partitions (if you have not already) ### Create partitions (if you have not already)
>fdisk /dev/sdX ```bash
fdisk /dev/sdX
```
1. 100MB EFI partition 1. 100MB EFI partition
2. 100% size partiton # ( encrypted optionally) for BTRFS, this partition will require formatting AFTER encryption if you do encryption 2. 100% size partiton # ( encrypted optionally) for BTRFS, this partition will require formatting AFTER encryption if you do encryption
### Swap will be as file in its own subvolume ### Swap will be as file in its own subvolume
```bash
>mkfs.vfat -F32 /dev/sdX1 mkfs.vfat -F32 /dev/sdX1
```
### ----------------- encryption (optional) ------------------ ### ----------------- encryption (optional) ------------------
### Setup the encryption of the system, don't use letters outside en-us keyboard like ąęć etc. for password ### Setup the encryption of the system, don't use letters outside en-us keyboard like ąęć etc. for password
### Grub have some kind of support for luks2 now but still cannot decrypt luks2, so specify luks1 for now ### Grub have some kind of support for luks2 now but still cannot decrypt luks2, so specify luks1 for now
>cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2 ```bash
cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2
>cryptsetup luksOpen /dev/sdX2 MainPart cryptsetup luksOpen /dev/sdX2 MainPart
```
### Formatting as btrfs now when it is already encrypted ### Formatting as btrfs now when it is already encrypted
>mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart ```bash
mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
```
### ---------------- end of encryption ------------------------ ### ---------------- end of encryption ------------------------
### Format the partition if not yet formatted: ### Format the partition if not yet formatted:
>pacman -Syy btrfs-progs ```bash
pacman -Syy btrfs-progs
>mkfs.btrfs -L "Arch Linux" /dev/sdX2 mkfs.btrfs -L "Arch Linux" /dev/sdX2
```
### Mount partition to be able to create btrfs subvolumes ### Mount partition to be able to create btrfs subvolumes
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: ### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
>mount /dev/sdX2 /mnt ```bash
mount /dev/sdX2 /mnt
```
## Create subvolumes ## Create subvolumes
### Using more complicated sheme, (but there actually is only need for separate @swap subvolume , other files can be on default top subvolume) ### Using more complicated sheme, (but there actually is only need for separate @swap subvolume , other files can be on default top subvolume)
```bash
>btrfs su cr /mnt/@ btrfs su cr /mnt/@
>btrfs su cr /mnt/@swap btrfs su cr /mnt/@swap
>btrfs su cr /mnt/@home btrfs su cr /mnt/@home
>btrfs su cr /mnt/@var btrfs su cr /mnt/@var
>btrfs su cr /mnt/@tmp btrfs su cr /mnt/@tmp
>btrfs su cr /mnt/@snapshots
btrfs su cr /mnt/@snapshots
```
#### disable copy on write on var, tmp and swap #### disable copy on write on var, tmp and swap
>chattr +C /mnt/@var ```bash
>chattr +C /mnt/@tmp chattr +C /mnt/@var
>chattr +C /mnt/@swap chattr +C /mnt/@tmp
chattr +C /mnt/@swap
>umount /mnt umount /mnt
```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: ### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
>mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt ```bash
mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
>mkdir /mnt/swap mkdir /mnt/swap
>mkdir /mnt/home mkdir /mnt/home
>mkdir /mnt/var mkdir /mnt/var
>mkdir /mnt/tmp mkdir /mnt/tmp
>mkdir /mnt/snapshots mkdir /mnt/snapshots
>mkdir /mnt/efi # for EFI partition /dev/sdX1 mkdir /mnt/efi # for EFI partition /dev/sdX1
```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart ### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart
