The following post outlines installing Arch Linux with full-disk encryption, more specifically LVM on LUKS. After recently getting a Framework 13 laptop, I wanted to install Arch Linux on it with FDE to be on the safer side, as well as try out Btrfs system snapshots and restore capabilities.
The Arch Wiki is a must read for comprehensive details, but these notes serve as a quick guide for future installations. The commands listed are what I used during my installation, but of course drive names, labels, etc. can vary.
Notes include:
- Working minimal Arch installation with latest and LTS kernels
- Full-disk encryption (LVM on LUKS)
- Use of Btrfs filesystem
Further things to consider after installation:
- Enable zram for swap
- Plymouth for graphical boot process
- Snapper for managing snapshots of Btrfs subvolumes
- grub-btrfs for adding a Btrfs snapshots sub-menu to GRUB, which allows booting into snapshots.
- grub2-themes for modern design themes for Grub2
- Encrypted swapfile and hibernation setup
Network
After booting the installation .iso, ensure there is a working network connection. An Ethernet cable connection should automatically pick up a DHCP IP; otherwise, connect to WiFi.
ip a
– Show network interfaces and address info.
iwctl
– Enter the iNet wireless daemon (iwd) client.
station wlan0 get-networks
– List wireless networks.
iwctl --passphrase "Passphrase" station wlan0 connect <NetworkName>
– Connect the wlan0 interface to the NetworkName wireless network.
Disk Partitions
lsblk
– show available storage volumes, nvme0n1 in my case.
fdisk /dev/nvme0n1
– enter fdisk utility.
g
– create empty partition table.
n
– create new partition.
Use defaults until end. Size of +1G to be used for EFI partition
n
+1G
– for boot partition.
n
– Defaults till end for LVM partition.
t
Default 2, 44 for Linux LVM
w
– write to disk.
Format Partitions
mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
cryptsetup luksFormat /dev/nvme0n1p3
Enter encryption key
cryptsetup open --type luks /dev/nvme0n1p3 cryptlvm
– open the encrypted partition and name it cryptlvm (the name can be anything you like).
pvcreate /dev/mapper/cryptlvm
– create physical volume.
vgcreate Arch /dev/mapper/cryptlvm
– create volume group.
lvcreate -L 68G Arch -n swap
– volume reserved for later use with hibernation, but zram will be used for swap.
lvcreate -l 100%FREE Arch -n root
– Entire rest of space for btrfs partition.
modprobe dm_mod
– load dm_mod kernel module.
vgscan
– verify the volume group was found.
vgchange -ay
– Activate all volume groups.
mkfs.btrfs -L root -n 32k /dev/Arch/root
– Format btrfs with larger 32k nodesize for less fragmentation at the cost of more expensive memory operations.
Prepare Btrfs Subvolumes
mount /dev/mapper/Arch-root /mnt
cd /mnt
btrfs su create @
btrfs su create @snapshots
btrfs su create @home
btrfs su create @root
btrfs su create @log
btrfs su create @sddm
btrfs su create @tmp
btrfs su create @opt
btrfs su create @images
btrfs su create @containers
umount /mnt
mount -o subvol=@,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt
cd /mnt
mkdir -p efi
mkdir -p boot
mkdir -p .snapshots
mkdir -p home
mkdir -p root
mkdir -p var/log
mkdir -p var/lib/sddm
mkdir -p tmp
mkdir -p opt
mkdir -p var/lib/libvirt/images
mkdir -p var/lib/containers
mount -o subvol=@snapshots,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/.snapshots
mount -o subvol=@home,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/home
mount -o subvol=@root,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/root
mount -o subvol=@log,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/var/log
mount -o subvol=@sddm,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/var/lib/sddm
mount -o subvol=@tmp,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/tmp
mount -o subvol=@opt,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/opt
mount -o subvol=@images,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/var/lib/libvirt/images
mount -o subvol=@containers,noatime,compress=zstd:1 /dev/mapper/Arch-root /mnt/var/lib/containers
mount /dev/nvme0n1p1 /mnt/efi
mount /dev/nvme0n1p2 /mnt/boot
Install required packages
pacstrap -i /mnt base
Generate fstab file
genfstab -U -p /mnt >> /mnt/etc/fstab
Update fstab for btrfs mounts
vim /mnt/etc/fstab
(Default UUID may be fine) Edit mount lines to subvol=@,noatime,compress=zstd:1
Finish installation
arch-chroot /mnt
passwd
– set root password.
useradd -m -g users -G wheel <username>
– create a user.
passwd <username>
– create password for user.
pacman -S base-devel dosfstools grub efibootmgr lvm2 mtools vim networkmanager os-prober sudo iwd btrfs-progs
Install Linux Kernel
pacman -S linux linux-headers linux-lts linux-lts-headers
– linux and lts kernel.
pacman -S linux-firmware
GPU Driver
AMD/Intel: pacman -S mesa
Nvidia: pacman -S nvidia nvidia-utils nvidia-lts
AMD: pacman -S libva-mesa-driver
Intel: pacman -S intel-media-driver
Generate ram disks for kernels
vim /etc/mkinitcpio.conf
Add to HOOKS: after block and before filesystems, add encrypt and lvm2.
mkinitcpio -p linux
mkinitcpio -p linux-lts
Set locale and boot loader
vim /etc/locale.gen
and uncomment line you want (en_US.UTF-8 UTF-8)
locale-gen
vim /etc/default/grub
On GRUB_CMDLINE_LINUX_DEFAULT, after loglevel and before quiet, add cryptdevice=/dev/nvme0n1p3:Arch
vim /etc/hostname
– change hostname to whatever you want.
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=grub_uefi --recheck
cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
grub-mkconfig -o /boot/grub/grub.cfg
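An added example, not part of the original notes: a shell check to run inside the chroot before rebooting, confirming that the HOOKS order and the cryptdevice= kernel parameter described above are in place, since a mistake in either leaves the encrypted root unable to unlock at boot. The function names and the sample files are constructed for illustration; on a real install pass /etc/mkinitcpio.conf and /etc/default/grub.

```shell
#!/bin/sh
# Added example: pre-reboot check of the initramfs hooks and kernel command line.

# hooks_ok FILE: succeed only if the active HOOKS=(...) line lists
# block, encrypt, lvm2, filesystems in that relative order.
hooks_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1)
    pos=0 block=0 encrypt=0 lvm2=0 fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            block) block=$pos ;;
            encrypt) encrypt=$pos ;;
            lvm2) lvm2=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$block" -gt 0 ] && [ "$encrypt" -gt "$block" ] &&
        [ "$lvm2" -gt "$encrypt" ] && [ "$fs" -gt "$lvm2" ]
}

# cryptdevice_of FILE: print the device:name value of cryptdevice= found in
# GRUB_CMDLINE_LINUX_DEFAULT (double-quoted form assumed); fail if missing.
cryptdevice_of() {
    args=$(sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)".*$/\1/p' "$1" | tail -n 1)
    for a in $args; do
        case $a in
            cryptdevice=?*:?*) printf '%s\n' "${a#cryptdevice=}"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample files so the checks run offline; on the installed system
# pass /etc/mkinitcpio.conf and /etc/default/grub instead.
write_samples() {
    printf '%s\n' '#HOOKS=(base udev block filesystems)' \
        'HOOKS=(base udev autodetect modconf kms keyboard block encrypt lvm2 filesystems fsck)' > "$1/mkinitcpio.ok"
    printf '%s\n' 'HOOKS=(base udev autodetect modconf block filesystems encrypt lvm2 fsck)' > "$1/mkinitcpio.bad"
    printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 cryptdevice=/dev/nvme0n1p3:Arch quiet"' > "$1/grub.ok"
    printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' > "$1/grub.bad"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/mkinitcpio.*; do hooks_ok "$f" && echo "$f: hooks ok" || echo "$f: hooks WRONG"; done
for f in "$tmp"/grub.*; do cryptdevice_of "$f" >/dev/null && echo "$f: cryptdevice set" || echo "$f: cryptdevice MISSING"; done
rm -rf "$tmp"
```

The check reads the configuration files only, so mkinitcpio and grub-mkconfig still have to be rerun after any correction. The cryptdevice pattern also accepts the cryptdevice=UUID=<uuid>:name form, which stays valid if the device name changes.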
Enable network manager
systemctl enable NetworkManager
Cleanup and reboot
exit
umount -a
– unmount everything; errors can be ignored.
reboot
Fresh install ready
Arch Linux install ready for use and tinkering :)