The steps I use to get an initial install of Arch Linux. It includes both BIOS/MBR and UEFI/GPT steps as I've got a mixture of old and new hardware.

It will create an installation with block device encryption (aside from the boot partition) using LVM on LUKS (via dm-crypt). The boot partition can be better secured using UEFI if you're able to sign the bootloader.

- `sshd_config` - a hardened, production-grade OpenSSH example config
- `sysctl.conf` - tweaked kernel settings for better security

The guide assumes that `/dev/sda` is the system disk.
- Boot up the arch installer
- Change to UK keyboard (arch defaults to US)

  ```sh
  loadkeys uk
  ```

- If wifi connection is needed

  ```sh
  iwctl
  [iwd]# station $device connect $ssid
  ```
- BIOS/MBR based install
  - Open the disk in fdisk

    ```sh
    fdisk /dev/sda
    ```

  - Create an MBR partition table

    ```
    (fdisk) o
    ```

  - Create two partitions, `boot` and `root`

    ```
    (fdisk) n        # new partition
    (fdisk) p        # primary
    (fdisk) 1        # partition 1 (boot)
    (fdisk) <Enter>  # default first sector
    (fdisk) +500M
    (fdisk) t        # only one partition exists, so fdisk selects it
    (fdisk) 83       # type: Linux
    (fdisk) n
    (fdisk) p
    (fdisk) 2        # partition 2 (root)
    (fdisk) <Enter>
    (fdisk) <Enter>  # use the rest of the disk
    (fdisk) t
    (fdisk) <Enter>  # partition 2 (the default)
    (fdisk) 83
    (fdisk) w        # write the table and exit
    ```

  - Format the `boot` partition

    ```sh
    mkfs.ext2 /dev/sda1
    ```
- UEFI/GPT based install
  - Create the partitions

    ```sh
    cgdisk /dev/sda
    # 1  500MB  EFI partition  # Hex code = ef00
    # 2  100%   / partition    # Hex code = 8300
    ```

  - Format the `boot` partition

    ```sh
    mkfs.fat -F32 /dev/sda1
    ```
- Create the encrypted partition and open it

  ```sh
  # upstream GRUB can only unlock LUKS2 volumes that use the PBKDF2 KDF; if GRUB
  # has to unlock this volume itself (the UEFI layout below keeps /boot on it),
  # add --pbkdf pbkdf2, otherwise the argon2id default is fine
  cryptsetup --verify-passphrase --type luks2 luksFormat /dev/sda2
  cryptsetup luksOpen /dev/sda2 cryptroot
  ```

- Create an encryption key for grub (so the passphrase isn't prompted twice) and put it on slot 0 for added boot speed. Note this does improve convenience at the cost of security as the key becomes a point of weakness

  ```sh
  dd if=/dev/urandom of=/root/keyfile.bin bs=1024 count=4
  chmod 000 /root/keyfile.bin
  # without --key-slot, luksAddKey uses the first free slot; slot 0 already
  # holds the passphrase from luksFormat, so the keyfile lands in slot 1
  cryptsetup luksAddKey /dev/sda2 /root/keyfile.bin
  ```
- Create the logical volumes inside the encrypted partition

  ```sh
  pvcreate /dev/mapper/cryptroot
  vgcreate system /dev/mapper/cryptroot
  lvcreate --size 16G system --name swap
  lvcreate -l 100%FREE system --name root
  ```

- Create the filesystems on the encrypted volumes

  ```sh
  mkfs.ext4 /dev/mapper/system-root
  mkswap /dev/mapper/system-swap
  ```

- Mount the partitions

  ```sh
  mount /dev/mapper/system-root /mnt
  swapon /dev/mapper/system-swap
  # UEFI/GPT
  mkdir -p /mnt/boot/efi
  mount /dev/sda1 /mnt/boot/efi
  # BIOS/MBR
  mkdir -p /mnt/boot
  mount /dev/sda1 /mnt/boot
  ```
- Install base system

  ```sh
  pacstrap /mnt \
    base \
    linux \
    linux-firmware \
    bash \
    vim \
    iwd \
    sudo
  # the grub package covers both the BIOS and the UEFI targets
  # UEFI/GPT
  pacstrap /mnt grub efibootmgr
  # BIOS/MBR
  pacstrap /mnt grub
  ```

- Generate fstab. For SSDs change `relatime` on all non-boot partitions to `noatime` to reduce wear

  ```sh
  genfstab -pU /mnt >/mnt/etc/fstab
  ```

