Arch Linux install guide

Introduction

The goal of this guide is to set up a minimal installation of Arch Linux with full disk encryption on an UEFI system. This guide is meant to be read alongside the Arch wiki. It does not cover implementing Secure Boot

Info

I’ll skip the Arch ISO installation media preparation.
I won’t prepare the system for secure boot because the procedure of custom key enrollment in the` BIOS
I’ll use a wired connection, so no wireless configuration steps will be shown. If you want to connect to wifi, you can either use iwctl (CLI) or install and launch impala (TUI).

Preliminary steps

Check that we are in UEFI mode

If this command prints 64 or 32 then you are in UEFI

cat /sys/firmware/efi/fw_platform_size

Update the system clock

# Check if ntp is active and if the time is right
timedatectl

# In case it's not active you can do
timedatectl set-ntp true

Partition the disk

Throughout this guide nvme0n1 will be used as the target install drive. The drive will be separated into two partitions:

Number	Type	Size
1	EFI	512 Mb
2	Linux Filesystem	All of the remaining space

Warning

The following steps will wipe completely your nvme0n1 drive

Run gdisk

gdisk /dev/nvme0n1

Press x to enter expert mode. Then press z to zap our drive. Then hit y when prompted about wiping out GPT and blanking out MBR.
Run gdisk

gdisk /dev/nvme0n1

Delete any existing partitions. Repeat until none are left.

Command (m for help): d

Create a boot partition

Command (m for help): n
Partition number (1-128, default 1):
First sector (...):
Last sector (...): +512M
Hex code or GUID (...): ef00

Create a root partition

Command (m for help): n
Partition number (2-128, default 1):
First sector (...):
Last sector (...):
Hex code or GUID (...): 8300

Write the changes

Command (m for help): w
Do you want to proceed? (Y/N): y

Verify partitioning

lsblk

Note

It should look something like this

NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
nvme0n1     259:0    0 465,8G  0 disk
├─nvme0n1p1 259:1    0   512M  0 part
└─nvme0n1p2 259:2    0 465,3G  0 part

nvme0n1 is the main disk nvme0n1p1 is the boot partition nvme0n1p2 is the root partition

Encrypt root partition

Encrypt your root partition

Tip

Make sure to enter a secure passphrase and to write it down

cryptsetup luksFormat /dev/nvme0n1p2
Are you sure (Type `yes` in capital letters): YES

Open the encrypted partition

cryptsetup open /dev/nvme0n1p2 root

Create filesystems

Create the boot file system

mkfs.fat -F32 /dev/nvme0n1p1

Create the root file system

mkfs.ext4 /dev/mapper/root

Mount file systems

Mount the root file system

mount /dev/mapper/root /mnt

Mount the boot file system

mount -m /dev/nvme0n1p1 /mnt/boot -o dmask=0077,fmask=0077

Verify mounting

lsblk

Note

It should look something like this

NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 465,8G  0 disk
├─nvme0n1p1 259:1    0   512M  0 part  /mnt/boot
└─nvme0n1p2 259:2    0 465,3G  0 part
  └─root    254:0    0 465,2G  0 crypt /mnt

Install essentials

Install the base system, kernel, init system and other essential packages.

pacstrap /mnt base base-devel linux linux-firmware efibootmgr doas neovim

Note

Install AMD or Intel microcode, depending on your system’s CPU

Microcode

AMD CPU

pacstrap /mnt amd-ucode

Intel CPU

pacstrap /mnt intel-ucode

Generate file system table

genfstab -U /mnt >> /mnt/etc/fstab

Now edit /mnt/etc/fstab and change fmask=0022,dmask=0022 to fmask=0077,dmask=0077.

Switch to new Installation

arch-chroot /mnt

Network stack

pacman -S networkmanager iwd
systemctl enable NetworkManager

1
[device]
2
wifi.backend=iwd

Localization

Set the locale

Tip

Feel free to change en_US.UTF-8 to your preferred locale such as en_GB.UTF-8.`

Uncomment en_US.UTF-8

1
#en_US.UTF-8 UTF-8
2
en_US.UTF-8 UTF-8

Generate locales

echo 'LANG=en_US.UTF-8' > /etc/locale.conf
locale-gen

Set the timezone

Example

ln -sf /usr/share/zoneinfo/Asia/Dubai /etc/localtime

ln -sf /usr/share/zoneinfo/YourRegion/YourCity /etc/localtime

Set hardware clock from system clock

hwclock --systohc

Hostname

Set your preferred hostname, I will be using MYHOSTNAME throughout this guide.

echo 'MYHOSTNAME' > /etc/hostname

1
# Static table lookup for hostnames.
2
# See hosts(5) for details.
3

4
127.0.0.1     localhost
5
::1           localhost
6
127.0.1.1     MYHOSTNAME.localdomain     MYHOSTNAME

Initramfs

In the HOOKS array, add encrypt between block and filesystems

HOOKS=(... block encrypt filesystems ...)

