Arch Linux with Encrypted LVM in VirtualBox

Hey! Listen! To make sure you’re reading the most current version of this post, check the table below.

Date        URL                                          Updates
2017-01-02  Encrypted Arch Linux install                 • New partition layouts
2014-11-15  Arch Linux with Encrypted LVM on hardware    • Replaced Cinnamon with Openbox
2014-11-10  Arch Linux with Encrypted LVM on hardware    • Installing on hardware instead of inside VM
2014-10-06  Arch Linux with Encrypted LVM in VirtualBox  • Using 64bit instead of 32bit
                                                         • Replaced GDM with LightDM
2014-09-05  Arch Linux with Encrypted LVM in VirtualBox  • Replaced MBR with GPT
                                                         • Added encryption
2014-08-27  Arch Linux with LVM in VirtualBox            • Initial post

    This post is the same as my last post, except I’m using 64bit Arch Linux instead of 32bit, replaced GDM with LightDM, and removed as many Gnome dependencies as possible.

    Base Installation

    • 20GB disk with the following partitions:
      • /dev/sda1
        • 1007K BIOS boot partition – required when using GRUB2 + GPT + BIOS
      • /dev/sda2
        • 128MB boot partition for GRUB2
      • /dev/sda3
        • Encryption with LUKS+dm-crypt
          • LVM
            • 1GB swap
            • 14GB root
            • 4.9GB home
    • Wired network connection (since I’m in a VM)
    • GRUB2 bootloader
    • Light display manager (LightDM)
    • Muffin window manager (included with Cinnamon)
    • Cinnamon desktop environment
    • VirtualBox Guest Additions

    Extras

    • Audio/video/DVD support
    • Archey
    • Firewall
    • Printing (CUPS)
    • Flash/Java browser plugins

     

    You’ll need the following before you begin:

    • A copy of the Arch Linux ISO (I recommend using a torrent instead of a direct download)
    • A copy of VirtualBox
    • The VirtualBox Extension Pack

     

    This tutorial is loosely based on the Arch Linux Beginner’s Guide.

     

    Base Install

    Step 0 – Explanation

    Before I begin, I wanted to explain a few of the decisions I made:

    1. Again, I chose to go with a traditional BIOS instead of UEFI. My laptop doesn’t support UEFI, so I’m forced to stay with a traditional BIOS on hardware, and I’ll be doing the same thing in VirtualBox. This setting can be changed in VirtualBox, but I’m not going to cover that.
    2. This time around, I chose to go with a GUID Partition Table (GPT) instead of a Master Boot Record (MBR). I’m probably not going to utilize all the advantages GPT offers, but it’s never bad to learn a new technology.
    3. Unlike last time, where all of my mount points were under LVM, I’m now using a mix of traditional partitions as well as logical volumes. Both BIOS boot and /boot need to be on their own, unencrypted partitions. Then, I’ll encrypt my third partition and install LVM on it, which is where my three logical volumes for swap, root, and home will be stored. With this setup (called LVM on LUKS), I can unlock all three volumes with one password. See the figure below for an illustrated example.
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
      |           | |                | |Logical volume1        | Logical volume2        | Logical volume3          |
      | GPT-BIOS  | | Boot partition | |/dev/mapper/lvolswap   | /dev/mapper/volroot    | /dev/mapper/lvolhome     |
      | partition | | (may be on     | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |
      |           | | other device)  | |                                                                           |
      |           | |                | |                        LUKS encrypted partition                           |
      | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
      +-----------+ +----------------+ +---------------------------------------------------------------------------+
    4. Again, I chose ext4 over ext3.

     

    Step 1 – Setup your VM

    Install VirtualBox on your host machine and then install the Extension Pack. Create a new virtual machine for a 64bit Arch Linux installation. I am using a 20GB hard drive with 2048MB of RAM. Once the virtual machine is set up, go to Settings–>General–>Advanced and set Shared Clipboard to Bidirectional.

    [Screenshot 20140830_011: Settings–>General–>Advanced, Shared Clipboard set to Bidirectional]

     

    Next, go to Settings–>Display–>Video and set the Video Memory to 128MB (this is for Cinnamon). Then, on the same tab, enable 3D Acceleration (again, this is for Cinnamon).

    [Screenshot 20140830_002: Settings–>Display–>Video, 128MB video memory and 3D Acceleration enabled]

     

    Finally, go to Settings–>Storage and mount the Arch Linux ISO under the empty IDE Controller. Check the box next to Live CD/DVD.

    [Screenshot 20140830_003: Settings–>Storage, Arch Linux ISO mounted as Live CD/DVD]

     

    Press OK to save and then Start to boot from the ISO. From the menu, select Boot Arch Linux (i686) and press Enter.

    [Screenshot 20140830_004: Arch Linux ISO boot menu]

     

    At this point, you should be automatically logged into a root prompt. Until we get Cinnamon installed and working, this is all going to be text-based and you’ll only be using the keyboard, no mouse.

    Arch Linux 3.15.7-1-ARCH (tty1)
    
    archiso login: root (automatic login)
    root@archiso ~ #

     

    Step 1.1 – Securely wipe your disk

    Since this is just a test VM, it’s not that big of a deal. However, for any production machine that’s going to contain sensitive data, you would wipe the disk before doing anything. Unfortunately, depending on the size of the disk, this could take a long time. If your drive is already encrypted, you could simply wipe the header and your data would be safe. Since I’m paranoid, I always choose to nuke the entire drive. You could use badblocks to do a destructive write test (as I did here), or use dd, as shown below. If you’re using a SSD, your techniques will have to be a little different.

    dd if=/dev/zero of=/dev/sda iflag=nocache oflag=direct bs=4096

    Please don’t copy/paste this command directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

     

    Step 1.5 – Setup SSH access

    I want to copy text from the VM to this blog to give you examples of what I’m seeing. Since Cinnamon isn’t installed yet, I’m going to set up SSH access as described here. Then, I need to forward a host port (e.g., 3022) to port 22 on the VM. I covered that in a previous post, here. You don’t need to do this step unless you want to copy/paste text to/from the VM.

     

    Step 2 – Test internet connectivity

    Enter the following at the prompt to test your internet connection. The DHCP daemon should have been started at boot, so you should expect a response with 0% packet loss. Since this build is in a VM, our internet connection will be wired. I won’t be covering wireless in this tutorial.

    ping -c 3 www.google.com

     

    Step 3 – Setup partitions

    First, we need to set up partitions. Before we do anything, though, we need to make sure the device mapper and encryption kernel modules are loaded, using the command below.

    modprobe -a dm-mod dm_crypt

     

    Next, use the fdisk utility to find the name of your disk. More than likely, the disk will be /dev/sda.

    fdisk -l

    Notice the 20GB disk we setup for the VM. This is the disk we want to work with.

    Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    
    Disk /dev/mapper/arch_airootfs: 32 GiB, 34359738368 bytes, 67108864 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    

    Note – I will be using /dev/sda in this guide. Please don’t copy/paste from this guide directly, as you could risk destroying your current system. I’m not responsible for anything you break 🙂

     

    Optionally, you can erase the partition tables on your disk (but it should be blank already).

    sgdisk --zap-all /dev/sda

     

    Next, we want to use gdisk to create the partitions. The fdisk utility only works with MBR disks, while gdisk only works with GPT disks.

    gdisk /dev/sda

     

    Use the o option to create a new GPT.

    Command (? for help): o
    This option deletes all partitions and creates a new protective MBR.
    Proceed? (Y/N): Y

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (1).

    Command (? for help): n
    Partition number (1-128, default 1):

     

    This first partition (/dev/sda1) will be our BIOS boot partition. This partition needs to be 1007K, which, when added to the size of the preceding GPT of 17K, will align the partition to 1024K. Press Enter to select the default option for the first sector of the partition, then +1007K for the last.

    First sector (34-41943006, default = 2048) or {+-}size{KMGTP}:
    Last sector (2048-41943006, default = 41943006) or {+-}size{KMGTP}: +1007K
    Current type is 'Linux filesystem'

    Note – This partition is only required when using GRUB2 + GPT + BIOS.

     

    Use the L option to list all available partition types.

    Hex code or GUID (L to show codes, Enter = 8300): L
    0700 Microsoft basic data  0c01 Microsoft reserved    2700 Windows RE
    3000 ONIE boot             3001 ONIE config           4100 PowerPC PReP boot
    4200 Windows LDM data      4201 Windows LDM metadata  7501 IBM GPFS
    7f00 ChromeOS kernel       7f01 ChromeOS root         7f02 ChromeOS reserved
    8200 Linux swap            8300 Linux filesystem      8301 Linux reserved
    8302 Linux /home           8400 Intel Rapid Start     8e00 Linux LVM
    a500 FreeBSD disklabel     a501 FreeBSD boot          a502 FreeBSD swap
    a503 FreeBSD UFS           a504 FreeBSD ZFS           a505 FreeBSD Vinum/RAID
    a580 Midnight BSD data     a581 Midnight BSD boot     a582 Midnight BSD swap
    a583 Midnight BSD UFS      a584 Midnight BSD ZFS      a585 Midnight BSD Vinum
    a800 Apple UFS             a901 NetBSD swap           a902 NetBSD FFS
    a903 NetBSD LFS            a904 NetBSD concatenated   a905 NetBSD encrypted
    a906 NetBSD RAID           ab00 Apple boot            af00 Apple HFS/HFS+
    af01 Apple RAID            af02 Apple RAID offline    af03 Apple label
    af04 AppleTV recovery      af05 Apple Core Storage    be00 Solaris boot
    bf00 Solaris root          bf01 Solaris /usr & Mac Z  bf02 Solaris swap
    bf03 Solaris backup        bf04 Solaris /var          bf05 Solaris /home
    bf06 Solaris alternate se  bf07 Solaris Reserved 1    bf08 Solaris Reserved 2
    bf09 Solaris Reserved 3    bf0a Solaris Reserved 4    bf0b Solaris Reserved 5
    c001 HP-UX data            c002 HP-UX service         ea00 Freedesktop $BOOT
    eb00 Haiku BFS             ed00 Sony system partitio  ed01 Lenovo system partit
    Press the <Enter> key to see more codes:
    ef00 EFI System            ef01 MBR partition scheme  ef02 BIOS boot partition
    fb00 VMWare VMFS           fb01 VMWare reserved       fc00 VMWare kcore crash p
    fd00 Linux RAID
    

     

    Then, enter ef02 as the partition type.

    Hex code or GUID (L to show codes, Enter = 8300): ef02
    Changed type of partition to 'BIOS boot partition'

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (2).

    Command (? for help): n
    Partition number (2-128, default 2):

     

    This second partition (/dev/sda2) will be our /boot partition. This partition needs to be around 13MB, but we want a nice, even number that will leave plenty of room for growth/changes. Anything over 100MB will do, but I’m using 128MB. Press Enter to select the default option for the first sector of the partition, then +128M for the last.

    First sector (34-41943006, default = 4096) or {+-}size{KMGTP}:
    Last sector (4096-41943006, default = 41943006) or {+-}size{KMGTP}: +128M
    Current type is 'Linux filesystem'

     

    Use the L option to list all available partition types (the list is identical to the one shown for the first partition).

    Hex code or GUID (L to show codes, Enter = 8300): L

     

    We can leave this partition at 8300 by pressing Enter.

    Hex code or GUID (L to show codes, Enter = 8300):
    Changed type of partition to 'Linux filesystem'

     

    Use the n option to create a new partition, then press Enter to accept the default partition number (3).

    Command (? for help): n
    Partition number (3-128, default 3):

     

    This third partition (/dev/sda3) will be encrypted and have LVM running on top of the encryption. This partition will take up the rest of the disk. Press Enter to select the default option for the first sector of the partition, then +0 to take up the remainder of the free space.

    First sector (34-41943006, default = 266240) or {+-}size{KMGTP}:
    Last sector (266240-41943006, default = 41943006) or {+-}size{KMGTP}: +0
    Current type is 'Linux filesystem'

     

    Use the L option to list all available partition types (the list is identical to the one shown for the first partition).

    Hex code or GUID (L to show codes, Enter = 8300): L

     

    Then, enter 8e00 as the partition type.

    Hex code or GUID (L to show codes, Enter = 8300): 8e00
    Changed type of partition to 'Linux LVM'

     

    Use the p option to preview your changes.

    Command (? for help): p
    Disk /dev/sda: 41943040 sectors, 20.0 GiB
    Logical sector size: 512 bytes
    Disk identifier (GUID): 5963D110-8B46-4B67-9C7D-259602D808F4
    Partition table holds up to 128 entries
    First usable sector is 34, last usable sector is 41943006
    Partitions will be aligned on 2048-sector boundaries
    Total free space is 2048 sectors (1024.0 KiB)
    
    Number  Start (sector)    End (sector)  Size       Code  Name
       1            2048            4061   1007.0 KiB  EF02  BIOS boot partition
       2            4096          266239   128.0 MiB   8300  Linux filesystem
       3          266240        41943006   19.9 GiB    8E00  Linux LVM
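    Before answering w, it’s worth checking the preview mechanically rather than by eye. The shell function below is an added example (not part of the original post, and not something gdisk ships): it reads the p output on standard input and verifies that every partition starts on a 2048-sector boundary, that the partitions don’t overlap, and that partitions 1 to 3 carry the type codes EF02, 8300 and 8E00 used in this layout. The embedded table is the one printed above, copied in as a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the partition
# table shown by gdisk's 'p' command before answering 'w'.
# Reads the 'p' output on stdin and verifies that
#   - every partition starts on a 2048-sector (1 MiB) boundary,
#   - partitions are in order and do not overlap,
#   - partitions 1-3 carry the intended type codes (EF02, 8300, 8E00).
# Prints one line per problem; returns 0 when the layout is clean.
check_gpt_layout() {
    awk '
        BEGIN { want[1] = "EF02"; want[2] = "8300"; want[3] = "8E00"; bad = 0 }
        # Data rows look like:  1  2048  4061  1007.0 KiB  EF02  BIOS boot partition
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            n = $1 + 0; start = $2 + 0; end = $3 + 0; code = toupper($6)
            seen[n] = 1
            if (start % 2048 != 0) {
                printf "partition %d: start sector %d is not 1 MiB aligned\n", n, start; bad = 1
            }
            if (end < start) {
                printf "partition %d: end %d is before start %d\n", n, end, start; bad = 1
            }
            if (n > 1 && start <= prev_end) {
                printf "partition %d: overlaps the previous partition\n", n; bad = 1
            }
            prev_end = end
            if ((n in want) && code != want[n]) {
                printf "partition %d: type %s, expected %s\n", n, code, want[n]; bad = 1
            }
        }
        END {
            for (i in want) if (!(i in seen)) { printf "partition %d: missing\n", i; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the table gdisk printed for the layout in this post.
SAMPLE_TABLE='Number  Start (sector)    End (sector)  Size       Code  Name
   1            2048            4061   1007.0 KiB  EF02  BIOS boot partition
   2            4096          266239   128.0 MiB   8300  Linux filesystem
   3          266240        41943006   19.9 GiB    8E00  Linux LVM'

# Usage: paste the real 'p' output into the function, or feed the sample.
printf '%s\n' "$SAMPLE_TABLE" | check_gpt_layout && echo "layout OK"
```

    On a real install you would run this against the output of gdisk’s p command (or sgdisk -p /dev/sda) before writing; a non-zero return means go back and fix the table instead of pressing w.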

     

    Use the w option to write your changes to disk.

    Command (? for help): w
    
    Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
    PARTITIONS!!
    
    Do you want to proceed? (Y/N): y
    OK; writing new GUID partition table (GPT) to /dev/sda.
    The operation has completed successfully.

     

    Step 4 – Setup encryption

    Again, the setup we’re going to be using is called LVM on LUKS. This means we’re setting up encryption first, then putting our logical volumes on top of it.

    +-----------+ +----------------+ +---------------------------------------------------------------------------+
    |           | |                | |Logical volume1        | Logical volume2        | Logical volume3          |
    | GPT-BIOS  | | Boot partition | |/dev/mapper/lvolswap   | /dev/mapper/volroot    | /dev/mapper/lvolhome     |
    | partition | | (may be on     | |_ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ |_ _ _ _ _ _ _ _ _ _ _ _ _ |
    |           | | other device)  | |                                                                           |
    |           | |                | |                        LUKS encrypted partition                           |
    | /dev/sda1 | | /dev/sda2      | |                          /dev/sda3                                        |
    +-----------+ +----------------+ +---------------------------------------------------------------------------+

     

    First, we need to setup encryption on our partition. Please consult this table for other encryption options before you copy/paste my command below.

    cryptsetup -v -y -c aes-xts-plain64 -s 512 -h sha512 -i 5000 --use-random luksFormat /dev/sda3

    -v = verbose
    -y = verify the passphrase by asking for it twice and complaining if the two entries don’t match
    -c = specify the cipher used
    -s = specify the key size used
    -h = specify the hash used
    -i = number of milliseconds to spend on passphrase processing (if using anything more than sha1, this must be greater than 1000)
    --use-random = use /dev/random (instead of /dev/urandom) as the random number generator
    luksFormat = initialize the partition and set a passphrase
    /dev/sda3 = the partition to encrypt

    Seriously, read the man page and the FAQ on cryptsetup.

     

    Now, use the command below to view the header information of your LUKS device.

    cryptsetup luksDump /dev/sda3
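    Rather than just eyeballing that dump, you can check it against what you asked for. The function below is an added example (not part of the original post or of cryptsetup): it reads luksDump output on standard input and fails if the cipher, key size or hash differ from the aes-xts-plain64 / 512 / sha512 settings used above, or if the number of ENABLED key slots is not what you expect (an extra enabled slot means a passphrase you didn’t add can unlock the disk). The embedded dump is a constructed sample in the LUKS1 layout, with placeholder digest, salt and UUID values.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the LUKS header
# written by luksFormat carries the parameters you asked for, and that no
# key slot you did not create is enabled.
# Input: 'cryptsetup luksDump <device>' output on stdin (LUKS1 layout).
# Argument: number of key slots expected to be ENABLED (default 1).
# Prints one line per deviation; returns 0 when the header matches.
check_luks_header() {
    awk -v want_slots="${1:-1}" '
        $1 == "Cipher" && $2 == "name:" { cipher = $3 }
        $1 == "Cipher" && $2 == "mode:" { mode = $3 }
        $1 == "Hash"   && $2 == "spec:" { hash = $3 }
        $1 == "MK"     && $2 == "bits:" { bits = $3 + 0 }
        $1 == "Key" && $2 == "Slot" && $4 == "ENABLED" { slots++ }
        END {
            bad = 0
            if (cipher != "aes" || mode != "xts-plain64") {
                printf "cipher is %s-%s, expected aes-xts-plain64\n", cipher, mode; bad = 1
            }
            if (bits != 512) { printf "master key is %d bits, expected 512\n", bits; bad = 1 }
            if (hash != "sha512") { printf "hash is %s, expected sha512\n", hash; bad = 1 }
            if (slots + 0 != want_slots + 0) {
                printf "%d key slot(s) enabled, expected %d\n", slots, want_slots; bad = 1
            }
            exit bad
        }'
}

# Constructed sample dump (digest, salt and UUID are placeholders, not real values).
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha512
Payload offset: 4096
MK bits:        512
MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
MK salt:        00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
MK iterations:  81250
UUID:           00000000-0000-4000-8000-000000000000

Key Slot 0: ENABLED
        Iterations:             650000
        Salt:                   00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
                                00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Usage on a real system:  cryptsetup luksDump /dev/sda3 | check_luks_header 1
printf '%s\n' "$SAMPLE_DUMP" | check_luks_header 1 && echo "header OK"
```

    The iteration counts are deliberately not checked: -i sets a time budget, so the number cryptsetup derives depends on the CPU it ran on. Re-running this check later (for example from a live USB) is a cheap way to notice if a key slot has appeared that you never added.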

     

    Finally, we need to unlock the LUKS device before we can set up LVM on it. This maps the decrypted contents of /dev/sda3 to /dev/mapper/crypto (nothing is mounted yet).

    cryptsetup luksOpen /dev/sda3 crypto

     

    Step 5 – Setup a physical volume

    First, we’re going to scan for disks that are capable of hosting a physical volume.

    lvmdiskscan

    In the example below, we’re going to focus on the LUKS device /dev/mapper/crypto.

      /dev/loop0                [     236.34 MiB]
      /dev/mapper/arch_airootfs [      32.00 GiB]
      /dev/loop1                [      32.00 GiB]
      /dev/mapper/crypto        [      19.87 GiB]
      /dev/loop2                [      32.00 GiB]
      /dev/sda2                 [     128.00 MiB]
      /dev/sda3                 [      19.87 GiB]
      2 disks
      5 partitions
      0 LVM physical volume whole disks
      0 LVM physical volumes

     

    Now, we’re going to create a physical volume on /dev/mapper/crypto.

    pvcreate /dev/mapper/crypto

     

    Finally, we’ll display the physical volume we created.

    pvdisplay

     

    Step 6 – Setup a volume group

    We’re going to create a volume group named VolGroup00 on the physical volume /dev/mapper/crypto. You can name the volume group whatever you’d like.

    vgcreate VolGroup00 /dev/mapper/crypto

     

    Finally, we’ll display the volume group we created.

    vgdisplay

     

    Step 7 – Setup logical volumes

    In this step, we’re going to create three logical volumes on the volume group VolGroup00.

    lvcreate -C y -L 1GB VolGroup00 -n lvolswap
    lvcreate -L 14GB VolGroup00 -n lvolroot
    lvcreate -l +100%FREE VolGroup00 -n lvolhome

    Note – In the first command, the -C y option is used to create a contiguous logical volume for swap. In the last command, the +100%FREE option is used to fill the remainder of the space.

     

    Finally, we’ll display the logical volumes we created.

    lvdisplay

     

    Step 8 – Create filesystems and mount logical volumes

    The first things we need to do are scan for volume groups and then activate them.

    vgscan
    vgchange -ay

     

    Next, we’re going to create filesystems on each logical volume.

    mkfs.ext4 /dev/sda2
    mkswap /dev/mapper/VolGroup00-lvolswap
    mkfs.ext4 /dev/mapper/VolGroup00-lvolroot
    mkfs.ext4 /dev/mapper/VolGroup00-lvolhome

    Note – The partition /dev/sda2 needs a filesystem, while /dev/sda1 does not.

     

    Now, we’re going to mount the filesystems we just created.

    swapon /dev/mapper/VolGroup00-lvolswap
    mount /dev/mapper/VolGroup00-lvolroot /mnt
    mkdir /mnt/boot
    mount /dev/sda2 /mnt/boot
    mkdir /mnt/home
    mount /dev/mapper/VolGroup00-lvolhome /mnt/home

     

    Finally, we’ll display the filesystems we created.

    lsblk /dev/sda

    Here, you can see the physical disk called /dev/sda with three partitions on it. Then, you can see that the third partition is a LUKS device that contains a volume group called VolGroup00 with three logical volumes.

    NAME                      MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
    sda                         8:0    0   20G  0 disk
    ├─sda1                      8:1    0 1007K  0 part
    ├─sda2                      8:2    0  128M  0 part  /mnt/boot
    └─sda3                      8:3    0 19.9G  0 part
      └─crypto                254:1    0 19.9G  0 crypt
        ├─VolGroup00-lvolswap 254:2    0    1G  0 lvm   [SWAP]
        ├─VolGroup00-lvolroot 254:3    0   14G  0 lvm   /mnt
        └─VolGroup00-lvolhome 254:4    0  4.9G  0 lvm   /mnt/home

     

    Step 9 – Select a mirror

    Next, we need to select a mirror to use when downloading packages. You can use the Mirrorlist Generator to find the best mirror for you based on your country.  Then, I would recommend renaming the current mirrorlist to have a backup.

    mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist_old

     

    Use vi to create a new list…

    vi /etc/pacman.d/mirrorlist

    …and populate it with the entries from the mirrorlist generator. Mine is below.

    ##
    ## Arch Linux repository mirrorlist
    ## Sorted by mirror score from mirror status page
    ## Generated on 2014-10-06
    ##
    
    ## Score: 0.6, United States
    Server = http://mirror.us.leaseweb.net/archlinux/$repo/os/$arch
    ## Score: 1.0, United States
    Server = http://lug.mtu.edu/archlinux/$repo/os/$arch
    ## Score: 1.2, United States
    Server = http://mirror.umd.edu/archlinux/$repo/os/$arch
    ## Score: 1.2, United States
    Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch
    ## Score: 1.4, United States
    Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch
    ## Score: 1.4, United States
    Server = http://mirror.pw/archlinux/$repo/os/$arch
    ## Score: 1.5, United States
    Server = http://archlinux.surlyjake.com/archlinux/$repo/os/$arch
    ## Score: 1.6, United States
    Server = http://mirror.nexcess.net/archlinux/$repo/os/$arch
    ## Score: 1.7, United States
    Server = http://mirrors.aggregate.org/archlinux/$repo/os/$arch
    ## Score: 1.7, United States
    Server = http://mirror.rit.edu/archlinux/$repo/os/$arch
    ## Score: 2.0, United States
    Server = http://mirrors.einhammr.com/archlinux/$repo/os/$arch
    ## Score: 2.0, United States
    Server = http://mirror.jmu.edu/pub/archlinux/$repo/os/$arch
    ## Score: 2.2, United States
    Server = http://mirrors.abscission.net/archlinux/$repo/os/$arch
    ## Score: 2.2, United States
    Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch
    ## Score: 2.2, United States
    Server = http://www.gtlib.gatech.edu/pub/archlinux/$repo/os/$arch
    ## Score: 2.4, United States
    Server = http://mirrors.cat.pdx.edu/archlinux/$repo/os/$arch
    ## Score: 2.5, United States
    Server = http://mirrors.cecsresearch.org/archlinux/$repo/os/$arch
    ## Score: 2.9, United States
    Server = http://mirror.cc.columbia.edu/pub/linux/archlinux/$repo/os/$arch
    ## Score: 3.0, United States
    Server = http://mirrors.rutgers.edu/archlinux/$repo/os/$arch
    ## Score: 3.2, United States
    Server = http://mirrors.liquidweb.com/archlinux/$repo/os/$arch
    ## Score: 3.4, United States
    Server = http://mirror.ancl.hawaii.edu/linux/archlinux/$repo/os/$arch
    ## Score: 3.8, United States
    Server = http://mirrors.advancedhosters.com/archlinux/$repo/os/$arch
    ## Score: 4.0, United States
    Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch
    ## Score: 4.2, United States
    Server = http://cosmos.cites.illinois.edu/pub/archlinux/$repo/os/$arch
    ## Score: 4.7, United States
    Server = http://mirror.vtti.vt.edu/archlinux/$repo/os/$arch
    ## Score: 5.0, United States
    Server = http://mirror.metrocast.net/archlinux/$repo/os/$arch
    ## Score: 5.2, United States
    Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch
    ## Score: 7.7, United States
    Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
    ## Score: 14.7, United States
    Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch
    ## Score: 15.2, United States
    Server = http://iad.mirror.rackspace.com/archlinux/$repo/os/$arch
    ## Score: 15.3, United States
    Server = http://dfw.mirror.rackspace.com/archlinux/$repo/os/$arch
    ## Score: 16.7, United States
    Server = http://ord.mirror.rackspace.com/archlinux/$repo/os/$arch

    Note – The list of mirrors generated has every server commented out. Use a text editor to do a find/replace on #Server with Server. The mirrors are used by pacman in the order they are listed.

     

    Finally, use pacman to refresh the package lists. You should do this every time you update your mirrorlist.

    pacman -Syy

     

    Step 10 – Install the base system

    Finally, we’re installing Arch Linux! Use the pacstrap command to install the system to /mnt. Use the -i option to ignore being prompted for all 75 packages we’re about to install.

    pacstrap -i /mnt base base-devel

     

    You’ll need to press Enter once to confirm all packages in the base group, then again for the base-devel group. This step will take 5-10 minutes.

    :: There are 50 members in group base:
    :: Repository core
       1) bash  2) bzip2  3) coreutils  4) cryptsetup  5) device-mapper
       6) dhcpcd  7) diffutils  8) e2fsprogs  9) file  10) filesystem
       11) findutils  12) gawk  13) gcc-libs  14) gettext  15) glibc
       16) grep  17) gzip  18) inetutils  19) iproute2  20) iputils
       21) jfsutils  22) less  23) licenses  24) linux  25) logrotate
       26) lvm2  27) man-db  28) man-pages  29) mdadm  30) nano  31) netctl
       32) pacman  33) pciutils  34) pcmciautils  35) perl  36) procps-ng
       37) psmisc  38) reiserfsprogs  39) s-nail  40) sed  41) shadow
       42) sysfsutils  43) systemd-sysvcompat  44) tar  45) texinfo
       46) usbutils  47) util-linux  48) vi  49) which  50) xfsprogs
    
    Enter a selection (default=all): 
    :: There are 25 members in group base-devel:
    :: Repository core
       1) autoconf  2) automake  3) binutils  4) bison  5) fakeroot  6) file
       7) findutils  8) flex  9) gawk  10) gcc  11) gettext  12) grep
       13) groff  14) gzip  15) libtool  16) m4  17) make  18) pacman
       19) patch  20) pkg-config  21) sed  22) sudo  23) texinfo
       24) util-linux  25) which
    
    Enter a selection (default=all):

     

    Step 11 – Generate an fstab

    The fstab file tells the system what each disk, partition, and logical volume does and how to mount it. Use the command below to generate one.

    genfstab -U -p /mnt >> /mnt/etc/fstab

     

    It’s always recommended to check the fstab file for errors.

    blkid

     

    Cat out the /mnt/etc/fstab file and compare the UUIDs and volume types to what was returned by blkid above.

    cat /mnt/etc/fstab
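    The comparison above is easy to get wrong by eye when every UUID looks alike, so here is the same check as a script. This is an added example (not part of the original post, and not a tool Arch ships): for every UUID= entry in an fstab it confirms that blkid reported a device with that UUID and that the filesystem type in fstab matches the TYPE blkid reported. The sample fstab and blkid output it builds mirror the layout in this post, with made-up UUIDs.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check an fstab
# against blkid output.
# Arguments: path to the fstab, path to a file holding 'blkid' output.
# Prints one line per UUID entry; returns 0 only if every entry resolves
# to a device blkid knows about with the same filesystem type.
check_fstab_uuids() {
    fstab="$1"; blkid_out="$2"; rc=0
    # Emit uuid|mountpoint|fstype for each UUID-based, non-comment line.
    for entry in $(awk '$1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 "|" $2 "|" $3 }' "$fstab"); do
        uuid=${entry%%|*}
        rest=${entry#*|}
        mnt=${rest%%|*}
        fstype=${rest#*|}
        blk=$(grep -F "UUID=\"$uuid\"" "$blkid_out" || true)
        if [ -z "$blk" ]; then
            printf 'MISSING  %s (%s): no device with this UUID in blkid output\n' "$uuid" "$mnt"
            rc=1
            continue
        fi
        btype=$(printf '%s\n' "$blk" | sed -n 's/.*TYPE="\([^"]*\)".*/\1/p')
        if [ "$btype" != "$fstype" ]; then
            printf 'MISMATCH %s (%s): fstab says %s, blkid says %s\n' "$uuid" "$mnt" "$fstype" "$btype"
            rc=1
        else
            printf 'ok       %s (%s) %s\n' "$uuid" "$mnt" "$fstype"
        fi
    done
    return $rc
}

# Constructed sample files (the UUIDs are made up) mirroring this post's layout.
make_sample_files() {
    dir="$1"
    cat > "$dir/fstab" <<'EOF'
# /dev/mapper/VolGroup00-lvolroot
UUID=aaaaaaaa-0000-4000-8000-000000000001  /      ext4  rw,relatime,data=ordered  0 1

# /dev/sda2
UUID=bbbbbbbb-0000-4000-8000-000000000002  /boot  ext4  rw,relatime,data=ordered  0 2

# /dev/mapper/VolGroup00-lvolhome
UUID=cccccccc-0000-4000-8000-000000000003  /home  ext4  rw,relatime,data=ordered  0 2

# /dev/mapper/VolGroup00-lvolswap
UUID=dddddddd-0000-4000-8000-000000000004  none   swap  defaults  0 0
EOF
    cat > "$dir/blkid" <<'EOF'
/dev/sda2: UUID="bbbbbbbb-0000-4000-8000-000000000002" TYPE="ext4"
/dev/sda3: UUID="eeeeeeee-0000-4000-8000-000000000005" TYPE="crypto_LUKS"
/dev/mapper/crypto: UUID="ffffffff-0000-4000-8000-000000000006" TYPE="LVM2_member"
/dev/mapper/VolGroup00-lvolswap: UUID="dddddddd-0000-4000-8000-000000000004" TYPE="swap"
/dev/mapper/VolGroup00-lvolroot: UUID="aaaaaaaa-0000-4000-8000-000000000001" TYPE="ext4"
/dev/mapper/VolGroup00-lvolhome: UUID="cccccccc-0000-4000-8000-000000000003" TYPE="ext4"
EOF
}

# Usage on a live system:  blkid > /tmp/blkid.txt; check_fstab_uuids /mnt/etc/fstab /tmp/blkid.txt
tmp=$(mktemp -d)
make_sample_files "$tmp"
check_fstab_uuids "$tmp/fstab" "$tmp/blkid" && echo "fstab OK"
rm -rf "$tmp"
```

    A MISSING line usually means you edited the fstab by hand and pasted a UUID wrong; a MISMATCH means the fstab type and the on-disk filesystem disagree, which the kernel will refuse to mount at boot.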

     

    Step 12 – Set locales and system information

    We need to chroot into the newly installed system before we can configure it.

    arch-chroot /mnt /bin/bash

     

    Next, we’re going to set locales. Use vi to edit the /etc/locale.gen file to uncomment your preferred encoding from the file.

    vi /etc/locale.gen

    An excerpt of my file is below, notice the uncommented line.

    #en_PH ISO-8859-1
    #en_SG.UTF-8 UTF-8
    #en_SG ISO-8859-1
    en_US.UTF-8 UTF-8
    #en_US ISO-8859-1
    #en_ZA.UTF-8 UTF-8
    #en_ZA ISO-8859-1

     

    Then, use the command below to generate a locale.

    locale-gen

     

    Now, run the following two commands to generate a locale.conf file and set the LANG variable. Substitute en_US.UTF-8 with the encoding you uncommented in the step above.

    echo LANG=en_US.UTF-8 > /etc/locale.conf
    export LANG=en_US.UTF-8

     

    Set a timezone with the following two commands. Substitute America and New_York with your zone and sub-zone.

    rm /etc/localtime
    ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

     

    Set the hardware clock with the following command.

    hwclock --systohc --utc

     

    There’s still more work to be done. Here, set a hostname with the following command. Substitute ArchTest with your hostname of choice.

    echo ArchTest > /etc/hostname

     

    Now, use vi to edit the /etc/hosts file.

    vi /etc/hosts

    Add the same hostname to /etc/hosts.

    #
    # /etc/hosts: static lookup table for host names
    #
    
    #<ip-address>   <hostname.domain.org>   <hostname>
    127.0.0.1       localhost.localdomain   localhost  ArchTest
    ::1             localhost.localdomain   localhost
    
    # End of file
    

     

    Find the name of your network adapter by using ip link.

    ip link

    In the example below, my adapter is enp0s3. Arch Linux uses Consistent Network Interface Naming to name its adapters, which is why your adapters won’t be named like eth0 or wlan0.

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
        link/ether 08:00:27:9a:53:40 brd ff:ff:ff:ff:ff:ff

     

    Now, enable the DHCP client daemon on that adapter. Substitute enp0s3 with your adapter name.

    systemctl enable dhcpcd@enp0s3

     

    Step 13 – Generate an initial ramdisk

    This step is very important. Since we’re using LVM and encryption, we need to edit the /etc/mkinitcpio.conf file to include a few extra hooks.

    vi /etc/mkinitcpio.conf

    Before…

    HOOKS="base udev autodetect modconf block filesystems keyboard fsck"

    After…

    HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems shutdown keyboard usbinput fsck"

    Note – The hooks keymap, encrypt, lvm2, and resume need to come between block and filesystems. The shutdown hook is after the filesystems entry. I had to add usbinput to use my USB keyboard.

     

    Finally, generate the ramdisk. For now, ignore any errors about missing firmware.

    cd /boot
    mkinitcpio -p linux

     

    Step 14 – Create users and set passwords

    Set a password for the root user with the command below.

    passwd

     

    It’s also a good idea to create a normal user for you to use later on. Substitute logan with your username.

    useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,wheel -s /bin/bash logan

    Note – I have this user added to the wheel group, which we’ll need to use sudo. More on that later.

     

    Then, change the password for your new user. Substitute logan with your username.

    passwd logan

     

    Step 15 – Install and configure a bootloader

    Use pacman to install a few packages, including the GRUB2 bootloader.

    pacman -S fuse grub lvm2 os-prober

     

We need the bootloader to pass a kernel parameter. Which file to edit depends on the bootloader you are using; in our case it is GRUB2, so we'll be editing the /etc/default/grub file.

    vi /etc/default/grub

     

Find the line GRUB_CMDLINE_LINUX="" and add the cryptdevice parameter so the initramfs knows which device to unlock. The format is cryptdevice=device:name, where device is the LUKS partition and name is the device-mapper name the unlocked container is given (VolGroup00 here). We're also adding a resume parameter pointing at the swap logical volume so the system can suspend to disk and resume.

    Before…

    GRUB_CMDLINE_LINUX=""

    After…

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:VolGroup00 resume=/dev/VolGroup00/lvolswap"
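
The HOOKS order from step 13 and the cryptdevice/resume parameters above are the two edits that decide whether the encrypted root boots at all. The script below is an added example, not code from the original post: it checks both from file copies, using constructed samples that mirror the "After" lines above; the file paths and the device/mapper names are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the two edits that
# make an encrypted-LVM root bootable, the HOOKS order in mkinitcpio.conf and
# the cryptdevice/resume parameters in /etc/default/grub. File paths are
# taken as arguments so the checks can be run against copies of the files.

# check_hooks FILE: the hooks listed in the for loop must all be present and in
# that relative order, which puts keymap/encrypt/lvm2/resume between block and
# filesystems as the post requires.
check_hooks() {
    hooks=$(sed -n 's/^HOOKS="\(.*\)"/\1/p' "$1")
    prev=0
    for h in block keymap encrypt lvm2 resume filesystems; do
        pos=0; found=
        for x in $hooks; do
            pos=$((pos + 1))
            [ "$x" = "$h" ] && found=$pos && break
        done
        [ -n "$found" ] || { echo "missing hook: $h"; return 1; }
        [ "$found" -gt "$prev" ] || { echo "hook out of order: $h"; return 1; }
        prev=$found
    done
    return 0
}

# check_cmdline FILE DEVICE NAME: GRUB_CMDLINE_LINUX must carry
# cryptdevice=DEVICE:NAME (the LUKS partition and its mapper name) and resume=.
check_cmdline() {
    cmd=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/p' "$1")
    case " $cmd " in
        *" cryptdevice=$2:$3 "*) ;;
        *) echo "cryptdevice=$2:$3 not set"; return 1 ;;
    esac
    case " $cmd " in
        *" resume="*) return 0 ;;
        *) echo "resume= not set"; return 1 ;;
    esac
}

# Constructed sample files mirroring the post's "After" lines.
tmp=$(mktemp -d)
printf 'HOOKS="base udev autodetect modconf block keymap encrypt lvm2 resume filesystems shutdown keyboard usbinput fsck"\n' > "$tmp/mkinitcpio.conf"
printf 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda3:VolGroup00 resume=/dev/VolGroup00/lvolswap"\n' > "$tmp/grub"

check_hooks "$tmp/mkinitcpio.conf" && check_cmdline "$tmp/grub" /dev/sda3 VolGroup00 \
    && echo "boot configuration looks consistent"
```

On a real install, run it as check_hooks /etc/mkinitcpio.conf and check_cmdline /etc/default/grub /dev/sda3 VolGroup00 before leaving the chroot, since a wrong order only shows up as an unbootable system.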

     

    Setup GRUB2 with the following two commands.

    grub-install --target=i386-pc --recheck /dev/sda
    grub-mkconfig -o /boot/grub/grub.cfg

    When you run the second command, you may see warnings like those shown below.

    /run/lvm/lvmetad.socket: connect failed: No such file or directory
    WARNING: Failed to connect to lvmetad. Falling back to internal scanning.

    According to this page, you can ignore those warnings. This means you don’t need to set use_lvmetad = 0.

     

    Exit chroot with exit and unmount any filesystems.

    exit
    umount /mnt/home
    umount /mnt/boot
    umount /mnt

     

Finally, shut down your VM.

    shutdown -h now

     

    Remove the ISO file from the virtual drive we inserted back in step 1.


    Step 16 – Start Arch Linux

    Start your VM, and you should be greeted by the GRUB2 bootloader.

    Enter the password to unlock your encrypted partition /dev/sda3.

    After the operating system loads, you should be back at a root prompt where you can login with the root username and root password you set earlier.

    The first order of business is to test your internet connectivity.

    ping -c 3 www.google.com

     

    Then, check for updates with pacman.

    pacman -Syu

     

    Next, we need to edit the /etc/sudoers file to allow use of the wheel group for our normal users. Only use visudo to edit /etc/sudoers, as it locks the file while editing, provides basic syntax checking, etc…

    visudo

    Uncomment the %wheel ALL=(ALL) ALL line, like below.

    Before…

    # %wheel ALL=(ALL) ALL
    

    After…

    %wheel ALL=(ALL) ALL

     

    Step 17 – Install VirtualBox Guest Additions

Since this is a VM, you may want some of the features offered by the Guest Additions package. The Arch Linux wiki page recommends installing the pacman packages instead of running the installer script on the virtual Guest Additions disc.

    pacman -S virtualbox-guest-utils virtualbox-guest-modules

     

    Next, load the kernel modules…

    modprobe -a vboxguest vboxsf vboxvideo

    …and make them load at boot as well.

    echo -e "vboxguest\nvboxsf\nvboxvideo" >> /etc/modules-load.d/virtualbox.conf

     

    Finally, enable the service at boot.

    systemctl enable vboxservice

     

    Step 18 – Install the GUI

    Now, we’re going to install and configure the GUI and a few other features. This will take about 10-15 minutes to download.

    pacman -S cinnamon cinnamon-control-center lightdm lightdm-gtk3-greeter mesa networkmanager network-manager-applet terminator

    Note – Other greeters besides lightdm-gtk3-greeter are available here.

     

    Enable the newly installed Light display manager (LightDM) so you can use it when we reboot.

    systemctl enable lightdm.service

     

    Now, we’re going to enable the NetworkManager service at boot. However, by default, Arch Linux receives an IP address via DHCP by using the DHCP client daemon (dhcpcd). Since the two will conflict, we’re going to disable dhcpcd.

    systemctl enable NetworkManager.service
    systemctl disable dhcpcd
    systemctl disable dhcpcd@enp0s3

     

    This is personal preference, but I like to make the panel in Cinnamon transparent by editing the /usr/share/cinnamon/theme/cinnamon.css file.

    vi /usr/share/cinnamon/theme/cinnamon.css

    Add background-color: rgba(0,0,0,0); to the end of the #panel section, like below.

    #panel {
            color: #ffffff;
            background-color: #555555;
            font-size: 8.5pt;
            font-weight: normal;
            height: 25px;
            background-color: rgba(0,0,0,0);
    }

     

We also need to configure the swappiness (yes, that's the technical term), which controls how aggressively the kernel moves pages from RAM to the swap logical volume. A higher swappiness value means more data is swapped to disk, which decreases performance. The default value is 60, but I'm going to set it to 20.

    echo -e "vm.swappiness=20" >> /etc/sysctl.d/99-sysctl.conf

     

    Step 19 – Start and configure the GUI

    Finally, the moment of truth! Reboot your installation and cross your fingers.

    reboot

     

    You should boot into LightDM and be able to login using the normal user we created earlier (not root).

    If all goes well, Cinnamon should start (with a transparent bottom panel). If you resize the window, the background image and panels should adjust, showing that VirtualBox Guest Additions are working.

    Check that the swappiness (lol) is still set to 20.

    cat /proc/sys/vm/swappiness

     

    Now is a good time to install some packages, my list is below. This is also a great way to test sudo!

    sudo pacman -S alsa-firmware alsa-utils arandr audacity baobab bash-completion banshee brasero bzip2 chromium clamav coreutils deluge devede dia exfat-utils file-roller filezilla firefox font-mathematica freetype2 gedit gimp gksu gthumb gparted gzip htop inkscape k3b libreoffice macchanger mesa nemo-share networkmanager-openvpn networkmanager-pptp networkmanager-vpnc ntfs-3g openssh openvpn p7zip pidgin pinta pitivi pptpclient remmina terminus-font tigervnc ttf-dejavu ttf-droid ttf-freefont ttf-inconsolata ttf-liberation ttf-linux-libertine ttf-ubuntu-font-family unrar unzip util-linux vi vim vpnc wget zip

     

    Unmute and test your speakers with the commands below. This is assuming you’re using ALSA and have a 2.0 setup.

    amixer sset Master unmute
    speaker-test -c 2

     

    To create all of your default directories in $HOME (e.g., Documents, Music, Pictures, etc…), run the two commands below.

    sudo pacman -S xdg-user-dirs
    xdg-user-dirs-update

     

    That’s all, folks! I’m going to keep testing out Arch Linux and working on making it a daily driver. I’m still looking for a few more features (below). When I get them working, I’ll update this post accordingly.

    • Windows networking (Samba)
    • Wireless support  (on hardware, not in a VM)
    • Touchpad support (on hardware, not in a VM)
    • Power management (on hardware, not in a VM)

     

    A few extras

    Audio/video codecs and DVD support

    Unlike Ubuntu or Linux Mint, Arch Linux won’t support many codecs or DVD playback out-of-the-box. The packages below should cover most of what you need to do.

    sudo pacman -S ffmpeg flac gstreamer gstreamer0.10 gstreamer0.10-ffmpeg gstreamer0.10-good-plugins gst-libav gst-plugins-base gst-plugins-good lame libdvdcss libdvdnav libdvdread libmpeg2 libtheora libvorbis mplayer vlc x264 x265 xvidcore winff

     

    Archey

    This is personal preference, but I’m going to install Archey from the Arch User Repository (AUR). The AUR is a community-driven repository for Arch Linux packages. Installing packages from the AUR involves downloading the tarball to your PC, then extracting it, building the package, and installing it using pacman. There are scripts that will do this automatically, but you should know how to do it manually.

    cd ~
    wget https://aur.archlinux.org/packages/ar/archey/archey.tar.gz
    tar -xvzf archey.tar.gz
    cd archey
    makepkg -s
    sudo pacman -U archey*.pkg.tar.xz

     

    Edit your .bashrc file to add the archey line at the end.

    vi ~/.bashrc

    Before…

    #
    # ~/.bashrc
    #
    
    # If not running interactively, don't do anything
    [[ $- != *i* ]] && return
    
    alias ls='ls --color=auto'
PS1='[\u@\h \W]\$ '

    After…

    #
    # ~/.bashrc
    #
    
    # If not running interactively, don't do anything
    [[ $- != *i* ]] && return
    
    alias ls='ls --color=auto'
PS1='[\u@\h \W]\$ '
    
    archey

     

    Now, whenever you start a terminal (in Cinnamon or over SSH), you’ll get that awesome Arch Linux system info page everyone likes to show off.

    Firewall

    Getting a firewall up and running should be near the top of your to-do list. I’m fairly comfortable with Fedora’s GUI firewall package, firewalld, but it doesn’t support iptables. I want to eventually learn iptables, but am not ready to jump right into it yet. Browsing the firewall wiki page presented an overwhelming amount of options, and I settled on ufw, which is a front-end for iptables. I’m also installing Gufw in case I need a little help 🙂

    sudo pacman -S gufw iptables ufw

     

    Start ufw and make it available after boot.

    sudo ufw enable
    sudo systemctl start ufw
    sudo systemctl enable ufw

     

    Make sure that the iptables service isn’t running, since it will conflict with ufw.

    sudo systemctl --type=service
    sudo systemctl disable iptables.service
    sudo systemctl disable ip6tables.service

     

    I’m going to be starting with a basic configuration and adding to it as needed.

    sudo ufw default deny
    sudo ufw allow from 192.168.0.0/24
    sudo ufw allow Deluge
    sudo ufw allow SSH

     

    Printing (CUPS)

    Let me tell you something. I. HATE. PRINTING. Every time there is a printer involved in any workflow, I can promise you it will all come to a grinding halt at the printer. Apparently, Matthew Inman of The Oatmeal agrees with me. At home, we have a HP Photosmart D110a that I’d love to go Michael Bolton on if I could.

    When using Ubuntu, Linux Mint, and Fedora, CUPS has always served me pretty well. I don’t know if I could print labels, envelopes, or photos, but printing a one-off document is relatively painless.

We'll need a few packages before we get started, and you'll also need to know which driver pack you want. I also recommend skipping the config files and using an alternative interface to CUPS; in this case, that's system-config-printer.

    sudo pacman -S cups cups-pdf hplip libcups system-config-printer

     

    You’ll need to create a new group, then add yourself to that group. Substitute logan with your username.

    sudo groupadd lpadmin
    sudo usermod -aG lpadmin logan

     

    Next, use vi to edit the /etc/cups/cups-files.conf file to add the newly created group to the SystemGroup line.

    sudo vi /etc/cups/cups-files.conf

    Before…

    # Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
    SystemGroup sys root

    After…

    # Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...
    SystemGroup sys root lpadmin
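
If you would rather script that edit (for example when rebuilding the VM), the function below is an added example, not code from the original post: it appends a group to the SystemGroup line only when it is not already listed and leaves every other line of cups-files.conf alone; the sample file it edits is constructed from the "Before" excerpt above.

```shell
#!/bin/sh
# Added example, not from the original post: add a group to the CUPS
# SystemGroup line idempotently, leaving every other line of cups-files.conf
# untouched. Run it as "add_system_group /etc/cups/cups-files.conf lpadmin".

# add_system_group FILE GROUP: append GROUP to the SystemGroup line unless it is
# already listed. The result is copied back over FILE so its permissions stay.
add_system_group() {
    awk -v g="$2" '
        /^SystemGroup[ \t]/ {
            found = 0
            for (i = 2; i <= NF; i++) if ($i == g) found = 1
            if (!found) $0 = $0 " " g
        }
        { print }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# system_groups FILE: print the groups currently on the SystemGroup line.
system_groups() {
    sed -n 's/^SystemGroup[[:space:]]*//p' "$1"
}

# Constructed sample mirroring the post's "Before" excerpt.
cf=$(mktemp)
printf '%s\n' '# Administrator user group, used to match @SYSTEM in cupsd.conf policy rules...' 'SystemGroup sys root' > "$cf"
add_system_group "$cf" lpadmin
add_system_group "$cf" lpadmin   # a second run changes nothing
system_groups "$cf"              # sys root lpadmin
```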

     

Reboot your machine, since you changed your group membership and CUPS needs to be restarted.

    sudo reboot

     

Next, launch system-config-printer by going to Menu -> Administration -> Print Settings, then click Add. If a login box appears, enter your username and password.

On the left, select Network Printer, then Find Network Printer. On the right, enter the IP address of the printer and click Find.

    When the printer is found, you’ll need to choose a Connection from the box at the bottom. Choose the connection that best represents the driver pack you installed earlier and click Forward.

    Give the printer a name, description, and location, then click Apply.

    When the dialog box appears, print a test page and start praying to the printing gods that it comes out.

    Flash player plugin

As much as I hate relying on a closed source product, sometimes you just need Flash player. The official Adobe version of Flash player, as well as open source alternatives, is available through pacman. The command below installs the Adobe version.

    sudo pacman -S flashplugin

    Note – Adobe discontinued support for the Linux version of Flash player in 2012, but will provide security updates until 2017. Flash will still be available if you’re using Chrome/Chromium, but if you’re using anything else, you’ll need to use the package above.

     

    Java plugin

    Java support in Arch Linux is relatively easy, only requiring the plugin below.

    sudo pacman -S icedtea-web

    -Logan