Arch Linux Installation and Setup Guide

Published . Nil revisions.

This guide intends to be as perspicuous as possible, while seeking a balance between being brief but also informative. Given that it is predicated on my own installation process, the following system specific factors should be considered:

  • Assumes the use of an AMD CPU and Nvidia GPU, both utilising proprietary microcode and drivers, respectively. If you are using different hardware, or are averse to proprietary code, replace the AMD- and Nvidia-specific packages with alternative counterparts. Unfortunately, proprietary code for hardware is often a necessity if you are either: (a) attempting to use the latest hardware, or (b) require maximal performance, particularly in the case for Nvidia GPUs.
  • Assumes the use of a motherboard with UEFI firmware.
  • Assumes that the B-Tree File System (btrfs) with encryption is required or desired.
  • Assumes the use of an NVMe SSD as the target installation drive. Although, the steps remain very similar for other devices (e.g. SATA SSDs).
  • Assumes systemd-boot is required or desired.
  • Assumes the Wayland compositor is required or desired.
  • Assumes the minimal KDE Plasma desktop environment is required or desired (given the prior assumption that the Wayland compositor is employed). The reason for this decision is that many window managers that make use of the older and less secure X compositor are either not compatible with Wayland, or from experience (as of early 2023), contain bugs that cause complete dysfunction.

Creating the USB Installation Media

Follow one of the options listed under the In GNU/Linux or In Windows sections of the Arch Linux USB flash installation medium web-page if you are using Linux or Windows, respectively.

Installation

Booting into the Arch Installation ISO

Plug-in the USB installation media and boot the computer. Assuming no other bootable media is available (e.g. old operating systems installed on other drives), the GRUB menu should display presenting a series of options.

Select the Arch Installation medium (top option) from the GRUB menu.

Potential Issue with Nvidia GPUs

After attempting to boot into the Arch Linux ISO and starting the udev hook events, the nouveau driver will output unknown chipset error. Restart the computer, and when presented with the GRUB menu again, press e on the Arch Installation ISO (top option).

Find the line that begins with linux and append the following to the end of the line: 

nomodeset nouveau.modeset=0

After appending the above line, press Ctrl + x to boot. This will disable mode setting for the Nouveau driver that is used by default for Nvidia GPUs and allow the Arch Installation ISO to boot successfully. Alternative parameters may be required for different GPU manufacturers. More information on this solution can be found under the disabling mode setting section of the Arch Linux kernel mode setting web-page.

Verify the Boot Mode

Once the Arch Installation ISO has booted successfully, verify the boot mode by listing the efivars directory: 

ls /sys/firmware/efi/efivars

If the command shows the directory without error, then the system has booted in UEFI mode. If the directory does not exist, then the system may have booted in BIOS (or CSM) mode.

Connect to the Internet

Ensure the network interface is listed (e.g. wlan0):

ip link

Launch the internet wireless control utility:

iwctl

Note that after launching this utility, the command line will prefix [iwd] to show that the utility is active. The following commands replicate this by also prefixing [iwd] to indicate that these commands have to executed inside the iwctl utility.

If the local wireless device name is not known, list all Wi-Fi devices:

[iwd] device list

There should be wlan0 or a similar device name listed. Replace <device> in the following commands with the appropriate device name.

If the device or its corresponding adapter is turned off, turn it on:

[iwd] device <device> set-property powered on

Initiate a scan for networks (note that this command will not output anything): 

[iwd] station <device> scan

List all available networks:

[iwd] station <device> get-networks

Select a network from the listed networks and connect to it via its SSID: 

[iwd] station <device> connect <SSID>

Enter the pass-phrase for the network, then exit the internet wireless control utility: 

[iwd] exit

Verify the connection:

ping archlinux.org

If the connection was successful, the above command should start printing 64 bytes from archlinux.org ... repeatedly indicating that the wireless device was able to successfully ping the archlinux.org server. To stop pinging the server (i.e. exit the packet transmission-receive process), press Ctrl + c.

Update the System Clock

In the live environment systemd-timesyncd is enabled by default and time will be synced automatically once a connection to the internet is established. Use timedatectl to ensure the system clock is accurate: 

timedatectl status

If the timezone is not set, find your timezone:

timedatectl list-timezones

The time-zones will be listed as zone/sub-zone corresponding to country/area. Scroll through the fine or rough scroll through the options using the arrow keys or the page-up and page-down keys, respectively.