### for swap subvolume add nodatacow option to disable CoW (works only if its separate partition) ### for swap subvolume add nodatacow option to disable CoW (works only if its separate partition)
### Discard ssd and noatime are for ssd disks only ### Discard ssd and noatime are for ssd disks only
```bash
mount -o defaults,noatime,nodatacow,discard,ssd,subvol=@swap /dev/sdX2 /mnt/swap
mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@var /dev/sdX2 /mnt/var
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi
>mount -o defaults,noatime,nodatacow,discard,ssd,subvol=@swap /dev/sdX2 /mnt/swap ```
>mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
>mount -o defaults,noatime,discard,ssd,subvol=@var /dev/sdX2 /mnt/var
>mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
>mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
>mount /dev/sdX1 /mnt/efi
# 3. Install Arch Linux # 3. Install Arch Linux
### Select the mirror to be used if not updated with reflector on start ### Select the mirror to be used if not updated with reflector on start
>nano /etc/pacman.d/mirrorlist ```bash
nano /etc/pacman.d/mirrorlist
```
### This command can be customized with additional packages ### This command can be customized with additional packages
>pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo ```bash
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
### Use genfstab with -U parameter if no encryption ```
>genfstab /mnt >> /mnt/etc/fstab ### Use genfstab with -U parameter if no encryption
```bash
### If using swapfile check if nodatacow is added for @swap genfstab /mnt >> /mnt/etc/fstab
>nano /mnt/etc/fstab ```
### If using swapfile check if nodatacow is added for @swap
```bash
vim /mnt/etc/fstab
```
# 4. Configure the system # 4. Configure the system
### Switch to installed system root user ### Switch to installed system root user
>arch-chroot /mnt /bin/bash ```bash
arch-chroot /mnt /bin/bash
```
### Nano can be usefull when editing config files ### Nano can be usefull when editing config files
>pacman -Syy nano ```bash
pacman -Syy nano
```
### Setup system clock ### Setup system clock
>ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime ```bash
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
```
>hwclock --systohc --utc >hwclock --systohc --utc
### Set the hostname ### Set the hostname in `/etc/hostname`
>/etc/hostname ```test
>>myhostname myhostname
```
### Edit vconsole ### Edit vconsole in `/etc/vconsole.conf`
>/etc/vconsole.conf ```text
>>KEYMAP=pl KEYMAP=pl
>>FONT=Lat2-Terminus16.psfu.gz FONT=Lat2-Terminus16.psfu.gz
>>FONT_MAP=8859-2 FONT_MAP=8859-2
```
### Setup locale ### Setup locale
### Uncomment pl_PL.UTF-8 in /etc/locale.gen and then: ### Uncomment pl_PL.UTF-8 in /etc/locale.gen and then run:
>locale-gen ```bash
locale-gen
### Update locale ```
>/etc/locale.conf ### Update locale in `etc/locale.conf`
>>LANG=pl_PL.UTF-8 ```text
>>LC_ALL=pl_PL.UTF-8 LANG=en_US.UTF-8
LC_COLLATE=pl_PL.UTF-8
### Hosts LC_MEASUREMENT=pl_PL.UTF-8
>/etc/hosts LC_MONETARY=pl_PL.UTF-8
>>127.0.0.1 localhost LC_NUMERIC=pl_PL.UTF-8
>>::1 localhost LC_TIME=pl_PL.UTF-8
>>127.0.1.1 myhostname.localdomain myhostname ```
### Hosts in `/etc/hosts`
```text
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
```
### Now create 4GiB swap file. nodatacow is already on @swap but if you follow exactly then @swap is on same partition as other subvolumes and nodatacow will not work for whole subvolume so you need to disavle CoW manualy : ### Now create 4GiB swap file. nodatacow is already on @swap but if you follow exactly then @swap is on same partition as other subvolumes and nodatacow will not work for whole subvolume so you need to disavle CoW manualy :
>touch /swap/swapfile ```bash
touch /swap/swapfile
```
### Check if C attribute is enabled with ### Check if C attribute is enabled with
>lsattr /swap/swapfile' ```bash
lsattr /swap/swapfile'
