Skip to main content

Arch Linux Installation Guide For Developers

ยท 8 min read
Gabe Martino

Arch Linux Install

BTW we use Arch

Here at LunaSec not only have we been busy hacking, but we've also onboarded a couple new team members WOOHOO ๐Ÿฅณ! Through the onboarding process, we realized there is an opportunity to release our developer environment setup as a guide for the community.

We're sharing this guide to both show how we are using Arch Linux as Security Engineers at LunaSec and to give confidence to developers considering making the switch to Arch.

Why is Arch the best operating system for developers?

Here are a few of the reasons why we decided to use Arch as our development environment:

  • We have direct visibility and control down to the kernel
  • We know what's on our system and only use what we deem necessary
  • We can configure our environments to meet security standards quickly and seamlessly
  • We have access to the latest packages for development

We found Arch to be that sweet spot between security, accessibility, and productivity. As an Open Source startup, using Open Source software is fundamental to our values and culture as security professionals.

Lastly before we begin, here's a friendly shout out to Michael Picht for his guide over at nerdstuff.org. We referenced it while compiling our own guide and found it very helpful in our work, thanks again Michael ๐Ÿ‘.

Preparing For the Install

Grab the version of Arch you would like to install. Create a bootable USB of the Arch Image you downloaded. ( Etcher is available for Linux or Rufus for Windows to make your USB boot image. For further guidance please refer to the Arch Wiki.)

note

Verify secure boot is disabled in the BIOS before continuing to the next steps.

What We're Installing

Beginning the Install

Plug in your Arch USB image from the previous step and boot into it from your BIOS. From here, you'll be using the terminal.

We recommend installing via SSH to streamline copying over commands.

To do this you'll connect to the Internet using the iwctl tool to connect to your WIFI.

Open up the iwctl tool:

iwctl

Search for your wireless adapter:

device list

Scan your local networks with your wireless adapter (wlan0):

station wlan0 get-networks

Connect to your network:

station wlan0 connect YOUR_NETWORK
note

If your network is seperated with a space, use quotes for "YOUR NETWORK"

Once connected, exit iwctl:

exit

Verify your connection works:

ping google.com

Enabling SSH

Now that your machine is connected to the internet, enable the SSH protocol and connect to it from your outside computer.

Start SSH:

systemctl start sshd.service

Set a password for root:

passwd

Find the machine's IP Address:

ip addr show

From your other computer, connect via SSH (You'll be prompted for the root password you just set)

ssh "root@<IP-OF-THE-FIRST-PC>

Installation Overview

Now that you're connected via SSH, you're ready to do the following:

  • Create a Systemd boot partition
  • Create a Linux Filesystem partition for Arch
  • Encrypt your Filesystem Partition with LUKS
  • Create BTRFS Sub Volumes on your Linux Filesystem partition
  • Install Arch with recommended Packages

Create the Boot and Filesystem partitions

Identify the drive on which to install Arch:

lsblk
note

For this guide we'll be referencing our drive with the nvme0n1 naming convention, remember to replace it with your drive's name when referencing it.

The following commands will create two partitions, one for boot and for the filesystem:

gdisk /dev/nvme0n1

This will begin the gdisk program / prompt. Begin by creating the EFI partition (choose size 550M and hex code EF00):

Command (? for help): o
Command (? for help): n
Enter
Enter
+550M
EF00

The Boot Partition should now be created. Let's create the File system partition.

Command (? for help): n
Write the new partitions to disk:
Enter
Enter
Enter
Enter

Command (? for help): w

Now let's verify that our two partitions exist:

lsblk

You should be able to see the two partitions available as /dev/nvme0n1p1 and /dev/nvme0n1p2.

Encryption

With your partitions set, create the encrypted container for your root file system. Below is the command to encrypt the partition using LUKS:

cryptsetup --cipher aes-exts-plain64 --hash sha256 --use-random --verify-passphrase luksFormat --type luks2 /dev/nvme0n1p2

Open the encrypted partition with:

cryptsetup open /dev/nvme0n1p2 luks
note

("luks" is just a placeholder, you can use the name of your choice, but remember to continue the guide with your naming convention)

File System Creation

Format the EFI partition with FAT32 and give it the label EFI:

mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

Format the root partition with BTRFS and give it the label ROOT:

mkfs.btrfs -L ROOT /dev/mapper/luks
note

If you didnโ€™t open the LUKS container under the name โ€œluksโ€ you must adjust the command accordingly