Once the time-zone has been found, set the time-zone:

timedatectl set-timezone <zone/sub-zone>

Sanitise an Old Drive

Find the available drives:

fdisk -l

Solid State SATA Drives

Find the device you intend to sanitise and then use (e.g. dev/sda). Then, follow the SATA drive section of the Arch Linux solid state drive/memory cell clearing web-page.

Some BIOSes block the ATA Secure Erase feature. If this is the case, and the steps in the web-page linked prior do not work, one may create a bootable USB with an image of ShredOS which allows one to boot via the USB and run the nwipe utility.

Solid State NVMe Drives

Find the device you intend to sanitise and then use. Note that the <device> parameter in the following commands must be an NVMe character device as the operation necessarily applies to whole devices and not to block devices. As a concrete example, /dev/nvme0 is referred to as a character device which is the NVMe controller; whereas /dev/nvme0n1 is a block device which are the NVMe storage namespaces that are used as as device for storage (essentially behaving as disks).

Cryptographically erase the drive (i.e. change any media encryption keys on the device): 

nvme sanitize <device> -a 4

Block erase the device (i.e. force erasure on all blocks including space that is generally inaccessible to the host computer like over-provisioning and retired blocks): 

nvme sanitize <device> -a 2

More information on sanitising NVMe SSDs can found under the NVMe drive section of the Arch Linux solid state drive/memory cell clearing web-page.

Preparing a Drive for Encryption

Once the drive has been sanitised. One can prepare the drive for encryption.

List the available block devices:

lsblk
For NVMe drives, a complete device will be of the form nvmeX where X is some alphanumeric combination (e.g. 1n1) corresponding to a particular NVMe drive. For partitions on a particular NVMe drive (if they already exist), the partition will be of the form nvmeXY where Y is some number (e.g. p1) corresponding to the particular partition.

Create a temporary encrypted container called "to_be_wiped" on the complete device sanitised prior (e.g. the <block-device> below would be nvme1n1 if that was the device sanitised in the prior section): 

cryptsetup open --type plain -d /dev/urandom /dev/<block-device> to_be_wiped

Verify that the temporary encrypted container was created by entering lsblk. Something similar to the following output should be displayed (note the to_be_encrypted container under the nvme1n1 device): 

NAME          MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
nvme1n1         8:0    0  1.8T  0 disk
└─to_be_wiped 252:0    0  1.8T  0 crypt

Wipe the container with zeros:

dd if=/dev/zero of=/dev/mapper/to_be_wiped bs=1M status=progress

The use of if=/dev/urandom is not required as the encryption cipher is used for randomness. bs=1M is used to increase the read/write speeds.

Wiping the container can take some time. Once complete, the following line will be printed: 

dd: writing to ‘/dev/mapper/to_be_wiped’: No space left on device

Close the temporary container:

cryptsetup close to_be_wiped

Make and Format Partitions with Encryption

Use gdisk which is GPT fdisk designed for creating GUID (UUID) Partition Tables 

gdisk /dev/<device>

One must create an EFI System Partition (ESP) that will be used by the UEFI firmware to boot the operating system.

Create new partition by pressing n for new.

Assign default partition number 1:

1

Accept the default first sector allocation by pressing Enter.

Set the last sector allocation at +550M:

+550M

Set the partition type to EFI System Partition:

EF00

The remaining space on the drive will be used for storing the operating and user files. This will be done by creating a B-Tree File System (BTRFS) System Partition that uses the remaining drive sectors.

Create another new partition by pressing n for new.

Assign the defaults for the rest of the settings by pressing Enter for each option. More specifically:

  • the default partition number should be 2;
  • the first sector should be automatically calculated based on the sectors previously allocated to the EFI system partition;
  • the last sector will be automatically calculated to use the remaining space on device; and
  • the partition type should default to the Linux file system (8300).

Write the changes to disk:

w

Confirm the changes:

y

List the partitions that have been created:

lsblk

Two partitions should be listed: one with 550MB and the other with the (approximate) remaining space on the drive.

Set the file system to be used on the EFI System Partition to the FAT32 filesystem: 

mkfs.fat -F 32 /dev/<efi_system_partition>

In my case, the <efi_system_partition> was nvme1n1p1.

Making the dm-crypt default settings stronger and then encrypt the device: 

cryptsetup --type luks2 --cipher aes-xts-plain64 --hash sha512 --iter-time 5000 --key-size 512 --pbkdf argon2id --use-random --verify-passphrase luksFormat <device>

More information on the dm-crypt tool can be found on the Encryption options for LUKS mode section on the Arch Linux Device encryption web-page.

