Debian is still my go-to distribution for any server, but I felt like I was in a bit of a no man's land with my laptop. Debian stable (currently Jessie) is rock solid and reliable, but I want to install new packages, like the latest version of Firefox. Debian testing and unstable (Stretch and Sid) are well ... unstable, and you really can't complain when things break[1].
I've been using Arch Linux on my desktop for a while, and for a bleeding edge distribution it's surprisingly stable[2].
These are my notes on installing Arch Linux on my laptop with Full Disk Encryption. As I noted in my post on Setting Up Full Disk Encryption on Debian Jessie, it's not really "Full" disk encryption: there is still a small partition, /boot, that's unencrypted and will contain the kernel and initramfs.
First I downloaded the latest Arch Linux iso, verified it, and copied it to a USB flash drive.
```
gpg --recv-keys 0x7f2d434b9741e8ac
gpg --verify archlinux-2016.07.01-dual.iso.sig
dd if=archlinux-2016.07.01-dual.iso of=/dev/sdb
```
Then I booted the USB drive and updated the time, because that's what it says in the documentation and it's a good idea.
```
timedatectl set-ntp true
```
I created 3 partitions on my hard drive, an 80GB SSD:
- 512MB FAT32 partition to boot from.
- A big partition to be used as the root.
- A 4GB partition for swap space.
```
parted /dev/sda
> mklabel gpt
> mkpart ESP fat32 1MiB 513MiB
> set 1 boot on
> mkpart primary 513MiB -4G
> mkpart primary 76GB 100%
```
I set up a LUKS volume on the second partition, formatted it to btrfs, then mounted it to /mnt/ and mounted the FAT32 volume to /mnt/boot.
```
cryptsetup luksFormat /dev/sda2
cryptsetup luksOpen /dev/sda2 arch_root
mkfs.btrfs /dev/mapper/arch_root
mount /dev/mapper/arch_root /mnt/
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
```
I updated the mirrors list and installed Arch Linux following the install guide, then installed vim[3] and added a host name.
```
vim /etc/pacman.d/mirrorlist
pacstrap /mnt base
genfstab -p /mnt >> /mnt/etc/fstab
arch-chroot /mnt
ln -s /usr/share/zoneinfo/Australia/Perth /etc/localtime
nano /etc/locale.gen
locale-gen
nano /etc/locale.conf
# LANG=en_AU.UTF-8
pacman -S vim
vim /etc/hostname
```
I edited /etc/mkinitcpio.conf to add the encrypt hook after udev on line 51 and then created my initramfs.
```
vim /etc/mkinitcpio.conf
# HOOKS="base udev encrypt autodetect modconf block filesystems keyboard fsck"
mkinitcpio -p linux
```
Next I used efibootmgr to add an entry into my EFI boot options to boot the Linux kernel directly rather than using a boot loader like GRUB which then boots the kernel.
I think this is an extremely elegant solution as it means I end up with only 3 files in my /boot/ volume: the kernel, the initramfs, and a fallback initramfs (which isn't really necessary). It's much neater than a bunch of GRUB scripts and config files.
```
pacman -S efibootmgr
# root= must use the same mapper name that cryptdevice= creates (arch_root)
efibootmgr -d /dev/sda -p 1 -c -L "Arch Linux" -l /vmlinuz-linux \
    -u "cryptdevice=/dev/sda2:arch_root root=/dev/mapper/arch_root rw initrd=/initramfs-linux.img"
```
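The kernel parameters passed with -u only boot the encrypted root if root= names the mapper device that cryptdevice=<device>:<name> creates. The following is an added example, not part of the original post: check_cmdline is a hypothetical helper and the sample command line is constructed.

```shell
#!/bin/sh
# Added example: check_cmdline is a hypothetical helper, not from the post.
# Returns 0 = consistent (or root= is not a mapper path), 1 = mismatch,
# 2 = cryptdevice= or root= missing.
check_cmdline() {
    mapper='' root=''
    set -f                                  # no globbing while word-splitting
    for arg in $1; do
        case $arg in
            cryptdevice=*:*)
                rest=${arg#cryptdevice=*:}  # drop "cryptdevice=<device>:"
                mapper=${rest%%:*}          # drop an optional ":<options>"
                ;;
            root=*) root=${arg#root=} ;;
        esac
    done
    set +f
    if [ -z "$mapper" ] || [ -z "$root" ]; then
        echo "missing cryptdevice=<device>:<name> or root="
        return 2
    fi
    case $root in
        "/dev/mapper/$mapper")
            echo "ok: root= matches mapper name $mapper" ;;
        /dev/mapper/*)
            echo "mismatch: cryptdevice creates /dev/mapper/$mapper but root=$root"
            return 1 ;;
        *)
            echo "root=$root is not a /dev/mapper path; compare it by hand" ;;
    esac
}

# Constructed sample: the two mapper names differ by one underscore.
check_cmdline "cryptdevice=/dev/sda2:arch_root root=/dev/mapper/archroot rw" || true
```

On a running system the same check can be fed the booted parameters with `check_cmdline "$(cat /proc/cmdline)"`.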
Next I added a user and set up sudo so they could become root.
```
useradd michael --create-home --groups wheel
passwd michael
pacman -S sudo
visudo
# Uncomment line 82:
# %wheel ALL=(ALL) ALL
```
Lastly I set up my swap partition to be a LUKS volume with a random key.
```
vim /etc/crypttab
# arch_swap /dev/sda3 /dev/urandom swap
vim /etc/fstab
# /dev/mapper/arch_swap none swap sw 0 0
```
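crypttab(5) warns that the swap option reformats the named device at every boot, so an entry keyed from /dev/urandom is safest when it names the partition by a persistent path rather than a kernel name such as /dev/sda3. The following check is an added example, not part of the original post: risky_swap_entries is a hypothetical helper, and the sample entries, including the by-partlabel path, are constructed.

```shell
#!/bin/sh
# Added example: risky_swap_entries is a hypothetical helper, not from the post.
# Reads crypttab text on stdin and prints each entry that carries the "swap"
# option while naming its source device by a non-persistent kernel name.
risky_swap_entries() {
    while read -r name device keyfile options rest; do
        case $name in ''|\#*) continue ;; esac          # blank lines, comments
        case ",$options," in *,swap,*) ;; *) continue ;; esac
        case $device in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
                echo "$name: $device is not a persistent name" ;;
        esac
    done
}

# Constructed sample crypttab: the first entry is the form used above, the
# second names the same kind of partition by a (made-up) partition label.
sample_crypttab() {
    cat <<'EOF'
# <name>    <device>                          <key>         <options>
arch_swap   /dev/sda3                         /dev/urandom  swap
safe_swap   /dev/disk/by-partlabel/cryptswap  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
arch_data   /dev/sdb1                         none          luks
EOF
}

sample_crypttab | risky_swap_entries
```

Only arch_swap is reported: arch_data uses a kernel name too, but without the swap option it is not reformatted at boot.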
I exited the chroot and rebooted.
I installed KDE because that's my desktop of choice but the lovely thing about Arch Linux is you can make it almost anything you want.
```
# Logged in as Michael, but run as root
dhcpcd enp0s25
pacman -S xorg-server
pacman -S plasma-meta
pacman -S kde-applications-meta
pacman -S sddm
systemctl enable sddm.service
systemctl enable NetworkManager.service
```
Added the track pad driver
```
pacman -S xf86-input-synaptics
```
Set time to NTP. I would have thought this would be done automatically because I'd synced the time when I started the installer, but apparently not.
```
timedatectl set-ntp true
```
And set the KDE Wallet to automatically unlock with my user password. This is a slight trade off in security because with the default setup I could have two different passwords, or I could login but choose not to unlock the wallet. But in this case I've decided to go with it because it's much more convenient and secure enough.
```
sudo pacman -S kwallet-pam
vim /etc/pam.d/sddm
```
My sddm file
```
#%PAM-1.0
auth        include     system-login
auth        optional    pam_kwallet5.so
auth        optional    pam_kwallet.so kdehome=.kde4
account     include     system-login
password    include     system-login
session     include     system-login
session     optional    pam_kwallet5.so
session     optional    pam_kwallet.so
```
[1] You can't complain, but you can file bug reports, which is helpful to the Debian maintainers.
[2] Things still break in new and interesting ways on Arch Linux, just less often than I would expect for the rate of package churn.
[3] Vim is included in the installer .iso file, so you can use it while you're installing, but it's not part of the base packages, so once you run arch-chroot you can't use it until you install it: pacman -S vim