Arch Linux with Full Disk Encryption Install Notes

12 October 2024

The following post outlines installing Arch Linux with full-disk encryption on a btrfs filesystem. After recently getting a Framework 13 laptop, I wanted to install Arch Linux on it with FDE to be on the safer side as well as try out Btrfs system snapshots and restore capabilities.

The Arch Wiki is a must read for comprehensive details, but these notes serve as a quick guide for future installations. The commands listed are what I used during my installation, but of course drive names, labels, etc. can vary.

Further things to consider after installation:

  • Enable zram for swap
  • Plymouth for graphical boot process
  • Snapper for managing snapshots of Btrfs subvolumes
  • grub-btrfs for adding a Btrfs snapshots sub-menu to GRUB, allowing booting into snapshots.
  • grub2-themes for modern design themes for Grub2
  • Encrypted swapfile and hibernation setup

Network

After booting the installation .iso, ensure there is a working network connection. A wired ethernet connection should pick up a DHCP address automatically; otherwise connect to WiFi.

ip a – Show network interfaces and address info.
iwctl – Enter the iwd (iNet wireless daemon) client.
station wlan0 get-networks – List wireless networks (run inside the iwctl prompt).
iwctl --passphrase "Passphrase" station wlan0 connect <NetworkName> – Connect the wlan0 interface to the NetworkName wireless network.

Disk Partitions

lsblk – Show available storage volumes, nvme0n1 in my case.
wipefs --all /dev/nvme0n1 – Wipe all filesystem and partition-table signatures on the device.
gdisk /dev/nvme0n1 – Enter the gdisk utility.
n – Create a new partition of type EF00 for EFI, size +1G.
n – Create a new boot partition, size +1G, rest defaults.
n – Defaults until the end for the last partition, using all remaining space.
w – Write the partition table to disk.

Format Partitions

mkfs.fat -F32 /dev/nvme0n1p1
mkfs.ext4 /dev/nvme0n1p2
cryptsetup luksFormat --type luks2 --hash sha256 --pbkdf pbkdf2 --pbkdf-force-iterations 600000 --label arch /dev/nvme0n1p3 – Create the LUKS2 container. PBKDF2 rather than the default Argon2id is chosen because GRUB's LUKS2 support only understands PBKDF2.
cryptsetup luksOpen /dev/nvme0n1p3 arch – Open the container as /dev/mapper/arch.
mkfs.btrfs -L btrfs -n 32k /dev/mapper/arch – Format as btrfs with a larger 32k nodesize for less fragmentation, at the cost of more expensive memory operations.

Prepare Btrfs Subvolumes

mount /dev/mapper/arch /mnt
cd /mnt
btrfs su create @
btrfs su create @home
btrfs su create @opt
btrfs su create @cache
btrfs su create @docker
btrfs su create @libvirt
btrfs su create @machines
btrfs su create @sddm
btrfs su create @log
btrfs su create @spool
btrfs su create @tmp

Mount the subvolumes, efi and boot partitions.

umount /mnt
mount -o noatime,nodiratime,compress=zstd:1,subvol=@ /dev/mapper/arch /mnt
cd /mnt
mkdir -p efi
mkdir -p boot
mkdir -p home
mkdir -p opt
mkdir -p var/cache
mkdir -p var/lib/docker
mkdir -p var/lib/libvirt
mkdir -p var/lib/machines
mkdir -p var/lib/sddm
mkdir -p var/log
mkdir -p var/spool
mkdir -p var/tmp

mount -o noatime,nodiratime,compress=zstd:1,subvol=@home /dev/mapper/arch /mnt/home
mount -o noatime,nodiratime,compress=zstd:1,subvol=@opt /dev/mapper/arch /mnt/opt
mount -o noatime,nodiratime,compress=zstd:1,subvol=@cache /dev/mapper/arch /mnt/var/cache
mount -o noatime,nodiratime,compress=zstd:1,subvol=@docker /dev/mapper/arch /mnt/var/lib/docker
mount -o noatime,nodiratime,compress=zstd:1,subvol=@libvirt /dev/mapper/arch /mnt/var/lib/libvirt
mount -o noatime,nodiratime,compress=zstd:1,subvol=@machines /dev/mapper/arch /mnt/var/lib/machines
mount -o noatime,nodiratime,compress=zstd:1,subvol=@sddm /dev/mapper/arch /mnt/var/lib/sddm
mount -o noatime,nodiratime,compress=zstd:1,subvol=@log /dev/mapper/arch /mnt/var/log
mount -o noatime,nodiratime,compress=zstd:1,subvol=@spool /dev/mapper/arch /mnt/var/spool
mount -o noatime,nodiratime,compress=zstd:1,subvol=@tmp /dev/mapper/arch /mnt/var/tmp
mount /dev/nvme0n1p1 /mnt/efi
mount /dev/nvme0n1p2 /mnt/boot
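The subvolume layout and mounts above as one table-driven script, an added example that is not part of the original post: each subvolume is paired with its mount point so the mkdir target and the mount target cannot drift apart, and the assumed DRY_RUN=1 switch prints the mount commands instead of running them. The device and root paths (/dev/mapper/arch, /mnt) are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: table-driven version of the
# subvolume layout above. Each entry is SUBVOL:MOUNTPOINT (relative to the
# installation root), so a mount target can never drift from its mkdir.
LAYOUT='@:/ @home:/home @opt:/opt @cache:/var/cache @docker:/var/lib/docker
@libvirt:/var/lib/libvirt @machines:/var/lib/machines @sddm:/var/lib/sddm
@log:/var/log @spool:/var/spool @tmp:/var/tmp'
OPTS='noatime,compress=zstd:1'   # noatime already implies nodiratime

# Create every subvolume on the freshly mounted top-level btrfs volume.
create_subvols() {   # $1 = path where the top-level volume is mounted
    for entry in $LAYOUT; do
        btrfs subvolume create "$1/${entry%%:*}"
    done
}

# Mount the layout below $2. @ is first in LAYOUT, so it lands on the root
# before the directories for the other subvolumes are created inside it.
# With DRY_RUN=1 (assumed switch) the mount commands are printed instead of
# executed, so the layout can be checked on a scratch directory first.
mount_layout() {   # $1 = device, $2 = installation root
    dev=$1; root=$2
    for entry in $LAYOUT; do
        sub=${entry%%:*}; dir=${entry#*:}
        if [ "$dir" = / ]; then
            target=$root
        else
            target=$root$dir
            mkdir -p "$target"          # the mount point must exist first
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "mount -o $OPTS,subvol=$sub $dev $target"
        else
            mount -o "$OPTS,subvol=$sub" "$dev" "$target"
        fi
    done
}
```

The /efi and /boot partition mounts from the post follow after mount_layout as before.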

Install required packages

pacstrap -i /mnt base

Generate fstab file

genfstab -U /mnt >> /mnt/etc/fstab

Additional installation

arch-chroot /mnt
ln -sf /usr/share/zoneinfo/Region/City /etc/localtime
hwclock --systohc
echo myhostname > /etc/hostname
passwd – set root password.
useradd -m -g users -G wheel <username> – create a user.
passwd <username> – create password for user.
pacman -S base-devel dosfstools grub efibootmgr mtools vim nano networkmanager os-prober sudo iwd btrfs-progs bash-completion
EDITOR=vim visudo – uncomment the line: %wheel ALL=(ALL) ALL

Install Linux Kernel

pacman -S linux linux-headers linux-lts linux-lts-headers – latest and LTS kernels.
pacman -S linux-firmware amd-ucode

GPU Driver

AMD/Intel: pacman -S mesa

Nvidia: pacman -S nvidia nvidia-utils nvidia-lts

AMD: pacman -S libva-mesa-driver

Intel: pacman -S intel-media-driver

Generate ram disks for kernels

vim /etc/mkinitcpio.conf

In HOOKS, add encrypt after block and before filesystems.

mkinitcpio -p linux
mkinitcpio -p linux-lts

Set locale and boot loader

vim /etc/locale.gen – uncomment the locale you want (en_US.UTF-8 UTF-8).
locale-gen

vim /etc/default/grub
In GRUB_CMDLINE_LINUX add cryptdevice=UUID=XXX-XXX-XXX:arch, where the UUID is that of the LUKS partition (/dev/nvme0n1p3) and arch is the mapper name used above.
Uncomment GRUB_ENABLE_CRYPTODISK=y

Tip to get the partition UUID without retyping it: append it to the end of /etc/default/grub with blkid -o value -s UUID /dev/nvme0n1p3 >> /etc/default/grub, then cut and paste it into the cryptdevice line.
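The two config edits above (the encrypt hook in /etc/mkinitcpio.conf, and the cryptdevice entry plus GRUB_ENABLE_CRYPTODISK in /etc/default/grub) as shell functions that verify their own result, an added example that is not part of the original post. The mapper name arch and the partition /dev/nvme0n1p3 are the post's own; file paths are parameters so the functions can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: the two config edits done by
# script, each verified afterwards. Paths are parameters so the functions
# can be exercised on copies of the files before touching /etc.

# Insert "encrypt" directly after "block" in the HOOKS=(...) line unless it is
# already there, then confirm it sits before "filesystems" (the order the
# initramfs needs: unlock the LUKS device, then mount the root filesystem).
add_encrypt_hook() {   # $1 = mkinitcpio.conf
    grep -Eq '^HOOKS=.*[ (]encrypt[ )]' "$1" || \
        sed -i -E '/^HOOKS=/ s/([ (])block([ )])/\1block encrypt\2/' "$1"
    grep -Eq '^HOOKS=.*[ (]encrypt .*filesystems[ )]' "$1"
}

# Append cryptdevice=UUID=<uuid>:<name> to GRUB_CMDLINE_LINUX and enable
# GRUB_ENABLE_CRYPTODISK. The UUID must be that of the LUKS partition itself
# (blkid -o value -s UUID /dev/nvme0n1p3), not of the btrfs inside it; a
# value that is not a well-formed UUID is refused rather than written.
set_grub_cryptdevice() {   # $1 = /etc/default/grub, $2 = LUKS UUID, $3 = mapper name
    printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || {
        echo "refusing malformed UUID: $2" >&2; return 1; }
    case $3 in ''|*[!A-Za-z0-9_-]*) echo "bad mapper name: $3" >&2; return 1 ;; esac
    grep -q 'cryptdevice=' "$1" && { echo "cryptdevice already set in $1" >&2; return 1; }
    kv="cryptdevice=UUID=$2:$3"
    sed -i -E -e "/^GRUB_CMDLINE_LINUX=/ s|=\"(.*)\"|=\"\1 $kv\"|" \
              -e '/^GRUB_CMDLINE_LINUX=/ s|=" |="|' "$1"   # drop leading blank
    sed -i -E 's/^#?GRUB_ENABLE_CRYPTODISK=.*/GRUB_ENABLE_CRYPTODISK=y/' "$1"
    grep -q "^GRUB_CMDLINE_LINUX=\".*$kv\"" "$1" && grep -q '^GRUB_ENABLE_CRYPTODISK=y$' "$1"
}
```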

grub-install --target=x86_64-efi --efi-directory=/efi --recheck
grub-mkconfig -o /boot/grub/grub.cfg

Enable network manager

systemctl enable NetworkManager

Cleanup and reboot

exit
umount -R /mnt
reboot

Fresh install ready

Arch Linux install ready for use and tinkering :)


comments powered by Disqus