Enter a pass-phrase and then verify the pass-phrase.

Open the encrypted partition and give a name to the mapper partition that is going to be created. In my case, the <encrypted_partition> was nvme1n1p2 and the mapper partition was named root. 

cryptsetup luksOpen /dev/<encrypted_partition> root

Format the mapper partition as B-Tree File System:

mkfs.btrfs /dev/mapper/root

Mount the mapper partition to /mnt:

mount /dev/mapper/root /mnt

Move into the /mnt directory:

cd /mnt

Create root subvolume (the use of the @ symbol is convention, it was chosen arbitrarily as a means to distinguish what appear to be directories from subvolumes: 

btrfs subvolume create @

Create home sub-volume:

btrfs subvolume create @home

Change back to the main directory:

cd

Unmount the mount partition:

umount /mnt

Mount the root sub-volume (@):

mount -o noatime,discard=async,compress=zstd,space_cache=v2,ssd,subvol=@ /dev/mapper/root /mnt

Some details on the options selected in the prior command:

  • Compression: zstd provides the best performance-compression ratio compared to zlib and lzo. Further detail on compression can be found on the BTRFS Compression web-page.
  • Space cache: as of late 2022, space_cache should be set to v2 by default per the GitHub issue tracker. The BTRFS documentation as of early 2023 had not yet been updated to reflect this change.
  • SSD: if using an SSD, it should automatically be detected. However, manually setting this if you know you're using an SSD should not cause any issues.

More information on the btrfs options can be found on the BTRFS Adminstration web-page.

Before mounting the home sub-volume and boot partition, create their directories: 

mkdir /mnt/{boot,home}

The curly braces allow you to create subdirectories for each element listed inside the braces. The boot subdirectory is going to be used to mount the EFI System Partition, and the home subdirectory is going to be used to mount the home subvolume.

Mount the home subvolume (@home) in the home subdirectory:

mount -o noatime,discard=async,compress=zstd,space_cache=v2,ssd,subvol=@home /dev/mapper/root /mnt/home

Mount the EFI System Partition in the boot subdirectory:

mount /dev/efi_system_partition /mnt/boot

More information on partitioning disks and the gdisk tool can be found on the Arch Linux Partitioning and GPT fdisk web-pages, respectively.

Selecting Mirror Servers

On Arch Linux, a mirror list is defined in /etc/pacman.d/mirrorlist which specifies the mirror servers from which packages are downloaded. The higher a mirror on this list, the more priority it is given when downloading a package.

After initially connecting to the internet, the Reflector script found on the Arch Linux installation media updates its own mirror list by choosing the 20 most recently synchronized HTTPS mirrors and sorting them by download rate. When pacstrap is eventually run to install the Arch Linux operating system, this mirror list is copied over. Hence, one should inspect the file to check if it is satisfactory. If it is not, one can either manually edit the file or use the Reflector script to generate a new list based on some desired criteria. This process is detailed below.

Backup the old mirror list:

cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.old

Check the list of countries on the Arch Linux Pacman Mirrorlist Generator web-page and select three countries close to you (one of which is the one you are located in). Enter the following command to select the top 200 latest HTTPS mirrors available in those countries and sort them by download rate: 

reflector --latest 200 --protocol https --sort rate --country 'New Zealand',Australia,Singapore --save /etc/pacman.d/mirrorlist

Install Essential Packages

To create the Arch Linux operating system, one uses the Pacstrap utility which will "bootstrap" the new installation with listed packages.

Install the essential packages in the /mnt directory:

pacstrap -K /mnt base linux linux-firmware base-devel efibootmgr amd-ucode nvidia nvidia-settings dosfstools btrfs-progs exfatprogs networkmanager firewalld bluez neovim man-db man-pages texinfo

The -K flag initialises a new pacman keyring, instead of using the hosts keyring. Those who are using unofficial mirrors within their chroot and want to import their keys from the host can omit this flag.