- Copy the Grub crypto key into the root partition (it ends up at `/keyfile.bin` in the new system)

  ```sh
  cp /root/keyfile.bin /mnt/keyfile.bin
  ```
- Enter the new system

  ```sh
  arch-chroot /mnt /bin/bash
  ```

- Set locale

  ```sh
  vim /etc/locale.gen  # uncomment any locales needed, e.g. en_GB.UTF-8
  locale-gen
  echo LANG=en_GB.UTF-8 >/etc/locale.conf
  ```

- Set the default paper size

  ```sh
  echo a4 > /etc/papersize
  ```

- Install base packages

  ```sh
  pacman-key --init
  pacman -S \
    dialog \
    gnome-terminal \
    lvm2 \
    mesa \
    xorg-server
  ```
- mkinitcpio

  ```sh
  vim /etc/mkinitcpio.conf
  ## Add 'keyboard keymap' to HOOKS before 'block'
  ## Add 'encrypt lvm2' to HOOKS before 'filesystems'
  # embed the keyfile in the initramfs (FILES is a bash array); sed cannot use a
  # backslash as its delimiter, so | is used here
  sed -i 's|^FILES=.*|FILES=(/keyfile.bin)|' /etc/mkinitcpio.conf
  mkinitcpio -p linux
  ```

- grub

  ```sh
  vim /etc/default/grub
  # set the following:
  # GRUB_HIDDEN_TIMEOUT=0
  # GRUB_HIDDEN_TIMEOUT_QUIET=true
  # GRUB_ENABLE_CRYPTODISK=y
  # cryptkey=rootfs:/keyfile.bin makes the encrypt hook use the embedded key;
  # without it the hook only looks for /crypto_keyfile.bin and otherwise prompts
  # GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:cryptroot cryptkey=rootfs:/keyfile.bin root=/dev/mapper/system-root"
  # or, by UUID:
  # GRUB_CMDLINE_LINUX="cryptdevice=UUID=...:cryptroot cryptkey=rootfs:/keyfile.bin root=UUID=..."

  # UEFI/GPT
  grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id="Arch"
  # BIOS/MBR
  grub-install --target=i386-pc /dev/sda
  grub-mkconfig -o /boot/grub/grub.cfg
  ```
- Create users

  ```sh
  # --groups (-G) adds the supplementary group; --group (-g) would set the primary group
  useradd --create-home --user-group --groups wheel rob
  passwd rob
  ```

- Enable the `wheel` group in sudoers

  ```sh
  # matches both the older "(ALL)" and the current "(ALL:ALL)" form of the line
  sed -i 's/^# *\(%wheel ALL=(ALL\(:ALL\)\?) ALL\)$/\1/' /etc/sudoers
  visudo -c
  ```

- Set hostname

  ```sh
  echo "robs-machine" >/etc/hostname
  echo "127.0.1.1 robs-machine.localdomain robs-machine" >> /etc/hosts
  ```

- System clock

  ```sh
  ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
  hwclock --systohc --utc
  ```
- NTP

  ```sh
  pacman -S --noconfirm ntp
  systemctl enable ntpd
  ```

- Hardening

  ```sh
  # disable the root password (root is then reachable only via sudo)
  passwd -l root
  # reduce permissions on sensitive files; /boot holds the initramfs, which now
  # embeds the LUKS keyfile, so it must not be world-readable
  chmod 700 /boot /etc/iptables
  ```

- Entropy services

  ```sh
  pacman -S --noconfirm rng-tools haveged
  systemctl enable haveged
  systemctl enable rngd
  ```

- Pacman

  ```sh
  pacman -S --noconfirm pacman-contrib
  systemctl enable paccache.timer
  ```

- Systemd

  ```sh
  systemctl enable systemd-homed
  ```

- Login

  ```sh
  pacman -S lightdm lightdm-gtk-greeter
  systemctl enable lightdm
  ```

- Desktop

  ```sh
  pacman -S cinnamon nemo-fileroller nemo-preview
  ```

- NetworkManager

  ```sh
  pacman -S networkmanager gnome-keyring
  pacman -S --noconfirm dnsmasq networkmanager-openvpn network-manager-applet libsecret
  # the section header and the key must be on separate lines, and we are
  # already root inside the chroot so no sudo is needed
  printf '[main]\ndns=dnsmasq\n' >/etc/NetworkManager/NetworkManager.conf
  systemctl enable NetworkManager
  ```

- Clean up and reboot

  ```sh
  exit
  umount -R /mnt
  swapoff -a
  ```