Arch Linux install with BTRFS and encrypted root
February 11, 2022
Archived
This post will no longer be updated as of 02-11-2022 but will remain available for historical purposes.
Overview
This post will cover the initial installation of Arch including using BTRFS and encryption. I chose BTRFS because I enjoy using snapshots. Snapshots are especially helpful when updating your system and can be automated to happen when executing Pacman (we’ll cover that in a separate post). As for encryption, many systems do that easily now with BitLocker (Windows) and FileVault (OS X). It is actually quite easy to setup in Linux as well. All of the information in this post can be pulled out of the Arch Linux Wiki. My intent with this post is to put all of that information together in an easy to follow article with links to the wiki. This will also serve as a guide for me when I setup a new machine. Let’s get started.
Boot media and install
Right at the start, here is a link to the install guide on the wiki. Anything that isn’t explained in this post is probably explained in the installation guide or at least somewhere in the wiki. This post is written for a UEFI install, so be sure you’ve booted the installation media in UEFI mode. If you run ls /sys/firmware/efi/efivars
and do not get an error, you’ve booted in UEFI mode. Next, we need to connect to the internet. If you have a network cable plugged in, you’re all set. If you want to use Wi-Fi, there are instructions for getting that setup in the installation guide. Next up is updating the system clock with timedatectl set-ntp true
. Now we’re ready to format the drive
We’ll be creating three partitions: boot, root, and swap. Use fdisk -l
to see the available drives, then use fdisk /dev/sdx
(replace x with drive letter in all code examples) to start working with the drive you want to use. I won’t detail each fdisk command since the menu that fdisk provides is straightforward. Here is how we want to prepare the drive:
- Format the disk with a new GPT partition table.
- Create a 1GB boot partition (sdx1). I know this is overkill.
- Create a root partition (sdx2) sized to leave some space for the swap partition. I have 32GB of ram in my system, so I’m going to leave about 40GB for my swap partition.
- Create a swap partition (sdx3) with the remaining space.
- Set partition type for sdx1 to EFI system.
- Set partition type for sdx3 to Linux swap.
- Write changes and exit fdisk.
Now that our disk partitions are in place, we can start formatting. We need to format the boot partition as FAT32, format the swap space, and create the encrypted container for our root partition. We can then format it as BTRFS and add some subvolumes. We’ll then mount several of the subvolumes along with the boot and swap partitions.
# format boot
mkfs.fat -F32 /dev/sdx1
# create swap
mkswap /dev/sdx3
# create encrypted root and format as BTRFS
cryptsetup -y -v luksFormat /dev/sdx2
cryptsetup open /dev/sdx2 cryptroot
mkfs.btrfs /dev/mapper/cryptroot
# mount the encrypted root and create BTRFS subvolumes
mount /dev/mapper/cryptroot /mnt
btrfs subvolume create /mnt/@ # root
btrfs subvolume create /mnt/@home # home
btrfs subvolume create /mnt/@vms # virtual machines
btrfs subvolume create /mnt/@paccache # pacman cache at /var/cache/pacman
btrfs subvolume create /mnt/@workspace # used to store anything I don't want included in scheduled btrbk snapshots
btrfs subvolume create /mnt/@snapshots # will be used later for btrbk snapshots
# verify subvolumes were created and unmount cryptroot
btrfs subvolume list /mnt
umount /dev/mapper/cryptroot
# mount root subvolume and verify it was mounted
mount -o subvol=@ /dev/mapper/cryptroot /mnt
btrfs subvolume show /mnt
# mount home subvolume
mkdir /mnt/home
mount -o subvol=@home /dev/mapper/cryptroot /mnt/home
# mount paccache subvolume
mkdir /mnt/var/cache/pacman
mount -o subvol=@paccache /dev/mapper/cryptroot /mnt/var/cache/pacman
# mount boot partition
mkdir /mnt/boot
mount /dev/sdx1 /mnt/boot
# mount swap partition
swapon /dev/sdx3
The Arch Linux base package is very minimal so you’ll need to include things such as file system tools and text editors. If you need to use Wi-Fi, be sure to install all of the necessary programs now so you can connect again once you reboot after initial install and configuration. After installation of the base system, pickup in the installation guide at the “Configure the system” section, and follow it through to generating the initramfs image. Since we have an encrypted root container, we’ll need to add some hooks before generating initramfs. Lastly, we’ll set the root password, install the microcode, install/configure GRUB as the boot loader, and reboot.
# install the base system
pacstrap /mnt base linux linux-firmware btrfs-progs exfatprogs dosfstools vim vi dhcpcd cryptsetup
# generate the fstab
genfstab -U /mnt >> /mnt/etc/fstab
# edit the fstab to add the autodefrag option to the BTRFS subvolumes
vim /mnt/etc/fstab
# work through the install guide from Chroot until arriving at the point of generating the initramfs image
vim /etc/mkinitcpio.conf
# the hooks line should be: HOOKS=(base udev autodetect keyboard keymap consolefont modconf block encrypt filesystems fsck)
# save the file and generate initramfs
mkinitcpio -P
# set the root password
passwd
# install AMD microcode. for Intel use intel-ucode
pacman -S amd-ucode
# install GRUB
pacman -S grub efibootmgr
grub-install --target=x86_64-efi --efi-directory=boot --bootloader-id=GRUB
# get device UUID
blkid
# modify GRUB config
vim /etc/default/grub
# add "cryptdevice=UUID=device-UUID:cryptroot root=/dev/mapper/cryptroot" to the end of existing parameters in GRUB_CMDLINE_LINUX_DEFAULT
# replace device-UUID with /dev/sdx2 UUID
# generate GRUB config and finish up
grub-mkconfig -o /boot/grub/grub.cfg
exit
umount -R /mnt
reboot
Post install setup and desktop environment
Now that the main system is installed, we’ll work through some of the general recommendations in the wiki such as adding users and setting up a desktop environment.
# indetify the wired network
ip link
# enable it and establish an IP address
ip link set xxxx up
dhcpcd xxxx
# install sudo and uncomment the line to allow users of group wheel to execute commands as root
pacman -S sudo
visudo
# add a new user and set the password
useradd -m -G wheel username
passwd username
# install display server and AMD drivers
pacman -S xorg-server
pacman -S xf86-video-amdgpu mesa
# install Gnome and enable the display manager
pacman -S gnome gnome-extra
systemctl enable gdm.service
# install and enable the network manager
pacman -S networkmanager
systemctl enable NetworkManager.service
At this point, you could reboot and start using your fresh Arch Linux install with BTRFS, encrypted root, and Gnome desktop environment. The following short section will describe a few additional steps you may want to take.
Optional steps
If you installed your system on a SSD, you may want to enable periodic (not continuous) TRIM. There are some security implications when enabling TRIM on encrypted volumes, but I chose to go ahead with enabling TRIM.
# edit GRUB
vim /etc/default/grub
# add allow-discards after cryptroot "...:cryptroot:allow-discards"
# regenrate GRUB config
grub-mkconfig -o /boot/grub/grub.cfg
# enable periodic TRIM
systemctl enable fstrim.timer
With an encrypted root volume, you may want to consider backing up the LUKS header. The Arch Wiki has some detailed information on this topic and describes how to perform the backup if you chose to do so. Personally, I will be backing up my LUKS header and storing with the rest of my backup data.
Conclusion
Hopefully this was helpful. I know none of this information is unique, and that it is all provided in the excellent Arch Wiki. I just wanted to put it all together in one location with links to many of the wiki articles.