Packages installed at this point should be those that are critical for a system to boot:

  • base: a meta-package that contains a list of dependencies (other packages) that are the bare minimum for Arch Linux to function.
  • linux, linux-firmware: the Linux kernel and firmware.
  • base-devel: tools for building Arch Linux packages.
  • efibootmgr: a tool for managing the boot loader.
  • amd-ucode or intel-ucode: the microcode for your processor.
  • nvidia, nvidia-settings or amdgpu: the drivers for your graphics card. Note that nvidia and nvidia-settings both depend on nvidia-utilities so there is no need to list it explicitly.
  • btrfs-progs: user-space utilities for the management of BTRFS file systems. For EXT4 file systems, use e2fsprogs; for NTFS file systems, use ntfs-3g; for FAT file systems, use dosfstools; for exFAT file systems, use exfatprogs. If none of these file systems are being used, find the appropriate user-space utility under the Types of file systems section of the Arch Linux file systems web-page.
  • networkmanager, firewalld, bluez: software necessary for networking, firewall configuration and Bluetooth.
  • neovim: a text editor. Other traditional options like vim or nano.
  • man-db, man-pages and texinfo: packages for accessing documentation in manual and information pages.

Once packages have been installed, generate the file system table:

genfstab -U /mnt >> /mnt/etc/fstab

Move into the new installation:

arch-chroot /mnt

Configuring and Remaking the Initial RAM Disk

Edit the mkinitcpio BASH script's configuration file: 

nvim /etc/mkinitcpio.conf

Under MODULES, add "btrfs" inside the parentheses. If you are using a Nvidia graphics card with the nvidia or nvivia-open drivers, also add "nvidia nvidia_modeset nvidia_uvm nvidia_drm" after "btrfs". The resultant line should look like this: 

MODULES=(btrfs nvidia nvidia_modeset nvidia_uvm nvidia_drm)

Scroll down to the HOOKS and insert "encrypt" prior to "filesystems". The resultant line should look like this: 

HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt filesystems fsck)

As the hooks where changed, one has to recreate the initramfs based on the kernel installed (e.g. linux or another kernel if another type of kernel was selected): 

mkinitcpio -p linux

If the nvidia modules were added to the initramfs, then every time there is a Nvidia driver update, mkinitcpio has to be re-run. This can be automated by setting up a pacman hook. Create the nvidia.hook: 

nvim /etc/pacman.d/hooks/nvidia.hook

Add the following to the nvidia.hook file:

[Trigger]
Operation=Install
Operation=Upgrade
Operation=Remove
Type=Package
Target=nvidia
Target=linux
# Change the linux part above and in the Exec line if a different kernel is used

[Action]
Description=Update NVIDIA module in initcpio
Depends=mkinitcpio
When=PostTransaction
NeedsTargets
Exec=/bin/sh -c 'while read -r trg; do case $trg in linux) exit 0; esac; done; /usr/bin/mkinitcpio -P'

Make sure the Target package set in this hook is the same one installed in steps prior (e.g. nvidia, nvidia-dkms, nvidia-lts or nvidia-ck-something). For example, if you are using a custom GPU kernel, then nvidia-dkms would be required instead of nvidia.

Note: the complication in the Exec line above is used to avoid running mkinitcpio multiple times if both the Nvidia driver and Linux kernel get updated. If this does not bother you, the lines containing "Target=linux" and "NeedsTargets" may be dropped, and the Exec line may be reduced to: 

Exec=/usr/bin/mkinitcpio -P

Basic Setup

Set the time zone:

ln -sf /usr/share/zoneinfo/<Region>/<City> /etc/localtime

Synchronise the software and hardware clock. Run the following command to generate /etc/adjtime: 

hwclock --systohc

Edit the locale file:

nvim /etc/locale.gen

Uncomment the required locale (e.g. en_AU.UTF-8 UTF-8). Additional locales may be uncommented if needed.

Generate the locales:

locale-gen

Create the locale.conf file, and set the LANG variable accordingly:

echo "LANG=en_AU.UTF-8" >> /etc/locale.conf

Create the hostname file:

echo "Workstation" >> /etc/hostname

To make the machine accessible on your LAN via its hostname you can edit the /etc/hosts file for every device in your LAN: 

echo "127.0.0.1 localhost" >> /etc/hosts
echo "::1       localhost" >> /etc/hosts
echo "127.0.1.1 workstation.localdomain workstation" >> /etc/hosts

Enable the Network Manager:

systemctl enable NetworkManager

Enable the Firewall:

systemctl enable firewalld

Enable bluetooth:

systemctl enable bluetooth

Configuring Users, Passwords and Privileges

Set the root password:

passwd

Add a user:

useradd -m <USERNAME>

Set user's password:

echo <USERNAME>:<PASSWORD> | chpasswd

Note that passwd changes the password for an existing user, whereas chpasswd reads a file of login name and password pairs (name:password), and updates the passwords.

