Compare commits

...

10 commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Maciej Lebiest | 5920fb3b2e | subvolume for swapfile | 2022-02-18 20:33:36 +01:00 |
| Maciej Lebiest | 83c1403e91 | Who uses nano anyway | 2022-02-17 11:52:08 +01:00 |
| Maciej Lebiest | f32097bc53 | Small rework | 2022-02-16 21:10:29 +01:00 |
| Maciej Lebiest | 97455800f4 | markdown fix | 2021-11-09 09:48:56 +01:00 |
| Maciej Lebiest | 8e8d57a1f2 | Update locales conf, update markdown formatting | 2021-07-25 16:20:59 +02:00 |
| Maciej Lebiest | 2eb3d0c374 | UUID, not PARTUUID | 2021-06-30 17:57:40 +02:00 |
| Maciej Lebiest | a901659584 | correct comment | 2021-06-29 19:35:38 +02:00 |
| Maciej Lebiest | 36c057967b | update luks comment | 2021-06-29 19:00:33 +02:00 |
| Maciej Lebiest | b31ef40510 | typo | 2021-06-29 18:35:36 +02:00 |
| Maciej Lebiest | b76d7cac69 | fix md formatting | 2021-06-29 18:18:54 +02:00 |

README.md

@ -1,260 +1,480 @@
# Install Arch Linux with encrypted filesystem(optional) and on btrfs partition (UEFI) # ArchLinux install encrypted btrfs
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
# Install Arch Linux on EFI system with full filesystem (including /boot) encrypted and on btrfs partition
Official guide for basic install: [https://wiki.archlinux.org/index.php/Installation\_Guide](https://wiki.archlinux.org/index.php/Installation_Guide)
it is always good to consult with official guide, cause arch config might change in time it is always good to consult with official guide, cause arch config might change in time
For setting up different locale than pl check official guide For setting up different locale, or better explanations check out Arch Wiki
# 1. Boot ISO ## 1. Boot ISO
### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
### Put on pedrive
>dd if=archlinux.img of=/dev/sdX bs=16M && sync
### Boot from the usb. #### Download the ISO file from [https://www.archlinux.org](https://www.archlinux.org/)
### Set keymap #### Put on pendrive
>loadkeys pl
### Update clock ```bash
>timedatectl set-ntp true dd if=archlinux.img of=/dev/sdX bs=16M && sync
```
### Optionally (recommended) update mirrorlist #### Boot from the USB.
>reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
# 2. Prepare Disk #### Optional (**experimental** approach to have desktop environment during install):
### Update btrfs-progs ##### Extend writable space so you can install basic desktop in live environment and for example use gparted for partitioning or open this tutorial in web browser or whatever you want.
>pacman -Syy btrfs-progs
### Display disks setup <p class="callout warning">Remember this area is saved in your RAM, so make sure you have enough of it</p>
>fdisk -l
```
mount -o remount,size=5G /run/archiso/cowspace
pacman -Syy plasma-desktop glibc konsole xorg
pacman -Scc
startplasma-wayland
```
#### Set key map
```bash
loadkeys pl
```
#### Update clock
```bash
timedatectl set-ntp true
```
#### Optionally (recommended) update mirrorlist
```bash
reflector --country 'Poland' --age 24 --verbose --sort rate --save /etc/pacman.d/mirrorlist
```
## 2. Prepare Disk
#### Update btrfs-progs
```bash
pacman -Syy btrfs-progs
```
#### Display disks and partitions
```bash
lsblk
```
#### Create partitions (if you have not already)
```bash
fdisk /dev/sdX
```
### Create partitions (if you have not already)
>fdisk /dev/sdX
1. 100MB EFI partition 1. 100MB EFI partition
2. 100% size partiton # ( encrypted optionally) for BTRFS, this partition will require formatting AFTER encryption if you do encryption 2. 100% size partiton # ( encrypted optionally) for BTRFS partition, this partition will require formatting AFTER encryption if you do encryption
### Swap will be as file in its own subvolume
>mkfs.vfat -F32 /dev/sdX1 ##### Swap will bin in file with CoW disabled, which will be prepared later
### ----------------- encryption (optional) ------------------ #### Format EFI partition
### Setup the encryption of the system, don't use letters outside en-us keyboard like ąęć etc. for password ```Bash
### Grub have partial support for luks2 now, but can handle only pbkdf2 mkfs.vfat -F32 /dev/sdX1
>cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks2 /dev/sdX2 ```
>cryptsetup luksOpen /dev/sdX2 MainPart ##### ----------------- encryption (optional) ------------------
#### Setup the encryption of the system,
<p class="callout info">Don't use regional letters (not in en-us keyboard) like ąęć etc. for password. This requires additional steps, which are not covered by this tutorial.</p>
#### Grub have some kind of support for luks2, but not entirely, so for more fail-safe setup use luks1
```bash
cryptsetup -c=aes-xts-plain64 --key-size=512 --hash=sha512 --iter-time=3000 --pbkdf=pbkdf2 --use-random luksFormat --type=luks1 /dev/sdX2
cryptsetup luksOpen /dev/sdX2 MainPart
```
### Formatting as btrfs now when it is already encrypted ### Formatting as btrfs now when it is already encrypted
>mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
```bash
mkfs.btrfs -L "Arch Linux" /dev/mapper/MainPart
```
### ---------------- end of encryption ------------------------ ##### ---------------- end of encryption ------------------------
### Format the partition if not yet formatted: #### Format the partition if not yet formatted:
>pacman -Syy btrfs-progs
>mkfs.btrfs -L "Arch Linux" /dev/sdX2 ```bash
pacman -Syy btrfs-progs
### Mount partition to be able to create btrfs subvolumes mkfs.btrfs -L "Arch Linux" /dev/sdX2
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: ```
>mount /dev/sdX2 /mnt
## Create subvolumes #### Mount partition to be able to create btrfs subvolumes
### Using more complicated sheme, (but there actually is only need for separate @swap subvolume , other files can be on default top subvolume)
>btrfs su cr /mnt/@ ##### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
>btrfs su cr /mnt/@swap ```bash
mount /dev/sdX2 /mnt
```
>btrfs su cr /mnt/@home #### Create subvolumes
>btrfs su cr /mnt/@var ##### This scheme can be adjusted to your needs, I'd suggest at least one subvolume for root (@) and one for snapshots (@snapshots). varlog and tmp are created to easily disable Copy on Write on` /var/log` and `/tmp`.
>btrfs su cr /mnt/@tmp ```bash
btrfs su cr /mnt/@
>btrfs su cr /mnt/@snapshots btrfs su cr /mnt/@home
#### disable copy on write on var, tmp and swap btrfs su cr /mnt/@varlog
>chattr +C /mnt/@var
>chattr +C /mnt/@tmp
>chattr +C /mnt/@swap
>umount /mnt btrfs su cr /mnt/@tmp
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart: btrfs su cr /mnt/@snapshots
>mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
>mkdir /mnt/swap ```
>mkdir /mnt/home ##### Disable copy on write on `/var/log` and `/tmp`
>mkdir /mnt/var ```bash
chattr +C /mnt/@varlog
chattr +C /mnt/@tmp
umount /mnt
>mkdir /mnt/tmp ```
>mkdir /mnt/snapshots #### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**:
>mkdir /mnt/efi # for EFI partition /dev/sdX1 ```bash
mount -o defaults,noatime,discard,ssd,subvol=@ /dev/sdX2 /mnt
### If using encryption, change /dev/sdX2 to /dev/mapper/MainPart mkdir /mnt/home
### for swap subvolume add nodatacow option to disable CoW (works only if its separate partition)
### Discard ssd and noatime are for ssd disks only
>mount -o defaults,noatime,nodatacow,discard,ssd,subvol=@swap /dev/sdX2 /mnt/swap mkdir -p /mnt/var/log
>mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home mkdir /mnt/tmp
>mount -o defaults,noatime,discard,ssd,subvol=@var /dev/sdX2 /mnt/var mkdir /mnt/snapshots
>mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp mkdir /mnt/efi # for EFI partition /dev/sdX1
```
>mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots #### Discard and ssd options and are for ssd disks only
>mount /dev/sdX1 /mnt/efi #### If using encryption, change **/dev/sdX2** to **/dev/mapper/MainPart**
```bash
mount -o defaults,noatime,discard,ssd,subvol=@home /dev/sdX2 /mnt/home
mount -o defaults,noatime,discard,ssd,subvol=@varlog /dev/sdX2 /mnt/var/log
mount -o defaults,noatime,discard,ssd,subvol=@tmp /dev/sdX2 /mnt/tmp
mount -o defaults,noatime,discard,ssd,subvol=@snapshots /dev/sdX2 /mnt/snapshots
mount /dev/sdX1 /mnt/efi
```
# 3. Install Arch Linux # 3. Install Arch Linux
### Select the mirror to be used if not updated with reflector on start #### Select the mirror to be used if not updated with reflector on start
>nano /etc/pacman.d/mirrorlist
### This command can be customized with additional packages ```bash
>pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo vim /etc/pacman.d/mirrorlist
```
### Use genfstab with -U parameter if no encryption #### Install base system:
>genfstab /mnt >> /mnt/etc/fstab
### If using swapfile check if nodatacow is added for @swap ##### This command can be customized with additional packages (**btrfs-progs is necessary to let the system boot up from btrfs partition !**)
>nano /mnt/etc/fstab
```bash
pacstrap /mnt/ base base-devel git btrfs-progs efibootmgr linux linux-headers linux-firmware mkinitcpio dhcpcd bash-completion sudo
```
#### Generate fstab:
##### Use genfstab with -U parameter if no encryption
```bash
genfstab /mnt >> /mnt/etc/fstab
```
####
# 4. Configure the system # 4. Configure the system
### Switch to installed system root user #### Switch to installed system root user
>arch-chroot /mnt /bin/bash
### Nano can be usefull when editing config files ```bash
>pacman -Syy nano arch-chroot /mnt /bin/bash
```
### Setup system clock #### Setup system clock
>ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
>hwclock --systohc --utc ```bash
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
### Set the hostname hwclock --systohc --utc
>/etc/hostname ```
>>myhostname
### Edit vconsole #### Set the hostname in `/etc/hostname`
>/etc/vconsole.conf
>>KEYMAP=pl
>>FONT=Lat2-Terminus16.psfu.gz
>>FONT_MAP=8859-2
### Setup locale ```test
### Uncomment pl_PL.UTF-8 in /etc/locale.gen and then: myhostname
>locale-gen ```
### Update locale #### Edit vconsole in `/etc/vconsole.conf`
>/etc/locale.conf
>>LANG=pl_PL.UTF-8
>>LC_ALL=pl_PL.UTF-8
### Hosts ```text
>/etc/hosts KEYMAP=pl
>>127.0.0.1 localhost FONT=Lat2-Terminus16.psfu.gz
>>::1 localhost FONT_MAP=8859-2
>>127.0.1.1 myhostname.localdomain myhostname
### Now create 4GiB swap file. nodatacow is already on @swap but if you follow exactly then @swap is on same partition as other subvolumes and nodatacow will not work for whole subvolume so you need to disavle CoW manualy : ```
>touch /swap/swapfile
### Check if C attribute is enabled with
>lsattr /swap/swapfile'
### If not then disable COW for swapfile manually: #### Setup locale
>chattr +C /swap/swapfile
### Expanding empty file to 4GiB swap file ##### Uncomment pl\_PL.UTF-8 in /etc/locale.gen and then run:
>dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
>chmod 600 /swap/swapfile ```bash
locale-gen
```
### Format the swap file. #### Update locale in `etc/locale.conf`
>mkswap /swap/swapfile
### Turn swap file on. ```text
>swapon /swap/swapfile LANG=en_US.UTF-8
LC_COLLATE=pl_PL.UTF-8
LC_MEASUREMENT=pl_PL.UTF-8
LC_MONETARY=pl_PL.UTF-8
LC_NUMERIC=pl_PL.UTF-8
LC_TIME=pl_PL.UTF-8
### You also need to update /etc/fstab to mount swapfile on boot: ```
>/etc/fstab
>>/swap/swapfile none swap sw 0 0
### Set password for root #### Hosts in `/etc/hosts`
>passwd
### Add real user
>useradd -m MYUSERNAME
>passwd MYUSERNAME ```text
127.0.0.1 localhost
::1 localhost
127.0.1.1 myhostname.localdomain myhostname
```
#### Now create empty (with 0 size) swap file:
#### Create separate subvolume for swapfile. This subvolume is needed to let you make snapshot of `/`, which would not be possible with any file in it with CoW disabled!
```
btrfs su create /swap
chattr +C /swap
```
#### Copy on Write should always be disabled on swap file, so it will be done in the next step
```bash
touch /swap/swapfile
```
#### Check if C attribute is enabled (should be already if created in folder with disabled CoW attribute)
```bash
lsattr /swap/swapfile'
```
#### If not then disable CoW for swapfile manually:
```bash
chattr +C /swap/swapfile
```
#### Expanding empty file to 4GiB swap file
```bash
dd if=/dev/zero of=/swap/swapfile bs=1024K count=4096
chmod 600 /swap/swapfile
```
#### Format the swap file.
```bash
mkswap /swap/swapfile
```
#### Turn swap file on.
```bash
swapon /swap/swapfile
```
#### You also need to update `/etc/fstab` to mount swapfile on boot:
```text
/swap/swapfile none swap sw 0 0
```
#### Set password for root
```bash
passwd
```
#### Add real user an set password for him
```bash
useradd -m MYUSERNAME
passwd MYUSERNAME
```
### Configure mkinitcpio with modules needed for the initrd image ### Configure mkinitcpio with modules needed for the initrd image
>nano /etc/mkinitcpio.conf
### Remove 'fsck' and add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems
### If no encryption then only remove fsck and add on that place btrfs
>HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)
###### optionally add BINARIES=(/usr/bin/btrfs) for rescue? ```bash
vim /etc/mkinitcpio.conf
```
### Regenerate initrd images #### Add 'keyboard', 'keymap', 'encrypt' and 'btrfs' to HOOKS before filesystems:
>mkinitcpio -P
# 5. Install bootloader ```
HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)
```
### Setup grub (UEFI) #### Add btrfsck to binaries:
>pacman -S grub efibootmgr os-prober dosfstools mtools
```
BINARIES=(btrfsck)
```
### -------------encryption only--------------------- #### **With encryption:** also add encrypt before btrfs:
>nano /etc/default/grub
>>GRUB_ENABLE_CRYPTODISK=y
### Find UUID (PARTUUID for /dev/sdX2) of crypto partition so we can add it to grub config
>blkid
### Now set this line including proper UUID in place of "\<device-UUID>":
####(temporarly you cen use /dev/sdX2 in place of UUID and change it later easy in gui mode)
>/etc/default/grub
>>GRUB_CMDLINE_LINUX="cryptdevice=UUID=\<device-UUID>:MainPart:allow-discards
### allow-discards is only for ssd
### Generate key so grub don't ask twice for password on boot ```text
>dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock HOOKS=(... keyboard keymap block encrypt btrfs ... filesystems ...)
>chmod 600 /crypto_keyfile.bin ```
>chmod 600 /boot/initramfs-linux*
>cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
### Crypto_keyfile.bin is the default name that kernel will guess anyway
### Now add this file to mkinitcpio.conf
>/etc/mkinitcpio.conf
>>FILES=(/crypto_keyfile.bin)
>mkinitcpio -P ######
### -------------encryption end---------------------
### Install #### Regenerate initrd images
>grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
>grub-mkconfig -o /boot/grub/grub.cfg
### Exit new system ```bash
>exit mkinitcpio -P
```
### Unmount all partitions # 5. Install bootloader
>swapoff -a
>umount -R /mnt
### Reboot into the new system, don't forget to remove the CD/pendrive #### Setup grub (UEFI)
>reboot
### or
>shutdown now
## Addtitional tips ```bash
### To get proper locale and keymap, check: pacman -S grub efibootmgr os-prober dosfstools mtools
>localectl status ```
### On KDE plasma , also set settings > ... > keyboard layout && regional settings
#### -------------encryption only---------------------
#### edit `/etc/default/grub`
```text
GRUB_ENABLE_CRYPTODISK=y
```
#### Find UUID (UUID for /dev/sdX2) of crypto partition so we can add it to grub config
```bash
blkid
```
#### Now set this line including proper UUID in place of "&lt;device-UUID&gt;":
#### (temporarly you can use /dev/sdX2 in place of "UUID=&lt;device-UUID&gt;" and change it later easy in gui mode)
##### edit `/etc/default/grub`
```text
GRUB_CMDLINE_LINUX="cryptdevice=UUID=<device-UUID>:MainPart:allow-discards"
```
##### allow-discards is only for ssd to let trim work with encryption enabled
#### Generate key so grub don't ask twice for password on boot
```bash
dd bs=512 count=4 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock
chmod 600 /crypto_keyfile.bin
chmod 600 /boot/initramfs-linux*
cryptsetup luksAddKey /dev/sdX2 /crypto_keyfile.bin
```
#### If you change name of key file there is need to add kernel parameter like cryptkey=rootfs:path
#### Crypto\_keyfile.bin is the default name that kernel will guess anyway
#### Now add this file to `/etc/mkinitcpio.conf`
```text
FILES=(/crypto_keyfile.bin)
```
then run:
```bash
mkinitcpio -P
```
#### -------------encryption end---------------------
#### Install grub for
```bash
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
```
#### Exit new system
```bash
exit
```
#### Unmount all partitions
```bash
swapoff -a
umount -R /mnt
```
#### Reboot into the new system, don't forget to remove the pendrive
```bash
reboot
```
#### or
```bash
shutdown now
```
### 6. Addtitional tips:
#### Install AUR helper (git and base-devel packages needed to do so):
```
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
```
#### To get proper locale and keymap, check:
```bash
localectl status
```
#### On KDE plasma , also set settings &gt; ... &gt; keyboard layout &amp;&amp; regional settings
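Review bot: the `lsattr /swap/swapfile'` command in the swap-file section carries a stray trailing apostrophe; pasted into a shell it opens an unterminated quote and nothing runs, so it should read `lsattr /swap/swapfile`. In the same section the justification for the dedicated `/swap` subvolume ("would not be possible with any file in it with CoW disabled") is not the actual constraint: btrfs refuses to snapshot a subvolume that contains an active swapfile, which is the reason the file must live outside `@`; the CoW attribute by itself does not block snapshots, and the text should say so. Two points in the encryption section deserve a caveat rather than being presented as the default: `allow-discards` lets the drive observe which sectors of the LUKS container are unused, so it trades a small information leak for working TRIM; and `chmod 600 /boot/initramfs-linux*` is executed before the final `mkinitcpio -P` that embeds `FILES=(/crypto_keyfile.bin)`, so the reader should be told to re-check the permissions of the regenerated images after that last run, since those images now contain a LUKS key. Minor: the HOOKS example `HOOKS=(base udev autodetect keyboard keymap modconf block btrfs filesystems keyboard fsck)` lists `keyboard` twice.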