This is my cheat sheet for installing Arch Linux. It results in a base system including disk encryption, graphics, and sound. Pretty much everything I need to get started. I update the cheat sheet as necessary from time to time. The last update was September 24, 2020.

Use of this cheat sheet assumes that the target system boots with UEFI, has an Intel processor, and uses Intel graphics. You should also have some prior Linux/Unix experience. That said, you can certainly deviate as much as you want/need. If you get stuck or aren't sure of something, consult the ArchWiki.

Please let me know if I've made any egregious errors. And no, I don't consider the use of bash, nano, or ext4 to be errors.

  1. Boot the install medium.
  2. Check that the system has booted into UEFI mode.
    • ls /sys/firmware/efi/efivars
      • This should print a list of UEFI variables. If not, reboot and do whatever's needed to boot into UEFI mode.
  3. Establish an internet connection.
    1. iw dev
    2. wifi-menu -o [wireless interface]
  4. Update the system clock.
    • timedatectl set-ntp true
      • Check the status of the systemd-timesyncd service with timedatectl status.
  5. Prepare the storage devices.
    1. Get a list of all storage devices attached to the system. Make note of the one you want.
      • lsblk
    2. Wipe the drive with random data before partitioning and encrypting.
      • If the drive already contains LUKS formatted partitions...
        • For each partition, dd if=/dev/urandom of=/dev/[device][partition number] bs=512 count=40960
          • This will overwrite the first 20 MiB of the partition with random data, wiping the LUKS header data.
          • This option is much quicker than writing random data to the entire drive, but not necessarily as secure.
      • Else...
        1. cryptsetup open --type plain /dev/[device] container
        2. fdisk -l
          • /dev/mapper/container should exist.
        3. dd if=/dev/zero of=/dev/mapper/container
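          • Because the zeros pass through the plain dm-crypt mapping, what lands on the drive is random-looking ciphertext, so this fills the entire drive with random data.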
          • This could take a long time, depending on the size of the drive.
    3. Partition the disk.
      • cgdisk /dev/[device]
        • Be sure to make the first partition 512 MiB and mark it as EFI type. This will be the boot partition.
    4. Encrypt, make a filesystem on, and mount the root partition.
      1. cryptsetup -v luksFormat /dev/[device][root partition]
        • Don't forget the password you use for the encryption key!
      2. cryptsetup open --type luks /dev/[device][root partition] root
      3. mkfs -t ext4 /dev/mapper/root
      4. mount /dev/mapper/root /mnt
    5. Make the filesystem for the EFI boot partition and mount it. Do not encrypt the EFI boot partition!
      1. mkfs.vfat -F32 /dev/[device][EFI boot partition]
      2. mkdir /mnt/boot
      3. mount /dev/[device][EFI boot partition] /mnt/boot
    6. Generate keyfiles for each of the remaining partitions you need to encrypt.
      1. mkdir /mnt/etc
      2. For each partition yet to be encrypted, dd bs=512 count=4 if=/dev/urandom of=/mnt/etc/[keyfile name] iflag=fullblock
    7. Encrypt, make a filesystem on, and mount the remaining partitions.
      • For each partition...
        1. cryptsetup -v luksFormat /dev/[device][partition number] /mnt/etc/[keyfile to use]
        2. cryptsetup open --type luks --key-file /mnt/etc/[keyfile to use] /dev/[device][partition number] [partition name]
        3. mkfs -t ext4 /dev/mapper/[partition name]
        4. mkdir /mnt/[directory corresponding to partition]
        5. mount /dev/mapper/[partition name] /mnt/[directory corresponding to partition]
  6. Install and configure the base system.
    1. Select a mirror and install the base system.
      1. nano /etc/pacman.d/mirrorlist
        • Uncomment the mirror you want pacman to use when downloading and installing packages for the base system.
      2. pacstrap /mnt base linux linux-firmware e2fsprogs gptfdisk man-db sudo nano iw wpa_supplicant dialog netctl dhcpcd wget ntp base-devel
    2. Generate an fstab.
      1. genfstab -U /mnt >> /mnt/etc/fstab
      2. To validate that the fstab has been generated, nano /mnt/etc/fstab
    3. Chroot and configure the base system.
      1. arch-chroot /mnt /bin/bash
      2. ln -sf /usr/share/zoneinfo/[timezone]/[sub timezone] /etc/localtime
      3. hwclock --systohc
      4. nano /etc/locale.gen
        • Uncomment the locale you want for the system (for United States, probably en_US.UTF-8 UTF-8).
      5. locale-gen
      6. echo LANG=[locale you uncommented] > /etc/locale.conf
      7. echo [desired hostname] > /etc/hostname
      8. nano /etc/hosts
        • Add the following lines:
          127.0.0.1 localhost
          ::1 localhost
          127.0.1.1 [hostname].localdomain [hostname]
      9. If the system is being installed on a USB key...
        • nano /etc/mkinitcpio.conf
          • Add the block hook to the hooks array right after udev.
      10. If the system is being installed on an SSD or other flash-based medium...
        1. nano /etc/fstab
          • Change any instances of relatime to noatime.
        2. nano /etc/makepkg.conf
          • Uncomment BUILDDIR=/tmp/makepkg in the BUILD ENVIRONMENT section.
      11. If the system is being installed on an SSD...
        • nano /etc/fstab
          • Add the discard option to all ext4 partitions on the disk.
      12. If /var has been given its own partition...
        • nano /etc/systemd/journald.conf
          • Uncomment Storage and set its value to volatile instead of auto. The purpose of this is to prevent the shutdown message Failed unmounting /var. systemd's journal will be stored in RAM at /run/log/journal instead of on disk at /var/log/journal.
      13. Configure the boot options.
        1. nano /etc/mkinitcpio.conf
          • Add encrypt, keymap, and keyboard to the hooks array. keymap must come before encrypt.
        2. mkinitcpio -P
        3. bootctl install
        4. pacman -S intel-ucode
        5. blkid
          • Look for the UUID of the encrypted root partition (/dev/[device][root partition], not /dev/mapper/root). Write it down for use in the next step.
        6. nano /boot/loader/entries/arch.conf
          • The contents of the file should look like this:
            title Arch Linux
            linux /vmlinuz-linux
            initrd /intel-ucode.img
            initrd /initramfs-linux.img
            options cryptdevice=UUID=[UUID of encrypted root partition]:root root=/dev/mapper/root rw
        7. nano /boot/loader/loader.conf
          • The contents of the file should look like this:
            default arch.conf
            timeout 4
            editor no
        8. blkid
          • Look for the UUIDs of any other encrypted partitions (again, /dev/[device][partition number], not /dev/mapper/[partition name]). Write them down for use in the next step.
        9. nano /etc/crypttab
          • For each encrypted partition, add the following line:
            [dev mapper name] UUID=[UUID of encrypted partition] /etc/[keyfile to unlock encrypted partition]
        10. nano /etc/fstab
          • Replace the UUIDs or devices of each encrypted partition (besides / and /boot) with /dev/mapper/[partition name].
      14. Set the root password. Don't forget it!
        • passwd
  7. Unmount the partitions and reboot the computer.
    1. exit
    2. For each encrypted partition except / (root)...
      1. umount /mnt/[directory corresponding to partition]
      2. cryptsetup close [partition name]
    3. umount /mnt/boot
    4. umount /mnt
    5. cryptsetup close root
    6. reboot
  8. Log in and configure the system.
    1. wifi-menu
    2. netctl enable [network you just connected to with wifi-menu]
      • This will create and enable a systemd service that will connect to the wifi network when the system boots.
    3. timedatectl set-ntp true
      • Validate that ntp is running with timedatectl status.
    4. useradd -m -G wheel -s /bin/bash [your username]
    5. passwd [your username]
    6. EDITOR=nano visudo
      • Allow members of group wheel sudo access by uncommenting the line %wheel ALL=(ALL) ALL
    7. nano /etc/pacman.conf
      • Uncomment the multilib repository lines.
    8. pacman -S reflector
    9. cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.backup
    10. reflector --verbose -l 5 -p http --sort rate --save /etc/pacman.d/mirrorlist
    11. pacman -Syy
    12. pacman -Syu
    13. Install and configure preferred base applications/libraries.
      • pacman -S mesa lib32-mesa libva-intel-driver
      • pacman -S xorg-server xorg-apps xorg-xinit
      • pacman -S alsa-utils pulseaudio pulseaudio-alsa
      • pacman -S ttf-dejavu ttf-freefont
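
The keyfiles from step 5.6, the /etc/crypttab lines and the /etc/fstab edits from step 6.3.13 have to agree with each other, and a keyfile readable by other users defeats the encryption of the partition it unlocks. The script below is an added example, not part of the original cheat sheet, that checks this wiring before the reboot in step 7. The function name audit_crypttab and the sample tree are made up for illustration, and it assumes GNU stat.

```shell
#!/usr/bin/env bash
# Usage: audit_crypttab [root]   (use /mnt before the chroot, nothing after it)
# Prints one line per finding and returns 1 if there was any finding.
audit_crypttab() {
    local root="${1%/}" name dev key _opts mode bad=0
    while read -r name dev key _opts || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        # The sheet identifies each LUKS partition by UUID, not by device node.
        case "$dev" in
            UUID=*) ;;
            *) echo "$name: device '$dev' is not given as UUID=..."; bad=1 ;;
        esac
        if [ ! -f "$root$key" ]; then
            echo "$name: keyfile $key is missing"; bad=1
        else
            # A keyfile unlocks the volume: allow no group/other permission bits.
            mode=$(stat -c '%a' "$root$key")
            case "$mode" in
                ?00) ;;
                *) echo "$name: keyfile $key has mode $mode, want 600 or 400"; bad=1 ;;
            esac
        fi
        # fstab must mount the opened mapping, not the raw encrypted partition.
        if ! grep -Eq "^/dev/mapper/$name[[:space:]]" "$root/etc/fstab"; then
            echo "$name: no /dev/mapper/$name entry in fstab"; bad=1
        fi
    done < "$root/etc/crypttab"
    return "$bad"
}

# Constructed sample tree (not from the original page): one extra volume "home".
demo=$(mktemp -d)
mkdir -p "$demo/etc"
echo 'home UUID=00000000-0000-0000-0000-000000000000 /etc/home.key' > "$demo/etc/crypttab"
echo '/dev/mapper/home /home ext4 rw,noatime 0 2' > "$demo/etc/fstab"
head -c 2048 /dev/urandom > "$demo/etc/home.key"
chmod 644 "$demo/etc/home.key"   # the mode a 022 umask leaves on a new file
audit_crypttab "$demo" || echo "fix the findings above before rebooting"
chmod 600 "$demo/etc/home.key"
audit_crypttab "$demo" && echo "crypttab wiring looks consistent"
```

The script does not check keyfile ownership; on the installed system the keyfiles should also be owned by root.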