Generate initramfs images

mkinitcpio -P

Add a user

Set the root password.

passwd

Create a user and set his password.

useradd -m MYUSERNAME
passwd MYUSERNAME

Configure doas

Create the config file and set the appropriate permissions

touch /etc/doas.conf
chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf

Add the following

1
permit MYUSERNAME as root
2
permit nopass MYUSERNAME as root cmd pacman

Boot loader

Note

Use EFISTUB if you dont need to boot into multiple OS’s as it will boot you directly into Arch (very fast) and use systemd-boot if you need to boot into multiple OS’s.

Get the UUID of your root partition

blkid -s UUID -o value /dev/nvme0n1p2

Tip

Replace xxxx with the UUID that you just obtained.

Replace amd-ucode.img with intel-ucode.img if you have an Intel CPU.

EFISTUB

efibootmgr -c -d /dev/nvme0n1 -p 1 -l /vmlinuz-linux -L "Arch Linux" -u "cryptdevice=UUID=xxxx:root root=/dev/mapper/root rw initrd=\amd-ucode.img initrd=\initramfs-linux.img loglevel=3 quiet"

Systemd-boot

Initramfs

Replace the HOOKS array with the following one

1
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)

Regenerate initramfs images

mkinitcpio -P

Installation

bootctl install

1
title   Arch Linux
2
linux   /vmlinuz-linux
3
initrd  /amd-ucode.img
4
initrd  /initramfs-linux.img
5
options rd.luks.name=xxxx=root root=/dev/mapper/root rw loglevel=3 quiet

1
#timeout 3
2
timeout 3
3
#console-mode keep

Reboot

You can now reboot and enter into your new installation

Note

Unplug your flash drive after the screen turns black

exit
umount -R /mnt
reboot now

Post install

You will now be greeted with a similar screen as when you first booted from the flash drive. Login using the credentials that you set, if you followed the example your username would be MYUSERNAME.

Swap

doas fallocate -l 4G /swapfile
doas chmod 600 /swapfile
doas mkswap /swapfile
doas swapon /swapfile
doas cp /etc/fstab /etc/fstab.bak
echo '/swapfile none swap sw 0 0' | doas tee -a /etc/fstab

Video drivers

AMD

1
doas pacman -S mesa linux-firmware-amdgpu vulkan-radeon

Intel

1
doas pacman -S mesa linux-firmware-intel vulkan-intel

Nvidia

https://wiki.archlinux.org/title/NVIDIA

https://wiki.hypr.land/Nvidia

Sort for fastest mirrors

doas pacman -Syu reflector
doas reflector --verbose -p https -l 30 -f 5 --sort rate --save /etc/pacman.d/mirrorlist

AUR

Add Chaotic-AUR

doas pacman-key --recv-key 3056513887B78AEB --keyserver keyserver.ubuntu.com
doas pacman-key --lsign-key 3056513887B78AEB
doas pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-keyring.pkg.tar.zst'
doas pacman -U 'https://cdn-mirror.chaotic.cx/chaotic-aur/chaotic-mirrorlist.pkg.tar.zst'

[chaotic-aur]
Include = /etc/pacman.d/chaotic-mirrorlist

Install paru

doas pacman -Syu
doas pacman -S paru

Replace sudo with doas

doas pacman -Rdd sudo
doas ln -s /usr/bin/doas /usr/bin/sudo

Laptop power profiles

Install and enable the powerprofiles daemon

pacman -S power-profiles-daemon
systemctl enable power-profiles-daemon
systemctl start power-profiles-daemon start

MAC randomization

Info

MAC randomization can be used for increased privacy by not disclosing your real MAC address to the WiFi network.

[device-mac-randomization]
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random