Small rework

This commit is contained in:
Maciej Lebiest 2022-02-16 21:10:29 +01:00 committed by GitHub
parent 97455800f4
commit f32097bc53
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

README.md

@ -1,186 +1,257 @@
# Install Arch Linux with encrypted filesystem(optional) and on btrfs partition (UEFI) # ArchLinux install encrypted btrfs
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
it is always good to consult with official guide, cause arch config might change in time # Install Arch Linux on EFI system with full filesystem (including /boot) encrypted and on btrfs partition
For setting up different locale, check official guide
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation\_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
it is always good to consult with official guide, cause arch config might change in time
For setting up different locale, or better explanations check out Arch Wiki
## 1. Boot ISO
#### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
#### Put on pendrive
# 1. Boot ISO
### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
### Put on pedrive
```bash ```bash
dd if=archlinux.img of=/dev/sdX bs=16M && sync dd if=archlinux.img of=/dev/sdX bs=16M && sync
``` ```
### Boot from the usb.
### Set keymap #### Boot from the USB.
#### Optional (**experimental** approach to have desktop environment during install):
##### Extend writable space so you can install basic desktop in live environment and for example use gparted for partitioning or open this tutorial in web browser or whatever you want.
<p class="callout warning">Remember this area is saved in your RAM, so make sure you have enough of it</p>
```
mount -o remount,size=5G /run/archiso/cowspace
pacman -Syy plasma-desktop glibc konsole xorg
pacman -Scc
startplasma-wayland
```
#### Set key map
```bash ```bash
loadkeys pl loadkeys pl
``` ```
### Update clock
#### Update clock
```bash ```bash
timedatectl set-ntp true timedatectl set-ntp true
``` ```
### Optionally (recommended) update mirrorlist
#### Optionally (recommended) update mirrorlist
```bash ```bash
reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
``` ```
# 2. Prepare Disk
### Update btrfs-progs ## 2. Prepare Disk
#### Update btrfs-progs
```bash ```bash
pacman -Syy btrfs-progs pacman -Syy btrfs-progs
``` ```
### Display disks setup
#### Display disks and partitions
```bash ```bash
fdisk -l lsblk
``` ```
### Create partitions (if you have not already)
#### Create partitions (if you have not already)
```bash ```bash
fdisk /dev/sdX fdisk /dev/sdX
``` ```
1. 100MB EFI partition 1. 100MB EFI partition
2. 100% size partiton # ( encrypted optionally) for BTRFS, this partition will require formatting AFTER encryption if you do encryption 2. 100% size partiton # ( encrypted optionally) for BTRFS partition, this partition will require formatting AFTER encryption if you do encryption
### Swap will be as file in its own subvolume
```bash ##### Swap will bin in file with CoW disabled, which will be prepared later
#### Format EFI partition
```Bash
mkfs.vfat -F32 /dev/sdX1 mkfs.vfat -F32 /dev/sdX1
``` ```
### ----------------- encryption (optional) ------------------ ##### ----------------- encryption (optional) ------------------
#### Setup the encryption of the system,
<p class="callout info">Don't use regional letters (not in en-us keyboard) like ąęć etc. for password. This requires additional steps, which are not covered by this tutorial.</p>
#### Grub have some kind of support for luks2, but not entirely, so for more fail-safe setup use luks1
### Setup the encryption of the system, don't use letters outside en-us keyboard like ąęć etc. for password
### Grub have some kind of support for luks2 now but still cannot decrypt luks2, so specify luks1 for now
```bash ```bash
cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2 cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2
cryptsetup luksOpen /dev/sdX2 MainPart cryptsetup luksOpen /dev/sdX2 MainPart
``` ```
### Formatting as btrfs now when it is already encrypted ### Formatting as btrfs now when it is already encrypted
```bash ```bash
mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
``` ```
### ---------------- end of encryption ------------------------ ##### ---------------- end of encryption ------------------------
#### Format the partition if not yet formatted:
### Format the partition if not yet formatted:
```bash ```bash
pacman -Syy btrfs-progs pacman -Syy btrfs-progs
mkfs.btrfs -L "Arch Linux" /dev/sdX2 mkfs.btrfs -L "Arch Linux" /dev/sdX2
``` ```
### Mount partition to be able to create btrfs subvolumes
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: #### Mount partition to be able to create btrfs subvolumes
##### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
```bash ```bash
mount /dev/sdX2 /mnt mount /dev/sdX2 /mnt
``` ```
## Create subvolumes
### Using more complicated sheme, (but there actually is only need for separate @swap subvolume , other files can be on default top subvolume) #### Create subvolumes
##### This scheme can be adjusted to your needs, I'd suggest at least one subvolume for root (@) and one for snapshots (@snapshots). varlog and tmp are created to easily disable Copy on Write on` /var/log` and `/tmp`.
```bash ```bash
btrfs su cr /mnt/@ btrfs su cr /mnt/@
btrfs su cr /mnt/@swap
btrfs su cr /mnt/@home btrfs su cr /mnt/@home
btrfs su cr /mnt/@var btrfs su cr /mnt/@varlog
btrfs su cr /mnt/@tmp btrfs su cr /mnt/@tmp
btrfs su cr /mnt/@snapshots btrfs su cr /mnt/@snapshots
```
#### disable copy on write on var, tmp and swap
```bash
chattr +C /mnt/@var
chattr +C /mnt/@tmp
chattr +C /mnt/@swap
umount /mnt
``` ```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart:
##### Disable copy on write on `/var/log` and `/tmp`
```bash
chattr +C /mnt/@varlog
chattr +C /mnt/@tmp
umount /mnt
```
#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
```bash ```bash
mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
mkdir /mnt/swap
mkdir /mnt/home mkdir /mnt/home
mkdir /mnt/var mkdir -p /mnt/var/log
mkdir /mnt/tmp mkdir /mnt/tmp
mkdir /mnt/snapshots mkdir /mnt/snapshots
mkdir /mnt/efi # for EFI partition /dev/sdX1 mkdir /mnt/efi # for EFI partition /dev/sdX1
``` ```
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart
### for swap subvolume add nodatacow option to disable CoW (works only if its separate partition)
### Discard ssd and noatime are for ssd disks only
```bash
mount -o defaults,noatime,nodatacow,discard,ssd,subvol=@swap /dev/sdX2 /mnt/swap
#### Discard and ssd options and are for ssd disks only
#### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**
```bash
mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@var /dev/sdX2 /mnt/var mount -o defaults,noatime,discard,ssd,subvol=@varlog /dev/sdX2 /mnt/var/log
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi mount /dev/sdX1 /mnt/efi
``` ```
# 3. Install Arch Linux # 3. Install Arch Linux
### Select the mirror to be used if not updated with reflector on start #### Select the mirror to be used if not updated with reflector on start
```bash ```bash
nano /etc/pacman.d/mirrorlist vim /etc/pacman.d/mirrorlist
``` ```
### This command can be customized with additional packages
#### Install base system:
##### This command can be customized with additional packages (**btrfs-progs is necessary to let the system boot up from btrfs partition !**)
```bash ```bash
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
``` ```
### Use genfstab with -U parameter if no encryption
#### Generate fstab:
##### Use genfstab with -U parameter if no encryption
```bash ```bash
genfstab /mnt >> /mnt/etc/fstab genfstab /mnt >> /mnt/etc/fstab
``` ```
### If using swapfile check if nodatacow is added for @swap
```bash
vim /mnt/etc/fstab
```
####
# 4. Configure the system # 4. Configure the system
### Switch to installed system root user #### Switch to installed system root user
```bash ```bash
arch-chroot /mnt /bin/bash arch-chroot /mnt /bin/bash
``` ```
### Nano can be usefull when editing config files #### Nano can be usefull when editing config files
```bash ```bash
pacman -Syy nano pacman -Syy nano
``` ```
### Setup system clock
#### Setup system clock
```bash ```bash
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
hwclock --systohc --utc hwclock --systohc --utc
``` ```
### Set the hostname in `/etc/hostname` #### Set the hostname in `/etc/hostname`
```test ```test
myhostname myhostname
``` ```
### Edit vconsole in `/etc/vconsole.conf`
#### Edit vconsole in `/etc/vconsole.conf`
```text ```text
KEYMAP=pl KEYMAP=pl
FONT=Lat2-Terminus16.psfu.gz FONT=Lat2-Terminus16.psfu.gz
FONT_MAP=8859-2 FONT_MAP=8859-2
``` ```
### Setup locale
### Uncomment pl_PL.UTF-8 in /etc/locale.gen and then run: #### Setup locale
##### Uncomment pl\_PL.UTF-8 in /etc/locale.gen and then run:
```bash ```bash
locale-gen locale-gen
``` ```
### Update locale in `etc/locale.conf`
#### Update locale in `etc/locale.conf`
```text ```text
LANG=en_US.UTF-8 LANG=en_US.UTF-8
LC_COLLATE=pl_PL.UTF-8 LC_COLLATE=pl_PL.UTF-8
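Review bot: the root mount `mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt` (and the subvolume mounts after it) passes `discard` through a LUKS mapping that the encryption step opens with a plain `cryptsetup luksOpen /dev/sdX2 MainPart`; without `--allow-discards` on that open, dm-crypt drops the discards during the install, so either add that flag to the luksOpen step (matching the `allow-discards` the guide later puts in `GRUB_CMDLINE_LINUX`) or say explicitly that TRIM on an encrypted volume is a deliberate trade-off, since it exposes which blocks of the container are unused. The "Use genfstab with -U parameter if no encryption" note would be clearer if it said why (without `-U` the generated fstab refers to `/dev/sdX2`, which can change between boots, while `/dev/mapper/MainPart` is stable). Minor: "pedrive", "partiton" and "Swap will bin in file" are typos; the new optional desktop block uses an untagged fence and the `mkfs.vfat` block uses ```Bash while every other block uses ```bash; the `<p class="callout warning">` and `<p class="callout info">` HTML depends on a renderer that honours class attributes and shows as plain paragraphs on GitHub, so a `>` blockquote would be more portable.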
@ -188,136 +259,228 @@ LC_MEASUREMENT=pl_PL.UTF-8
LC_MONETARY=pl_PL.UTF-8 LC_MONETARY=pl_PL.UTF-8
LC_NUMERIC=pl_PL.UTF-8 LC_NUMERIC=pl_PL.UTF-8
LC_TIME=pl_PL.UTF-8 LC_TIME=pl_PL.UTF-8
```
### Hosts in `/etc/hosts` ```
#### Hosts in `/etc/hosts`
```text ```text
127.0.0.1 localhost 127.0.0.1 localhost
::1 localhost ::1 localhost
127.0.1.1 myhostname.localdomain myhostname 127.0.1.1 myhostname.localdomain myhostname
```
### Now create 4GiB swap file. nodatacow is already on @swap but if you follow exactly then @swap is on same partition as other subvolumes and nodatacow will not work for whole subvolume so you need to disavle CoW manualy : ```
#### Now create empty (with 0 size) swap file:
#### Create separate folder for swapfile. This folder is needed to let you make snapshot of `/`, which would not be possible with any file in it with CoW disabled!
```
mkdir /swap
chattr +C /swap
```
#### Copy on Write should always be disabled on swap file, so it will be done in the next step
```bash ```bash
touch /swap/swapfile touch /swap/swapfile
``` ```
### Check if C attribute is enabled with
#### Check if C attribute is enabled (should be already if created in folder with disabled CoW attribute)
```bash ```bash
lsattr /swap/swapfile' lsattr /swap/swapfile'
``` ```
### If not then disable COW for swapfile manually:
#### If not then disable CoW for swapfile manually:
```bash ```bash
chattr +C /swap/swapfile chattr +C /swap/swapfile
``` ```
### Expanding empty file to 4GiB swap file
#### Expanding empty file to 4GiB swap file
```bash ```bash
dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096 dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
chmod 600 /swap/swapfile chmod 600 /swap/swapfile
```
### Format the swap file. ```
#### Format the swap file.
```bash ```bash
mkswap /swap/swapfile mkswap /swap/swapfile
``` ```
### Turn swap file on.
#### Turn swap file on.
```bash ```bash
swapon /swap/swapfile swapon /swap/swapfile
``` ```
### You also need to update `/etc/fstab` to mount swapfile on boot:
#### You also need to update `/etc/fstab` to mount swapfile on boot:
```text ```text
/swap/swapfile none swap sw 0 0 /swap/swapfile none swap sw 0 0
``` ```
### Set password for root
#### Set password for root
```bash ```bash
passwd passwd
``` ```
### Add real user
#### Add real user an set password for him
```bash ```bash
useradd -m MYUSERNAME useradd -m MYUSERNAME
passwd MYUSERNAME passwd MYUSERNAME
``` ```
### Configure mkinitcpio with modules needed for the initrd image ### Configure mkinitcpio with modules needed for the initrd image
```bash ```bash
vim /etc/mkinitcpio.conf vim /etc/mkinitcpio.conf
``` ```
### Remove 'fsck' and add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems
### If no encryption then only remove fsck and add on that place btrfs #### Add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems:
```
HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)
```
#### Add btrfsck to binaries:
```
BINARIES=(btrfsck)
```
#### **With encryption:** also add encrypt before btrfs:
```text ```text
HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...) HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)
``` ```
###### optionally add BINARIES=(/usr/bin/btrfs) for rescue?
######
#### Regenerate initrd images
### Regenerate initrd images
```bash ```bash
mkinitcpio -P mkinitcpio -P
``` ```
# 5. Install bootloader
# 5. Install bootloader
#### Setup grub (UEFI)
### Setup grub (UEFI)
```bash ```bash
pacman -S grub efibootmgr os-prober dosfstools mtools pacman -S grub efibootmgr os-prober dosfstools mtools
``` ```
#### -------------encryption only---------------------
### -------------encryption only---------------------
#### edit `/etc/default/grub` #### edit `/etc/default/grub`
```text ```text
GRUB_ENABLE_CRYPTODISK=y GRUB_ENABLE_CRYPTODISK=y
``` ```
### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
#### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
```bash ```bash
blkid blkid
``` ```
### Now set this line including proper UUID in place of "\<device-UUID>":
#### (temporarly you can use /dev/sdX2 in place of "UUID=\<device-UUID>" and change it later easy in gui mode)
edit `/etc/default/grub`
```text
GRUB_CMDLINE_LINUX="cryptdevice=UUID=\<device-UUID>:MainPart:allow-discards"
```
### allow-discards is only for ssd
### Generate key so grub don't ask twice for password on boot #### Now set this line including proper UUID in place of "&lt;device-UUID&gt;":
#### (temporarly you can use /dev/sdX2 in place of "UUID=&lt;device-UUID&gt;" and change it later easy in gui mode)
##### edit `/etc/default/grub`
```text
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:MainPart:allow-discards"
```
##### allow-discards is only for ssd to let trim work with encryption enabled
#### Generate key so grub don't ask twice for password on boot
```bash ```bash
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin chmod 600 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux* chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
``` ```
### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Crypto_keyfile.bin is the default name that kernel will guess anyway #### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Now add this file to `/etc/mkinitcpio.conf`
#### Crypto\_keyfile.bin is the default name that kernel will guess anyway
#### Now add this file to `/etc/mkinitcpio.conf`
```text ```text
FILES=(/crypto_keyfile.bin) FILES=(/crypto_keyfile.bin)
``` ```
then run: then run:
```bash ```bash
mkinitcpio -P mkinitcpio -P
``` ```
### -------------encryption end---------------------
### Install #### -------------encryption end---------------------
#### Install grub for
```bash ```bash
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg grub-mkconfig -o /boot/grub/grub.cfg
``` ```
### Exit new system
#### Exit new system
```bash ```bash
exit exit
``` ```
### Unmount all partitions
#### Unmount all partitions
```bash ```bash
swapoff -a swapoff -a
umount -R /mnt umount -R /mnt
``` ```
### Reboot into the new system, don't forget to remove the CD/pendrive #### Reboot into the new system, don't forget to remove the pendrive
```bash ```bash
reboot reboot
``` ```
### or
#### or
```bash ```bash
shutdown now shutdown now
``` ```
## Addtitional tips
### To get proper locale and keymap, check: ### 6. Addtitional tips:
#### Install AUR helper (git and base-devel packages needed to do so):
```
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
```
#### To get proper locale and keymap, check:
```bash ```bash
localectl status localectl status
``` ```
### On KDE plasma , also set settings > ... > keyboard layout && regional settings
#### On KDE plasma , also set settings &gt; ... &gt; keyboard layout &amp;&amp; regional settings
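Review bot: the new `HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)` line contradicts both its heading and the text it replaces: it lists `keyboard` twice and keeps `fsck`, while the removed line said to remove fsck and put btrfs in its place, and the heading promises `encrypt` although that hook only appears in the separate "With encryption" snippet; suggest `HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems)` for the plain case and a sentence that `encrypt` goes between `block` and `btrfs` only for the encrypted case, as the second snippet shows. The keyfile step (`cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin` followed by `FILES=(/crypto_keyfile.bin)`) is only acceptable because this guide keeps /boot inside the LUKS container and mounts just /efi as a separate partition; a sentence stating that the generated initramfs on /boot now embeds a LUKS key and must never be placed on or copied to the unencrypted EFI partition would make that dependency explicit. Minor: `lsattr /swap/swapfile'` carries a stray trailing quote in both versions, "#### Install grub for" is cut off, and "an set password for him", "temporarly" and "Addtitional" are typos.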