Arch Linux with Encrypted LVM on hardware

Hey! Listen! To make sure you’re reading the most current version of this post, check the table below.

Date | URL | Updates
2017-01-02 | Encrypted Arch Linux install | New partition layouts
2014-11-15 | Arch Linux with Encrypted LVM on hardware | Replaced Cinnamon with Openbox
2014-11-10 | Arch Linux with Encrypted LVM on hardware | Installing on hardware instead of inside VM
2014-10-06 | Arch Linux with Encrypted LVM in VirtualBox | Using 64bit instead of 32bit; Replaced GDM with LightDM
2014-09-05 | Arch Linux with Encrypted LVM in VirtualBox | Replaced MBR with GPT; Added encryption
2014-08-27 | Arch Linux with LVM in VirtualBox | Initial post

     

    This post is the same as my last post, except instead of Cinnamon, I’ll be using Openbox as a standalone window manager. As much as I love Cinnamon, Openbox is lighter on resources, and with a few tweaks, it’s as functional as a full Desktop Environment. This tutorial is loosely based on the Arch Linux Beginner’s Guide. By the end of this, we should have a setup like below.

    • 300GB disk with the following partitions:
      • /dev/sda1
        • 1007K BIOS boot partition – required when using GRUB2 + GPT + BIOS
      • /dev/sda2
        • 128MB boot partition for GRUB2
      • /dev/sda3
        • Encryption with LUKS+dm-crypt
          • LVM
            • 8GB swap
            • 25GB root
            • 265GB home
    • GRUB2 bootloader
    • Light display manager (LightDM)
    • Openbox window manager

    You’ll need the following before you begin:

    • A copy of the Arch Linux ISO (I recommend using a torrent instead of a direct download)
    • A USB flash drive
    • A willing guinea pig laptop

     

    Hardware info

    I thought it would be helpful if you knew what hardware I’m working with. Currently, I’m using an Acer Aspire Timeline X 4830T that I bought in June 2012. Specs are as follows:

    It’s not the fastest thing in the world, but it’s no slouch. In fact, the biggest problem I have with it is the CPU doesn’t support the AES instruction set that applications use to increase the speed of AES encryption and decryption. Out-of-the-box, this machine has fairly good Linux support. Using a newer kernel, almost everything works. I don’t use hibernate/suspend, or many of the FN keys, so I haven’t tested these.

     

    Explanation

    Before I begin, I wanted to explain a few of the decisions I made:

    1. Again, I chose to go with a traditional BIOS instead of UEFI. My laptop doesn’t support UEFI, so I’m forced to stay with a traditional BIOS.
    2. This time around, I chose to go with a GUID Partition Table (GPT) instead of a Master Boot Record (MBR). I’m probably not going to utilize all the advantages GPT offers, but it’s never bad to learn a new technology.
    3. Both BIOS boot and /boot need to be on their own, unencrypted partitions. Then, I’ll encrypt my third partition and install LVM on it, which is where my three logical volumes for swap, root, and home will be stored. With this setup (called LVM on LUKS), I can unlock all three volumes with one password. See the figure below for an illustrated example.
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
      |           | |                | |Logical volume1        | Logical volume2        | Logical volume3          |
      | GPT-BIOS  | | Boot partition | |/dev/mapper/lvolswap   | /dev/mapper/lvolroot   | /dev/mapper/lvolhome     |
      | partition | | (may be on     | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |
      |           | | other device)  | |                                                                           |
      |           | |                | |                        LUKS encrypted partition                           |
      | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
    4. Again, I chose ext4 over ext3.

     

    Base Install

    Step 1 – Set up your installation media

    Download the Arch Linux ISO and install it to your USB flash drive, as described here. Then, set your BIOS boot order to removable media first, plug in your USB flash drive, and boot it up.

    At this point, you should be automatically logged into a root prompt. Until we get Openbox installed and working, this is all going to be text-based and you’ll only be using the keyboard, no mouse.

    Arch Linux 3.17.1-1-ARCH (tty1)
    
    archiso login: root (automatic login)
    root@archiso ~ #

     

    Step 1a – Securely wipe your disk

    You should always wipe your disk before doing anything. Unfortunately, depending on the size of the disk, this could take a long time. If your drive is already encrypted, you could simply wipe the header and your data would be safe. Since I’m paranoid, I always choose to nuke the entire drive. You could use badblocks to do a destructive write test (as I did here), or use dd, as shown below. If you’re using an SSD, your techniques will have to be a little different.

    dd if=/dev/zero of=/dev/sda iflag=nocache oflag=direct bs=4096

    Please don’t copy/paste this command directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

     

    Step 1b – Set up SSH access

    I want to copy text from my laptop to this blog to give you examples of what I’m seeing. Since Openbox isn’t installed yet, I’m going to set up SSH access as described here. You don’t need to do this step unless you want to copy/paste text to/from the other machine.

    systemctl start sshd
    systemctl start dhcpcd
    passwd

     

    Step 2 – Test internet connectivity

    Enter the following at the prompt to test your internet connection. If you loaded the DHCP client daemon, you should expect a response with 0% packet loss.

    ping -c 3 www.google.com

     

    Step 3 – Set up partitions

    First, we need to set up partitions. However, before we do anything, we need to make sure the device mapper and encryption kernel modules are loaded with the command below.

    modprobe -a dm-mod dm_crypt

     

    Next, use the fdisk utility to find the name of your disk. More than likely, the disk will be /dev/sda.

    fdisk -l

    Below is the ~300GB disk called /dev/sda. This is the disk we want to work with.

    Disk /dev/sda: 298.1 GiB, 320072933376 bytes, 625142448 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x000f2596

    Note – I will be using /dev/sda in this guide. Please don’t copy/paste from this guide directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

     

    Optionally, you can erase the partition tables on your disk.

    sgdisk --zap-all /dev/sda

    Next, we want to use gdisk to create the partitions. The fdisk utility only works with MBR disks, while gdisk only works with GPT disks.

    gdisk /dev/sda

     

    Use the o option to create a new GPT.

    Command (? for help): o
    This option deletes all partitions and creates a new protective MBR.
    Proceed? (Y/N): Y

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (1).

    Command (? for help): n
    Partition number (1-128, default 1):

     

    This first partition (/dev/sda1) will be our BIOS boot partition. This partition needs to be 1007K, which, when added to the size of the preceding GPT of 17K, will align the partition to 1024K. Press Enter to select the default option for the first sector of the partition, then +1007K for the last.

    First sector (34-41943006, default = 2048) or {+-}size{KMGTP}:
    Last sector (2048-41943006, default = 41943006) or {+-}size{KMGTP}: +1007K
    Current type is 'Linux filesystem'

    Note – This partition is only required when using GRUB2 + GPT + BIOS.

     

    Use the L option to list all available partition types.

    Hex code or GUID (L to show codes, Enter = 8300): L
    0700 Microsoft basic data  0c01 Microsoft reserved    2700 Windows RE
    3000 ONIE boot             3001 ONIE config           4100 PowerPC PReP boot
    4200 Windows LDM data      4201 Windows LDM metadata  7501 IBM GPFS
    7f00 ChromeOS kernel       7f01 ChromeOS root         7f02 ChromeOS reserved
    8200 Linux swap            8300 Linux filesystem      8301 Linux reserved
    8302 Linux /home           8400 Intel Rapid Start     8e00 Linux LVM
    a500 FreeBSD disklabel     a501 FreeBSD boot          a502 FreeBSD swap
    a503 FreeBSD UFS           a504 FreeBSD ZFS           a505 FreeBSD Vinum/RAID
    a580 Midnight BSD data     a581 Midnight BSD boot     a582 Midnight BSD swap
    a583 Midnight BSD UFS      a584 Midnight BSD ZFS      a585 Midnight BSD Vinum
    a800 Apple UFS             a901 NetBSD swap           a902 NetBSD FFS
    a903 NetBSD LFS            a904 NetBSD concatenated   a905 NetBSD encrypted
    a906 NetBSD RAID           ab00 Apple boot            af00 Apple HFS/HFS+
    af01 Apple RAID            af02 Apple RAID offline    af03 Apple label
    af04 AppleTV recovery      af05 Apple Core Storage    be00 Solaris boot
    bf00 Solaris root          bf01 Solaris /usr & Mac Z  bf02 Solaris swap
    bf03 Solaris backup        bf04 Solaris /var          bf05 Solaris /home
    bf06 Solaris alternate se  bf07 Solaris Reserved 1    bf08 Solaris Reserved 2
    bf09 Solaris Reserved 3    bf0a Solaris Reserved 4    bf0b Solaris Reserved 5
    c001 HP-UX data            c002 HP-UX service         ea00 Freedesktop $BOOT
    eb00 Haiku BFS             ed00 Sony system partitio  ed01 Lenovo system partit
    Press the <Enter> key to see more codes:
    ef00 EFI System            ef01 MBR partition scheme  ef02 BIOS boot partition
    fb00 VMWare VMFS           fb01 VMWare reserved       fc00 VMWare kcore crash p
    fd00 Linux RAID
    

     

    Then, enter ef02 as the partition type.

    Hex code or GUID (L to show codes, Enter = 8300): ef02
    Changed type of partition to 'BIOS boot partition'

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (2).

    Command (? for help): n
    Partition number (2-128, default 2):

     

    This second partition (/dev/sda2) will be our /boot partition. This partition needs to be around 13MB, but we want a nice, even number that will leave plenty of room for growth/changes. Anything over 100MB will do, but I’m using 128MB. Press Enter to select the default option for the first sector of the partition, then +128M for the last.

    First sector (34-41943006, default = 4096) or {+-}size{KMGTP}:
    Last sector (4096-41943006, default = 41943006) or {+-}size{KMGTP}: +128M
    Current type is 'Linux filesystem'

     

    Use the L option to list all available partition types.

    Hex code or GUID (L to show codes, Enter = 8300): L

     

    We can leave this partition at 8300 by pressing Enter.

    Hex code or GUID (L to show codes, Enter = 8300):
    Changed type of partition to 'Linux filesystem'

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (3).

    Command (? for help): n
    Partition number (3-128, default 3):

     

    This third partition (/dev/sda3) will be encrypted and have LVM running on top of the encryption. This partition will take up the rest of the disk. Press Enter to select the default option for the first sector of the partition, then +0 to take up the remainder of the free space.

    First sector (34-41943006, default = 266240) or {+-}size{KMGTP}:
    Last sector (266240-41943006, default = 41943006) or {+-}size{KMGTP}: +0
    Current type is 'Linux filesystem'

     

    Use the L option to list all available partition types.

    Hex code or GUID (L to show codes, Enter = 8300): L

     

    Then, enter 8e00 as the partition type.

    Hex code or GUID (L to show codes, Enter = 8300): 8e00
    Changed type of partition to 'Linux LVM'

     

    Use the p option to preview your changes.

    Command (? for help): p
    Disk /dev/sda: 625142448 sectors, 298.1 GiB
    Logical sector size: 512 bytes
    Disk identifier (GUID): 3F828435-C1DA-4EDD-B730-EEA36736EED2
    Partition table holds up to 128 entries
    First usable sector is 34, last usable sector is 625142414
    Partitions will be aligned on 2048-sector boundaries
    Total free space is 2048 sectors (1024.0 KiB)
    
    Number  Start (sector)    End (sector)  Size       Code  Name
       1            2048            4061   1007.0 KiB  EF02  BIOS boot partition
       2            4096          266239   128.0 MiB   8300  Linux filesystem
       3          266240       625142414   298.0 GiB   8E00  Linux LVM

     

    Use the w option to write your changes to disk.

    Command (? for help): w
    
    Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
    PARTITIONS!!
    
    Do you want to proceed? (Y/N): Y
    OK; writing new GUID partition table (GPT) to /dev/sda.
    Warning: The kernel is still using the old partition table.
    The new table will be used at the next reboot.
    The operation has completed successfully.

    At this point, you’ll need to reboot for the kernel to pick up the new partition changes.

     

    Step 4 – Set up encryption

    Again, the setup we’re going to be using is called LVM on LUKS. This means we’re setting up encryption first, then putting our logical volumes on top of it.

    +-----------+ +----------------+ +---------------------------------------------------------------------------+
    |           | |                | |Logical volume1        | Logical volume2        | Logical volume3          |
    | GPT-BIOS  | | Boot partition | |/dev/mapper/lvolswap   | /dev/mapper/lvolroot   | /dev/mapper/lvolhome     |
    | partition | | (may be on     | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |
    |           | | other device)  | |                                                                           |
    |           | |                | |                        LUKS encrypted partition                           |
    | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
    +-----------+ +----------------+ +---------------------------------------------------------------------------+

     

    First, we need to set up encryption on our partition. Please consult this table for other encryption options before you copy/paste my command below.

    cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sda3

    -v = verbose
    -y = verify password, ask twice, and complain if they don’t match
    -c = specify the cipher used
    -s = specify the key size used
    -h = specify the hash used
    -i = number of milliseconds to spend on passphrase processing (if using anything more than sha1, must be greater than 1000)
    --use-random = which random number generator to use
    luksFormat = to initialize the partition and set a passphrase
    /dev/sda3 = the partition to encrypt

    Seriously, read the man page and the FAQ on cryptsetup.

     

    Now, use the command below to view the header information of your LUKS device. Save this somewhere.

    cryptsetup luksDump /dev/sda3
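
    A check that could be run on the saved dump, as an added example rather than code from the original post: it compares the header fields with the options passed to luksFormat above and counts enabled key slots. It assumes the LUKS1 luksDump layout; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a saved `cryptsetup luksDump` (LUKS1 layout) against the
# options given to luksFormat. All sample data below is constructed.

# luks_field FILE KEY: print the value of a top-level "KEY: value" line.
luks_field() {
    awk -F':' -v key="$2" \
        '$1 == key { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# enabled_slots FILE: print how many key slots are marked ENABLED.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { n++ } END { print n + 0 }' "$1"
}

# expect_field FILE KEY WANT: report a mismatch and return 1 if the field differs.
expect_field() {
    got=$(luks_field "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "$2: expected '$3', found '$got'"
        return 1
    fi
}

# verify_luks_header FILE CIPHER MODE KEYBITS HASH MAXSLOTS
# Returns 0 only if every field matches and 1..MAXSLOTS key slots are enabled.
verify_luks_header() {
    rc=0
    expect_field "$1" 'Cipher name' "$2" || rc=1
    expect_field "$1" 'Cipher mode' "$3" || rc=1
    expect_field "$1" 'MK bits'     "$4" || rc=1
    expect_field "$1" 'Hash spec'   "$5" || rc=1
    slots=$(enabled_slots "$1")
    if [ "$slots" -lt 1 ] || [ "$slots" -gt "$6" ]; then
        echo "key slots: $slots enabled, expected between 1 and $6"
        rc=1
    fi
    return "$rc"
}

# Constructed sample dump (digest and salt lines left out).
GOOD=$(mktemp); BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat > "$GOOD" <<'EOF'
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
UUID:           00000000-0000-4000-8000-000000000005

Key Slot 0: ENABLED
    Iterations:             100000
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF

# Constructed second dump: different mode and key size, plus an extra key slot.
sed -e 's/xts-plain64/cbc-essiv:sha256/' \
    -e 's/^MK bits:.*/MK bits:        256/' \
    -e 's/^Key Slot 1: DISABLED/Key Slot 1: ENABLED/' "$GOOD" > "$BAD"

# Expected values are the ones used in the luksFormat command on this page.
verify_luks_header "$GOOD" aes xts-plain64 512 sha512 1 && echo "first dump: matches"
verify_luks_header "$BAD"  aes xts-plain64 512 sha512 1 || echo "second dump: rejected"
```

    The luksDump output only describes the header. A restorable copy of the header is made with cryptsetup luksHeaderBackup.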

     

    Finally, we need to unlock the LUKS device before we can set up LVM on it. This will map the unlocked device at /dev/mapper/crypto.

    cryptsetup luksOpen /dev/sda3 crypto

     

    Step 5 – Set up a physical volume

    First, we’re going to scan for disks that are capable of hosting a physical volume.

    lvmdiskscan

    In the example below, we’re going to focus on the LUKS device /dev/mapper/crypto.

      /dev/loop0                [     248.46 MiB]
      /dev/mapper/arch_airootfs [      32.00 GiB]
      /dev/loop1                [      32.00 GiB]
      /dev/mapper/crypto        [     297.96 GiB]
      /dev/loop2                [     256.00 MiB]
      /dev/sda2                 [     128.00 MiB]
      /dev/sda3                 [     297.96 GiB]
      /dev/sdb1                 [     577.00 MiB]
      /dev/sdb2                 [      31.00 MiB]
      2 disks
      7 partitions
      0 LVM physical volume whole disks
      0 LVM physical volumes

    Now, we’re going to create a physical volume on /dev/mapper/crypto.

    pvcreate /dev/mapper/crypto

    Finally, we’ll display the physical volume we created.

    pvdisplay

     

    Step 6 – Set up a volume group

    We’re going to create a volume group named VolGroup00 on the physical volume /dev/mapper/crypto. You can name the volume group whatever you’d like.

    vgcreate VolGroup00 /dev/mapper/crypto

    Finally, we’ll display the volume group we created.

    vgdisplay

     

    Step 7 – Set up logical volumes

    In this step, we’re going to create three logical volumes on the volume group VolGroup00.

    lvcreate -C y -L 8GB VolGroup00 -n lvolswap
    lvcreate -L 25GB VolGroup00 -n lvolroot
    lvcreate -l +100%FREE VolGroup00 -n lvolhome

    Note – In the first command, the -C y options are used to create a contiguous logical volume for swap. In the last command, the 100%FREE option is used to fill the remainder of the space.

    Finally, we’ll display the logical volumes we created.

    lvdisplay

     

    Step 8 – Create filesystems and mount logical volumes

    First, we need to scan for volume groups and then activate them.

    vgscan
    vgchange -ay

     

    Next, we’re going to create filesystems on each logical volume.

    mkfs.ext4 /dev/sda2
    mkswap /dev/mapper/VolGroup00-lvolswap
    mkfs.ext4 /dev/mapper/VolGroup00-lvolroot
    mkfs.ext4 /dev/mapper/VolGroup00-lvolhome

    Note – The partition /dev/sda2 needs a filesystem, while /dev/sda1 does not.

     

    Now, we’re going to mount the filesystems we just created.

    swapon /dev/mapper/VolGroup00-lvolswap
    mount /dev/mapper/VolGroup00-lvolroot /mnt
    mkdir /mnt/boot
    mount /dev/sda2 /mnt/boot
    mkdir /mnt/home
    mount /dev/mapper/VolGroup00-lvolhome /mnt/home

     

    Finally, we’ll display the filesystems we created.

    lsblk /dev/sda

    Here, you can see the physical disk called /dev/sda with three partitions on it. Then, you can see that the third partition is a LUKS device that contains a volume group called VolGroup00 with three logical volumes.

    NAME                      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    sda                         8:0    0 298.1G  0 disk
    ├─sda1                      8:1    0  1007K  0 part
    ├─sda2                      8:2    0   128M  0 part  /mnt/boot
    └─sda3                      8:3    0   298G  0 part
      └─crypto                254:1    0   298G  0 crypt
        ├─VolGroup00-lvolswap 254:2    0     8G  0 lvm   [SWAP]
        ├─VolGroup00-lvolroot 254:3    0    25G  0 lvm   /mnt
        └─VolGroup00-lvolhome 254:4    0   265G  0 lvm   /mnt/home

     

    Step 9 – Select a mirror

    Next, we need to select a mirror to use when downloading packages. You can use the Mirrorlist Generator to find the best mirror for you based on your country. Then, I would recommend renaming the current mirrorlist to have a backup.

    mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist_old

     

    Use vi to create a new list…

    vi /etc/pacman.d/mirrorlist

    …and populate it with the entries from the mirrorlist generator. Mine is below.

    ##
    ## Arch Linux repository mirrorlist
    ## Sorted by mirror score from mirror status page
    ## Generated on 2014-11-08
    ##
    
    ## Score: 0.5, United States
    Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
    ## Score: 1.0, United States
    Server = http://mirror.rit.edu/archlinux/$repo/os/$arch
    ## Score: 1.0, United States
    Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
    ## Score: 1.2, United States
    Server = http://www.gtlib.gatech.edu/pub/archlinux/$repo/os/$arch
    ## Score: 1.2, United States
    Server = http://archlinux.pallissard.net/archlinux/$repo/os/$arch
    ## Score: 1.2, United States
    Server = http://archlinux.surlyjake.com/archlinux/$repo/os/$arch
    ## Score: 1.4, United States
    Server = http://mirror.umd.edu/archlinux/$repo/os/$arch
    ## Score: 1.5, United States
    Server = http://mirrors.cecsresearch.org/archlinux/$repo/os/$arch
    ## Score: 1.5, United States
    Server = http://mirrors.cat.pdx.edu/archlinux/$repo/os/$arch
    ## Score: 1.6, United States
    Server = http://mirror.nexcess.net/archlinux/$repo/os/$arch
    ## Score: 1.6, United States
    Server = http://mirror.jmu.edu/pub/archlinux/$repo/os/$arch
    ## Score: 1.6, United States
    Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
    ## Score: 1.8, United States
    Server = http://mirror.cc.columbia.edu/pub/linux/archlinux/$repo/os/$arch
    ## Score: 1.8, United States
    Server = http://mirrors.aggregate.org/archlinux/$repo/os/$arch
    ## Score: 1.9, United States
    Server = http://mirror.grig.io/archlinux/$repo/os/$arch
    ## Score: 1.9, United States
    Server = http://mirrors.abscission.net/archlinux/$repo/os/$arch
    ## Score: 2.3, United States
    Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
    ## Score: 2.4, United States
    Server = http://mirrors.einhammr.com/archlinux/$repo/os/$arch
    ## Score: 2.5, United States
    Server = http://mirror.pw/archlinux/$repo/os/$arch
    ## Score: 2.6, United States
    Server = http://mirror.yellowfiber.net/archlinux/$repo/os/$arch
    ## Score: 2.6, United States
    Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch
    ## Score: 2.7, United States
    Server = http://mirrors.advancedhosters.com/archlinux/$repo/os/$arch
    ## Score: 2.8, United States
    Server = http://mirror.vtti.vt.edu/archlinux/$repo/os/$arch
    ## Score: 2.8, United States
    Server = http://mirrors.rutgers.edu/archlinux/$repo/os/$arch
    ## Score: 2.9, United States
    Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch
    ## Score: 2.9, United States
    Server = http://mirrors.liquidweb.com/archlinux/$repo/os/$arch
    ## Score: 3.4, United States
    Server = http://mirror.ancl.hawaii.edu/linux/archlinux/$repo/os/$arch
    ## Score: 3.6, United States
    Server = http://cosmos.cites.illinois.edu/pub/archlinux/$repo/os/$arch
    ## Score: 4.1, United States
    Server = http://mirror.metrocast.net/archlinux/$repo/os/$arch
    ## Score: 4.4, United States
    Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch
    ## Score: 6.1, United States
    Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
    ## Score: 11.0, United States
    Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch
    ## Score: 12.9, United States
    Server = http://dfw.mirror.rackspace.com/archlinux/$repo/os/$arch
    ## Score: 12.9, United States
    Server = http://iad.mirror.rackspace.com/archlinux/$repo/os/$arch
    ## Score: 13.0, United States
    Server = http://ord.mirror.rackspace.com/archlinux/$repo/os/$arch

    Note – The list of mirrors generated has every server commented out. Use a text editor to do a find/replace on #Server with Server. The mirrors are used by pacman in the order they are listed.

     

    Finally, use pacman to refresh the package lists. You should do this every time you update your mirrorlist.

    pacman -Syy

     

    Step 10 – Install the base system

    Finally, we’re installing Arch Linux! Use the pacstrap command to install the system to /mnt. Use the -i option to ignore being prompted for all 75 packages we’re about to install.

    pacstrap -i /mnt base base-devel

    You’ll need to press Enter once to confirm all packages in the base group, then again for the base-devel group.

    :: There are 50 members in group base:
    :: Repository core
       1) bash  2) bzip2  3) coreutils  4) cryptsetup  5) device-mapper
       6) dhcpcd  7) diffutils  8) e2fsprogs  9) file  10) filesystem
       11) findutils  12) gawk  13) gcc-libs  14) gettext  15) glibc
       16) grep  17) gzip  18) inetutils  19) iproute2  20) iputils
       21) jfsutils  22) less  23) licenses  24) linux  25) logrotate
       26) lvm2  27) man-db  28) man-pages  29) mdadm  30) nano  31) netctl
       32) pacman  33) pciutils  34) pcmciautils  35) perl  36) procps-ng
       37) psmisc  38) reiserfsprogs  39) s-nail  40) sed  41) shadow
       42) sysfsutils  43) systemd-sysvcompat  44) tar  45) texinfo
       46) usbutils  47) util-linux  48) vi  49) which  50) xfsprogs
    
    Enter a selection (default=all): 
    :: There are 25 members in group base-devel:
    :: Repository core
       1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file
       7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep
       13) groff  14) gzip  15) libtool  16) m4  17) make  18) pacman
       19) patch  20) pkg-config  21) sed  22) sudo  23) texinfo
       24) util-linux  25) which
    
    Enter a selection (default=all):

     

    Step 11 – Generate a fstab

    The fstab file tells the system what each disk/partition/logical volume does and how to mount it. Use the command below to generate one.

    genfstab -U -p /mnt >> /mnt/etc/fstab

    It’s always recommended to check the fstab file for errors.

    blkid

    Cat out the /mnt/etc/fstab file and compare the UUIDs and logical volume types to what was returned by blkid above.

    cat /mnt/etc/fstab
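
    The comparison described above can be scripted. This is an added example, not from the original post; the function name, UUIDs and sample files are constructed. It also catches an fstab entry that points at the raw LUKS partition instead of a filesystem inside it.

```shell
#!/bin/sh
# Added example: cross-check UUID= entries in an fstab against saved blkid output.

# check_fstab FSTAB BLKID_OUTPUT
# For every UUID= entry, the UUID must appear in the blkid output and the
# filesystem type in fstab must equal blkid's TYPE. Prints one line per problem.
check_fstab() {
    rc=0
    while read -r spec mnt fstype rest; do
        case $spec in
            UUID=*) uuid=${spec#UUID=} ;;
            *) continue ;;              # comments, blank lines, non-UUID entries
        esac
        # The leading space keeps PARTUUID="..." from matching.
        line=$(grep -F -e " UUID=\"$uuid\"" "$2" | head -n 1)
        if [ -z "$line" ]; then
            echo "$mnt: UUID $uuid not present in blkid output"
            rc=1
            continue
        fi
        dev=${line%%:*}
        btype=$(printf '%s\n' "$line" | sed -n 's/.* TYPE="\([^"]*\)".*/\1/p')
        if [ "$btype" != "$fstype" ]; then
            echo "$mnt: fstab says $fstype, but $dev is $btype"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed UUIDs for the layout used on this page.
U_ROOT=00000000-0000-4000-8000-000000000001
U_BOOT=00000000-0000-4000-8000-000000000002
U_HOME=00000000-0000-4000-8000-000000000003
U_SWAP=00000000-0000-4000-8000-000000000004
U_LUKS=00000000-0000-4000-8000-000000000005

FSTAB=$(mktemp); FSTAB_BAD=$(mktemp); BLKID=$(mktemp)
trap 'rm -f "$FSTAB" "$FSTAB_BAD" "$BLKID"' EXIT

# Constructed blkid output.
cat > "$BLKID" <<EOF
/dev/sda2: UUID="$U_BOOT" TYPE="ext4" PARTLABEL="Linux filesystem"
/dev/sda3: UUID="$U_LUKS" TYPE="crypto_LUKS" PARTLABEL="Linux LVM"
/dev/mapper/crypto: UUID="constructed-lvm-pv-id" TYPE="LVM2_member"
/dev/mapper/VolGroup00-lvolswap: UUID="$U_SWAP" TYPE="swap"
/dev/mapper/VolGroup00-lvolroot: UUID="$U_ROOT" TYPE="ext4"
/dev/mapper/VolGroup00-lvolhome: UUID="$U_HOME" TYPE="ext4"
EOF

# Constructed fstab in the style written by genfstab -U.
cat > "$FSTAB" <<EOF
# /dev/mapper/VolGroup00-lvolroot
UUID=$U_ROOT  /      ext4  rw,relatime,data=ordered  0 1
# /dev/sda2
UUID=$U_BOOT  /boot  ext4  rw,relatime,data=ordered  0 2
# /dev/mapper/VolGroup00-lvolhome
UUID=$U_HOME  /home  ext4  rw,relatime,data=ordered  0 2
# /dev/mapper/VolGroup00-lvolswap
UUID=$U_SWAP  none   swap  defaults  0 0
EOF

# Constructed faulty copy: the root entry carries the LUKS container's UUID.
sed "s/^UUID=$U_ROOT/UUID=$U_LUKS/" "$FSTAB" > "$FSTAB_BAD"

check_fstab "$FSTAB" "$BLKID" && echo "fstab: all UUID entries match blkid"
check_fstab "$FSTAB_BAD" "$BLKID" || echo "faulty fstab: rejected"
```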

     

    Step 12 – Set locales and system information

    We need to chroot into the newly installed system before we can configure it.

    arch-chroot /mnt /bin/bash

     

    Next, we’re going to set locales. Use vi to edit the /etc/locale.gen file to uncomment your preferred encoding from the file.

    vi /etc/locale.gen

    An excerpt of my file is below; notice the uncommented line.

    #en_PH ISO-8859-1
    #en_SG.UTF-8 UTF-8
    #en_SG ISO-8859-1
    en_US.UTF-8 UTF-8
    #en_US ISO-8859-1
    #en_ZA.UTF-8 UTF-8
    #en_ZA ISO-8859-1

    Then, use the command below to generate a locale.

    locale-gen

    Now, run the following two commands to generate a locale.conf file and set the LANG variable. Substitute en_US.UTF-8 with the encoding you uncommented in the step above.

    echo LANG=en_US.UTF-8 > /etc/locale.conf
    export LANG=en_US.UTF-8

     

    Set a timezone with the following two commands. Substitute America and New_York with your zone and sub-zone.

    rm /etc/localtime
    ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

     

    Set the hardware clock with the following command.

    hwclock --systohc --utc

     

    There’s still more work to be done. Here, set a hostname with the following command. Substitute Arch with your hostname of choice.

    echo Arch > /etc/hostname

     

    Now, use vi to edit the /etc/hosts file to add the same hostname at the end of each line.

    #
    # /etc/hosts: static lookup table for host names
    #
    
    #<ip-address>   <hostname.domain.org>   <hostname>
    127.0.0.1       localhost.localdomain   localhost  Arch
    ::1             localhost.localdomain   localhost  Arch
    
    # End of file
    

     

    Find the name of your network adapter by using ip link.

    ip link

    In the example below, my adapter is enp2s0. Arch Linux uses Consistent Network Interface Naming to name its adapters, which is why your adapters won’t be named like eth0 or wlan0.

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether dc:0e:a1:9b:b0:19 brd ff:ff:ff:ff:ff:ff
    3: wlp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN mode DEFAULT group default qlen 1000
        link/ether 08:11:96:90:20:60 brd ff:ff:ff:ff:ff:ff

    Now, enable the DHCP client daemon on that adapter. Substitute enp2s0 with your adapter name.

    systemctl enable dhcpcd@enp2s0

     

    Step 13 – Generate an initial ramdisk

    This step is very important. Since we’re using LVM and encryption, we need to edit the /etc/mkinitcpio.conf file to include a few extra hooks.

    vi /etc/mkinitcpio.conf

    Before…

    HOOKS="base udev autodetect modconf block filesystems keyboard fsck"

    After…

    HOOKS="base udev autodetect modconf block keymap keyboard usbinput encrypt lvm2 resume filesystems shutdown fsck"

    Note – The hooks keymap, encrypt, lvm2, and resume need to come between block and filesystems. The shutdown hook is after the filesystems entry. I had to add usbinput to use my USB keyboard.

     

    Finally, generate the ramdisk. For now, ignore any errors about missing firmware.

    cd /boot
    mkinitcpio -p linux

     

    Step 14 – Create users and set passwords

    Set a password for the root user with the command below.

    passwd

     

    It’s also a good idea to create a normal user for you to use later on. Substitute logan with your username.

    useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,wheel -s /bin/bash logan

    Note – I have this user added to the wheel group, which we’ll need to use sudo. More on that later.

     

    Then, change the password for your new user. Substitute logan with your username.

    passwd logan

     

    Step 15 – Install and configure a bootloader

    Use pacman to install a few packages, including the GRUB2 bootloader.

    pacman -S fuse grub lvm2 os-prober

    In the GRUB2 config file, we need to set a kernel parameter. The file to edit, however, depends on which bootloader you are using. In our case, it is GRUB2, and we’ll be editing the /etc/default/grub file.

    vi /etc/default/grub

    Find the line GRUB_CMDLINE_LINUX="" and add the cryptdevice parameter to specify the location of your encrypted LVM. The format used is cryptdevice=device:vgname. We’re also adding a parameter for swap to be used to suspend/resume the system.

    Before…

    GRUB_CMDLINE_LINUX=""

    After…

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:VolGroup00 resume=/dev/VolGroup00/lvolswap"
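    A wrong hook order or a missing kernel parameter only shows up at the next boot, as a system that never asks for the /dev/sda3 passphrase or cannot find its volumes. The script below is an added example, not part of the original post: it reads the HOOKS line from step 13 and the GRUB_CMDLINE_LINUX line from this step as text and reports what does not match the layout described here. The function names are made up for this example, and the encrypt, lvm2, resume order it enforces is the one in the tutorial's After line.

```shell
#!/bin/sh
# Added example (not from the original post): check the two files edited in
# steps 13 and 15 before rebooting. Files are only read; nothing is changed.

# Print the value of NAME="..." or NAME=(...) from a config file (last assignment wins).
conf_value() {  # $1 = variable name, $2 = file
    grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e "s/^[\"'(]//" -e "s/[\"')][[:space:]]*\$//"
}

# Print the 1-based position of a hook in a space-separated list, 0 if absent.
hook_pos() (  # $1 = hook name, $2 = hook list
    i=0; pos=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$1" ] && [ "$pos" -eq 0 ]; then pos=$i; fi
    done
    echo "$pos"
)

# Print the value of key=value from a kernel command line (empty if absent).
cmdline_param() (  # $1 = key, $2 = command line
    for w in $2; do
        case $w in "$1"=*) echo "${w#*=}" ;; esac
    done | tail -n 1
)

# Print one PROBLEM line per finding; exit status is the number of findings.
check_boot_chain() (  # $1 = mkinitcpio.conf, $2 = /etc/default/grub
    hooks=$(conf_value HOOKS "$1")
    cmdline=$(conf_value GRUB_CMDLINE_LINUX "$2")
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    block=$(hook_pos block "$hooks")
    fs=$(hook_pos filesystems "$hooks")
    if [ "$block" -eq 0 ] || [ "$fs" -eq 0 ]; then
        fail "HOOKS must contain both 'block' and 'filesystems'"
    fi
    # Rule from the tutorial's note: these hooks sit between block and filesystems.
    for h in keymap encrypt lvm2 resume; do
        p=$(hook_pos "$h" "$hooks")
        if [ "$p" -eq 0 ]; then
            fail "hook '$h' is missing from HOOKS"
        elif [ "$p" -lt "$block" ] || [ "$p" -gt "$fs" ]; then
            fail "hook '$h' is not between block and filesystems"
        fi
    done
    # The LUKS container has to be open before LVM can see the volume group
    # inside it, and the swap volume has to exist before resume looks for it.
    enc=$(hook_pos encrypt "$hooks")
    lvm=$(hook_pos lvm2 "$hooks")
    res=$(hook_pos resume "$hooks")
    if [ "$enc" -gt 0 ] && [ "$lvm" -gt 0 ] && [ "$enc" -gt "$lvm" ]; then
        fail "encrypt must come before lvm2"
    fi
    if [ "$lvm" -gt 0 ] && [ "$res" -gt 0 ] && [ "$lvm" -gt "$res" ]; then
        fail "lvm2 must come before resume"
    fi
    shut=$(hook_pos shutdown "$hooks")
    if [ "$shut" -gt 0 ] && [ "$shut" -lt "$fs" ]; then
        fail "shutdown must come after filesystems"
    fi

    # Kernel parameters the encrypt and resume hooks read at boot.
    case $(cmdline_param cryptdevice "$cmdline") in
        ?*:?*) ;;
        *) fail "GRUB_CMDLINE_LINUX needs cryptdevice=device:name" ;;
    esac
    if [ -z "$(cmdline_param resume "$cmdline")" ]; then
        fail "GRUB_CMDLINE_LINUX needs resume=<swap device>"
    fi
    exit "$problems"
)

# Constructed sample files holding the tutorial's "After" values.
demo=$(mktemp -d)
echo 'HOOKS="base udev autodetect modconf block keymap keyboard usbinput encrypt lvm2 resume filesystems shutdown fsck"' > "$demo/mkinitcpio.conf"
echo 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:VolGroup00 resume=/dev/VolGroup00/lvolswap"' > "$demo/grub"
check_boot_chain "$demo/mkinitcpio.conf" "$demo/grub" && echo "early-boot unlock chain looks consistent"
rm -rf "$demo"
```

    Inside the chroot, the same check runs against the real files with check_boot_chain /etc/mkinitcpio.conf /etc/default/grub.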

     

    Set up GRUB2 with the following two commands.

    grub-install --target=i386-pc --recheck /dev/sda
    grub-mkconfig -o /boot/grub/grub.cfg

    When you run the second command, you may see warnings like those shown below.

    /run/lvm/lvmetad.socket: connect failed: No such file or directory
    WARNING: Failed to connect to lvmetad. Falling back to internal scanning.

    According to this page, you can ignore those warnings. This means you don’t need to set use_lvmetad = 0.

     

    Exit chroot, unmount any filesystems, and shutdown your machine.

    exit
    umount /mnt/home
    umount /mnt/boot
    umount /mnt
    shutdown -h now

    Remove the USB flash drive we inserted into the laptop back in step 1.

     

    Step 16 – Start Arch Linux

    Start your machine and you should be greeted by the GRUB2 bootloader. Enter the password to unlock your encrypted partition /dev/sda3. After the operating system loads, you should be back at a root prompt where you can log in with the root username and root password you set earlier.

     

    The first order of business is to test your internet connectivity.

    ping -c 3 www.google.com

    My network device was down at first, so I brought it up with the command below.

    ip link set dev enp2s0 up

     

    If you’re using 64bit Arch Linux, you should enable the multilib repository to install 32bit packages as well. Uncomment the two lines below from the /etc/pacman.conf file.

    [multilib]
    Include = /etc/pacman.d/mirrorlist

    Then, check for updates with pacman.

    pacman -Syy
    pacman -Syu

     

    Next, we need to edit the /etc/sudoers file to allow use of the wheel group for our normal users. Only use visudo to edit /etc/sudoers, as it locks the file while editing, provides basic syntax checking, etc…

    visudo

    Uncomment the %wheel ALL=(ALL) ALL line, like below.

    Before…

    # %wheel ALL=(ALL) ALL
    

    After…

    %wheel ALL=(ALL) ALL

     

    Step 17 – Install drivers

    We need to install graphics drivers for our system. First, find out what kind of graphics adapter you have.

    lspci | grep -i vga

    My laptop is using built-in Intel graphics

    00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)

    …so this is the driver package I’ll be using.

    pacman -S xf86-video-intel libva-intel-driver libva

    Note – If you have a different graphics adapter, check the page here.

     

    Next on the list is wireless drivers. Again, use lspci.

    03:00.0 Network controller: Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] (rev 34)

    According to this page, the wireless driver I need is iwlwifi, which was already included in the linux-firmware package.

     

    Since my touchpad isn’t working, I’m also going to install Synaptics touchpad drivers.

    pacman -S xf86-input-synaptics

     

    Step 18 – Install the GUI

    First, we’re going to start out with a basic installation of XOrg server.

    pacman -S xorg-server xorg-xinit xorg-server-utils xorg-twm xorg-xclock xterm

    Once those are installed, run startx and you should get a very basic XOrg window system.

    [Image: 20141114_001]

    Now, we’ll install a proper GUI. For this, I’m going to be using Openbox instead of Cinnamon. Remember, since Openbox isn’t a full desktop environment, we’ll need to manually install packages that would normally come bundled in a DE (e.g., file manager, network manager, panel, menu generator, etc…).

    pacman -S lightdm lightdm-gtk3-greeter gnome-icon-theme networkmanager network-manager-applet openbox obconf lxappearance-obconf lxinput lxrandr lxsession numix-themes openbox-themes parcellite polkit xterm thunar gvfs volumeicon nitrogen xfce4-notifyd xfce4-power-manager

    Note – Other greeters besides lightdm-gtk3-greeter are available here.

     

    Enable the newly installed Light display manager (LightDM) so you can use it when we reboot.

    systemctl enable lightdm.service

    We’re going to enable the NetworkManager service at boot. However, by default, Arch Linux receives an IP address via DHCP by using the DHCP client daemon (dhcpcd). Since the two will conflict, we’re going to disable dhcpcd.

    systemctl enable NetworkManager.service
    systemctl disable dhcpcd
    systemctl disable dhcpcd@enp2s0

     

    We also need to configure the swappiness (yes, that’s the technical term) of the swap logical volume. A higher swappiness value means more data is swapped to disk, which decreases performance. The default value is 60, but I’m going to set it to 10.

    echo -e "vm.swappiness=10" >> /etc/sysctl.d/99-sysctl.conf

     

    Step 19 – Start the GUI

    Finally, the moment of truth! Reboot your installation and cross your fingers.

    reboot

     

    You should boot into LightDM and be able to log in using the normal user we created earlier (not root). If all goes well, Openbox should start.

    [Image: 20141114_002]

    No, it’s not broken. This is what Openbox looks like when it’s newly installed. If you right-click on the background, you’ll see that you get the Openbox menu.

    [Image: 20141114_003]

    Technically, you have Arch installed and Openbox up and running, congratulations! From here on, Xterm will be your best friend 🙂 This is what Openbox looks like after a little bit of customization.

    [Image: 20141114_004]

     

    Misc tweaks/extras

    User directories

    To create all of your default directories in $HOME (e.g., Documents, Music, Pictures, etc…), run the two commands below.

    sudo pacman -S xdg-user-dirs
    xdg-user-dirs-update

     

    Fonts

    Below are the packages I install for additional fonts. I do this first, as nothing looks right without them.

    sudo pacman -S font-mathematica freetype2 terminus-font ttf-dejavu ttf-droid ttf-freefont ttf-inconsolata ttf-liberation ttf-linux-libertine ttf-ubuntu-font-family xorg-xfontsel

     

    Openbox

    Reconfigure Openbox

    Openbox is configured with four files located in ~/.config/openbox:

    • menu.xml
    • autostart
    • rc.xml
    • environment

    Those files may not be there at first, so you’ll need to copy them to your home directory.

    mkdir -p ~/.config/openbox
    cp -R /etc/xdg/openbox/* ~/.config/openbox

    Any time you change any of the four config files, you’ll need to reload them into Openbox with the command below.

    openbox --reconfigure

     

    Update the menu

    If you dig around in the Openbox menu, you’ll see that there are applications listed that we haven’t installed. Naturally, the file ~/.config/openbox/menu.xml controls what appears in the menu. Every time you install/remove an application in Openbox, you’ll need to edit the menu.xml file to reflect those changes, then reload it into Openbox. Doing this manually is a pain, so MenuMaker will make that job easier.

    sudo pacman -S menumaker

    Run the command below after installing any packages.

    mmaker -v OpenBox3

    Remember to reconfigure Openbox after you change this file.

    openbox --reconfigure

     

    Autostart

    Certain applications, like Tint2 and Conky, will only run when you start them manually. To fix this, we’ll need to tell them to start automatically after Openbox starts. You guessed it, we’re going to edit the ~/.config/openbox/autostart file then reconfigure Openbox. My autostart file is below.

    ##Autostart File ##
    
    ##Background
    (sleep 1s && nitrogen --restore) &
    
    ##tint2 panel
    (sleep 1s && tint2) &
    
    ##Sound Icon
    (sleep 1s && volumeicon) &
    
    ##Conky
    (sleep 3s && conky) &
    
    ##Clipboard
    (sleep 1s && parcellite) &

    Remember to reconfigure Openbox after you change this file.

    openbox --reconfigure

     

    Keybindings

    Compared to a full desktop environment, Openbox is lacking some useful keybindings. The ~/.config/openbox/rc.xml file is where you can change that. The default file is pretty good, but I added a few bindings to launch a terminal, open the menu, snap windows to edges, and run the oblogout script. I’m not going to post that file here, since it’s huge.

    Remember to reconfigure Openbox after you change this file.

    openbox --reconfigure

     

    Dmenu

    Since there is no “Start” button in Openbox, it can be a pain to have to switch desktops or go to the background to open the menu. Dmenu is an application that opens with a key combination (see above) and then lets you search your installed apps.

    sudo pacman -S dmenu

    Set it to run with a key binding using something like the segment below in your rc.xml file.

      <keybind key="W-space">
        <action name="Execute">
            <command>dmenu_run</command>
        </action>
      </keybind>

    Remember to reconfigure Openbox after you change this file.

    openbox --reconfigure

     

    Tint2

    Let’s make this installation a little more user-friendly by setting up a bottom panel with Tint2. Start off by installing the Tint2 package and creating the necessary files. Also, keep the documentation handy, as you’re probably going to need it at some point.

    sudo pacman -S tint2
    mkdir -p ~/.config/tint2
    touch ~/.config/tint2/tint2rc

    Tint2 runs off a configuration file located at ~/.config/tint2/tint2rc. You can edit the tint2rc file directly, or call tint2conf from the terminal to edit Tint2 using a GUI. My tint2rc file is below.

    # Tint2 config file
    # Generated by tintwizard (http://code.google.com/p/tintwizard/)
    # For information on manually configuring tint2 see http://code.google.com/p/tint2/wiki/Configure
    
    # Background definitions
    # ID 1
    rounded = 0
    border_width = 0
    background_color = #000000 50
    border_color = #000000 0
    
    # ID 2
    rounded = 5
    border_width = 0
    background_color = #4E4E4E 49
    border_color = #000000 0
    
    # ID 3
    rounded = 5
    border_width = 0
    background_color = #FF8000 49
    border_color = #FFFFFF 65
    
    # Panel
    panel_monitor = all
    panel_position = bottom center horizontal
    panel_size = 100% 4%
    panel_margin = 0 0
    panel_padding = 0 0 7
    panel_dock = 0
    wm_menu = 0
    panel_layer = top
    panel_background_id = 1
    
    # Panel Autohide
    autohide = 0
    autohide_show_timeout = 0.3
    autohide_hide_timeout = 2
    autohide_height = 2
    strut_policy = follow_size
    
    # Taskbar
    taskbar_mode = single_desktop
    taskbar_padding = 1 3 3
    taskbar_background_id = 0
    taskbar_active_background_id = 0
    
    # Tasks
    urgent_nb_of_blink = 8
    task_icon = 0
    task_text = 1
    task_centered = 0
    task_maximum_size = 175 35
    task_padding = 5 1
    task_background_id = 2
    task_active_background_id = 3
    task_urgent_background_id = 2
    task_iconified_background_id = 2
    
    # Task Icons
    task_icon_asb = 100 0 0
    task_active_icon_asb = 100 0 0
    task_urgent_icon_asb = 100 0 0
    task_iconified_icon_asb = 100 0 0
    
    # Fonts
    task_font = Inconsolata Medium 9
    task_font_color = #FF8000 49
    task_active_font_color = #000000 100
    task_urgent_font_color = #FF0000 100
    task_iconified_font_color = #FF8000 49
    font_shadow = 0
    
    # System Tray
    systray = 1
    systray_padding = 5 5 5
    systray_sort = ascending
    systray_background_id = 0
    systray_icon_size = 16
    systray_icon_asb = 70 0 0
    
    # Clock
    time1_format = %H:%M:%S
    time1_font = Inconsolata Medium 10
    time2_format = %a %b %d %Y
    time2_font = Inconsolata Medium 10
    clock_font_color = #FF8000 49
    clock_padding = 1 3
    clock_background_id = 0
    
    # Tooltips
    tooltip = 0
    tooltip_padding = 2 2
    tooltip_show_timeout = 0.7
    tooltip_hide_timeout = 0.3
    tooltip_background_id = 1
    tooltip_font = sans 10
    tooltip_font_color = #000000 80
    
    # Mouse
    mouse_middle = none
    mouse_right = none
    mouse_scroll_up = toggle
    mouse_scroll_down = iconify
    
    # Battery
    battery = 1
    battery_low_status = 10
    battery_low_cmd = notify-send "battery low"
    battery_hide = 98
    bat1_font = Inconsolata Medium 9
    bat2_font = Inconsolata Italic 9
    battery_font_color = #FF8000 49
    battery_padding = 1 0
    battery_background_id = 0
    
    # End of config

    If you’re editing the file manually, use the command below to reload your tint2 configuration.

    killall -SIGUSR1 tint2

     

    Conky

    Next up is Conky, which is an application that can display system stats on the desktop. Start off by installing the Conky package.

    sudo pacman -S conky

    Conky runs off a configuration file located at ~/.conkyrc. Create this file manually with the command below.

    touch ~/.conkyrc

    The .conkyrc file is broken down into two parts: configuration settings and variables. The configuration settings go at the top of the file, and the variables come after the TEXT tag. Anything after TEXT is printed to the screen. My .conkyrc file is below.

    background yes
    #gap_x 20
    gap_y 100
    alignment left
    update_interval 1
    use_xft yes
    xftfont Inconsolata:size=10
    own_window yes
    own_window_type override
    own_window_transparent yes
    own_window_colour 000000
    #own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
    own_window_argb_visual no
    own_window_argb_value 0
    double_buffer yes
    draw_shades no
    draw_graph_borders no
    default_bar_size 0 7
    default_graph_size 20 20
    #border_inner_margin 16
    default_color FFFFFF
    color2 FF8000
    #minimum_size 0 0
    temperature_unit fahrenheit
    format_human_readable yes
    
    TEXT
    ${color}
    ${nodename} @ ${kernel}
    
    ${color}CPU
    ${color2}${cpubar}
    ${cpu cpu0}%
    ${color}${top name 1}${color2}${alignr}${top cpu 1}%
    ${color}${top name 2}${color2}${alignr}${top cpu 2}%
    ${color}${top name 3}${color2}${alignr}${top cpu 3}%
    ${color}${top name 4}${color2}${alignr}${top cpu 4}%
    
    ${color}RAM${color2}${alignr}${mem}/${memmax}
    ${color2}${membar}
    ${memperc}%
    ${color}${top_mem name 1}${color2}${alignr}${top_mem mem 1}%
    ${color}${top_mem name 2}${color2}${alignr}${top_mem mem 2}%
    ${color}${top_mem name 3}${color2}${alignr}${top_mem mem 3}%
    ${color}${top_mem name 4}${color2}${alignr}${top_mem mem 4}%
    
    ${color}/${color2} ${alignr}${fs_used /}/${fs_size /}
    ${fs_bar /}
    ${fs_used_perc /}%
    
    ${color}/home${color2} ${alignr}${fs_used /home}/${fs_size /home}
    ${fs_bar /home}
    ${fs_used_perc /home}%
    
    ${color}LAN
    enp2s0 @${color2} ${addr enp2s0}
    ${color}DOWN ${color2}${downspeed enp2s0}${color}${alignr}UP ${color2}${upspeed enp2s0}
    ${downspeedgraph enp2s0 20, 130}${alignr}${upspeedgraph enp2s0 20, 130}
    ${color}TOTAL ${color2}${totaldown enp2s0}${color}${alignr}TOTAL ${color2}${totalup enp2s0}
    
    ${color}WLAN
    wlp3s0 @${color2} ${addr wlp3s0}
    ${color}SSID ${color2}${wireless_essid wlp3s0} ${wireless_link_qual_perc wlp3s0}%
    ${color}DOWN ${color2}${downspeed wlp3s0}${color}${alignr}UP ${color2}${upspeed wlp3s0}
    ${downspeedgraph wlp3s0 20, 130}${alignr}${upspeedgraph wlp3s0 20, 130}
    ${color}TOTAL ${color2}${totaldown wlp3s0}${color}${alignr}TOTAL ${color2}${totalup wlp3s0}
    
    ${color}Weather
    NOW ${color2}${weather http://weather.noaa.gov/pub/data/observations/metar/stations/ KPIT temperature}F ${weather http://weather.noaa.gov/pub/data/observations/metar/stations/ KPIT weather}

    Changes to your .conkyrc file are reflected immediately, so there’s no need to reload it.

     

    Oblogout with xlockmore

    By default, the only way to log out of Openbox or lock the screen is through the terminal. If you want something quicker, the oblogout package can be installed to give you a graphical option, including: cancel, logout, restart, shutdown, suspend, hibernate, and lock the screen. I’m also going to install xlockmore, as a simple way to lock the screen when I’m away.

    sudo pacman -S oblogout xlockmore

    You can bind oblogout to a key combination, and then customize what each button does. Then, edit the /etc/oblogout.conf file to customize your menu. My oblogout.conf file is below.

    [settings]
    usehal = false
    
    [looks]
    opacity = 0 
    bgcolor = black
    buttontheme = oxygen
    #original#buttons = cancel, logout, restart, shutdown, suspend, hibernate, lock
    buttons = cancel, logout, restart, shutdown, lock
    
    
    [shortcuts]
    cancel = Escape
    shutdown = S
    restart = R
    #suspend = U
    logout = K
    lock = L
    #hibernate = H
    
    [commands]
    shutdown = systemctl poweroff
    restart = systemctl reboot
    suspend = dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Suspend
    hibernate = dbus-send --system --print-reply --dest="org.freedesktop.UPower" /org/freedesktop/UPower org.freedesktop.UPower.Hibernate
    logout = openbox --exit
    lock = xlock -mode galaxy -echokeys -echokey "*" +description -mousemotion -fg white -bg black -info ' ' -username 'Username: ' -password 'Password:'
    #switchuser = gdm-control --switch-user
    #safesuspend = safesuspend

     

    Daily-use packages

    Below is the list of packages that I use on my machine. You don’t need to install them, obviously.

    sudo pacman -S arandr audacity baobab brasero bzip2 chromium clamav coreutils deluge devede exfat-utils file-roller filezilla firefox freerdp galculator gimp gksu gparted gzip hardinfo haveged htop inkscape libreoffice libvncserver medit mupdf networkmanager-openvpn networkmanager-pptp ntfs-3g openssh openvpn p7zip pinta pptpclient remmina rsync scrot thunar-archive-plugin thunar-media-tags-plugin thunar-volman tumbler gvfs gvfs-afc gvfs-mtp tigervnc tlp truecrypt unrar unzip util-linux viewnior vim wget x11vnc zip
    
    sudo systemctl enable haveged
    sudo systemctl enable tlp.service
    sudo systemctl enable tlp-sleep.service
    sudo ln -sf /dev/null /etc/systemd/system/systemd-rfkill@.service
    sudo ln -sf /usr/bin/chromium /usr/bin/chrome

     

    Audio/video/sound codecs and DVD support

    Unlike Ubuntu or Linux Mint, Arch Linux won’t support many codecs or DVD playback out-of-the-box. The packages below should cover most of what you need to do.

    sudo pacman -S alsa-firmware alsa-utils ffmpeg flac gstreamer gstreamer0.10 gstreamer0.10-ffmpeg gstreamer0.10-good-plugins gst-libav gst-plugins-base gst-plugins-good lame libdvdcss libdvdnav libdvdread libmpeg2 libtheora libvorbis mplayer vlc x264 x265 xvidcore winff

    Unmute and test your speakers with the commands below. This is assuming you’re using ALSA and have a 2.0 setup.

    amixer sset Master unmute
    speaker-test -c 2

     

    Flash player plugin

    As much as I hate relying on a closed source product, sometimes you just need Flash player. The official Adobe version of Flash player, as well as open source alternatives, are available in pacman. The command below installs the Adobe version.

    sudo pacman -S flashplugin

    Note – Adobe discontinued support for the Linux version of Flash player in 2012, but will provide security updates until 2017. Flash will still be available if you’re using Chrome/Chromium, but if you’re using anything else, you’ll need to use the package above.

     

    Archey

    This is personal preference, but I’m going to install Archey from the Arch User Repository (AUR). The AUR is a community-driven repository for Arch Linux packages. Installing packages from the AUR involves downloading the tarball to your PC, then extracting it, building the package, and installing it using pacman. There are scripts that will do this automatically, but you should know how to do it manually.

    cd ~
    wget https://aur.archlinux.org/packages/ar/archey/archey.tar.gz
    tar -xvzf archey.tar.gz
    cd archey
    makepkg -s
    sudo pacman -U archey*.pkg.tar.xz
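    makepkg runs the PKGBUILD as shell code under your account, and an install= scriptlet runs as root during pacman -U, so both are worth reading between the tar and makepkg steps. The script below is an added example, not part of the original post or of any AUR tooling: it scans a PKGBUILD as text, never sourcing it, and lists the lines that deserve a closer look. The function names and the sample PKGBUILD (example-tool, downloads.example.org) are constructed for illustration.

```shell
#!/bin/sh
# Added example: static review of a PKGBUILD before running `makepkg -s`.
# The file is only read as text; nothing in it is executed.

# Print the raw text of NAME=( ... ) or NAME_arch=( ... ), even across lines.
pkgbuild_array() {  # $1 = array name, $2 = PKGBUILD path
    awk -v name="$1" '
        $0 ~ ("^" name "(_[a-z0-9_]+)?=[(]") { inside = 1 }
        inside { print; if ($0 ~ /[)]/) inside = 0 }
    ' "$2"
}

# Print one REVIEW line per finding; exit status is the number of findings.
audit_pkgbuild() (  # $1 = PKGBUILD path
    f=$1
    findings=0
    note() { echo "REVIEW: $*"; findings=$((findings + 1)); }

    # 1. Sources fetched over a transport that can be modified in transit.
    for url in $(pkgbuild_array source "$f" | grep -Eo "(http|ftp)://[^\"' )]+"); do
        note "source fetched without TLS: $url"
    done

    # 2. Integrity: a strong checksum array must exist, and no entry may opt out.
    if ! grep -Eq '^(sha256|sha384|sha512|b2)sums(_[a-z0-9_]+)?=' "$f"; then
        if grep -Eq '^(md5|sha1)sums(_[a-z0-9_]+)?=' "$f"; then
            note "only md5/sha1 checksums are declared"
        else
            note "no checksum array is declared"
        fi
    fi
    for a in md5sums sha1sums sha256sums sha384sums sha512sums b2sums; do
        if pkgbuild_array "$a" "$f" | grep -q 'SKIP'; then
            note "$a contains SKIP, so that source is not verified"
        fi
    done

    # 3. install= names a scriptlet that pacman runs as root at install time.
    inst=$(sed -n "s/^install=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$f")
    if [ -n "$inst" ]; then
        note "install scriptlet '$inst' runs as root, read it as well"
    fi

    # 4. Build steps that download something and execute it directly.
    if grep -Eq '(curl|wget)[^|;]*\|[[:space:]]*(ba)?sh' "$f"; then
        note "a download is piped straight into a shell"
    fi
    exit "$findings"
)

# Constructed sample PKGBUILD (not a real package) that trips four findings.
write_sample_pkgbuild() {  # $1 = output path
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("http://downloads.example.org/example-tool-1.0.tar.gz"
        "fix-build.patch")
md5sums=('SKIP'
         'SKIP')
install=example-tool.install
build() {
  cd "$srcdir/example-tool-1.0"
  make
}
EOF
}

sample=$(mktemp)
write_sample_pkgbuild "$sample"
audit_pkgbuild "$sample" || echo "$? item(s) to review before running makepkg"
rm -f "$sample"
```

    In the steps above it would run as audit_pkgbuild PKGBUILD from inside the extracted archey directory, before makepkg -s.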

     

    Edit your .bashrc file to add the archey line at the end.

    vi ~/.bashrc

    Before…

    #
    # ~/.bashrc
    #
    
    # If not running interactively, don't do anything
    [[ $- != *i* ]] && return
    
    alias ls='ls --color=auto'
    PS1='[\u@\h \W]\$ '

    After…

    #
    # ~/.bashrc
    #
    
    # If not running interactively, don't do anything
    [[ $- != *i* ]] && return
    
    alias ls='ls --color=auto'
    PS1='[\u@\h \W]\$ '
    
    archey

     

    Now, whenever you start a terminal (in the GUI or over SSH), you’ll see something like this.

    [Image: 20140830_012]

    Firewall

    Getting a firewall up and running should be near the top of your to-do list. I’m fairly comfortable with Fedora’s GUI firewall package, firewalld, but it doesn’t support iptables. I want to eventually learn iptables, but am not ready to jump right into it yet. Browsing the firewall wiki page presented an overwhelming amount of options, and I settled on ufw, which is a front-end for iptables. I’m also installing Gufw in case I need a little help 🙂

    sudo pacman -S gufw iptables ufw

     

    Start ufw and make it available after boot.

    sudo ufw enable
    sudo systemctl start ufw
    sudo systemctl enable ufw

     

    Make sure that the iptables service isn’t running, since it will conflict with ufw.

    sudo systemctl --type=service
    sudo systemctl disable iptables.service
    sudo systemctl disable ip6tables.service

     

    I’m going to be starting with a basic configuration and adding to it as needed.

    sudo ufw default deny
    sudo ufw allow from 192.168.0.0/24
    sudo ufw allow Deluge
    sudo ufw allow SSH

     

    LightDM – Turn on NumLock at login

    First, install the package below.

    sudo pacman -S numlockx

    Then, edit /etc/lightdm/lightdm.conf to change the line below.

    Before…

    #greeter-setup-script=

    After…

    greeter-setup-script=/usr/bin/numlockx on

     

    Pacman

    Colored Terminal

    To enable colors in pacman, uncomment the line below from /etc/pacman.conf.

    Color

     

    Pacman progress bar

    To change the progress bar to look like Pacman eating dots, add the following line to your /etc/pacman.conf file.

    ILoveCandy

     

    Optimize pacman database

    First, run the command below, and make note of your time.

    time testdb

    Then, run the command below to optimize the database. This is primarily intended for spinning HDDs, not SSDs.

    sudo pacman-optimize && sync

    Then, run testdb again and compare your time.

    time testdb

     

    Printing (CUPS)

    Let me tell you something. I. HATE. PRINTING. Every time there is a printer involved in any workflow, I can promise you it will all come to a grinding halt at the printer. Apparently, Matthew Inman of The Oatmeal agrees with me. At home, we have a HP Photosmart D110a that I’d love to go Michael Bolton on if I could.

    When using Ubuntu, Linux Mint, and Fedora, CUPS has always served me pretty well. I don’t know if I could print labels, envelopes, or photos, but printing a one-off document is relatively painless.

    We’ll need a few packages before we get started, and you’ll also need to know which driver pack you want. I also recommend skipping the config files and using an alternative interface to CUPS, in this case, that’s system-config-printer.

    sudo pacman -S cups cups-pdf hplip libcups system-config-printer

     

    You’ll need to create a new group, then add yourself to that group. Substitute logan with your username.

    sudo groupadd lpadmin
    sudo usermod -aG lpadmin logan

     

    Next, use vi to edit the /etc/cups/cups-files.conf file to add the newly created group to the SystemGroup line.

    sudo vi /etc/cups/cups-files.conf

    Before…

    # Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
    SystemGroup sys root

    After…

    # Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
    SystemGroup sys root lpadmin

     

    Next, start the systemd service for CUPS.

    sudo systemctl enable org.cups.cupsd.service

    Reboot your machine, since you changed your group membership and CUPS needs cycled.

    sudo reboot

     

    Next, launch system-config-printer from the terminal then click on Add. If a login box appears, enter your username and password.

    [Image: 20140830_013]

     

    On the left, select Network Printer, then Find Network Printer.  On the right, enter the IP address of the printer and click Find.

    [Image: 20140830_014]

     

    When the printer is found, you’ll need to choose a Connection from the box at the bottom. Choose the connection that best represents the driver pack you installed earlier and click Forward.

    [Image: 20140830_015]

     

    Give the printer a name, description, and location, then click Apply.

    [Image: 20140830_016]

     

    When the dialog box appears, print a test page and start praying to the printing gods that it comes out.

    [Image: 20140830_017]

    Systemd – boot performance

    I’m not going to talk about whether I love systemd or hate it. Honestly, I’m not technical enough to have an opinion on it. That being said, we can use it to improve our boot performance.

    To see the time taken to start each systemd unit file, enter the command below.

    systemd-analyze blame

    At some points in the boot process, the next unit file cannot proceed until the previous one loads. To see this, enter the command below at the terminal. This can give you a good idea of where pauses/hangs are happening in the boot process.

    systemd-analyze critical-chain

     

    VirtualBox host support

    If you’re going to be using this Arch Linux installation as a VirtualBox host, you’ll need the following packages installed.

    sudo pacman -S virtualbox virtualbox-guest-iso virtualbox-host-dkms virtualbox-host-modules

    In addition, you’ll need to make sure the VirtualBox kernel modules run at startup on your host, then add your user account to the vboxusers group.

    echo -e "vboxdrv\nvboxnetadp\nvboxnetflt\nvboxpci" | sudo tee -a /etc/modules-load.d/virtualbox.conf
    sudo gpasswd -a $USER vboxusers
    sudo reboot

     

     

    That’s all, folks! I’m going to keep testing out Arch Linux and working on making it a daily driver. I’ll update this post accordingly.

    -Logan

    13 thoughts on “Arch Linux with Encrypted LVM on hardware”

    1. Hi there, that’s a great tutorial. Easy to understand how to install Arch Linux with Encrypted LVM on hardware. Do you prefer /dev/zero instead of /dev/urandom? Which one do you recommend? Thanks!!

      • Thanks! Since it was a new drive and I wasn’t trying to wipe any of my information, I used /dev/zero. However, if I was trying to wipe a drive of mine, I’d do a few passes of /dev/urandom and /dev/zero.

    2. Hi again, today I’ve noticed the following error during boot:
      ERROR: resume: hibernation device ‘/dev/****/lvolswap’ not found.

      • Was this after a recent update, or on your first reboot? Was it working before? I don’t use hibernation myself, so I’ve never encountered this. According to this thread, you may need a hook in /etc/mkinitcpio.conf or the resume_offset= kernel parameter.

    3. I’ve just recently switched to arch and first thing I did was install it on LUKS encrypted drive. I notice you went for unencrypted grub. It’s worth noting that for security reasons you might want to place your /boot on the encrypted LVM as well.

      You could even use something as basic as this and still have encrypted grub:
      $ lsblk
      NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
      sda 8:0 0 223,6G 0 disk
      └─sda1 8:1 0 223,6G 0 part
      └─system 254:0 0 223,6G 0 crypt
      ├─system-swap 254:1 0 8G 0 lvm [SWAP]
      └─system-root 254:2 0 215,6G 0 lvm /