Create and Mount Sub Volumes

Create sub volumes for root, home, the package cache, snapshots, and the entire BTRFS file system:

mount /dev/mapper/luks /mnt
btrfs sub create /mnt/@
btrfs sub create /mnt/@swap
btrfs sub create /mnt/@home
btrfs sub create /mnt/@pkg
btrfs sub create /mnt/@snapshots
umount /mnt

Mount the sub volumes:

mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@ /dev/mapper/luks /mnt
mkdir -p /mnt/{boot,home,var/cache/pacman/pkg,.snapshots,btrfs}
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@home /dev/mapper/luks /mnt/home
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@pkg /dev/mapper/luks /mnt/var/cache/pacman/pkg
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@snapshots /dev/mapper/luks /mnt/.snapshots
mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvolid=5 /dev/mapper/luks /mnt/btrfs

Mount the EFI partition:

mount /dev/nvme0n1p1 /mnt/boot
note

Optional - The following is for those wanting to use a swapfile.

Create swap file (taken from Btrfs - Swap file and Swap file):

cd /mnt/btrfs/@swap
truncate -s 0 ./swapfile
chattr +C ./swapfile
btrfs property set ./swapfile compression none
dd if=/dev/zero of=./swapfile bs=1M count=<FILE-SIZE-IN-MiB> status=progress
chmod 600 ./swapfile
mkswap ./swapfile
swapon ./swapfile
cd -

Base System and /etc/fstab

With your subvolumes created and mounted, you are now ready to install Arch Linux. For our machine we will be using intel-ucode as the X1 has an intel CPU setup

note

If your machine has an AMD CPU, replace intel-ucode with amd-ucode. Feel free to add any other packages you want to install at this time in the command below.

pacstrap /mnt linux linux-firmware base btrfs-progs intel-ucode nano networkmanager git

Generate /etc/fstab:

genfstab -U /mnt >> /mnt/etc/fstab

System Configuration

This is where you'll be managing system configurations. In our case we're configuring this as an American user, but for those of you reading outside the US, set the language and keyboard bindings to your locale.

CHROOT into the new system:

arch-chroot /mnt/

Set the hostname:

echo <YOUR-HOSTNAME> > /etc/hostname

Set locale:

echo LANG=en_US.UTF-8 > /etc/locale.conf

Uncomment the following rows in /etc/locale.gen:

en_US.UTF-8.UTF-8

Generate locale:

locale-gen

Define hosts in /etc/hosts:

<ip-address>    <hostname.domain.org>   <hostname>
127.0.0.1 <YOUR-HOSTNAME>.localdomain <YOUR-HOSTNAME>
::1 localhost.localdomain localhost

Set the root user's password:

(We recommend setting a secure password for your newly created root user.)

passwd

Initramfs

Configure the creation of initramfs by editing /etc/mkinitcpio.conf. Edit the line HOOKS=... to:

HOOKS=(base keyboard udev autodetect modconf block keymap encrypt btrfs filesystems resume)
note

resume in the above hooks is for those of you setting up a swap partition. If you don't intend to use swap, you can simply remove it.

Recreate initramfs:

mkinitcpio -p linux

Boot Manager

Install systemd-boot:

bootctl --path=/boot install

Create file /boot/loader/entries/arch.conf and fill it with:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options cryptdevice=UUID=<UUID-OF-ROOT-PARTITION>:luks:allow-discards root=/dev/mapper/luks rootflags=subvol=@ rd.luks.options=discard rw
note

Optional - If you are using a swap, add the following to the options flag. You will also need to follow this guide to calculate your offset

resume=/dev/mapper/luks resume_offset=<YOUR-OFFSET>

Provide the UUID of your root partition:

blkid -s UUID -o value /dev/sda2

Replace UUID-OF-ROOT in /boot/loader/entries/arch.conf

Edit /boot/loader/loader.conf and fill it with:

default  arch.conf
timeout 4
console-mode max
editor no

Lastly, exit chroot, unmount your partition, and reboot:

exit
umount -R /mnt
reboot

Installation Complete

Congratulations, you now have Arch running on your laptop!

You now have an encrypted partition of Arch Linux running on your laptop with a root user and networking.

What's left to do?

  • Sign in as root on your laptop
  • Setup a user with sudo privileges
  • Setup a Window Manager / Desktop Environment
  • Install YAY and AUR
  • Generate SSH Keys
  • Generate GPG Keys
  • Find ways to interject into conversations that you now use Arch

References