To allow the user to gain full root privileges when they precede a command with sudo, edit the sudoers file: 

visudo

Note that the default editor for visudo is vi. To use another editor, precede the visudo command with the desired editor (EDITOR=<EDITOR>), for example, to use the Neovim editor: 

EDITOR=nvim visudo

Add the following line to sudoers file under the "User privilege specification": 

<USERNAME> ALL=(ALL:ALL) ALL

The configuration file for sudo (i.e. /etc/sudoers) should always be edited with the visudo command as done above. visudo locks the sudoers file, saves edits to a temporary file, and checks it for syntax errors before copying it to /etc/sudoers.

Setting Up the Bootloader

Create the bootloader by using bootctlto install systemd-boot to the EFI System Partition: 

bootctl --path=/boot install

Edit the boot loader configuration file:

nvim /boot/loader/loader.conf

Uncomment the time-out line (increase or decrease the time-out to your liking), and then insert "default arch.conf" on a new line below the line containing "timeout _".

Now one has to create a boot entry, specifically, the arch.conf file that is referenced by the "default arch.conf" line added to the loader.conf file in the previous step: 

nvim /boot/loader/entries/arch.conf

Add the following lines to the arch.conf file, then save and quit: 

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
cryptdevice-UUID=

The entries in the lines above are explained below:

  • title Arch Linux: the title for the boot entry (i.e. the name that appears in the boot menu).
  • linux /vmlinuz-linux: define which kernel you want to boot.
  • initrd /initramfs-linux.img: define the initrd.
  • cryptdevice-UUID=: the UUID of the partition to be decrypted and the mapper partition (this is temporarily left blank and will be completed next).

Find the UUID of the partition to be decrypted and then append this to the arch.conf file: 

blkid /dev/<device> >> /boot/loader/entries/arch.conf

Find the UUID of the mapper partition and append this to the arch.conf file: 

blkid /dev/mapper/root >> /boot/loader/entries/arch.conf

Reopen the arch.conf file:

nvim /boot/loader/entries/arch.conf

Edit the information that was appended to the arch.conf file to look like the following 

title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
cryptdevice-UUID=<encrypted-partition-uuid>:root root=UUID=<mapper-partition-uuid> rootflags=subvol=@ rw

This option tells the boot loader that:

  1. the UUID of the encrypted partition is the root partition, and that this partition is equal to the root mapper partition UUID;
  2. within the root mapper partition, the "@" sub-volume is the root; and
  3. both read and write should be enabled.
More information on Kernel parameters: https://wiki.archlinux.org/title/Kernel_parameters cryptdevice Specify the location of a dm-crypt-encrypted partition plus a device mapper name. root Root filesystem. See init/do_mounts.c for kernel's supported device name formats. Note that an initramfs with udev supports more name formats. rootflags Root filesystem mount options. Useful for setting options that cannot be applied by remounting (i.e. by systemd-remount-fs.service). For example, the discard option of an XFS root volume or subvol= option of Btrfs when using a subvolume as root. rw Mount root device read-write on boot.

Create fall-back option for the boot loader configuration:

cp /boot/loader/entries/arch.conf /boot/loader/entries/arch-fallback.conf

Edit the fall-back boot loader configuration to include "-fallback" after the "/initramfs-linux" initrd option. In other words, the line:

initrd /initramfs-linux.img becomes initrd /initramfs-linux-fallback.img 
vim /boot/loader/entries/arch-fallback.conf

Go back to the arch.iso (i.e. Arch USB installation ISO):

exit

Unmount the partitions:

umount -R /mnt

Reboot the computer:

reboot

Log-in and then enter the command startplasma-wayland. Once booted you can then launch a terminal and begin to install other desired applications and configuration your settings.

Recommended applications can be installed with the following command: 
sudo pacman -S alacritty firefox keepassxc lf zathura zathura-pdf-mupdf okular pdftk gimp inskcape darktable shotcut audacity libreoffice-fresh vlc libdvdread libdvdcss libdvdnav k3b obs-studio android-file-transfer gnucash texlive-basic texlive-bibtexextra texlive-bin texlive-binextra texlive-fontsextra texlive-fontsrecommended texlive-fontutils texlive-formatsexta texlive-latex texlive-latexextra texlive-latexrecommended texlive-mathscience texlive-pictures texlive-plaingeneric freecad prusaslicer