```
### If not then disable COW for swapfile manually: ### If not then disable COW for swapfile manually:
>chattr +C /swap/swapfile ```bash
chattr +C /swap/swapfile
```
### Expanding empty file to 4GiB swap file ### Expanding empty file to 4GiB swap file
>dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096 ```bash
dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
>chmod 600 /swap/swapfile
chmod 600 /swap/swapfile
```
### Format the swap file. ### Format the swap file.
>mkswap /swap/swapfile ```bash
mkswap /swap/swapfile
```
### Turn swap file on. ### Turn swap file on.
>swapon /swap/swapfile ```bash
swapon /swap/swapfile
### You also need to update /etc/fstab to mount swapfile on boot: ```
>/etc/fstab ### You also need to update `/etc/fstab` to mount swapfile on boot:
>>/swap/swapfile none swap sw 0 0 ```text
/swap/swapfile none swap sw 0 0
```
### Set password for root ### Set password for root
>passwd ```bash
passwd
```
### Add real user ### Add real user
>useradd -m MYUSERNAME ```bash
useradd -m MYUSERNAME
>passwd MYUSERNAME passwd MYUSERNAME
```
### Configure mkinitcpio with modules needed for the initrd image ### Configure mkinitcpio with modules needed for the initrd image
>nano /etc/mkinitcpio.conf ```bash
vim /etc/mkinitcpio.conf
```
### Remove 'fsck' and add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems ### Remove 'fsck' and add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems
### If no encryption then only remove fsck and add on that place btrfs ### If no encryption then only remove fsck and add on that place btrfs
>HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...) ```text
HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)
```
###### optionally add BINARIES=(/usr/bin/btrfs) for rescue? ###### optionally add BINARIES=(/usr/bin/btrfs) for rescue?
### Regenerate initrd images ### Regenerate initrd images
>mkinitcpio -P ```bash
mkinitcpio -P
```
# 5. Install bootloader # 5. Install bootloader
### Setup grub (UEFI) ### Setup grub (UEFI)
>pacman -S grub efibootmgr os-prober dosfstools mtools ```bash
pacman -S grub efibootmgr os-prober dosfstools mtools
```
### -------------encryption only--------------------- ### -------------encryption only---------------------
>nano /etc/default/grub #### edit `/etc/default/grub`
>>GRUB_ENABLE_CRYPTODISK=y ```text
GRUB_ENABLE_CRYPTODISK=y
```
### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config ### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
>blkid ```bash
blkid
```
### Now set this line including proper UUID in place of "\<device-UUID>": ### Now set this line including proper UUID in place of "\<device-UUID>":
#### (temporarly you can use /dev/sdX2 in place of "UUID=\<device-UUID>" and change it later easy in gui mode) #### (temporarly you can use /dev/sdX2 in place of "UUID=\<device-UUID>" and change it later easy in gui mode)
>/etc/default/grub edit `/etc/default/grub`
>>GRUB_CMDLINE_LINUX="cryptdevice=UUID=\<device-UUID>:MainPart:allow-discards" ```text
GRUB_CMDLINE_LINUX="cryptdevice=UUID=\<device-UUID>:MainPart:allow-discards"
```
### allow-discards is only for ssd ### allow-discards is only for ssd
### Generate key so grub don't ask twice for password on boot ### Generate key so grub don't ask twice for password on boot
>dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock ```bash
>chmod 600 /crypto_keyfile.bin dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
>chmod 600 /boot/initramfs-linux* chmod 600 /crypto_keyfile.bin
>cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
```
### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path ### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Crypto_keyfile.bin is the default name that kernel will guess anyway ### Crypto_keyfile.bin is the default name that kernel will guess anyway
### Now add this file to mkinitcpio.conf ### Now add this file to `/etc/mkinitcpio.conf`
>/etc/mkinitcpio.conf ```text
>>FILES=(/crypto_keyfile.bin) FILES=(/crypto_keyfile.bin)
```
>mkinitcpio -P then run:
```bash
mkinitcpio -P
```
### -------------encryption end--------------------- ### -------------encryption end---------------------
### Install ### Install
>grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB ```bash
>grub-mkconfig -o /boot/grub/grub.cfg grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
```
### Exit new system ### Exit new system
>exit ```bash
exit
```
### Unmount all partitions ### Unmount all partitions
>swapoff -a ```bash
>umount -R /mnt swapoff -a
umount -R /mnt
```
### Reboot into the new system, don't forget to remove the CD/pendrive ### Reboot into the new system, don't forget to remove the CD/pendrive
>reboot ```bash
reboot
```
### or ### or
>shutdown now ```bash
shutdown now
```
## Addtitional tips ## Addtitional tips
### To get proper locale and keymap, check: ### To get proper locale and keymap, check:
>localectl status ```bash
localectl status
```
### On KDE plasma , also set settings > ... > keyboard layout && regional settings ### On KDE plasma , also set settings > ... > keyboard layout && regional settings