Arch Linux on a personal computer

Arch Linux has an excellent installation guide. Unfortunately, all the options available during installation can make the guide overwhelming for someone not very familiar with the Linux ecosystem. This article is a log of the steps I followed for a recent installation, with a focus on simplicity and conciseness.

Main features of the resulting installation:

  • Full-disk encryption with passphrase
  • Hibernation to encrypted swap

Note that while I will suggest some alternatives to my own choices, this article is largely opinionated. It is not meant to be a guide but rather a showcase, so use it at your own risk.

UEFI

In the UEFI, disable the following features:

  • Secure Boot: it is nontrivial to enable on Arch Linux and doesn't seem to provide many benefits.
  • Intel AMT: This is an enterprise feature.
  • Absolute Persistence: This is an enterprise feature.

If you plan never to use the remote tracking features, you can choose to disable them forever (at least on ThinkPads).

Prepare the storage drive

From this point on, I assume that you have booted on the Arch Linux ISO from some medium (e.g. a USB drive).

Before setting up full-disk encryption on the main drive, it is apparently recommended to overwrite it with random bytes, so that the entire disk is indistinguishable from random data:

shred --verbose --iterations 1 /dev/<device_name>

Typically, the primary SSD on a laptop is called /dev/nvme0n1. This will be used in the rest of this document.

Partitioning

Create a GPT table (g in fdisk) with the following partitions:

  • 1 GiB: EFI
  • Remaining space: Linux

Here's a possible result:

> fdisk -l
Device           Start        End    Sectors   Size Type
/dev/nvme0n1p1    2048    2099199    2097152     1G EFI System
/dev/nvme0n1p2 2099200 2000408575 1998309376 952.9G Linux filesystem

Set up full-disk encryption

In this section, we set up LVM on LUKS, which is what I think is the most convenient configuration for an encrypted drive.

See LVM on LUKS on the Arch Wiki.

Create encrypted space

Set up encryption on the second partition with the following commands:

cryptsetup luksFormat /dev/nvme0n1p2
cryptsetup open /dev/nvme0n1p2 lvm

The first partition is used as the boot partition and is left unencrypted.

Create the LVM partitions

pvcreate /dev/mapper/lvm
vgcreate vol0 /dev/mapper/lvm
lvcreate -L 16G vol0 -n swap
lvcreate -l 100%FREE vol0 -n root

Note that swap space doesn't need to be greater than (or equal to) the memory space of the computer, especially if you have a lot of memory. In my case, I have 32 GiB of memory and use 16 GiB for swap, which works fine even for hibernation.

For more information, see the note about swap size in the Arch Linux wiki.

Format the partitions

mkfs.fat -F 32 /dev/nvme0n1p1
mkswap /dev/vol0/swap
mkfs.ext4 /dev/vol0/root

Mount the partitions

swapon /dev/vol0/swap
mount /dev/vol0/root /mnt
mount --mkdir /dev/nvme0n1p1 /mnt/boot

I used the conventional /mnt directory as root for the new system, but another unused directory would also work.

Install the system

Bootstrap the system

pacstrap -K /mnt base linux linux-firmware lvm2 iwd neovim intel-ucode
genfstab -U /mnt >> /mnt/etc/fstab

  • iwd will be used for connecting to a wifi network.
  • neovim will be used for editing files. A popular option is nano.
  • intel-ucode will update the microcode (use amd-ucode for AMD CPUs).

Configuration

Use the following command to open a shell inside that system:

arch-chroot /mnt

From this point on, commands and paths will be shown as used in the new system, which we mounted at /mnt.

Time

In the following snippet, change Europe/Paris to your preferred timezone.

ln -fs /usr/share/zoneinfo/Europe/Paris /etc/localtime
hwclock --systohc

Locale

In the lines below, we configure the system to only use US English.

nvim /etc/locale.gen  # Select en_US.UTF-8.
locale-gen
nvim /etc/locale.conf  # Write `LANG=en_US.UTF-8`.

Host name

nvim /etc/hostname  # Write your chosen host name.

Boot

In /etc/mkinitcpio.conf, list the appropriate hooks for this installation in HOOKS. In my case:

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems lvm2 resume fsck)

Then, run the following to generate the Linux images:

mkinitcpio -P

I chose to ignore all the remaining "Possibly missing firmware" warnings. Make sure nothing critical is missing. Otherwise, install the missing firmware and try generating the images again.
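
The hook order matters for LVM on LUKS with hibernation: the passphrase prompt needs the keyboard and block devices, the LVM volumes only exist once the LUKS container is open, and the swap volume must exist before resume runs. The following check is an added example, not part of the original article; the function names are hypothetical and it assumes the busybox-based initramfs (base and udev hooks) used here.

```shell
#!/bin/sh
# Added example: validate hook ordering in an mkinitcpio HOOKS line for
# LVM on LUKS with hibernation. Function names are hypothetical.

# hook_index "<hooks>" <name>: print the 1-based position of <name>, or fail.
hook_index() {
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    return 1
}

# check_hooks "<text containing a HOOKS=(...) line>"
# Prints one line per problem (deduplicated); returns 1 if any were found.
check_hooks() {
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\([^)]*\)).*/\1/p')
    [ -n "$hooks" ] || { echo "no HOOKS=(...) line found"; return 1; }
    problems=$(
        # Each pair "a b" means hook a must be listed before hook b.
        for pair in "udev resume" "keyboard encrypt" "block encrypt" \
                    "encrypt lvm2" "lvm2 resume"; do
            a=${pair% *}; b=${pair#* }
            ia=$(hook_index "$hooks" "$a") || { echo "missing: $a"; continue; }
            ib=$(hook_index "$hooks" "$b") || { echo "missing: $b"; continue; }
            [ "$ia" -lt "$ib" ] || echo "order: $a must come before $b"
        done | sort -u
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}
```

On the installed system it can be called as check_hooks "$(cat /etc/mkinitcpio.conf)"; commented-out HOOKS lines are ignored.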

You can find more information about the extra modules needed in the Arch wiki.

Set the root password

passwd

Configure the boot loader

Using systemd-boot:

bootctl install
nvim /boot/loader/entries/arch.conf

If you want a different bootloader, you can find some other options in the Arch wiki.

Edit /boot/loader/entries/arch.conf to make a new entry for Linux:

title Arch Linux
linux /vmlinuz-linux
# The microcode image must be listed before the main initramfs.
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<uuid>:lvm resume=/dev/vol0/swap root=/dev/vol0/root rw quiet

You need to replace <uuid> with the UUID of the LUKS-encrypted partition that holds your root volume (nvme0n1p2 in my case), not the UUID of a volume inside it. You can find this UUID with lsblk --fs: look for the row with crypto_LUKS as FSTYPE.
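
Picking the UUID from the wrong lsblk row (the ext4 root volume or the LVM physical volume instead of the crypto_LUKS row) leaves the initramfs unable to find the container to unlock. The following pre-reboot check is an added example, not part of the original article; the function names and every UUID in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: confirm that cryptdevice=UUID=... in a loader entry names the
# LUKS container and not a filesystem or LVM volume inside it.
# Function names and all UUIDs below are constructed for illustration.

# Constructed stand-in for `lsblk -rno NAME,FSTYPE,UUID` on the article's layout.
sample_lsblk() {
    cat <<'EOF'
nvme0n1
nvme0n1p1 vfat 1A2B-3C4D
nvme0n1p2 crypto_LUKS 11111111-2222-3333-4444-555555555555
lvm LVM2_member aaaaaa-bbbb-cccc-dddd-eeee-ffff-gggggg
vol0-swap swap 66666666-7777-8888-9999-000000000000
vol0-root ext4 99999999-8888-7777-6666-555555555555
EOF
}

# entry_uuid "<entry text>": print the UUID given to cryptdevice=, if any.
entry_uuid() {
    printf '%s\n' "$1" |
        sed -n 's/^options[[:space:]].*cryptdevice=UUID=\([^:[:space:]]*\):.*/\1/p'
}

# check_entry "<entry text>": reads the lsblk listing on stdin, prints a
# verdict, and returns 0 only if the UUID belongs to a crypto_LUKS device.
check_entry() {
    want=$(entry_uuid "$1")
    [ -n "$want" ] || { echo "no cryptdevice=UUID=<uuid>:<name> option"; return 1; }
    # "<fstype> <name>" of the device carrying that UUID; empty if unknown.
    found=$(awk -v u="$want" '$3 == u { print $2 " " $1 }')
    case $found in
        "crypto_LUKS "*) echo "ok: /dev/${found#* } is the LUKS container" ;;
        "") echo "UUID $want matches no block device"; return 1 ;;
        *)  echo "UUID $want is ${found%% *}, not crypto_LUKS"; return 1 ;;
    esac
}
```

Inside the chroot, the real listing is piped in: lsblk -rno NAME,FSTYPE,UUID | check_entry "$(cat /boot/loader/entries/arch.conf)". An entry that still contains the <uuid> placeholder is reported as matching no block device.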

If all went well, your system should now be bootable. Proceed with:

reboot

If that didn't work, you may need to boot with the installation medium again and mount the partitions to investigate them.

If it did work, enjoy Arch Linux! :)