Arch Linux install guide (installing the bootloader and the LUKS header on a USB key).

INFO

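USB key = /dev/sdc, SSD = /dev/sda. These names are the ones used throughout this guide; confirm the names on your own machine (for example with lsblk) before running anything, because the commands below wipe both devices.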

Partition usb memory and create filesystem

# Write a new GPT partition table to the USB key (this discards the existing table on /dev/sdc)
parted --script --align optimal /dev/sdc mklabel gpt
# Create boot-partition: named ESP, typed fat32, spanning 1M to 513M
parted --script /dev/sdc mkpart ESP fat32 1M 513M
# Set boot-flag on partition 1; on a GPT label parted treats "boot" as the EFI System Partition flag
parted /dev/sdc set 1 boot on

or

fdisk /dev/sdc
g
n
1
2048
+128M
t
1
w

Create filesystem

mkfs.vfat -n EFIBOOT -F32 /dev/sdc1

Setup encryption on SSD

# Create the detached LUKS header file ("disk"): reserve 2M for it in the current directory
fallocate -l 2M header.luks

# Wipe the disk, select a password
# blkdiscard discards every block on /dev/sda; all existing data on the SSD is lost.
# NOTE(review): discarded blocks typically read back as zeros rather than random data, so
# regions written later may be distinguishable from unused ones - confirm this is acceptable
# for your threat model.
blkdiscard /dev/sda
# --header stores the LUKS metadata and key slots in header.luks instead of on /dev/sda.
# Without this file the disk cannot be opened, even with the correct passphrase, so keep a
# backup of header.luks in a safe place.
cryptsetup luksFormat /dev/sda --header header.luks

# Open (unlock) the disk with the detached header; the decrypted device appears as /dev/mapper/encrypted
cryptsetup open --header header.luks --type luks /dev/sda encrypted

# Setup subvolumes on SSD: one btrfs filesystem on the unlocked device ...
mkfs.btrfs /dev/mapper/encrypted

# ... mounted temporarily at /mnt to create the "archlinux" (root) and "home" subvolumes
mount -o ssd,compress=lzo /dev/mapper/encrypted /mnt
btrfs subvolume create /mnt/archlinux
btrfs subvolume create /mnt/home
umount /mnt

Mount partitions

# Mount the "archlinux" subvolume as the root of the system being installed
mkdir -p /mnt/archlinux
mount -o ssd,compress=lzo,subvol=archlinux /dev/mapper/encrypted /mnt/archlinux
# /boot is the FAT partition on the USB key. It is not encrypted: the kernel and initramfs
# stored there can be read or modified by anyone who gets hold of the key, so keep the key
# under your physical control.
mkdir /mnt/archlinux/boot
mount /dev/sdc1 /mnt/archlinux/boot
# Mount the "home" subvolume at /home of the new system
mkdir /mnt/archlinux/home
mount -o ssd,compress=lzo,subvol=home /dev/mapper/encrypted /mnt/archlinux/home
# The line below is not needed but nice to have during installation
# NOTE(review): this leaves a plain copy of the LUKS header on the unencrypted USB partition.
# The header holds the key slots, so whoever reads it only needs the passphrase; consider
# deleting this copy once the installation is finished and the system boots.
cp header.luks /mnt/archlinux/boot/

Install base-system with i3 and some packages needed.

pacstrap /mnt/archlinux bash btrfs-progs bzip2 coreutils device-mapper diffutils dmenu feh file filesystem findutils gawk gcc-libs gettext glibc grep gzip i3status i3-wm inetutils iproute2 iputils less licenses linux logrotate man-db man-pages nano pacman pciutils perl procps-ng psmisc rxvt-unicode sed shadow s-nail sudo sysfsutils systemd-sysvcompat tar texinfo ttf-dejavu urxvt-perls usbutils util-linux vim which xf86-input-synaptics xf86-video-vesa xfsprogs xorg-font-util xorg-server xorg-xinit xterm zsh slim

Configure your host

# Copy the header into /etc of the new system; mkinitcpio.conf below lists /etc/header.luks in FILES.
# NOTE(review): cp creates the file with the default umask, which usually leaves it readable by
# every local user - consider restricting it to root (e.g. chmod 600 /mnt/archlinux/etc/header.luks).
cp header.luks /mnt/archlinux/etc
# Enter the new system with a bash shell; the configuration steps that follow presumably run inside this chroot
arch-chroot /mnt/archlinux /bin/bash

Setup initramfs in /etc/mkinitcpio.conf

# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run.  Advanced users may wish to specify all system modules
# in this array.  For instance:
#     MODULES="piix ide_disk reiserfs"
MODULES=(loop i915 vfat)

# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image.  This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=""

# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way.  This is useful for config files.
# The detached LUKS header is embedded in the initramfs here so the disk can be
# unlocked at boot (crypttab.initramfs refers to it as header=/etc/header.luks).
# The initramfs is loaded from /boot on the USB key (see the loader entry), so the
# header travels with the key: treat the key as sensitive and keep a separate backup
# of header.luks.
FILES=(/etc/header.luks)

# HOOKS
# This is the most important setting in this file.  The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added.  Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
##   This setup specifies all modules in the MODULES setting above.
##   No raid, lvm2, or encrypted root is needed.
#    HOOKS="base"
#
##   This setup will autodetect all modules for your system and should
##   work as a sane default
#    HOOKS="base udev autodetect block filesystems"
#
##   This setup will generate a 'full' image which supports most systems.
##   No autodetection is done.
#    HOOKS="base udev block filesystems"
#
##   This setup assembles a pata mdadm array with an encrypted root FS.
##   Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
#    HOOKS="base udev block mdadm encrypt filesystems"
#
##   This setup loads an lvm2 volume group on a usb device.
#    HOOKS="base udev block lvm2 filesystems"
#
##   NOTE: If you have /usr on a separate partition, you MUST include the
#    usr, fsck and shutdown hooks.
HOOKS=(base systemd autodetect block keyboard sd-encrypt fsck filesystems)

# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"

# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=""

Create /etc/crypttab.initramfs

# Fields: mapped name, backing device, key file (none = prompt for the passphrase), options.
# header= points at the detached header that mkinitcpio.conf's FILES entry puts into the initramfs.
# NOTE(review): discard passes TRIM requests through the encryption layer. That helps the SSD
# but reveals which blocks are in use to anyone inspecting the raw disk; drop the option if
# that information leak matters for your threat model.
encrypted /dev/sda none luks,header=/etc/header.luks,discard
# In theory the /dev/disk/by-path/ symlink should be more stable. Eg.:
#encrypted /dev/disk/by-path/<the symlink to /dev/sda> none luks,header=/etc/header.luks,discard

Create fstab

# automount /boot when accessed. this will hang 5min waiting for you to insert the USB key
# (noauto + x-systemd.automount: mounted on first access; idle-timeout unmounts it again after 5min unused)
# NOTE(review): dmask=0022,fmask=0133 leave everything on /boot readable by all local users,
# including the initramfs that embeds header.luks; tighter masks (e.g. dmask=0077,fmask=0177)
# would limit it to root - confirm nothing else needs to read /boot.
LABEL="EFIBOOT" /boot vfat defaults,noauto,utf8,tz=UTC,dmask=0022,fmask=0133,x-systemd.automount,x-systemd.device-timeout=5min,x-systemd.idle-timeout=5min 0 0

# root filesystem
/dev/mapper/encrypted / btrfs defaults,ssd,compress=lzo,subvol=archlinux 0 1
# ..and /home
/dev/mapper/encrypted /home btrfs defaults,ssd,compress=lzo,subvol=home 0 2

# it is nice to have the "real root" of the btrfs filesystem mounted somewhere,
# but not necessarily at /mnt
/dev/mapper/encrypted /mnt btrfs defaults,ssd,compress=lzo,subvolid=0 0 2

Follow the Arch Linux Beginners' guide.

Note: You probably want to set up the locale from the live system.

Add user

# Create the user with a home directory (-m) and the listed supplementary groups (-G).
# "adm" is the group given full sudo rights in the Sudoers step below.
# NOTE(review): members of "disk" can usually read and write block devices directly, including
# the unlocked /dev/mapper/encrypted, which bypasses file permissions and is effectively
# root-equivalent; drop "disk" from the list unless you really need it.
useradd -m -G adm,disk,audio,network,video YOURUSERNAME
# Set the new user's password interactively
passwd YOURUSERNAME

Sudoers

Edit /etc/sudoers (use visudo, which checks the syntax before saving), and add or uncomment

%adm ALL=(ALL) ALL

Install bootloader

Run:

bootctl install

Edit /boot/loader/entries/arch.conf

Add:

title          Arch Linux
linux          /vmlinuz-linux
initrd         /initramfs-linux.img
options        root=/dev/mapper/encrypted rootfstype=btrfs rw rootflags=ssd,compress=lzo,subvol=archlinux rootwait

Run:

mkinitcpio -p linux
bootctl update

Network

Edit /etc/systemd/network/dhcp.network and add your network adaptor (in the example below it is enp0*)

[Match]
Name=enp0****

[DHCPv4]
UseHostname=false

[Network]
DHCP=ipv4

[DHCP]
RouteMetric=10

Reboot

# Enable the systemd DNS resolver, time synchronisation and network services so they start at every boot
systemctl enable systemd-resolved
systemctl enable systemd-timesyncd
systemctl enable systemd-networkd
# Start the same services right away.
# NOTE(review): "systemctl start" needs a running systemd, so these commands presumably belong
# after the first boot of the installed system rather than inside the arch-chroot - confirm.
systemctl start systemd-resolved
systemctl start systemd-timesyncd
systemctl start systemd-networkd
# Point /etc/resolv.conf at the file generated by systemd-resolved (-f replaces an existing resolv.conf)
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Reboot

reboot