Installation of an encrypted Arch Linux (2025)

# connect the live environment to Wi-Fi; the 'station' lines are typed at
# the iwctl prompt, not the shell, and SSID is a placeholder for the network name
iwctl
station wlan0 scan
station wlan0 get-networks
station wlan0 connect SSID
exit
# set a root password for the live environment, presumably so the ssh
# session enabled next can authenticate as root — the rest of the install
# is then done from another machine
passwd
systemctl start sshd.service
# show the address to reach the live system on
ip addr

Variables

Set some variables

# target disk; everything below wipes it, so confirm the device with lsblk first
DRIVE=/dev/nvme0n1
# shared mount options; x-mount.mkdir creates missing mount points
# NOTE(review): 'discard' on a dm-crypt mapping only reaches the SSD if the
# container is opened with --allow-discards, which the cryptsetup open step
# below does not pass; enabling it trades TRIM for exposing the free-space
# layout of the encrypted volume
o=defaults,discard,x-mount.mkdir
# btrfs-specific additions on top of the common options
o_btrfs=$o,compress=zstd,ssd,noatime

Partition Disk

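# refuse to continue with an empty or unset DRIVE: an unquoted empty
# expansion would otherwise hand sgdisk -Z no device at all
: "${DRIVE:?DRIVE must point at the target disk}"
# wipe the partition tables, then create the ESP (ef00) and a root
# partition typed 8304 (Linux x86-64 root) so it can be found by GPT
# auto-discovery without a root= kernel argument
sgdisk -Z "$DRIVE"
sgdisk -n1:0:+512M  -t1:ef00 -c1:EFI \
       -n2          -t2:8304 -c2:LINUXROOT "$DRIVE"
# make the kernel re-read the new table so /dev/disk/by-partlabel appears
partprobe -s "$DRIVE"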

Encrypt Disk

# LUKS-format the root partition: aes-xts-plain64 with a 512-bit key
# (two 256-bit halves), sha512 as hash, and -i 5000 asks for about 5 s of
# key derivation per unlock, which slows down offline passphrase guessing
cryptsetup luksFormat --use-random -s 512 -i 5000 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/LINUXROOT
# map the container as /dev/mapper/linuxroot; without --allow-discards the
# 'discard' mount option used later will not be passed through to the SSD
cryptsetup open /dev/disk/by-partlabel/LINUXROOT linuxroot

Format disk

# the ESP stays unencrypted (FAT32) so firmware can read the boot loader and UKIs
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
# root filesystem goes inside the LUKS mapping; -f overwrites any old signature
mkfs.btrfs -f -L linuxroot /dev/mapper/linuxroot

Create btrfs Subvolume

# mount the top-level volume once to lay out the subvolumes
mount -t btrfs LABEL=linuxroot /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@root
btrfs subvolume create /mnt/@snapshots
btrfs subvolume create /mnt/@srv
btrfs subvolume create /mnt/@var-cache-pacman-pkg
btrfs subvolume create /mnt/@var-log
btrfs subvolume create /mnt/@var-tmp
# +C disables copy-on-write for logs and tmp; commonly done because
# frequently rewritten files fragment badly under CoW
chattr +C /mnt/@var-log
chattr +C /mnt/@var-tmp
# make @ the subvolume that is mounted when none is named explicitly
btrfs subvolume set-default /mnt/@
umount -R /mnt

Mount Partition

# mount the subvolumes under /mnt in their final layout; the root subvolume
# must come first because x-mount.mkdir creates the other mount points under it
# ($o / $o_btrfs are left unquoted; they hold no whitespace, only commas)
mount -t btrfs -o subvol=@,$o_btrfs LABEL=linuxroot /mnt
mount -t btrfs -o subvol=@home,$o_btrfs LABEL=linuxroot /mnt/home
mount -t btrfs -o subvol=@root,$o_btrfs LABEL=linuxroot /mnt/root
mount -t btrfs -o subvol=@snapshots,$o_btrfs LABEL=linuxroot /mnt/.snapshots
mount -t btrfs -o subvol=@srv,$o_btrfs LABEL=linuxroot /mnt/srv
mount -t btrfs -o subvol=@var-cache-pacman-pkg,$o_btrfs LABEL=linuxroot /mnt/var/cache/pacman/pkg
mount -t btrfs -o subvol=@var-log,$o_btrfs LABEL=linuxroot /mnt/var/log
mount -t btrfs -o subvol=@var-tmp,$o_btrfs LABEL=linuxroot /mnt/var/tmp
# the ESP is mounted at /efi, which is where the mkinitcpio preset below
# writes the UKIs and where bootctl is pointed with --esp-path
mount -t vfat -o $o LABEL=EFI /mnt/efi

Pacstrap System

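# pick recently synced, fast Canadian mirrors for pacstrap; packages are
# still signature-checked by pacman, so an http mirror is acceptable, but
# https keeps the package list private from the network path
reflector --country CA --age 24 --protocol http,https --sort rate --save /etc/pacman.d/mirrorlist
# -K initialises an empty pacman keyring in the target before installing;
# sbctl was listed twice in the original package list
pacstrap -K /mnt base base-devel linux linux-firmware intel-ucode nano cryptsetup btrfs-progs dosfstools util-linux git unzip sbctl networkmanager sudo efibootmgr wget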

Locale Settings

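# enable the en_CA.UTF-8 locale. Single quotes keep the sed script in one
# piece (the original "/^#"en_CA.UTF-8"/s/^#//" only worked because the
# shell concatenated the fragments) and the dot is escaped so it matches
# literally rather than any character
sed -i -e '/^#en_CA\.UTF-8/s/^#//' /mnt/etc/locale.gen
# interactively set keymap, timezone and hostname inside the new root
systemd-firstboot --root /mnt --prompt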
Welcome to your new installation of Arch Linux!
Please configure your system!

-- Press any key to proceed --
‣ Please enter system keymap name or number (empty to skip, "list" to list options): us
/mnt/etc/vconsole.conf written.
‣ Please enter timezone name or number (empty to skip, "list" to list options): America/Montreal
/mnt/etc/localtime written
‣ Please enter hostname for new system (empty to skip): wks-lpt01
/mnt/etc/hostname written.
# build the locales enabled in /mnt/etc/locale.gen inside the new root
arch-chroot /mnt locale-gen
Generating locales...
  en_CA.UTF-8... done
Generation complete.
# write fstab from the current /mnt mounts, identifying filesystems by UUID
genfstab -U /mnt >> /mnt/etc/fstab

User Creation

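# create the admin user in the wheel group and set its password
arch-chroot /mnt useradd -G wheel -m martin
arch-chroot /mnt passwd martin
# grant wheel sudo rights without a password prompt.
# NOTE(review): this is the passwordless variant; to keep a password prompt,
# match the '# %wheel ALL=(ALL:ALL) ALL' line instead of the NOPASSWD one
sed -i -e '/^# %wheel ALL=(ALL:ALL) NOPASSWD: ALL/s/^# //' /mnt/etc/sudoers
# sudoers was edited outside visudo, so syntax-check it before rebooting:
# a malformed file disables sudo for everyone
arch-chroot /mnt visudo -c -f /etc/sudoers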

Unified Kernel

# kernel command line embedded in the UKI. There is no root= or rd.luks.*
# entry, so the root filesystem is presumably located through systemd's GPT
# auto-discovery of the 8304 partition created above — confirm on first boot
echo "quiet rw" > /mnt/etc/kernel/cmdline
# destination of the UKIs written by the preset below (ESP mounted at /mnt/efi)
mkdir -p /mnt/efi/EFI/Linux
nano /mnt/etc/mkinitcpio.conf
# vim:set ft=sh
# btrfs must be available in early userspace to mount the root subvolume
MODULES=(btrfs)

BINARIES=()

FILES=()

# systemd-based early userspace: sd-encrypt unlocks the LUKS root before
# 'filesystems' mounts it, and sd-vconsole provides the keymap for the
# passphrase prompt (see mkinitcpio(8) for the hook descriptions)
HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
nano /mnt/etc/mkinitcpio.d/linux.preset
# mkinitcpio preset file to generate UKIs

ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-linux"

PRESETS=('default' 'fallback')

# the *_image lines stay commented so only UKIs are produced, no loose initramfs
#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-linux.img"
# paths are as seen from the installed system; /efi is the ESP mounted earlier
default_uki="/efi/EFI/Linux/arch-linux.efi"
default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-linux-fallback.img"
fallback_uki="/efi/EFI/Linux/arch-linux-fallback.efi"
# -S autodetect skips the autodetect hook, so the fallback UKI carries all
# modules (hence its much larger size in the listing below)
fallback_options="-S autodetect"
# build every preset, producing the two UKIs under /efi/EFI/Linux
arch-chroot /mnt mkinitcpio -P
# verify both .efi files landed on the ESP
ls -lR /mnt/efi
/mnt/efi:
total 4
drwxr-xr-x 3 root root 4096 Mar 17 21:11 EFI

/mnt/efi/EFI:
total 4
drwxr-xr-x 2 root root 4096 Mar 17 21:12 Linux

/mnt/efi/EFI/Linux:
total 171832
-rwxr-xr-x 1 root root  36822528 Mar  6 14:46 arch-linux.efi
-rwxr-xr-x 1 root root 139132416 Mar  6 14:46 arch-linux-fallback.efi

Services and Boot Loader

# resolved for DNS, timesyncd for NTP, NetworkManager for networking;
# networkd is masked so it cannot be started next to NetworkManager
systemctl --root /mnt enable systemd-resolved systemd-timesyncd NetworkManager
systemctl --root /mnt mask systemd-networkd
# install systemd-boot into the ESP; it lists the UKIs found under EFI/Linux
# (Boot Loader Specification type #2 entries) without a config file
arch-chroot /mnt bootctl install --esp-path=/efi
sync
systemctl reboot

Gnome

# desktop: PipeWire audio stack plus GNOME (run from the installed system after reboot)
sudo pacman -Syu pipewire pipewire-jack pipewire-alsa pipewire-pulse wireplumber noto-fonts-emoji gnome

Secure Boot and TPM2

# generate the owner's Secure Boot keys (PK/KEK/db) for sbctl
sudo sbctl create-keys
# enroll them in the firmware; -m keeps Microsoft's certificates so
# signed option ROMs and other vendor-signed components still load
sudo sbctl enroll-keys -m
# write a signed copy next to the systemd-boot binary so later
# 'bootctl update' runs install the signed file (verify bootctl honours
# the .signed name on your systemd version)
sudo sbctl sign -s -o /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi
# -s records each file in sbctl's database so it is re-signed after updates
sudo sbctl sign -s /efi/EFI/BOOT/BOOTX64.EFI
sudo sbctl sign -s /efi/EFI/Linux/arch-linux.efi
sudo sbctl sign -s /efi/EFI/Linux/arch-linux-fallback.efi
# reboot with Secure Boot enabled first so the PCR 7 value sealed below is the final one
systemctl reboot
# add a TPM2 key slot bound to PCR 0 (firmware code) and 7 (Secure Boot
# policy); the existing passphrase slot remains as fallback, e.g. after a
# firmware update changes PCR 0.
# NOTE(review): with only 0+7 the disk unlocks with no user secret whenever
# firmware and Secure Boot state are unchanged; consider --tpm2-with-pin=yes
# so possession of the device alone is not enough
sudo systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+7 /dev/gpt-auto-root-luks
systemctl reboot

Connect Arch Linux to FreeIPA

Objectives

The goal of this guide is to connect an Arch Linux computer to a FreeIPA server.

This guide is based on the following documentation:

  • https://wiki.archlinux.org/index.php/FreeIPA

  • https://wiki.archlinux.org/index.php/LDAP_authentication

  • https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html

SSSD Installation

# SSSD provides the NSS, PAM, sudo and ssh integration with FreeIPA configured below
pacman -S sssd

SSSD Configuration

vi /etc/sssd/sssd.conf
# FreeIPA supplies identity, authentication, password changes and access control for this domain
[domain/mpilote.com]

id_provider = ipa
# _srv_ locates servers via DNS SRV records first; the listed host is the fallback
ipa_server = _srv_, srv-ldap.mpilote.com
ipa_domain = mpilote.com
ipa_hostname = wks-lpt01.mpilote.com
auth_provider = ipa
chpass_provider = ipa
# IPA host-based access control (HBAC) rules decide who may log in here
access_provider = ipa
# keep cached credentials so enrolled users can still log in while the IPA server is unreachable
cache_credentials = True
# NOTE(review): while offline the user's password is kept in the kernel keyring so a
# ticket can be obtained once the KDC is reachable again — confirm that is acceptable here
krb5_store_password_if_offline = True
realmd_tags = manages-system
# zsh must be installed on this machine, otherwise IPA users get a shell that does not exist
default_shell = /usr/bin/zsh
override_shell = /usr/bin/zsh
use_fully_qualified_names = False
fallback_homedir = /home/%u

[sssd]
# the sudo and ssh responders back the 'sudoers: files sss' NSS entry and the
# AuthorizedKeysCommand / known_hosts settings configured later
services = nss, pam, ssh, sudo
domains = mpilote.com

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]
# the file may hold secrets and sssd checks ownership and mode at startup; keep it root-only
chmod 600 /etc/sssd/sssd.conf

Kerberos Configuration

vi /etc/krb5.conf
[libdefaults]
        default_realm = MPILOTE.COM
# find the realm mapping and KDCs through DNS; the explicit [realms] entries below still apply
        dns_lookup_realm = true
        dns_lookup_kdc = true
# do not reverse-resolve or canonicalise service host names before choosing a
# principal: a spoofed DNS answer could otherwise change which service key is trusted
        rdns = false
        dns_canonicalize_hostname = false
        ticket_lifetime = 24h
        forwardable = yes
# 0 makes every KDC message exceed the limit, so TCP is tried before UDP
        udp_preference_limit = 0
# per-user persistent kernel keyring instead of credential files under /tmp
        default_ccache_name = KEYRING:persistent:%{uid}

[realms]
        MPILOTE.COM = {
                admin_server = srv-ldap.mpilote.com
                kdc = srv-ldap.mpilote.com
# NOTE(review): 'default_admin' is not a [realms] key listed in krb5.conf(5);
# 'default_domain = mpilote.com' is probably what was intended — verify
                default_admin = mpilote.com
        }

[domain_realm]
        mpilote.com = MPILOTE.COM
        .mpilote.com = MPILOTE.COM
        wks-lpt01.mpilote.com = MPILOTE.COM
# kdc and admin_server logging only matter on the IPA server; harmless on a client
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log

NSCD Configuration

vi /etc/nscd.conf
[...]
enable-cache		passwd		no
[...]
enable-cache		group		no
[...]
enable-cache		hosts		yes
[...]
enable-cache		netgroup	no
[...]

NSS Configuration

vi /etc/nsswitch.conf
# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

# local files first, then SSSD (IPA users and groups), then systemd's container and dynamic users
passwd: files sss mymachines systemd
group: files sss mymachines systemd
shadow: files sss
# sudo rules from IPA; requires the 'sudo' responder in sssd.conf's services line
sudoers: files sss

publickey: files

hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

PAM Configuration

vi /etc/pam.d/system-auth
#%PAM-1.0

# try SSSD (IPA) first; forward_pass hands the typed password to the next module
auth      sufficient pam_sss.so forward_pass
# NOTE(review): nullok lets a local account with an empty password authenticate — drop it unless intended
auth      required   pam_unix.so     try_first_pass nullok
auth      optional   pam_permit.so
auth      required   pam_env.so

# users unknown to SSSD, or an unreachable IPA server, fall through to pam_unix
# so local accounts keep working
account   [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account   required   pam_unix.so
account   optional   pam_permit.so
account   required   pam_time.so

password  sufficient pam_sss.so use_authtok
password  required   pam_unix.so     try_first_pass nullok sha512 shadow
password  optional   pam_permit.so

# create the home directory on first login, private to the owner (umask=0077)
session   required   pam_mkhomedir.so skel=/etc/skel/ umask=0077
session   required   pam_limits.so
session   required   pam_unix.so
session   optional   pam_permit.so
vi /etc/pam.d/su
#%PAM-1.0

# root switches user without a password; everyone else is checked against SSSD, then local files
auth            sufficient      pam_rootok.so
auth            sufficient      pam_sss.so forward_pass
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so

account         [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account         required        pam_unix.so

session         required        pam_unix.so
session         optional        pam_sss.so

Password Management

vi /etc/pam.d/passwd
#%PAM-1.0
# IPA users change their password through SSSD; local users fall through to pam_unix
password        sufficient      pam_sss.so
# NOTE(review): with the quality module left commented out, no complexity rule
# is enforced for local passwords, and nullok permits setting an empty one
#password       required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password       required        pam_unix.so sha512 shadow use_authtok
password        required        pam_unix.so sha512 shadow nullok

SSH integration

vi /etc/ssh/sshd_config
[...]
# public keys stored in IPA are fetched through SSSD; the helper runs as an
# unprivileged user so a bug in it cannot act as root
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
[...]
vi /etc/ssh/ssh_config
[...]
# host keys are taken from IPA: the proxy writes the target's key into this
# known_hosts file before each connection, so unknown-host prompts come only
# for machines IPA does not know
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Create host in FreeIPA

FreeipaAddHost.png

Enroll the client (On the FreeIPA server)

# authenticate as the IPA admin, then fetch the host's keytab. Retrieving a
# keytab this way generates new keys for the principal, so any earlier keytab
# for this host stops working. The file is a long-lived credential: /tmp is a
# shared directory, so remove it as soon as it has been copied to the client
kinit admin
ipa-getkeytab -s srv-ldap.mpilote.com -p host/wks-lpt01.mpilote.com -k /tmp/wks-lpt01.keytab

Enroll the client (On the Client)

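# copy the host keytab from the server, then install it. The keytab is the
# machine's Kerberos credential: a world-readable copy lets any local user
# impersonate this host, so the mode is forced to 0600 (scp without -p
# creates the file under the local umask) and the server-side copy in the
# shared /tmp directory is removed
scp root@srv-ldap.mpilote.com:/tmp/wks-lpt01.keytab krb5.keytab
mv krb5.keytab /etc/krb5.keytab
chown root:root /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
ssh root@srv-ldap.mpilote.com rm -f /tmp/wks-lpt01.keytab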

Enable SSSD

# start SSSD at boot; a reboot picks up the new nsswitch, PAM and ssh settings together
systemctl enable sssd.service
reboot

Installation of an encrypted Arch Linux

# connect the live environment to Wi-Fi; the 'station' lines are typed at
# the iwctl prompt, not the shell, and SSID stands for the network name
iwctl
station wlan0 scan
station wlan0 get-networks
station wlan0 connect SSID
exit
# set a root password for the live environment, presumably so the ssh
# session enabled next can authenticate as root from another machine
passwd
systemctl start sshd.service
# show the address to reach the live system on
ip addr

Variables

Set some variables

# target disk; everything below wipes it, so confirm the device with lsblk first
DRIVE=/dev/nvme0n1
# shared mount options; x-mount.mkdir creates missing mount points
o=defaults,x-mount.mkdir
# btrfs-specific additions on top of the common options
o_btrfs=$o,compress=zstd,ssd,noatime

Partition Disk

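# refuse to continue with an empty or unset DRIVE: an unquoted empty
# expansion would otherwise give sgdisk --clear no device argument
: "${DRIVE:?DRIVE must point at the target disk}"
# wipe the table, then create the ESP (ef00) and three LUKS containers
# (8309 = Linux LUKS) for /boot, swap and the system volume
sgdisk --clear \
       --new=1:0:+260MiB --typecode=1:ef00 --change-name=1:EFI \
       --new=2:0:+240MiB --typecode=2:8309 --change-name=2:cryptboot \
       --new=3:0:+32GiB  --typecode=3:8309 --change-name=3:cryptswap \
       --new=4:0:0       --typecode=4:8309 --change-name=4:cryptsystem \
       "$DRIVE"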

Encrypt Disk

# /boot is LUKS1 because GRUB's cryptodisk support has historically only
# unlocked LUKS1 containers (newer GRUB handles LUKS2 with PBKDF2 — check
# the GRUB version you install before changing this)
cryptsetup luksFormat --type luks1 --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptboot
# system and swap use cryptsetup's default LUKS version; no -i is given, so
# the default key-derivation benchmark applies
cryptsetup luksFormat --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptsystem
cryptsetup luksFormat --align-payload=8192 -s 512 -h sha512 -c aes-xts-plain64 /dev/disk/by-partlabel/cryptswap
# open all three; the mapper names (boot, system, swap) are reused by mkfs
# below and in /etc/crypttab later
cryptsetup open /dev/disk/by-partlabel/cryptboot boot
cryptsetup open /dev/disk/by-partlabel/cryptsystem system
cryptsetup open /dev/disk/by-partlabel/cryptswap swap

Format disk

# only the ESP stays unencrypted; everything else is created inside a LUKS mapping
mkfs.fat -F32 -n EFI /dev/disk/by-partlabel/EFI
mkfs.ext4 -L boot /dev/mapper/boot
mkfs.btrfs --label system /dev/mapper/system
# swap is encrypted too, so hibernation images and paged-out secrets are not written in clear
mkswap -L swap /dev/mapper/swap
swapon -L swap

Create btrfs Subvolume

# mount the top-level volume once to lay out the subvolumes; unlike the
# other layout no default subvolume is set, so fstab must name subvol=@
mount -t btrfs LABEL=system /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
btrfs subvolume create /mnt/@log
btrfs subvolume create /mnt/@pkg
btrfs subvolume create /mnt/@srv
btrfs subvolume create /mnt/@tmp
btrfs subvolume create /mnt/@root
btrfs subvolume create /mnt/@snapshots
umount -R /mnt

Mount Partition

# mount the subvolumes in their final layout; the root subvolume comes first
# because x-mount.mkdir creates the other mount points under it
# ($o / $o_btrfs are left unquoted; they hold no whitespace, only commas)
mount -t btrfs -o subvol=@,$o_btrfs LABEL=system /mnt
mount -t btrfs -o subvol=@home,$o_btrfs LABEL=system /mnt/home
mount -t btrfs -o subvol=@log,$o_btrfs LABEL=system /mnt/var/log
mount -t btrfs -o subvol=@pkg,$o_btrfs LABEL=system /mnt/var/cache/pacman/pkg
mount -t btrfs -o subvol=@srv,$o_btrfs LABEL=system /mnt/srv
mount -t btrfs -o subvol=@tmp,$o_btrfs LABEL=system /mnt/var/tmp
# @snapshots was created above but is not mounted here (and so will not
# appear in the generated fstab) — presumably mounted on demand; confirm
mount -t btrfs -o subvol=@root,$o_btrfs LABEL=system /mnt/root
# the ESP holds only GRUB's EFI binary; kernel and initramfs live on the
# encrypted /boot, so the key file embedded in the initramfs is not exposed
mount -t vfat -o $o LABEL=EFI /mnt/efi
mount -t ext4 -o $o LABEL=boot /mnt/boot

Pacstrap System

# minimal base; btrfs-progs, gptfdisk, zsh, microcode and efibootmgr are
# added later from inside the chroot
pacstrap /mnt base linux linux-firmware nano

Fstab

# write fstab from the current /mnt mounts using LABEL= entries, which match
# the labels given to mkfs above
genfstab -L -p /mnt >> /mnt/etc/fstab

Chroot

# from here on every command runs inside the new system
arch-chroot /mnt

Set Locale

# uncomment the locale to build, then generate it and make it the default
nano /etc/locale.gen
[...]
#en_SG.UTF-8 UTF-8
#en_SG ISO-8859-1
en_US.UTF-8 UTF-8
#en_US ISO-8859-1
#en_ZA.UTF-8 UTF-8
[...]
locale-gen
nano /etc/locale.conf
LANG=en_US.UTF-8

Set Timezone

ln -sf /usr/share/zoneinfo/America/Montreal /etc/localtime
# NOTE(review): timedatectl talks to the running systemd over D-Bus, which is
# not available inside this chroot, so this line most likely fails here;
# run it after the first boot instead
timedatectl set-ntp true
# write the system time to the hardware clock, generating /etc/adjtime
hwclock --systohc

Set Hostname

nano /etc/hostname
wks-lpt01
# map the hostname locally so name resolution works before DNS/SSSD are up;
# the FQDN matches ipa_hostname in the FreeIPA section
nano /etc/hosts
127.0.0.1       localhost.localdomain   localhost
::1             localhost.localdomain   localhost
127.0.1.1       wks-lpt01.mpilote.com   wks-lpt01

Set Keymap

# console keymap; also used by the sd-vconsole initramfs hook for the passphrase prompt
nano /etc/vconsole.conf
KEYMAP=us

Install Packages

# tools the base install lacks; zsh is the shell given to users below and in sssd.conf
pacman -Syu base-devel btrfs-progs gptfdisk zsh intel-ucode efibootmgr

Crypttab

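# generate a 4 KiB random key file. It is created inside a subshell with
# umask 077 so it is never readable by others, not even in the window
# between dd finishing and the chmod below; the chmod is kept for clarity
( umask 077; dd bs=512 count=8 if=/dev/random of=/crypto_keyfile.bin iflag=fullblock )
chmod 600 /crypto_keyfile.bin
# print each container's UUID; they go into /etc/crypttab and the GRUB command line
cryptsetup luksDump /dev/disk/by-partlabel/cryptsystem | grep UUID
cryptsetup luksDump /dev/disk/by-partlabel/cryptboot | grep UUID
cryptsetup luksDump /dev/disk/by-partlabel/cryptswap | grep UUID
# add the key file as an additional key slot on each container; the
# passphrase slot stays, so the key file only removes repeated prompts
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptsystem /crypto_keyfile.bin
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptswap /crypto_keyfile.bin
cryptsetup -v luksAddKey /dev/disk/by-partlabel/cryptboot /crypto_keyfile.bin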
nano /etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# The mapper names match the 'cryptsetup open' names used when formatting.
# The key file lives on the encrypted root, which the initramfs unlocks
# first; the UUIDs are the ones printed by 'cryptsetup luksDump' for this
# particular disk and must be replaced on another machine.
# <name>        <device>                                     <password>
boot           UUID=e0e548f9-f504-4461-942b-e897959c5c3e    /crypto_keyfile.bin
swap           UUID=5bd410bc-cd2c-4901-834f-fcc643cfd868    /crypto_keyfile.bin

Configure mkinitcpio

# replace the stock config entirely (the string-style MODULES/HOOKS below is
# the older mkinitcpio format; current releases also accept arrays)
rm /etc/mkinitcpio.conf
nano /etc/mkinitcpio.conf
MODULES=""
BINARIES=""
# the key file is embedded in the initramfs so the system volume can be
# unlocked without a second prompt; the initramfs is written to /boot, which
# this layout keeps on the LUKS-protected 'boot' mapping, so the embedded
# key is not stored in clear on disk
FILES="/crypto_keyfile.bin"
# systemd-based early userspace: sd-encrypt unlocks the LUKS containers
# named on the kernel command line before 'filesystems' mounts root
HOOKS="base systemd sd-vconsole modconf keyboard block filesystems btrfs sd-encrypt fsck"
mkinitcpio -p linux

Configure & Install Grub

pacman -Syu grub
# print the LUKS container UUID that GRUB_CMDLINE_LINUX must carry
lsblk --nodeps --noheadings -oUUID /dev/disk/by-partlabel/cryptsystem
nano /etc/default/grub
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"
# rd.luks.name maps the system container to /dev/mapper/cryptsystem and
# rd.luks.key tells sd-encrypt to use the key file embedded in the initramfs.
# The UUID is specific to this disk: substitute the value printed by lsblk above
GRUB_CMDLINE_LINUX="rd.luks.name=425c4549-88c0-432f-a2ff-c1cf73de426d=cryptsystem rd.luks.key=425c4549-88c0-432f-a2ff-c1cf73de426d=/crypto_keyfile.bin"

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"

# Uncomment to enable booting from LUKS encrypted devices
# GRUB itself (on the unencrypted ESP) has to unlock the LUKS1 /boot volume
# to read grub.cfg, kernel and initramfs, so it asks for the passphrase once;
# the embedded key file then presumably handles the remaining containers — confirm on first boot
GRUB_ENABLE_CRYPTODISK=y
[..]
# the EFI binary lands on /efi; everything GRUB loads afterwards is under the encrypted /boot
grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

Password

# root password for the installed system
passwd

Create User

# admin user with zsh (installed above) in the wheel group; sudo rights are
# not configured in this variant of the guide, so only su is available
useradd -m -s /usr/bin/zsh -g users -G wheel martin
passwd martin

Gnome

# desktop: PipeWire audio stack, GNOME and NetworkManager (not yet enabled here)
pacman -Syu pipewire pipewire-jack pipewire-alsa pipewire-pulse wireplumber noto-fonts-emoji gnome networkmanager