Arch Linux UEFI+Encrypted+i3 Minimal Installation

So I finally got around to installing Arch Linux on my Node 202 SFF PC build. There’s still no GPU yet since prices are still pretty high as of writing this, but I figured I might as well install Arch on it while I wait for GPU prices to drop. This post will be documenting how to install Arch Linux on a UEFI system with an encrypted disk and i3/i3-gaps. This will also be using systemd-boot instead of GRUB. I’ll make future posts about my ricing setup soon.

Assumptions

The following assumptions will be made:

  1. Secure boot has been disabled.
  2. The system is using UEFI.
  3. The system is Wi-Fi capable.

Deliverables

By the end of this, the following deliverables will be met:

  1. A minimal Arch Linux installation.
  2. Separate boot, swap, root, and home partitions.
  3. Encrypted swap/root/home partitions.
  4. A systemd-boot boot manager.
  5. An i3/i3-gaps tiling window manager.

Installation Procedure

  1. Load the Arch Linux installation image onto a USB stick or other installation medium and boot to it from the target device.

  2. Once you’re booted into the Arch Linux installation medium, make sure that you’re booted in UEFI. The following command should run with no errors. If there are errors, then you’re not booted in UEFI.

$ ls /sys/firmware/efi/efivars/

  3. Connect to the internet.

$ iwctl
[iwd]# device list
[iwd]# station <DEVICE> scan
[iwd]# station <DEVICE> get-networks
[iwd]# station <DEVICE> connect <SSID>
[iwd]# quit

  4. Enable NTP.

$ timedatectl set-ntp true

  5. Find out the name of your drive and start partitioning. This is usually going to be something like sda, sdb, or nvme0n1, in which case the <DEVICE>s would be /dev/sda, /dev/sdb, or /dev/nvme0n1, respectively.

$ lsblk
$ gdisk <DEVICE>

From here, you can enter n to create a new partition. If you’re overwriting whatever data is pre-existing on the drive, then you’ll also want to enter o before you enter n.

We need two partitions at this point: the boot partition, and the LVM partition.

Partition  Item               Value
Boot       Partition number   Default
Boot       First sector       Default
Boot       Last sector        +512M
Boot       Hex code or GUID   ef00
LVM        Partition number   Default
LVM        First sector       Default
LVM        Last sector        Default
LVM        Hex code or GUID   8e00

You can then enter p to print out the partitions being made and verify that they are correct, and then enter w to write the partitions.

  6. Find out the name of the newly made partitions and format the boot partition.

$ lsblk
$ mkfs.fat -F 32 <BOOT_PARTITION>

  7. Create and format the encrypted LVM swap, root, and home partitions.

$ modprobe dm-crypt
$ cryptsetup luksFormat <LVM_PARTITION>
$ cryptsetup open --type luks <LVM_PARTITION> lvm
$ pvcreate /dev/mapper/lvm
$ vgcreate vg0 /dev/mapper/lvm
$ lvcreate -L 4G vg0 -n swap
$ lvcreate -L 64G vg0 -n root
$ lvcreate -l 100%FREE vg0 -n home
$ mkswap /dev/vg0/swap
$ mkfs.ext4 /dev/vg0/root
$ mkfs.ext4 /dev/vg0/home

  8. Mount everything.

$ mount /dev/vg0/root /mnt
$ mkdir /mnt/boot /mnt/home
$ mount <BOOT_PARTITION> /mnt/boot
$ mount /dev/vg0/home /mnt/home

  9. Enable the swap.

$ swapon /dev/vg0/swap

  10. Install essential packages.

$ pacstrap /mnt base base-devel linux linux-firmware lvm2 vim

  11. Generate the filesystems table.

$ genfstab -U /mnt >> /mnt/etc/fstab

  12. Change root into the install.

$ arch-chroot /mnt

  13. Install a network manager.

$ pacman -Sy networkmanager

  14. Set the timezone.

$ ln -sf /usr/share/zoneinfo/<REGION> /etc/localtime

<REGION> can be found by hitting tab a few times and going through the suggested responses. For example, mine would be /usr/share/zoneinfo/US/Pacific since I’m in California.

  15. Set the hardware clock from the system clock and update /etc/adjtime.

$ hwclock --systohc

  16. Generate the locale.

$ vim /etc/locale.gen

You’ll want to uncomment whatever your locale is and then save the file. For example, I would uncomment en_US.UTF-8 UTF-8. If you’re from the United States like me, then you would probably uncomment the same thing as well.

$ locale-gen
$ vim /etc/locale.conf

Add LANG=<LOCALE> to /etc/locale.conf and save the file, where <LOCALE> is the first part of what you uncommented earlier. For example, I would write LANG=en_US.UTF-8.

  17. Define the hostname.

$ echo <HOSTNAME> > /etc/hostname
$ vim /etc/hosts

Your /etc/hosts file should look something like the following:

# Static table lookup for hostnames.
# See hosts(5) for details.

127.0.0.1  <HOSTNAME>.<DOMAIN>  <HOSTNAME>
::1        <HOSTNAME>.<DOMAIN>  <HOSTNAME>

For example, mine would look like:

# Static table lookup for hostnames.
# See hosts(5) for details.

127.0.0.1  anubis.net  anubis
::1        anubis.net  anubis

  18. Configure the hooks.

$ vim /etc/mkinitcpio.conf

You’ll want to find the HOOKS variable and set it to the following values. It is very important that it is in this order, or else you won’t be able to decrypt your drive!

HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"

Remember to save your file, and then run:

$ mkinitcpio -p linux

  19. Set the root password.

$ passwd

  20. Configure the bootloader.

$ bootctl --path=/boot install
$ vim /boot/loader/loader.conf

Your /boot/loader/loader.conf should look something like the following:

default arch
timeout 3
editor 0

Then you need to create the bootloader entry.

$ vim /boot/loader/entries/arch.conf

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID>:lvm root=/dev/mapper/vg0-root quiet rw

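<UUID> is the UUID of the LUKS partition itself (<LVM_PARTITION>), not of the unlocked /dev/mapper/lvm device or of any logical volume inside it. It can be retrieved by running :r !blkid <LVM_PARTITION> from within vim, which inserts the blkid output into the file so that you can copy the UUID value into the options line.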

  21. Wrap up and power down.
$ exit
$ umount -R /mnt
$ poweroff
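
Two slips in the steps above leave the disk impossible to unlock at boot: a HOOKS line where encrypt does not come before lvm2, and a cryptdevice=UUID= value that is not the LUKS partition's UUID. The script below is an added example, not part of the original post, that checks both; the function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# data at the bottom are constructed for illustration.

hook_pos() {  # print the 1-based position of hook $1 in list $2, or fail
    i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ]; then echo "$i"; return 0; fi
    done
    return 1
}

check_hooks() {  # $1 = contents of /etc/mkinitcpio.conf
    # Last uncommented HOOKS= line, with the quotes or parentheses stripped.
    list=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=[("]\(.*\)[)"].*$/\1/p' | tail -n 1)
    [ -n "$list" ] || { echo "no HOOKS line"; return 1; }
    for want in block keyboard filesystems; do
        hook_pos "$want" "$list" >/dev/null || { echo "missing hook: $want"; return 1; }
    done
    # udev creates the device nodes, encrypt unlocks the LUKS container, and
    # only then can lvm2 find the volume group inside it.
    prev=0
    for want in udev encrypt lvm2; do
        pos=$(hook_pos "$want" "$list") || { echo "missing hook: $want"; return 1; }
        [ "$pos" -gt "$prev" ] || { echo "hook out of order: $want"; return 1; }
        prev=$pos
    done
    echo ok
}

check_entry() {  # $1 = contents of arch.conf, $2 = output of blkid
    uuid=$(printf '%s\n' "$1" | sed -n 's/^options .*cryptdevice=UUID=\([^: ]*\):.*/\1/p')
    [ -n "$uuid" ] || { echo "no cryptdevice=UUID= option"; return 1; }
    line=$(printf '%s\n' "$2" | grep -F " UUID=\"$uuid\"") || { echo "UUID not on any device: $uuid"; return 1; }
    case $line in
        *'TYPE="crypto_LUKS"'*) echo ok ;;
        *) echo "not a LUKS container: ${line%%:*}"; return 1 ;;
    esac
}

# Constructed sample data so the script runs anywhere.
SAMPLE_CONF='HOOKS="base udev autodetect modconf block keyboard encrypt lvm2 filesystems fsck"'
SAMPLE_BLKID='/dev/sda2: UUID="11111111-2222-3333-4444-555555555555" TYPE="crypto_LUKS"
/dev/mapper/vg0-root: UUID="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" TYPE="ext4"'
SAMPLE_ENTRY='options cryptdevice=UUID=11111111-2222-3333-4444-555555555555:lvm root=/dev/mapper/vg0-root quiet rw'
check_hooks "$SAMPLE_CONF"
check_entry "$SAMPLE_ENTRY" "$SAMPLE_BLKID"
```

On the real system, run the checks inside the chroot before the final exit and unmount, passing "$(cat /etc/mkinitcpio.conf)" to check_hooks and "$(cat /boot/loader/entries/arch.conf)" plus "$(blkid)" to check_entry.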

Post-Installation Procedure

Now it’s time to set up some basic stuff like networking, a user account, extra display drivers, and i3/i3-gaps.

  1. Remove the installation medium from the computer.
  2. Power on the computer, boot into Arch Linux, and enter the decryption password.
  3. Log into the root account and enter the root password.
  4. Create a user account.
$ useradd -m -G wheel <USERNAME>
$ passwd <USERNAME>

  5. Give the user sudo permissions.

$ EDITOR=vim visudo

Uncomment the following line in the /etc/sudoers file (visudo validates the syntax before saving, so a typo cannot break sudo):

%wheel ALL=(ALL) ALL

  6. Log out of the root account and log in as the new user using the configured password.
$ exit

  7. Enable networking and connect to a network.

$ systemctl enable NetworkManager
$ systemctl start NetworkManager
$ nmtui

  8. Install i3/i3-gaps, fonts, and X.

$ sudo pacman -Sy i3-gaps ttf-dejavu xorg xorg-xinit xterm

  9. Install extra display drivers based on your system. You should be picking only one of these three:

$ sudo pacman -Sy xf86-video-intel mesa
$ sudo pacman -Sy xf86-video-amdgpu mesa
$ sudo pacman -Sy nvidia nvidia-utils

  10. Configure the xinitrc to automatically start i3. If you installed i3-gaps instead of i3, this is still the same.

$ echo "exec i3" > ~/.xinitrc

  11. Configure the Bash profile to automatically start X.

$ vim ~/.bash_profile

#
# ~/.bash_profile
#

[[ -f ~/.bashrc ]] && . ~/.bashrc

if systemctl -q is-active graphical.target && [[ ! $DISPLAY && $XDG_VTNR -eq 1 ]]; then
	exec startx 1>/dev/null 2>&1
fi

  12. Reboot.

You should now have an Arch Linux installation with an encrypted disk, i3/i3-gaps, systemd-boot, and separate boot, swap, root, and home partitions! I’ll be making another post in the future about ricing up this installation.

Happy hacking!